[OE-core][dunfell][PATCH] bind: Backport fix for CVE-2023-2828

2023-09-05 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream Patch: 
https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch

LINK: https://security-tracker.debian.org/tracker/CVE-2023-2828

Signed-off-by: Vijay Anusuri 
---
 .../bind/bind/CVE-2023-2828.patch | 166 ++
 .../recipes-connectivity/bind/bind_9.11.37.bb |   1 +
 2 files changed, 167 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch 
b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
new file mode 100644
index 00..6f6c104530
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
@@ -0,0 +1,166 @@
+
+Upstream-Status: Backport [import from debian 
security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz
+Upstream patch 
https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch]
+Upstream Commit: 
https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a
+CVE: CVE-2023-2828
+Signed-off-by: Vijay Anusuri 
+
+---
+ lib/dns/rbtdb.c | 106 +---
+ 1 file changed, 63 insertions(+), 43 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index b1b928c..3165e26 100644
+--- a/lib/dns/rbtdb.c
 b/lib/dns/rbtdb.c
+@@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t *rbtdb, 
rdatasetheader_t *header,
+ static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+ bool tree_locked, expire_t reason);
+ static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+-isc_stdtime_t now, bool tree_locked);
++size_t purgesize, bool tree_locked);
+ static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
+ rdatasetheader_t *newheader);
+ static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
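Review bot: the third parameter of overmem_purge() changes type and meaning (`isc_stdtime_t now` becomes `size_t purgesize`), so every caller and the definition itself must be updated in the same patch. The only call site visible here is in addrdataset(); the definition of overmem_purge() in rbtdb.c is not in the visible part of this backport, and since the patch is imported from a Debian bind9 9.11.5 tarball onto bind 9.11.37, the commit message should confirm the 9.11.37 tree was built with the changed signature.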
+@@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t 
*newheader,
+ 
+ static dns_dbmethods_t zone_methods;
+ 
++static size_t
++rdataset_size(rdatasetheader_t *header) {
++  if (!NONEXISTENT(header)) {
++  return (dns_rdataslab_size((unsigned char *)header,
++ sizeof(*header)));
++  }
++
++  return (sizeof(*header));
++}
++
+ static isc_result_t
+ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+   isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
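Review bot: rdataset_size() returns just sizeof(*header) for NONEXISTENT headers and the header plus slab size otherwise, which is what a size-based purge budget needs. A one-line comment above the function saying that the value is an accounting estimate (header and slab only, not allocator overhead) would help, because expire_lru_headers() compares it directly against the number of bytes it has purged.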
+@@ -6932,7 +6942,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, 
dns_dbversion_t *version,
+   }
+ 
+   if (cache_is_overmem)
+-  overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
++  overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
++tree_locked);
+ 
+   NODE_LOCK(>node_locks[rbtnode->locknum].lock,
+ isc_rwlocktype_write);
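Review bot: the purge budget passed to overmem_purge() is now `rdataset_size(newheader)`, the size of the rdataset about to be inserted, so the amount of cache evicted per insertion is tied to the amount added rather than to the `now` timestamp. The call still precedes NODE_LOCK exactly as before, so there is no locking change to review in this hunk; it only requires that newheader is fully populated at this point, since rdataset_size() reads the slab behind it.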
+@@ -6947,9 +6958,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, 
dns_dbversion_t *version,
+   cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+ 
+   header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+-  if (header && header->rdh_ttl < now - RBTDB_VIRTUAL)
+-  expire_header(rbtdb, header, tree_locked,
+-expire_ttl);
++  if (header != NULL) {
++  dns_ttl_t rdh_ttl = header->rdh_ttl;
++
++  if (rdh_ttl < now - RBTDB_VIRTUAL) {
++  expire_header(rbtdb, header, tree_locked,
++expire_ttl);
++  }
++  }
+ 
+   /*
+* If we've been holding a write lock on the tree just for
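Review bot: this block is functionally a no-op relative to the removed two-line form: the heap top is still expired when its TTL is older than `now - RBTDB_VIRTUAL`, the only differences being an explicit `header != NULL` test, braces, and reading `header->rdh_ttl` into a local before the comparison. Saying so in the patch description would save reviewers hunting for a semantic change here.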
+@@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t 
*header,
+   ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link);
+ }
+ 
++static size_t
++expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
++ bool tree_locked) {
++  rdatasetheader_t *header, *header_prev;
++  size_t purged = 0;
++
++  for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
++   header != NULL && purged <= purgesize; header = header_prev)
++  {
++  header_prev = ISC_LIST_PREV(header, link);
++  /*
++   * Unlink the entry at this point to avoid checking it
++   * again even if it's currently used someone else and
++   * cannot be purged at this moment.  This entry won't be
++   * referenced any more (so unlinking is safe) since the
++   * TTL was reset to 0.
++   */
++  ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
++  size_t 
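Review bot: in expire_lru_headers() the loop condition `purged <= purgesize` keeps evicting until strictly more than purgesize bytes have been freed, and runs at least once even when purgesize is 0; that is the intended "free at least as much as we are adding" behaviour, but it deserves a comment, since a reader may expect `<`. Typo in the comment: "currently used someone else" should read "currently used by someone else". The archive cuts this hunk off at `size_t`, so the accumulation of `purged` and the function's return value cannot be reviewed from this message.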

Re: [OE-core][kirkstone][PATCH] inetutils: Security fix for CVE-2023-40303

2023-09-06 Thread Vijay Anusuri via lists.openembedded.org
Hi Siddharth,

The CVE-2023-40303 patch for kirkstone was already submitted and has landed in
kirkstone-nut.

https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/kirkstone-nut=2d2fc8e2b0eaa20f6bf8cfc0d1acd908f3dac2ec

Thanks & Regards,
Vijay

On Wed, Sep 6, 2023 at 1:45 PM Siddharth via lists.openembedded.org  wrote:

> From: Siddharth Doshi 
>
> Upstream-Status: Backport from [
> https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
> ]
> CVE: CVE-2023-40303
> Signed-off-by: Siddharth Doshi 
> ---
>  .../inetutils/inetutils/CVE-2023-40303.patch  | 283 ++
>  .../inetutils/inetutils_2.2.bb|   1 +
>  2 files changed, 284 insertions(+)
>  create mode 100644
> meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch
>
> diff --git
> a/meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch
> b/meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch
> new file mode 100644
> index 00..06f7f2fc00
> --- /dev/null
> +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2023-40303.patch
> @@ -0,0 +1,283 @@
> +From e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 Mon Sep 17 00:00:00 2001
> +From: Jeffrey Bencteux 
> +Date: Fri, 30 Jun 2023 19:02:45 +0200
> +Subject: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check set*id() return values
> +
> +Several setuid(), setgid(), seteuid() and setguid() return values
> +were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
> +leading to potential security issues.
> +
> +Signed-off-by: Jeffrey Bencteux 
> +Signed-off-by: Simon Josefsson 
> +
> +Upstream-Status: Backport from [
> https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
> ]
> +CVE: CVE-2023-40303
> +Signed-off-by: Siddharth Doshi 
> +
> +---
> + ftpd/ftpd.c  | 10 +++---
> + src/rcp.c| 39 +--
> + src/rlogin.c | 11 +--
> + src/rsh.c| 25 +
> + src/rshd.c   | 20 +---
> + src/uucpd.c  | 15 +--
> + 6 files changed, 100 insertions(+), 20 deletions(-)
> +
> +diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
> +index 68d41fd..703fbbc 100644
> +--- a/ftpd/ftpd.c
>  b/ftpd/ftpd.c
> +@@ -865,7 +865,9 @@ end_login (struct credentials *pcred)
> +   char *remotehost = pcred->remotehost;
> +   int atype = pcred->auth_type;
> +
> +-  seteuid ((uid_t) 0);
> ++  if (seteuid ((uid_t) 0) == -1)
> ++_exit (EXIT_FAILURE);
> ++
> +   if (pcred->logged_in)
> + {
> +   logwtmp_keep_open (ttyline, "", "");
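Review bot: on seteuid() failure this hunk calls `_exit (EXIT_FAILURE)` without any diagnostic, so a failed privilege transition in end_login() leaves no trace; a syslog line before the `_exit` would give operators something to find afterwards. Using `_exit` rather than `exit` is the right choice in a forked per-connection daemon, because it skips atexit handlers and stdio flushing of buffers inherited from the parent.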
> +@@ -1154,7 +1156,8 @@ getdatasock (const char *mode)
> +
> +   if (data >= 0)
> + return fdopen (data, mode);
> +-  seteuid ((uid_t) 0);
> ++  if (seteuid ((uid_t) 0) == -1)
> ++_exit (EXIT_FAILURE);
> +   s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
> +   if (s < 0)
> + goto bad;
> +@@ -1981,7 +1984,8 @@ passive (int epsv, int af)
> +   else/* !AF_INET6 */
> + ((struct sockaddr_in *) _addr)->sin_port = 0;
> +
> +-  seteuid ((uid_t) 0);
> ++  if (seteuid ((uid_t) 0) == -1)
> ++_exit (EXIT_FAILURE);
> +   if (bind (pdata, (struct sockaddr *) _addr, pasv_addrlen) < 0)
> + {
> +   if (seteuid ((uid_t) cred.uid))
> +diff --git a/src/rcp.c b/src/rcp.c
> +index 476cbaa..cd84570 100644
> +--- a/src/rcp.c
>  b/src/rcp.c
> +@@ -348,14 +348,23 @@ main (int argc, char *argv[])
> +   if (from_option)
> + { /* Follow "protocol", send data. */
> +   response ();
> +-  setuid (userid);
> ++
> ++  if (setuid (userid) == -1)
> ++  {
> ++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid()
> failed)");
> ++  }
> ++
> +   source (argc, argv);
> +   exit (errs);
> + }
> +
> +   if (to_option)
> + { /* Receive data. */
> +-  setuid (userid);
> ++  if (setuid (userid) == -1)
> ++  {
> ++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid()
> failed)");
> ++  }
> ++
> +   sink (argc, argv);
> +   exit (errs);
> + }
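Review bot: both new setuid() checks pass 0 as the errnum argument to error(), so the message "Could not drop privileges (setuid() failed)" never says why; `error (EXIT_FAILURE, errno, ...)` costs nothing and makes the failure diagnosable. Aborting is the correct reaction: setuid() can fail (for example with EAGAIN when the target uid's process limit is reached), and continuing would run source()/sink() with the original privileged uid, which is the problem this CVE fix addresses.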
> +@@ -540,7 +549,11 @@ toremote (char *targ, int argc, char *argv[])
> + if (response () < 0)
> +   exit (EXIT_FAILURE);
> + free (bp);
> +-setuid (userid);
> ++
> ++if (setuid (userid) == -1)
> ++  {
> ++error (EXIT_FAILURE, 0, "Could not drop privileges
> (setuid() failed)");
> ++  }
> +   }
> + source (1, argv + i);
> + close (rem);
> +@@ -633,7 +646,12 @@ tolocal (int argc, char *argv[])
> + ++errs;
> + continue;
> +   }
> +-  seteuid (userid);
> ++
> ++  if (seteuid (userid) == -1)
> ++  {
> ++error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid()
> failed)");
> ++  }
> ++
> + #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
> +   sslen = sizeof (ss);
> +   (void) 

[OE-core][dunfell][PATCH] qemu: Backport fix for CVE-2023-0330

2023-09-11 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

A DMA-MMIO reentrancy problem may lead to memory corruption bugs
like stack overflow or use-after-free.

Summary of the problem from Peter Maydell:
https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com

Reference:
https://gitlab.com/qemu-project/qemu/-/issues/556

qemu.git$ git log --no-merges --oneline   --grep CVE-2023-0330
b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller 
(CVE-2023-0330)
a2e1753b80 memory: prevent dma-reentracy issues

Included the second commit as well, as the commit log of a2e1753b80 says it
resolves CVE-2023-0330

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/qemu/qemu.inc   |   3 +-
 ...-2023-0330.patch => CVE-2023-0330_1.patch} |   0
 .../qemu/qemu/CVE-2023-0330_2.patch   | 135 ++
 3 files changed, 137 insertions(+), 1 deletion(-)
 rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => 
CVE-2023-0330_1.patch} (100%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 2871818cb1..eda05e8d8a 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -137,7 +137,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3409-4.patch \
file://CVE-2021-3409-5.patch \
file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
-   file://CVE-2023-0330.patch \
+   file://CVE-2023-0330_1.patch \
+   file://CVE-2023-0330_2.patch \
file://CVE-2023-3354.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
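Review bot: this hunk only renames the existing patch to CVE-2023-0330_1.patch and adds CVE-2023-0330_2.patch; OE's cve-check credits a patched CVE from both the CVE-NNNN-NNNN pattern in the file name and the `CVE:` tag inside the patch, so both files will be counted for CVE-2023-0330, which is fine. The commit message should however say that a2e1753b80 is a change to the memory core that affects every device model, not only lsi53c895a, so branch maintainers know the regression surface is much wider than the CVE title suggests.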
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch
similarity index 100%
rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
new file mode 100644
index 00..3b45bc0411
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
@@ -0,0 +1,135 @@
+From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
+From: Alexander Bulekov 
+Date: Thu, 27 Apr 2023 17:10:06 -0400
+Subject: [PATCH] memory: prevent dma-reentracy issues
+
+Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA.
+This flag is set/checked prior to calling a device's MemoryRegion
+handlers, and set when device code initiates DMA.  The purpose of this
+flag is to prevent two types of DMA-based reentrancy issues:
+
+1.) mmio -> dma -> mmio case
+2.) bh -> dma write -> mmio case
+
+These issues have led to problems such as stack-exhaustion and
+use-after-frees.
+
+Summary of the problem from Peter Maydell:
+https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282
+Resolves: CVE-2023-0330
+
+Signed-off-by: Alexander Bulekov 
+Reviewed-by: Thomas Huth 
+Message-Id: <20230427211013.2994127-2-alx...@bu.edu>
+[thuth: Replace warn_report() with warn_report_once()]
+Signed-off-by: Thomas Huth 
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri 
+---
+ include/exec/memory.h  |  5 +
+ include/hw/qdev-core.h |  7 +++
+ memory.c   | 16 
+ 3 files changed, 28 insertions(+)
+
+diff --git a/include/exec/memory.h b/include/exec/memory.h
+index 2b8bccdd..0c8cdb8e 100644
+--- a/include/exec/memory.h
 b/include/exec/memory.h
+@@ -378,6 +378,8 @@ struct MemoryRegion {
+ bool is_iommu;
+ RAMBlock *ram_block;
+ Object *owner;
++/* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath 
*/
++DeviceState *dev;
+ 
+ const MemoryRegionOps *ops;
+ void *opaque;
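Review bot: `DeviceState *dev` is added to struct MemoryRegion for use on the MR access hot path (the comment is wrapped across two lines by the archive, not by the patch). Confirm that the memory.c part of this backport, which is not visible here, initialises the field (NULL for regions whose owner is not a TYPE_DEVICE) before the re-entrancy check reads it; on a backport to an older QEMU the owner lookup code may differ from the upstream commit.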
+@@ -400,6 +402,9 @@ struct MemoryRegion {
+ const char *name;
+ unsigned ioeventfd_nb;
+ MemoryRegionIoeventfd *ioeventfds;
++
++/* For devices designed to perform re-entrant IO into their own IO MRs */
++bool disable_reentrancy_guard;
+ };
+ 
+ struct IOMMUMemoryRegion {
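Review bot: `disable_reentrancy_guard` is an opt-out that defaults to false, so after this backport every device's MMIO region is guarded, and a device that legitimately re-enters its own region has its access rejected with the warn_report_once() mentioned in the commit message unless it sets this flag. When a branch shows boot or shutdown regressions after applying this patch, grepping the QEMU stderr of the failing run for that warning is the first check; if a device model in this QEMU version needs the opt-out, the upstream follow-up patches that set the flag for such devices would need to be backported alongside.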
+diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
+index 1518495b..206f0a70 100644
+--- a/include/hw/qdev-core.h
 b/include/hw/qdev-core.h
+@@ -138,6 +138,10 @@ struct NamedGPIOList {
+ 

Re: [OE-core][mickledore][PATCH 2/2] qemu: fix CVE-2023-0330

2023-09-17 Thread Vijay Anusuri via lists.openembedded.org
Hi Steve,

Same patch I've submitted for dunfell. Please revert it if it is failing.

Thanks & Regards,
Vijay

On Fri, Sep 15, 2023 at 8:56 PM Steve Sakoman  wrote:

> On Wed, Sep 13, 2023 at 4:44 AM Steve Sakoman via
> lists.openembedded.org 
> wrote:
> >
> > Unfortunately this change breaks the qemux86 and qemux86-64 tests on
> > the autobuilder:
>
> The versions of this patch for both mickledore and kirkstone break
> qemux86 and qemux86-64 in the same way, so I can't take the patch for
> either branch.
>
> Steve
>
> >
> > https://errors.yoctoproject.org/Errors/Details/736394/
> > https://errors.yoctoproject.org/Errors/Details/736395/
> >
> > In both cases:
> >
> > Failed: qemux86-64 does not shutdown within timeout(120)
> >
> > There was recently an issue fixed in the master branch where x86 was
> > broken after a version upgrade:
> >
> >
> https://git.openembedded.org/openembedded-core/commit/?id=3d3fa94ee6d7ea58e3ec64d28bd6414437806cfd
> >
> > Not sure if it is related, since the commit message indicates "won't
> > boot" as the symptom and this appears to be a shutdown issue. Perhaps
> > Richard can comment.
> >
> > Steve
> >
> > On Tue, Sep 12, 2023 at 10:02 PM Urade, Yogita via
> > lists.openembedded.org
> >  wrote:
> > >
> > > From: Yogita Urade 
> > >
> > > A DMA-MMIO reentrancy problem may lead to memory corruption bugs
> > > like stack overflow or use-after-free.
> > >
> > > Summary of the problem from Peter Maydell:
> > >
> https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
> > >
> > > Reference:
> > > https://gitlab.com/qemu-project/qemu/-/issues/556
> > >
> > > qemu.git$ git log --no-merges --oneline   --grep CVE-2023-0330
> > > b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
> controller (CVE-2023-0330)
> > > a2e1753b80 memory: prevent dma-reentracy issues
> > >
> > > Included the second commit as well, as the commit log of a2e1753b80 says it
> > > resolves CVE-2023-0330
> > >
> > > Signed-off-by: Yogita Urade 
> > > ---
> > >  meta/recipes-devtools/qemu/qemu.inc   |   3 +-
> > >  ...23-0330.patch => CVE-2023-0330-0001.patch} |   0
> > >  .../qemu/qemu/CVE-2023-0330-0002.patch| 136 ++
> > >  3 files changed, 138 insertions(+), 1 deletion(-)
> > >  rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch =>
> CVE-2023-0330-0001.patch} (100%)
> > >  create mode 100644
> meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch
> > >
> > > diff --git a/meta/recipes-devtools/qemu/qemu.inc
> b/meta/recipes-devtools/qemu/qemu.inc
> > > index 2efe63cdc0..1a50e4d524 100644
> > > --- a/meta/recipes-devtools/qemu/qemu.inc
> > > +++ b/meta/recipes-devtools/qemu/qemu.inc
> > > @@ -36,7 +36,8 @@ SRC_URI = "
> https://download.qemu.org/${BPN}-${PV}.tar.xz \
> > > file://qemu-guest-agent.init \
> > > file://qemu-guest-agent.udev \
> > > file://ppc.patch \
> > > -  file://CVE-2023-0330.patch \
> > > +  file://CVE-2023-0330-0001.patch \
> > > +  file://CVE-2023-0330-0002.patch \
> > >file://CVE-2023-3301.patch \
> > >file://CVE-2023-3255.patch \
> > >file://CVE-2023-2861.patch \
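Review bot: the recipe hunk only swaps the patch file names; the qemux86 shutdown timeouts reported above come from the content of CVE-2023-0330-0002.patch (the memory-core re-entrancy guard), not from this SRC_URI edit. Reverting therefore means dropping the CVE-2023-0330-0002.patch entry and restoring the original CVE-2023-0330.patch name, which keeps the first (lsi53c895a) fix in place and cve-check still credited for CVE-2023-0330 via that file's `CVE:` tag.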
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch
> > > similarity index 100%
> > > rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
> > > rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0001.patch
> > > diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch
> b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch
> > > new file mode 100644
> > > index 00..a21b01bd25
> > > --- /dev/null
> > > +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330-0002.patch
> > > @@ -0,0 +1,136 @@
> > > +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001
> > > +From: Alexander Bulekov 
> > > +Date: Tue, 12 Sep 2023 10:49:46 +
> > > +Subject: [PATCH] memory: prevent dma-reentracy issues
> > > +
> > > +Add a flag to the DeviceState, when a device is engaged in
> PIO/MMIO/DMA.
> > > +This flag is set/checked prior to calling a device's MemoryRegion
> > > +handlers, and set when device code initiates DMA.  The purpose of this
> > > +flag is to prevent two types of DMA-based reentrancy issues:
> > > +
> > > +1.) mmio -> dma -> mmio case
> > > +2.) bh -> dma write -> mmio case
> > > +
> > > +These issues have led to problems such as stack-exhaustion and
> > > +use-after-frees.
> > > +
> > > +Summary of the problem from Peter Maydell:
> > > +
> https://lore.kernel.org/qemu-devel/cafeaca_23vc7he3iam-jva6w38lk4hjowae5kcknhprd5fp...@mail.gmail.com
> > > +
> > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62
> > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540
> > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541
> > > +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556
> > > 

[OE-core][kirkstone][PATCH] inetutils: Fix CVE-2023-40303

2023-08-28 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-commit: 
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
& 
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d

Signed-off-by: Vijay Anusuri 
---
 ...tpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch | 282 ++
 ...03-Indent-changes-in-previous-commit.patch | 256 
 .../inetutils/inetutils_2.2.bb|   2 +
 3 files changed, 540 insertions(+)
 create mode 100644 
meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
 create mode 100644 
meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch

diff --git 
a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
 
b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
new file mode 100644
index 00..0f388ec424
--- /dev/null
+++ 
b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,282 @@
+From e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux 
+Date: Fri, 30 Jun 2023 19:02:45 +0200
+Subject: [PATCH] CVE-2023-40303 ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check 
set*id() return values
+
+Several setuid(), setgid(), seteuid() and setguid() return values
+were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
+leading to potential security issues.
+
+Signed-off-by: Jeffrey Bencteux 
+Signed-off-by: Simon Josefsson 
+
+Upstream-Status: Backport 
[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6]
+CVE: CVE-2023-40303
+Signed-off-by: Vijay Anusuri 
+---
+ ftpd/ftpd.c  | 10 +++---
+ src/rcp.c| 39 +--
+ src/rlogin.c | 11 +--
+ src/rsh.c| 25 +
+ src/rshd.c   | 20 +---
+ src/uucpd.c  | 15 +--
+ 6 files changed, 100 insertions(+), 20 deletions(-)
+
+diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
+index 68d41fd..703fbbc 100644
+--- a/ftpd/ftpd.c
 b/ftpd/ftpd.c
+@@ -865,7 +865,9 @@ end_login (struct credentials *pcred)
+   char *remotehost = pcred->remotehost;
+   int atype = pcred->auth_type;
+ 
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
++
+   if (pcred->logged_in)
+ {
+   logwtmp_keep_open (ttyline, "", "");
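Review bot: the new check in end_login() sits before the `if (pcred->logged_in)` block, so when seteuid() fails the process exits before `logwtmp_keep_open (ttyline, "", "")` writes the logout record. That is acceptable because the process cannot safely continue with an unknown effective uid, but it means a failed privilege transition leaves neither a wtmp entry nor a log line; a syslog call before `_exit` would close that gap.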
+@@ -1154,7 +1156,8 @@ getdatasock (const char *mode)
+ 
+   if (data >= 0)
+ return fdopen (data, mode);
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
+   s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
+   if (s < 0)
+ goto bad;
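Review bot: getdatasock() already has a `bad:` error path (the trailing context shows `goto bad` after a failed socket()), which presumably drops privileges and returns NULL so the caller can report the error to the client. The hunk instead `_exit`s the process on seteuid() failure; if that is deliberate because the euid state is unknown at that point and the `bad:` path would itself call seteuid, the commit message should say so, otherwise returning NULL via the existing path would keep the control connection usable for an error reply.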
+@@ -1981,7 +1984,8 @@ passive (int epsv, int af)
+   else/* !AF_INET6 */
+ ((struct sockaddr_in *) _addr)->sin_port = 0;
+ 
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
+   if (bind (pdata, (struct sockaddr *) _addr, pasv_addrlen) < 0)
+ {
+   if (seteuid ((uid_t) cred.uid))
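Review bot: the trailing context line `if (seteuid ((uid_t) cred.uid))` shows that the drop back to the user's uid in passive() was already checked before this patch; the hunk brings the escalation to uid 0 in line with it. The two checks react differently (unconditional `_exit` here; the existing branch's handling is not visible in this hunk), which is fine but worth one sentence in the description.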
+diff --git a/src/rcp.c b/src/rcp.c
+index 476cbaa..cd84570 100644
+--- a/src/rcp.c
 b/src/rcp.c
+@@ -348,14 +348,23 @@ main (int argc, char *argv[])
+   if (from_option)
+ { /* Follow "protocol", send data. */
+   response ();
+-  setuid (userid);
++
++  if (setuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() 
failed)");
++  }
++
+   source (argc, argv);
+   exit (errs);
+ }
+ 
+   if (to_option)
+ { /* Receive data. */
+-  setuid (userid);
++  if (setuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() 
failed)");
++  }
++
+   sink (argc, argv);
+   exit (errs);
+ }
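Review bot: the two new blocks in main() are identical, and the later hunks add two more copies in toremote() and tolocal(); a small static helper wrapping the setuid()/seteuid() call and the error() would keep the message text in one place and make it easy to pass `errno` instead of 0 as the errnum argument, so the message says why the drop failed.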
+@@ -540,7 +549,11 @@ toremote (char *targ, int argc, char *argv[])
+ if (response () < 0)
+   exit (EXIT_FAILURE);
+ free (bp);
+-setuid (userid);
++
++if (setuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() 
failed)");
++  }
+   }
+ source (1, argv + i);
+ close (rem);
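Review bot: the brace placement and indentation of the new block in toremote() do not match the surrounding GNU style, which is what the second patch in this series, 0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch (upstream 9122999252c7), corrects. Keeping this first patch verbatim so it matches upstream history is fine; the cover text should just mention that the second patch is whitespace only.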
+@@ -633,7 +646,12 @@ tolocal (int argc, char *argv[])
+ ++errs;
+ continue;
+   }
+-  seteuid (userid);
++
++  if (seteuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() 
failed)");
++  }
++
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+   sslen = sizeof (ss);
+   (void) getpeername (rem, (struct sockaddr *) , );
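Review bot: tolocal() uses seteuid(userid) rather than setuid(userid), i.e. a temporary drop, presumably because rcp needs to regain privileges later; the check is equally necessary here, since a failed seteuid() would leave the process at euid 0 for the sink() call that follows in the next hunk. The same remark about passing `errno` rather than 0 to error() applies.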
+@@ -646,7 +664,12 @@ tolocal (int argc, char *argv[])
+ #endif
+   vect[0] = target;
+   sink (1, vect);
+-  

[OE-core][dunfell][PATCH] go: Backport fix for CVE-2023-29409

2023-08-31 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-commit: 
https://github.com/golang/go/commit/2300f7ef07718f6be4d8aa8486c7de99836e233f

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/go/go-1.14.inc  |   1 +
 .../go/go-1.14/CVE-2023-29409.patch   | 175 ++
 2 files changed, 176 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index b2cf805d2d..20377e095b 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -69,6 +69,7 @@ SRC_URI += "\
 file://CVE-2023-29404.patch \
 file://CVE-2023-29400.patch \
 file://CVE-2023-29406.patch \
+file://CVE-2023-29409.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch
new file mode 100644
index 00..00685cc180
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29409.patch
@@ -0,0 +1,175 @@
+From 2300f7ef07718f6be4d8aa8486c7de99836e233f Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker 
+Date: Wed, 7 Jun 2023 15:27:13 -0700
+Subject: [PATCH] [release-branch.go1.19] crypto/tls: restrict RSA keys in
+ certificates to <= 8192 bits
+
+Extremely large RSA keys in certificate chains can cause a client/server
+to expend significant CPU time verifying signatures. Limit this by
+restricting the size of RSA keys transmitted during handshakes to <=
+8192 bits.
+
+Based on a survey of publicly trusted RSA keys, there are currently only
+three certificates in circulation with keys larger than this, and all
+three appear to be test certificates that are not actively deployed. It
+is possible there are larger keys in use in private PKIs, but we target
+the web PKI, so causing breakage here in the interests of increasing the
+default safety of users of crypto/tls seems reasonable.
+
+Thanks to Mateusz Poliwczak for reporting this issue.
+
+Updates #61460
+Fixes #61579
+Fixes CVE-2023-29409
+
+Change-Id: Ie35038515a649199a36a12fc2c5df3af855dca6c
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1912161
+Reviewed-by: Damien Neil 
+Reviewed-by: Tatiana Bradley 
+Run-TryBot: Roland Shoemaker 
+(cherry picked from commit d865c715d92887361e4bd5596e19e513f27781b7)
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1965487
+Reviewed-on: https://go-review.googlesource.com/c/go/+/514915
+Run-TryBot: David Chase 
+Reviewed-by: Matthew Dempsky 
+TryBot-Bypass: David Chase 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/2300f7ef07718f6be4d8aa8486c7de99836e233f]
+CVE: CVE-2023-29409
+Signed-off-by: Vijay Anusuri 
+---
+ src/crypto/tls/handshake_client.go  |  8 +++
+ src/crypto/tls/handshake_client_test.go | 78 +
+ src/crypto/tls/handshake_server.go  |  4 ++
+ 3 files changed, 90 insertions(+)
+
+diff --git a/src/crypto/tls/handshake_client.go 
b/src/crypto/tls/handshake_client.go
+index 4fb528c..ba33ea1 100644
+--- a/src/crypto/tls/handshake_client.go
 b/src/crypto/tls/handshake_client.go
+@@ -788,6 +788,10 @@ func (hs *clientHandshakeState) sendFinished(out []byte) 
error {
+   return nil
+ }
+ 
++// maxRSAKeySize is the maximum RSA key size in bits that we are willing
++// to verify the signatures of during a TLS handshake.
++const maxRSAKeySize = 8192
++
+ // verifyServerCertificate parses and verifies the provided chain, setting
+ // c.verifiedChains and c.peerCertificates or sending the appropriate alert.
+ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
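Review bot: maxRSAKeySize is declared in handshake_client.go but, per the diffstat, is also used by the 4 lines added to handshake_server.go; that compiles because both files are in package tls, but placing the limit in common.go alongside the other handshake limits would make it easier to find. 8192 bits matches the upstream value and the commit message's survey rationale.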
+@@ -798,6 +802,10 @@ func (c *Conn) verifyServerCertificate(certificates 
[][]byte) error {
+   c.sendAlert(alertBadCertificate)
+   return errors.New("tls: failed to parse certificate 
from server: " + err.Error())
+   }
++  if cert.PublicKeyAlgorithm == x509.RSA && 
cert.PublicKey.(*rsa.PublicKey).N.BitLen() > maxRSAKeySize {
++  c.sendAlert(alertBadCertificate)
++  return fmt.Errorf("tls: server sent certificate 
containing RSA key larger than %d bits", maxRSAKeySize)
++  }
+   certs[i] = cert
+   }
+ 
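Review bot: the check runs on each parsed certificate before any signature verification, which is the point: the cost being limited is verifying signatures made with huge keys, so rejecting early with alertBadCertificate is what bounds the CPU spend. The unchecked type assertion `cert.PublicKey.(*rsa.PublicKey)` is safe only because x509.ParseCertificate guarantees that PublicKeyAlgorithm == x509.RSA implies an *rsa.PublicKey; a short comment saying so would stop a future reader from "fixing" it into a two-value assertion.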
+diff --git a/src/crypto/tls/handshake_client_test.go 
b/src/crypto/tls/handshake_client_test.go
+index 6bd3c37..8d20b2b 100644
+--- a/src/crypto/tls/handshake_client_test.go
 b/src/crypto/tls/handshake_client_test.go
+@@ -1984,3 +1984,81 @@ func TestCloseClientConnectionOnIdleServer(t 
*testing.T) {
+   t.Errorf("Error expected, but no error returned")
+   }
+ }
++
++// discardConn wraps a net.Conn but discards all writes, but reports that 
they happened.
++type discardConn struct {
++  net.Conn
++}
++
++func (dc *discardConn) Write(data []byte) (int, error) {
++  

[OE-core][dunfell][PATCH] tiff: CVE patch correction for CVE-2023-3576

2023-10-30 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

- The commit 
[https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
fixes CVE-2023-3576
- Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch
- Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576
 https://security-tracker.debian.org/tracker/CVE-2023-3618

Signed-off-by: Vijay Anusuri 
---
 .../files/{CVE-2023-3618-1.patch => CVE-2023-3576.patch}  | 3 ++-
 .../files/{CVE-2023-3618-2.patch => CVE-2023-3618.patch}  | 0
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)
 rename meta/recipes-multimedia/libtiff/files/{CVE-2023-3618-1.patch => 
CVE-2023-3576.patch} (93%)
 rename meta/recipes-multimedia/libtiff/files/{CVE-2023-3618-2.patch => 
CVE-2023-3618.patch} (100%)

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch
similarity index 93%
rename from meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch
rename to meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch
index 35ed852519..67837fe142 100644
--- a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3576.patch
@@ -4,8 +4,9 @@ Date: Tue, 7 Mar 2023 15:02:08 +0800
 Subject: [PATCH] Fix memory leak in tiffcrop.c
 
 Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
-CVE: CVE-2023-3618
+CVE: CVE-2023-3576
 Signed-off-by: Hitendra Prajapati 
+Signed-off-by: Vijay Anusuri 
 ---
  tools/tiffcrop.c | 7 ++-
  1 file changed, 6 insertions(+), 1 deletion(-)
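Review bot: flipping the `CVE:` tag from CVE-2023-3618 to CVE-2023-3576 in a patch whose subject is "Fix memory leak in tiffcrop.c", together with the file rename, means cve-check will no longer credit this patch against CVE-2023-3618; that CVE is now covered only by the renamed CVE-2023-3618.patch. The commit message should state explicitly that CVE-2023-3618 remains fixed by that second patch, since the Debian tracker is cited for both IDs. The 93% similarity confirms no code change.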
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch
similarity index 100%
rename from meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch
rename to meta/recipes-multimedia/libtiff/files/CVE-2023-3618.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 6df4244697..d27381b4cd 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -43,8 +43,8 @@ SRC_URI = 
"http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-26966.patch \
file://CVE-2023-2908.patch \
file://CVE-2023-3316.patch \
-   file://CVE-2023-3618-1.patch \
-   file://CVE-2023-3618-2.patch \
+   file://CVE-2023-3576.patch \
+   file://CVE-2023-3618.patch \
   "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = 
"5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
-- 
2.25.1





[OE-core][dunfell][PATCH v2] xserver-xorg: Fix for CVE-2023-5367 and CVE-2023-5380

2023-11-07 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]

Signed-off-by: Vijay Anusuri 
---
 .../xserver-xorg/CVE-2023-5367.patch  |  84 +++
 .../xserver-xorg/CVE-2023-5380.patch  | 102 ++
 .../xorg-xserver/xserver-xorg_1.20.14.bb  |   2 +
 3 files changed, 188 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
new file mode 100644
index 00..508588481e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
@@ -0,0 +1,84 @@
+From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+  [N, N, N, ?, ?, P, P, P ] P, P
+^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer 
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a]
+CVE: CVE-2023-5367
+Signed-off-by: Vijay Anusuri 
+---
+ Xi/xiproperty.c| 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
 b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, 
Atom type,
+ XIDestroyDeviceProperty(prop);
+ return BadAlloc;
+ }
+-new_value.size = len;
++new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+ 
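Review bot: `total_len` is not defined anywhere in this hunk's context, so the backport relies on 1.20.14's XIChangeDeviceProperty already computing it (len plus prop_value->size for the Append/Prepend modes) and using it for the allocation that precedes the `return BadAlloc;` shown here. Please confirm that in the dunfell source rather than trusting a clean `patch` apply: if the allocation there were still sized by `len`, switching `new_value.size` to `total_len` would over-report the element count instead of fixing it.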
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, 
Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+-  (prop_value->size * size_in_bytes));
++  (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
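Review bot: this offset change is the memory-safety part of the patch and the commit message's numbers line up with it. With `len` new elements placed at the start of the buffer, the old elements belong at byte offset `len * size_in_bytes`; the old code used `prop_value->size`, so for 3 new and 5 old elements the 5-element copy started at element 5 of an 8-element allocation and ran 2 elements past it. The PropModeAppend case is absent from the hunk, which is right: there the old data stays at offset 0 and only the size bookkeeping in the previous hunk was wrong.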
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
 b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, 
Atom type,
+ RRDestroyOutputProperty(prop);
+ return BadAlloc;
+ }
+-new_value.size = len;
++new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+ 
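Review bot: same `len` to `total_len` change as in Xi/xiproperty.c, and the surrounding lines (`RRDestroyOutputProperty(prop); return BadAlloc;`) show the same structure, consistent with the commit message's note that the XI2 code was copied from RandR. The same check applies here: confirm `total_len` is in scope in 1.20.14's RRChangeOutputProperty before the allocation, since the hunk does not show it.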
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, 
Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+-  (prop_value->size * size_in_bytes));
++  (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
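Review bot: nothing wrong in the hunk itself, but since this is the fourth copy of a two-line fix with no test attached, a regression check in the commit message would help: create a 5-element output property, change it with PropModePrepend and 3 elements, then read it back with XRRGetOutputProperty and verify nitems is 8 with the new elements first. Before the patch the server reports 3, and the copy past the end of the allocation is the OOB write the commit message describes.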
+-- 
+GitLab
+
diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
new file mode 100644
index 00..720340d83b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
@@ -0,0 +1,102 @@
+From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor 
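Before the next posting, an added example (written for this page, not xserver code) that models the arithmetic the CVE-2023-5367 hunks above correct. The names len, total_len, prop_value->size and size_in_bytes follow the hunks; PropValue, Outcome, compute_change and build_prepended are simplifications assumed for the model. The first function reproduces both the pre-patch and the patched bookkeeping without ever writing out of bounds, and the second performs the patched prepend for real on the commit message's 3-into-5 case.

```c
/* Added example for this page (not xserver code): a model of the
 * property append/prepend arithmetic that CVE-2023-5367 fixes.  The
 * variable names follow the hunk (len, total_len, prop_value->size,
 * size_in_bytes); PropValue, Outcome and the two functions are
 * simplifications assumed for the model. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PropModeReplace, PropModePrepend, PropModeAppend };

typedef struct {
    const uint8_t *data;   /* existing elements */
    size_t size;           /* existing element count, prop_value->size */
} PropValue;

typedef struct {
    size_t alloc_bytes;    /* bytes allocated for the merged value */
    size_t old_offset;     /* byte offset the old elements are copied to */
    size_t old_bytes;      /* length of that copy */
    size_t reported_size;  /* what new_value.size is set to */
    int oob;               /* 1 if the copy ends past alloc_bytes */
} Outcome;

/* compute_change mirrors XIChangeDeviceProperty's Prepend/Append path.
 * fixed == 0 reproduces the pre-patch code (size = len, old data placed
 * at prop_value->size); fixed == 1 applies the patch (size = total_len,
 * old data placed at len).  It only computes where the copy of the old
 * elements would land; it never writes out of bounds. */
static Outcome compute_change(const PropValue *prop_value, size_t len,
                              size_t size_in_bytes, int mode, int fixed)
{
    Outcome o = {0};
    size_t total_len = len + prop_value->size;  /* allocation, in elements */
    size_t old_elems;

    o.alloc_bytes = total_len * size_in_bytes;
    if (mode == PropModePrepend)
        old_elems = fixed ? len : prop_value->size;  /* buggy offset when !fixed */
    else                                             /* PropModeAppend */
        old_elems = 0;                               /* old data stays first */

    o.old_offset = old_elems * size_in_bytes;
    o.old_bytes = prop_value->size * size_in_bytes;
    o.reported_size = fixed ? total_len : len;       /* size bug when !fixed */
    o.oob = (o.old_offset + o.old_bytes > o.alloc_bytes);
    return o;
}

/* build_prepended performs the patched prepend for real and returns the
 * merged buffer (caller frees); *out_size receives the element count. */
static uint8_t *build_prepended(const PropValue *prop_value,
                                const uint8_t *new_elems, size_t len,
                                size_t size_in_bytes, size_t *out_size)
{
    Outcome o = compute_change(prop_value, len, size_in_bytes,
                               PropModePrepend, 1);
    uint8_t *buf;

    assert(!o.oob);
    buf = calloc(o.alloc_bytes, 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, new_elems, len * size_in_bytes);                /* new_data */
    memcpy(buf + o.old_offset, prop_value->data, o.old_bytes);  /* old_data */
    *out_size = o.reported_size;
    return buf;
}

int main(void)
{
    /* Constructed input from the commit message: 5 existing elements
     * ('P'), 3 prepended ('N'), one byte per element (format 8). */
    PropValue prop = { (const uint8_t *)"PPPPP", 5 };
    Outcome bad = compute_change(&prop, 3, 1, PropModePrepend, 0);
    Outcome good = compute_change(&prop, 3, 1, PropModePrepend, 1);
    size_t n = 0;
    uint8_t *buf = build_prepended(&prop, (const uint8_t *)"NNN", 3, 1, &n);

    printf("before: size=%zu copy=[%zu,%zu) alloc=%zu oob=%d\n",
           bad.reported_size, bad.old_offset, bad.old_offset + bad.old_bytes,
           bad.alloc_bytes, bad.oob);
    printf("after:  size=%zu copy=[%zu,%zu) alloc=%zu oob=%d\n",
           good.reported_size, good.old_offset,
           good.old_offset + good.old_bytes, good.alloc_bytes, good.oob);
    if (buf != NULL) {
        printf("merged: %.*s (%zu elements)\n", (int)n, (const char *)buf, n);
        free(buf);
    }
    return 0;
}
```

Running it prints the pre-patch copy landing at bytes [5,10) of an 8-byte allocation with the size reported as 3, and the patched copy at [3,8) with size 8 and the merged value NNNPPPPP. Passing PropModeAppend to compute_change shows why the second hunk does not touch that mode: the copy stays in bounds and only the reported size was wrong.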

[OE-core][mickledore][kirkstone][PATCH v2] xserver-xorg: Fix for CVE-2023-5367 and CVE-2023-5380

2023-11-07 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]

Signed-off-by: Vijay Anusuri 
---
 .../xserver-xorg/CVE-2023-5367.patch  |  84 +++
 .../xserver-xorg/CVE-2023-5380.patch  | 102 ++
 .../xorg-xserver/xserver-xorg_21.1.8.bb   |   2 +
 3 files changed, 188 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
new file mode 100644
index 00..508588481e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
@@ -0,0 +1,84 @@
+From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+  [N, N, N, ?, ?, P, P, P ] P, P
+^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer 
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a]
+CVE: CVE-2023-5367
+Signed-off-by: Vijay Anusuri 
+---
+ Xi/xiproperty.c| 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
 b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, 
Atom type,
+ XIDestroyDeviceProperty(prop);
+ return BadAlloc;
+ }
+-new_value.size = len;
++new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+ 
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, 
Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+-  (prop_value->size * size_in_bytes));
++  (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
 b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, 
Atom type,
+ RRDestroyOutputProperty(prop);
+ return BadAlloc;
+ }
+-new_value.size = len;
++new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+ 
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, 
Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+-  (prop_value->size * size_in_bytes));
++  (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
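Review bot: this file is byte-identical to the one in the dunfell v2 posting (same blob index 508588481e), so the unverified assumption that `total_len` is in scope in both XIChangeDeviceProperty and RRChangeOutputProperty carries over to 21.1.8. One sentence in the commit message saying the upstream commit applies without context changes on both 1.20.14 and 21.1.8 would save the next reviewer the diff.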
+-- 
+GitLab
+
diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
new file mode 100644
index 00..57e2a5abdf
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
@@ -0,0 +1,102 @@
+From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor 
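Review bot: the CVE-2023-5380.patch added here has blob index 57e2a5abdf, whereas the dunfell v2 posting adds a CVE-2023-5380.patch with index 720340d83b for the same upstream commit 564ccf2c, so the two branches carry different bytes. The body is cut off on this page and the difference cannot be reviewed here; please state in the commit message what was adjusted (usually context lines for the older mi/ code) so the variation is clearly deliberate rather than a stale copy.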

[OE-core][kirkstone][PATCH] tiff: CVE patch correction for CVE-2023-3576

2023-10-30 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

- The commit 
[https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
fixes CVE-2023-3576
- Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch
- Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576
 https://security-tracker.debian.org/tracker/CVE-2023-3618

Signed-off-by: Vijay Anusuri 
---
 .../tiff/{CVE-2023-3618-1.patch => CVE-2023-3576.patch}   | 3 ++-
 .../tiff/{CVE-2023-3618-2.patch => CVE-2023-3618.patch}   | 0
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-1.patch => 
CVE-2023-3576.patch} (93%)
 rename meta/recipes-multimedia/libtiff/tiff/{CVE-2023-3618-2.patch => 
CVE-2023-3618.patch} (100%)

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
similarity index 93%
rename from meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
rename to meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
index 8f55d2b496..b17dd72170 100644
--- a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-1.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3576.patch
@@ -4,8 +4,9 @@ Date: Tue, 7 Mar 2023 15:02:08 +0800
 Subject: [PATCH] Fix memory leak in tiffcrop.c
 
 Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
-CVE: CVE-2023-3618
+CVE: CVE-2023-3576
 Signed-off-by: Hitendra Prajapati 
+Signed-off-by: Vijay Anusuri 
 ---
  tools/tiffcrop.c | 7 ++-
  1 file changed, 6 insertions(+), 1 deletion(-)
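Review bot: the CVE: tag flip from CVE-2023-3618 to CVE-2023-3576 is what cve-check keys on, so this hunk is the substance of the correction, and the Subject `Fix memory leak in tiffcrop.c` is consistent with tracking 3576 against commit 881a0701 as the cover text states. Consider adding the two Debian tracker URLs from the cover text to the patch header as well, so the reasoning for the rename survives once the mailing-list thread is gone.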
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch
similarity index 100%
rename from meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618-2.patch
rename to meta/recipes-multimedia/libtiff/tiff/CVE-2023-3618.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 8dcd73273e..e925b7d652 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -40,8 +40,8 @@ SRC_URI = 
"http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-26965.patch \
file://CVE-2023-2908.patch \
file://CVE-2023-3316.patch \
-   file://CVE-2023-3618-1.patch \
-   file://CVE-2023-3618-2.patch \
+   file://CVE-2023-3576.patch \
+   file://CVE-2023-3618.patch \
file://CVE-2023-26966.patch \
file://CVE-2022-40090.patch \
file://CVE-2023-1916.patch \
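Review bot: both renamed files keep their position in SRC_URI, so do_patch order is unchanged. The one thing to double check is that no bbappend in another layer refers to CVE-2023-3618-1.patch or CVE-2023-3618-2.patch by name (for example via SRC_URI:remove), since the rename would break the fetch there. The dunfell tiff_4.1.0.bb receives the same rename in a separate posting on this page.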
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#189829): 
https://lists.openembedded.org/g/openembedded-core/message/189829
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][dunfell][PATCH] xserver-xorg: Fix for CVE-2023-5367 CVE-2023-5380 and CVE-2023-5574

2023-11-05 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586]

Signed-off-by: Vijay Anusuri 
---
 .../xserver-xorg/CVE-2023-5367.patch  |  84 +
 .../xserver-xorg/CVE-2023-5380.patch  | 102 
 .../xserver-xorg/CVE-2023-5574-1.patch| 113 ++
 .../xserver-xorg/CVE-2023-5574-2.patch|  42 +++
 .../xserver-xorg/CVE-2023-5574-3.patch|  54 +
 .../xorg-xserver/xserver-xorg_1.20.14.bb  |   5 +
 6 files changed, 400 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
new file mode 100644
index 00..508588481e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
@@ -0,0 +1,84 @@
+From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+  [N, N, N, ?, ?, P, P, P ] P, P
+^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer 
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a]
+CVE: CVE-2023-5367
+Signed-off-by: Vijay Anusuri 
+---
+ Xi/xiproperty.c| 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
 b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, 
Atom type,
+ XIDestroyDeviceProperty(prop);
+ return BadAlloc;
+ }
+-new_value.size = len;
++new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+ 
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, 
Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+-  (prop_value->size * size_in_bytes));
++  (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
 b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, 
Atom type,
+ RRDestroyOutputProperty(prop);
+ return BadAlloc;
+ }
+-new_value.size = len;
++new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+ 
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, 
Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+-  (prop_value->size * size_in_bytes));
++  (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
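Review bot: this v1 bundles the three CVE-2023-5574 patches with the two above; following Ross Burton's reply in this thread asking for master first, the 5574 set went to master separately and the dunfell v2 posting (2023-11-07) carries only CVE-2023-5367 and CVE-2023-5380. Review the v2 for dunfell; the 5367 hunks here are identical to it (blob index 508588481e).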
+-- 
+GitLab
+
diff --git 

[OE-core][kirkstone][PATCH] xserver-xorg: Fix for CVE-2023-5367 CVE-2023-5380 and CVE-2023-5574

2023-11-06 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586]

Signed-off-by: Vijay Anusuri 
---
 .../xserver-xorg/CVE-2023-5367.patch  |  84 +
 .../xserver-xorg/CVE-2023-5380.patch  | 102 
 .../xserver-xorg/CVE-2023-5574-1.patch| 113 ++
 .../xserver-xorg/CVE-2023-5574-2.patch|  42 +++
 .../xserver-xorg/CVE-2023-5574-3.patch|  54 +
 .../xorg-xserver/xserver-xorg_21.1.8.bb   |   5 +
 6 files changed, 400 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
new file mode 100644
index 00..508588481e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
@@ -0,0 +1,84 @@
+From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Tue, 3 Oct 2023 11:53:05 +1000
+Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
+
+The handling of appending/prepending properties was incorrect, with at
+least two bugs: the property length was set to the length of the new
+part only, i.e. appending or prepending N elements to a property with P
+existing elements always resulted in the property having N elements
+instead of N + P.
+
+Second, when pre-pending a value to a property, the offset for the old
+values was incorrect, leaving the new property with potentially
+uninitalized values and/or resulting in OOB memory writes.
+For example, prepending a 3 element value to a 5 element property would
+result in this 8 value array:
+  [N, N, N, ?, ?, P, P, P ] P, P
+^OOB write
+
+The XI2 code is a copy/paste of the RandR code, so the bug exists in
+both.
+
+CVE-2023-5367, ZDI-CAN-22153
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer 
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a]
+CVE: CVE-2023-5367
+Signed-off-by: Vijay Anusuri 
+---
+ Xi/xiproperty.c| 4 ++--
+ randr/rrproperty.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
+index 066ba21fba..d315f04d0e 100644
+--- a/Xi/xiproperty.c
 b/Xi/xiproperty.c
+@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, 
Atom type,
+ XIDestroyDeviceProperty(prop);
+ return BadAlloc;
+ }
+-new_value.size = len;
++new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+ 
+@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom property, 
Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+-  (prop_value->size * size_in_bytes));
++  (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
+diff --git a/randr/rrproperty.c b/randr/rrproperty.c
+index c2fb9585c6..25469f57b2 100644
+--- a/randr/rrproperty.c
 b/randr/rrproperty.c
+@@ -209,7 +209,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, 
Atom type,
+ RRDestroyOutputProperty(prop);
+ return BadAlloc;
+ }
+-new_value.size = len;
++new_value.size = total_len;
+ new_value.type = type;
+ new_value.format = format;
+ 
+@@ -226,7 +226,7 @@ RRChangeOutputProperty(RROutputPtr output, Atom property, 
Atom type,
+ case PropModePrepend:
+ new_data = new_value.data;
+ old_data = (void *) (((char *) new_value.data) +
+-  (prop_value->size * size_in_bytes));
++  (len * size_in_bytes));
+ break;
+ }
+ if (new_data)
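Review bot: superseded the same way as the dunfell v1: the v2 for mickledore and kirkstone (2023-11-07) drops the CVE-2023-5574 patches, and the reply in this thread asks for the kirkstone change to be applied to mickledore as well since both ship xserver-xorg 21.1.8. The 5367 hunks here are identical to the v2 ones (blob index 508588481e), so there is nothing further to review in them.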
+-- 
+GitLab
+
diff --git 

Re: [OE-core][kirkstone][PATCH] xserver-xorg: Fix for CVE-2023-5367 CVE-2023-5380 and CVE-2023-5574

2023-11-06 Thread Vijay Anusuri via lists.openembedded.org
Hi Steve,

Xserver-xorg version is the same for both mickledore and kirkstone. Could
you please merge this patch to mickledore along with kirkstone?

Thanks & Regards,
Vijay

On Mon, Nov 6, 2023 at 4:51 PM Vijay Anusuri via lists.openembedded.org
 wrote:

> From: Vijay Anusuri 
>
> Upstream-Status: Backport
> [
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
> &
>
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7
> &
>
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f
> &
>
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f
> &
>
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586
> ]
>
> Signed-off-by: Vijay Anusuri 
> ---
>  .../xserver-xorg/CVE-2023-5367.patch  |  84 +
>  .../xserver-xorg/CVE-2023-5380.patch  | 102 
>  .../xserver-xorg/CVE-2023-5574-1.patch| 113 ++
>  .../xserver-xorg/CVE-2023-5574-2.patch|  42 +++
>  .../xserver-xorg/CVE-2023-5574-3.patch|  54 +
>  .../xorg-xserver/xserver-xorg_21.1.8.bb   |   5 +
>  6 files changed, 400 insertions(+)
>  create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
>  create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
>  create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch
>  create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch
>  create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch
>
> diff --git
> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
> new file mode 100644
> index 00..508588481e
> --- /dev/null
> +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
> @@ -0,0 +1,84 @@
> +From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
> +From: Peter Hutterer 
> +Date: Tue, 3 Oct 2023 11:53:05 +1000
> +Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
> +
> +The handling of appending/prepending properties was incorrect, with at
> +least two bugs: the property length was set to the length of the new
> +part only, i.e. appending or prepending N elements to a property with P
> +existing elements always resulted in the property having N elements
> +instead of N + P.
> +
> +Second, when pre-pending a value to a property, the offset for the old
> +values was incorrect, leaving the new property with potentially
> +uninitalized values and/or resulting in OOB memory writes.
> +For example, prepending a 3 element value to a 5 element property would
> +result in this 8 value array:
> +  [N, N, N, ?, ?, P, P, P ] P, P
> +^OOB write
> +
> +The XI2 code is a copy/paste of the RandR code, so the bug exists in
> +both.
> +
> +CVE-2023-5367, ZDI-CAN-22153
> +
> +This vulnerability was discovered by:
> +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> +
> +Signed-off-by: Peter Hutterer 
> +
> +Upstream-Status: Backport [
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
> ]
> +CVE: CVE-2023-5367
> +Signed-off-by: Vijay Anusuri 
> +---
> + Xi/xiproperty.c| 4 ++--
> + randr/rrproperty.c | 4 ++--
> + 2 files changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
> +index 066ba21fba..d315f04d0e 100644
> +--- a/Xi/xiproperty.c
>  b/Xi/xiproperty.c
> +@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom
> property, Atom type,
> + XIDestroyDeviceProperty(prop);
> + return BadAlloc;
> + }
> +-new_value.size = len;
> ++new_value.size = total_len;
> + new_value.type = type;
> + new_value.format = format;
> +
> +@@ -747,7 +747,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom
> property, Atom type,
> + case PropModePrepend:
> + new_data = new_val

Re: [OE-core][dunfell][PATCH] xserver-xorg: Fix for CVE-2023-5367 CVE-2023-5380 and CVE-2023-5574

2023-11-06 Thread Vijay Anusuri via lists.openembedded.org
Sure, Ross.

Thanks & Regards,
Vijay

On Mon, Nov 6, 2023 at 4:08 PM Ross Burton  wrote:

> It would be much appreciated if you could submit to master first and then
> backport to the stable releases, as it makes tracking what releases have
> been fixed a lot easier.
>
> Ross
>
> > On 6 Nov 2023, at 05:47, Vijay Anusuri via lists.openembedded.org
>  wrote:
> >
> > From: Vijay Anusuri 
> >
> > Upstream-Status: Backport
> > [
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
> > &
> >
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7
> > &
> >
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f
> > &
> >
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f
> > &
> >
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586
> ]
> >
> > Signed-off-by: Vijay Anusuri 
> > ---
> > .../xserver-xorg/CVE-2023-5367.patch  |  84 +
> > .../xserver-xorg/CVE-2023-5380.patch  | 102 
> > .../xserver-xorg/CVE-2023-5574-1.patch| 113 ++
> > .../xserver-xorg/CVE-2023-5574-2.patch|  42 +++
> > .../xserver-xorg/CVE-2023-5574-3.patch|  54 +
> > .../xorg-xserver/xserver-xorg_1.20.14.bb  |   5 +
> > 6 files changed, 400 insertions(+)
> > create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
> > create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
> > create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch
> > create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch
> > create mode 100644
> meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch
> >
> > diff --git
> a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
> b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
> > new file mode 100644
> > index 00..508588481e
> > --- /dev/null
> > +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
> > @@ -0,0 +1,84 @@
> > +From 541ab2ecd41d4d8689e71855d93e492bc554719a Mon Sep 17 00:00:00 2001
> > +From: Peter Hutterer 
> > +Date: Tue, 3 Oct 2023 11:53:05 +1000
> > +Subject: [PATCH] Xi/randr: fix handling of PropModeAppend/Prepend
> > +
> > +The handling of appending/prepending properties was incorrect, with at
> > +least two bugs: the property length was set to the length of the new
> > +part only, i.e. appending or prepending N elements to a property with P
> > +existing elements always resulted in the property having N elements
> > +instead of N + P.
> > +
> > +Second, when pre-pending a value to a property, the offset for the old
> > +values was incorrect, leaving the new property with potentially
> > +uninitalized values and/or resulting in OOB memory writes.
> > +For example, prepending a 3 element value to a 5 element property would
> > +result in this 8 value array:
> > +  [N, N, N, ?, ?, P, P, P ] P, P
> > +^OOB write
> > +
> > +The XI2 code is a copy/paste of the RandR code, so the bug exists in
> > +both.
> > +
> > +CVE-2023-5367, ZDI-CAN-22153
> > +
> > +This vulnerability was discovered by:
> > +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
> > +
> > +Signed-off-by: Peter Hutterer 
> > +
> > +Upstream-Status: Backport [
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
> ]
> > +CVE: CVE-2023-5367
> > +Signed-off-by: Vijay Anusuri 
> > +---
> > + Xi/xiproperty.c| 4 ++--
> > + randr/rrproperty.c | 4 ++--
> > + 2 files changed, 4 insertions(+), 4 deletions(-)
> > +
> > +diff --git a/Xi/xiproperty.c b/Xi/xiproperty.c
> > +index 066ba21fba..d315f04d0e 100644
> > +--- a/Xi/xiproperty.c
> >  b/Xi/xiproperty.c
> > +@@ -730,7 +730,7 @@ XIChangeDeviceProperty(DeviceIntPtr dev, Atom
> property, Atom type,
> > + XIDestroyDeviceProperty(prop);
> > + return BadAlloc;
> > + }
> > +-new_value.size = len;
> > ++new_value.size = total_len;
> > + new_value.type = type;
> > + new_value.format = format;
> > +
> > +@@ -747,7 +747,7 @@ XIChangeDeviceProperty

[OE-core][master][PATCH] xserver-xorg: Fix for CVE-2023-5574

2023-11-06 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/b6fe3f924aecac6d6e311673511ce61aa2f7a81f
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab2c58ba4719fc31c19c7829b06bdba8a88bd586]

Signed-off-by: Vijay Anusuri 
---
 .../xserver-xorg/CVE-2023-5574-1.patch| 113 ++
 .../xserver-xorg/CVE-2023-5574-2.patch|  42 +++
 .../xserver-xorg/CVE-2023-5574-3.patch|  54 +
 .../xorg-xserver/xserver-xorg_21.1.9.bb   |   3 +
 4 files changed, 212 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-3.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch
new file mode 100644
index 00..9a8e583e78
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-1.patch
@@ -0,0 +1,113 @@
+From 1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Thu, 12 Oct 2023 12:44:13 +1000
+Subject: [PATCH] fb: properly wrap/unwrap CloseScreen
+
+fbCloseScreen assumes that it overrides miCloseScreen (which just
+calls FreePixmap(screen->devPrivates)) and emulates that instead of
+wrapping it.
+
+This is a wrong assumption, we may have ShmCloseScreen in the mix too,
+resulting in leaks (see below). Fix this by properly setting up the
+CloseScreen wrapper.
+
+This means we no longer need the manual DestroyPixmap call in
+vfbCloseScreen, reverting d348ab06aae21c153ecbc3511aeafc8ab66d8303
+
+CVE-2023-5574, ZDI-CAN-21213
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer 
+Reviewed-by: Adam Jackson 
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/1953f460b9ad1a9cdf0fcce70f6ad3310b713d5f]
+CVE: CVE-2023-5574
+Signed-off-by: Vijay Anusuri 
+---
+ fb/fb.h |  1 +
+ fb/fbscreen.c   | 14 ++
+ hw/vfb/InitOutput.c |  7 ---
+ 3 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/fb/fb.h b/fb/fb.h
+index d157b6956d..cd7bd05d21 100644
+--- a/fb/fb.h
 b/fb/fb.h
+@@ -410,6 +410,7 @@ typedef struct {
+ #endif
+ DevPrivateKeyRecgcPrivateKeyRec;
+ DevPrivateKeyRecwinPrivateKeyRec;
++CloseScreenProcPtr  CloseScreen;
+ } FbScreenPrivRec, *FbScreenPrivPtr;
+ 
+ #define fbGetScreenPrivate(pScreen) ((FbScreenPrivPtr) \
+diff --git a/fb/fbscreen.c b/fb/fbscreen.c
+index 4ab807ab50..c481033f98 100644
+--- a/fb/fbscreen.c
 b/fb/fbscreen.c
+@@ -29,6 +29,7 @@
+ Bool
+ fbCloseScreen(ScreenPtr pScreen)
+ {
++FbScreenPrivPtr screen_priv = fbGetScreenPrivate(pScreen);
+ int d;
+ DepthPtr depths = pScreen->allowedDepths;
+ 
+@@ -37,9 +38,10 @@ fbCloseScreen(ScreenPtr pScreen)
+ free(depths[d].vids);
+ free(depths);
+ free(pScreen->visuals);
+-if (pScreen->devPrivate)
+-FreePixmap((PixmapPtr)pScreen->devPrivate);
+-return TRUE;
++
++pScreen->CloseScreen = screen_priv->CloseScreen;
++
++return pScreen->CloseScreen(pScreen);
+ }
+ 
+ Bool
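Review bot: fbCloseScreen now dereferences screen_priv->CloseScreen unconditionally (`pScreen->CloseScreen = screen_priv->CloseScreen;` followed by `return pScreen->CloseScreen(pScreen);`), so it relies on fbFinishScreenInit having always stored the wrapped pointer; a screen that installed fbCloseScreen by any other route would call NULL. A short assert or NULL guard would document that contract. The behavioural change itself is right: the removed `FreePixmap(pScreen->devPrivate)` plus `return TRUE` short-circuited every CloseScreen wrapped beneath fb, which is the leak the commit message describes.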
+@@ -144,6 +146,7 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int 
xsize, int ysize,
+int dpix, int dpiy, int width, int bpp)
+ #endif
+ {
++FbScreenPrivPtr screen_priv;
+ VisualPtr visuals;
+ DepthPtr depths;
+ int nvisuals;
+@@ -177,8 +180,11 @@ fbFinishScreenInit(ScreenPtr pScreen, void *pbits, int 
xsize, int ysize,
+   rootdepth, ndepths, depths,
+   defaultVisual, nvisuals, visuals))
+ return FALSE;
+-/* overwrite miCloseScreen with our own */
++
++screen_priv = fbGetScreenPrivate(pScreen);
++screen_priv->CloseScreen = pScreen->CloseScreen;
+ pScreen->CloseScreen = fbCloseScreen;
++
+ return TRUE;
+ }
+ 
+diff --git a/hw/vfb/InitOutput.c b/hw/vfb/InitOutput.c
+index 48efb61b2f..076fb7defa 100644
+--- a/hw/vfb/InitOutput.c
 b/hw/vfb/InitOutput.c
+@@ -720,13 +720,6 @@ vfbCloseScreen(ScreenPtr pScreen)
+ 
+ pScreen->CloseScreen = pvfb->closeScreen;
+ 
+-/*
+- * fb overwrites miCloseScreen, so do this here
+- */
+-if (pScreen->devPrivate)
+-(*pScreen->DestroyPixmap) (pScreen->devPrivate);
+-pScreen->devPrivate = NULL;
+-
+ return pScreen->CloseScreen(pScreen);
+ }
+ 
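Review bot: dropping the `DestroyPixmap(pScreen->devPrivate)` block in vfbCloseScreen is only safe together with the fb/fbscreen.c change in the same patch: once fbCloseScreen chains to the CloseScreen it wrapped, the miCloseScreen FreePixmap of devPrivate is reached again and the vfb workaround becomes redundant. The two hunks must therefore not be split across backports, and since `pScreen->devPrivate = NULL` is gone, vfb must not touch devPrivate after the chained `pScreen->CloseScreen(pScreen)` returns.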
+-- 
+GitLab
+
diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5574-2.patch
new file mode 100644
index 00..2cdef752c7
--- /dev/null
+++ 

Re: [OE-core][dunfell][PATCH] ghostscript: fix CVE-2023-36664

2023-09-29 Thread Vijay Anusuri via lists.openembedded.org
Hi Steve,

Any update on this ?

Thanks & Regards,
Vijay

On Tue, Sep 26, 2023 at 10:01 AM  wrote:

> From: Vijay Anusuri 
>
> Artifex Ghostscript through 10.01.2 mishandles permission validation for
> pipe devices (with the %pipe% prefix or the | pipe character prefix).
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2023-36664
>
> Upstream commits:
>
> https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5
>
> https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea
>
> https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099
>
> Signed-off-by: Vijay Anusuri 
> ---
>  .../ghostscript/CVE-2023-36664-1.patch| 145 ++
>  .../ghostscript/CVE-2023-36664-2.patch|  60 
>  .../ghostscript/CVE-2023-36664-pre1.patch |  62 
>  .../ghostscript/ghostscript_9.52.bb   |   3 +
>  4 files changed, 270 insertions(+)
>  create mode 100644
> meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
>  create mode 100644
> meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
>  create mode 100644
> meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch
>
> diff --git
> a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
> b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
> new file mode 100644
> index 00..a3bbe958eb
> --- /dev/null
> +++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
> @@ -0,0 +1,145 @@
> +From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001
> +From: Chris Liddell 
> +Date: Wed, 7 Jun 2023 10:23:06 +0100
> +Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for
> permission validation
> +
> +For regular file names, we try to simplfy relative paths before we use
> them.
> +
> +Because the %pipe% device can, effectively, accept command line calls, we
> +shouldn't be simplifying that string, because the command line syntax can
> end
> +up confusing the path simplifying code. That can result in permitting a
> pipe
> +command which does not match what was originally permitted.
> +
> +Special case "%pipe" in the validation code so we always deal with the
> entire
> +string.
> +
> +Upstream-Status: Backport [
> https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c
> ]
> +CVE: CVE-2023-36664
> +Signed-off-by: Vijay Anusuri 
> +---
> + base/gpmisc.c   | 31 +++
> + base/gslibctx.c | 56 -
> + 2 files changed, 64 insertions(+), 23 deletions(-)
> +
> +diff --git a/base/gpmisc.c b/base/gpmisc.c
> +index c4fffae..09ac6b3 100644
> +--- a/base/gpmisc.c
>  b/base/gpmisc.c
> +@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem,
> +  && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
> +   prefix_len = 0;
> + }
> +-rlen = len+1;
> +-bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen +
> prefix_len, "gp_validate_path");
> +-if (bufferfull == NULL)
> +-return gs_error_VMerror;
> +-
> +-buffer = bufferfull + prefix_len;
> +-if (gp_file_name_reduce(path, (uint)len, buffer, ) !=
> gp_combine_success)
> +-return gs_error_invalidfileaccess;
> +-buffer[rlen] = 0;
> +
> ++/* "%pipe%" do not follow the normal rules for path definitions, so
> we
> ++   don't "reduce" them to avoid unexpected results
> ++ */
> ++if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
> ++  bufferfull = buffer = (char
> *)gs_alloc_bytes(mem->thread_safe_memory, len + 1, "gp_validate_path");
> ++  if (buffer == NULL)
> ++  return gs_error_VMerror;
> ++  memcpy(buffer, path, len);
> ++  buffer[len] = 0;
> ++  rlen = len;
> ++}
> ++else {
> ++  rlen = len+1;
> ++  bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen
> + prefix_len, "gp_validate_path");
> ++  if (bufferfull == NULL)
> ++  return gs_error_VMerror;
> ++
> ++  buffer = bufferfull + prefix_len;
> ++  if (gp_file_name_reduce(path, (uint)len, buffer, ) !=
> gp_combine_success)
> ++  return gs_error_invalidfileaccess;
> ++  buffer[rlen] = 0;
> ++}
> + while (1) {
> + switch (mode[0])
> + {
> +diff --git a/base/gslibctx.c b/base/gslibctx.c
> +index 20c5eee..355c0e3 100644
> +--- a/base/gslibctx.c
>  b/base/gslibctx.c
> +@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem,
> gs_path_control_t type, const ch
> + return gs_error_rangecheck;
> + }
> +
> +-rlen = len+1;
> +-buffer = (char *)gs_alloc_bytes(core->memory, rlen,
> "gp_validate_path");
> +-if (buffer == NULL)
> +-return gs_error_VMerror;
> ++/* "%pipe%" do not follow the normal rules for path definitions, so
> we
> ++   

[OE-core][dunfell][PATCH] gawk: backport Debian patch to fix CVE-2023-4156

2023-10-03 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/focal-security
&
https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212]

Signed-off-by: Vijay Anusuri 
---
 .../gawk/gawk/CVE-2023-4156.patch | 28 +++
 meta/recipes-extended/gawk/gawk_5.0.1.bb  |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch

diff --git a/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch 
b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
new file mode 100644
index 00..c6cba058a7
--- /dev/null
+++ b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
@@ -0,0 +1,28 @@
+From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001
+From: "Arnold D. Robbins" 
+Date: Wed, 3 Aug 2022 13:00:54 +0300
+Subject: [PATCH] Smal bug fix in builtin.c.
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches/CVE-2023-4156.patch?h=ubuntu/focal-security
+Upstream commit 
https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212]
+CVE: CVE-2023-4156
+Signed-off-by: Vijay Anusuri 
+---
+ ChangeLog | 6 ++
+ builtin.c | 5 -
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- gawk-5.1.0.orig/builtin.c
 gawk-5.1.0/builtin.c
+@@ -957,7 +957,10 @@ check_pos:
+   s1++;
+   n0--;
+   }
+-  if (val >= num_args) {
++  // val could be less than zero if someone 
provides a field width
++  // so large that it causes integer overflow. 
Mainly fuzzers do this,
++  // but let's try to be good anyway.
++  if (val < 0 || val >= num_args) {
+   toofew = true;
+   break;
+   }
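Review bot: the new test `if (val < 0 || val >= num_args)` catches a negative `val` only after the overflow that produced it has already occurred while the field width was parsed; signed overflow is undefined behaviour in C, so the comment's assumption that it wraps to a negative value is compiler-dependent, and a range check on each digit step before the overflow would be the stricter fix. Separately, the diffstat lists `ChangeLog | 6 ++` but no ChangeLog hunk is included, and the file header names `gawk-5.1.0.orig/builtin.c` while the recipe being patched is gawk 5.0.1; confirm the hunk applies cleanly at `check_pos:` in that version rather than with fuzz.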
diff --git a/meta/recipes-extended/gawk/gawk_5.0.1.bb 
b/meta/recipes-extended/gawk/gawk_5.0.1.bb
index 1b29ec3113..c71890c19e 100644
--- a/meta/recipes-extended/gawk/gawk_5.0.1.bb
+++ b/meta/recipes-extended/gawk/gawk_5.0.1.bb
@@ -18,6 +18,7 @@ PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr"
 SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \
file://remove-sensitive-tests.patch \
file://run-ptest \
+   file://CVE-2023-4156.patch \
 "
 
 SRC_URI[md5sum] = "c5441c73cc451764055ee65e9a4292bb"
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188624): 
https://lists.openembedded.org/g/openembedded-core/message/188624
Mute This Topic: https://lists.openembedded.org/mt/101729230/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][dunfell][PATCH] cups: Backport fix for CVE-2023-32360 and CVE-2023-4504

2023-10-02 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream commits:
https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
& 
https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-extended/cups/cups.inc   |  2 +
 .../cups/cups/CVE-2023-32360.patch| 31 ++
 .../cups/cups/CVE-2023-4504.patch | 40 +++
 3 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32360.patch
 create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-4504.patch

diff --git a/meta/recipes-extended/cups/cups.inc 
b/meta/recipes-extended/cups/cups.inc
index 1d2377486a..6cfe314f20 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -16,6 +16,8 @@ SRC_URI = 
"https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
file://CVE-2022-26691.patch \
file://CVE-2023-32324.patch \
file://CVE-2023-34241.patch \
+   file://CVE-2023-32360.patch \
+   file://CVE-2023-4504.patch \
"
 
 UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases;
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-32360.patch 
b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
new file mode 100644
index 00..4d39e1e57f
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-32360.patch
@@ -0,0 +1,31 @@
+From a0c8b9c9556882f00c68b9727a95a1b6d1452913 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet 
+Date: Tue, 6 Dec 2022 09:04:01 -0500
+Subject: [PATCH] Require authentication for CUPS-Get-Document.
+
+Upstream-Status: Backport 
[https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913]
+CVE: CVE-2023-32360
+Signed-off-by: Vijay Anusuri 
+---
+ conf/cupsd.conf.in | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/conf/cupsd.conf.in b/conf/cupsd.conf.in
+index b258849078..a07536f3e4 100644
+--- a/conf/cupsd.conf.in
 b/conf/cupsd.conf.in
+@@ -68,7 +68,13 @@ IdleExitTimeout @EXIT_TIMEOUT@
+ Order deny,allow
+   
+ 
+-  
++  
++Require user @OWNER @SYSTEM
++Order deny,allow
++  
++
++  
++AuthType Default
+ Require user @OWNER @SYSTEM
+ Order deny,allow
+   
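Review bot: the operation names on the three affected block openers (`+-  `, `++  ` and the second `++  `) are missing from this copy, so which operations were moved under the block carrying `AuthType Default` cannot be verified here; check the backport against the upstream commit a0c8b9c9 to confirm that CUPS-Get-Document is the one that landed in the authenticated block. Note also that the first new block keeps `Require user @OWNER @SYSTEM` without an AuthType, so only the operations in the second block gain the authentication requirement named in the subject line.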
diff --git a/meta/recipes-extended/cups/cups/CVE-2023-4504.patch 
b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
new file mode 100644
index 00..be0db1fbd4
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2023-4504.patch
@@ -0,0 +1,40 @@
+From a9a7daa77699bd58001c25df8a61a8029a217ddf Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal 
+Date: Fri, 1 Sep 2023 16:47:29 +0200
+Subject: [PATCH] raster-interpret.c: Fix CVE-2023-4504
+
+We didn't check for end of buffer if it looks there is an escaped
+character - check for NULL terminator there and if found, return NULL
+as return value and in `ptr`, because a lone backslash is not
+a valid PostScript character.
+
+Upstream-Status: Backport 
[https://github.com/OpenPrinting/cups/commit/2431caddb7e6a87f04ac90b5c6366ad268b6ff31]
+CVE: CVE-2023-4504
+Signed-off-by: Vijay Anusuri 
+---
+ cups/raster-interpret.c | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/cups/raster-interpret.c
 b/cups/raster-interpret.c
+@@ -1113,7 +1113,19 @@ scan_ps(_cups_ps_stack_t *st,   /* I  - S
+ 
+   cur ++;
+ 
+-if (*cur == 'b')
++ /*
++  * Return NULL if we reached NULL terminator, a lone backslash
++* is not a valid character in PostScript.
++  */
++
++  if (!*cur)
++  {
++*ptr = NULL;
++
++return (NULL);
++  }
++
++  if (*cur == 'b')
+ *valptr++ = '\b';
+   else if (*cur == 'f')
+ *valptr++ = '\f';
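Review bot: the added `if (!*cur)` guard sits correctly after `cur ++` and before the escape dispatch, so a backslash at the very end of the buffer no longer reads past the terminator; callers of scan_ps must now handle both the NULL return value and `*ptr == NULL`. Two style points: the new block is indented two columns deeper than the surrounding `if (*cur == 'b')` chain (that line was touched only to re-indent it), and the comment's continuation lines (`++  *` against `++*`) are misaligned.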
-- 
2.25.1





[OE-core][dunfell][PATCH] ghostscript: fix CVE-2023-36664

2023-09-25 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Artifex Ghostscript through 10.01.2 mishandles permission validation for
pipe devices (with the %pipe% prefix or the | pipe character prefix).

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-36664

Upstream commits:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4ceaf92815302863a8c86fcfcf2347e0118dd3a5
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099

Signed-off-by: Vijay Anusuri 
---
 .../ghostscript/CVE-2023-36664-1.patch| 145 ++
 .../ghostscript/CVE-2023-36664-2.patch|  60 
 .../ghostscript/CVE-2023-36664-pre1.patch |  62 
 .../ghostscript/ghostscript_9.52.bb   |   3 +
 4 files changed, 270 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-2.patch
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-pre1.patch

diff --git 
a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
new file mode 100644
index 00..a3bbe958eb
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-1.patch
@@ -0,0 +1,145 @@
+From 5e65eeae225c7d02d447de5abaf4a8e6d234fcea Mon Sep 17 00:00:00 2001
+From: Chris Liddell 
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH] Bug 706761: Don't "reduce" %pipe% file names for permission 
validation
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+
+Upstream-Status: Backport 
[https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c]
+CVE: CVE-2023-36664
+Signed-off-by: Vijay Anusuri 
+---
+ base/gpmisc.c   | 31 +++
+ base/gslibctx.c | 56 -
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index c4fffae..09ac6b3 100644
+--- a/base/gpmisc.c
 b/base/gpmisc.c
+@@ -1046,16 +1046,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+  && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+   prefix_len = 0;
+ }
+-rlen = len+1;
+-bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + 
prefix_len, "gp_validate_path");
+-if (bufferfull == NULL)
+-return gs_error_VMerror;
+-
+-buffer = bufferfull + prefix_len;
+-if (gp_file_name_reduce(path, (uint)len, buffer, ) != 
gp_combine_success)
+-return gs_error_invalidfileaccess;
+-buffer[rlen] = 0;
+ 
++/* "%pipe%" do not follow the normal rules for path definitions, so we
++   don't "reduce" them to avoid unexpected results
++ */
++if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++  bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, 
len + 1, "gp_validate_path");
++  if (buffer == NULL)
++  return gs_error_VMerror;
++  memcpy(buffer, path, len);
++  buffer[len] = 0;
++  rlen = len;
++}
++else {
++  rlen = len+1;
++  bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + 
prefix_len, "gp_validate_path");
++  if (bufferfull == NULL)
++  return gs_error_VMerror;
++
++  buffer = bufferfull + prefix_len;
++  if (gp_file_name_reduce(path, (uint)len, buffer, ) != 
gp_combine_success)
++  return gs_error_invalidfileaccess;
++  buffer[rlen] = 0;
++}
+ while (1) {
+ switch (mode[0])
+ {
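Review bot: the condition `if (len > 5 && memcmp(path, "%pipe", 5) != 0)` takes the copy-without-reduce branch for every path that does NOT start with `%pipe`, while the comment above it says reduction should be skipped for `%pipe%` paths; as written, ordinary paths bypass gp_file_name_reduce and `%pipe` paths fall into the else branch and are still reduced, the reverse of the stated intent. The same inverted test appears in the gslibctx.c hunk below. The series also carries CVE-2023-36664-2.patch (upstream fb342fdb); verify that it corrects this comparison to `== 0`, since on its own this hunk does not close the hole the commit message describes.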
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 20c5eee..355c0e3 100644
+--- a/base/gslibctx.c
 b/base/gslibctx.c
+@@ -719,14 +719,28 @@ gs_add_control_path_len(const gs_memory_t *mem, 
gs_path_control_t type, const ch
+ return gs_error_rangecheck;
+ }
+ 
+-rlen = len+1;
+-buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-if (buffer == NULL)
+-return gs_error_VMerror;
++/* "%pipe%" do not follow the normal rules for path definitions, so we
++   don't "reduce" them to avoid unexpected results
++ */
++if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++  buffer = (char *)gs_alloc_bytes(core->memory, len + 1, 
"gs_add_control_path_len");
++  if (buffer == NULL)
++  return gs_error_VMerror;
++  memcpy(buffer, path, len);
++  buffer[len] = 0;
++  rlen = len;

[OE-core][dunfell][PATCH] go: Backport fix for CVE-2022-41725 and CVE-2023-24536

2023-09-25 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-commit:
https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50
&
https://github.com/golang/go/commit/4e5a313524da62600eb59dbf98624cfe946456f8
&
https://github.com/golang/go/commit/5246fa5e75b129a7dbd9722aa4de0cbaf7ceae43
&
https://github.com/golang/go/commit/5c55ac9bf1e5f779220294c843526536605f42ab
&
https://github.com/golang/go/commit/ef41a4e2face45e580c5836eaebd51629fc23f15
&
https://github.com/golang/go/commit/7a359a651c7ebdb29e0a1c03102fce793e9f58f0
&
https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/go/go-1.14.inc  |   7 +
 .../go/go-1.14/CVE-2022-41725-pre1.patch  |  85 +++
 .../go/go-1.14/CVE-2022-41725-pre2.patch  |  97 +++
 .../go/go-1.14/CVE-2022-41725-pre3.patch  |  98 +++
 .../go/go-1.14/CVE-2022-41725.patch   | 660 ++
 .../go/go-1.14/CVE-2023-24536_1.patch | 134 
 .../go/go-1.14/CVE-2023-24536_2.patch | 184 +
 .../go/go-1.14/CVE-2023-24536_3.patch | 349 +
 8 files changed, 1614 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24536_1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24536_2.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24536_3.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 20377e095b..784b502f46 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -70,6 +70,13 @@ SRC_URI += "\
 file://CVE-2023-29400.patch \
 file://CVE-2023-29406.patch \
 file://CVE-2023-29409.patch \
+file://CVE-2022-41725-pre1.patch \
+file://CVE-2022-41725-pre2.patch \
+file://CVE-2022-41725-pre3.patch \
+file://CVE-2022-41725.patch \
+file://CVE-2023-24536_1.patch \
+file://CVE-2023-24536_2.patch \
+file://CVE-2023-24536_3.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch
new file mode 100644
index 00..37ebc41947
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch
@@ -0,0 +1,85 @@
+From 874b3132a84cf76da6a48978826c04c380a37a50 Mon Sep 17 00:00:00 2001
+From: avivklas 
+Date: Fri, 7 Aug 2020 21:50:12 +0300
+Subject: [PATCH] mime/multipart: return overflow errors in Reader.ReadForm
+
+Updates Reader.ReadForm to check for overflow errors that may
+result from a leeway addition of 10MiB to the input argument
+maxMemory.
+
+Fixes #40430
+
+Change-Id: I510b8966c95c51d04695ba9d08fcfe005fd11a5d
+Reviewed-on: https://go-review.googlesource.com/c/go/+/247477
+Run-TryBot: Emmanuel Odeke 
+Trust: Cuong Manh Le 
+Trust: Emmanuel Odeke 
+TryBot-Result: Go Bot 
+Reviewed-by: Emmanuel Odeke 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/874b3132a84cf76da6a48978826c04c380a37a50]
+CVE: CVE-2022-41725 #Dependency Patch1
+Signed-off-by: Vijay Anusuri 
+---
+ src/mime/multipart/formdata.go  |  4 
+ src/mime/multipart/formdata_test.go | 18 ++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/mime/multipart/formdata.go b/src/mime/multipart/formdata.go
+index 832d0ad693666..4eb31012941ac 100644
+--- a/src/mime/multipart/formdata.go
 b/src/mime/multipart/formdata.go
+@@ -7,6 +7,7 @@ package multipart
+ import (
+   "bytes"
+   "errors"
++  "fmt"
+   "io"
+   "io/ioutil"
+   "net/textproto"
+@@ -41,6 +42,9 @@ func (r *Reader) readForm(maxMemory int64) (_ *Form, err 
error) {
+ 
+   // Reserve an additional 10 MB for non-file parts.
+   maxValueBytes := maxMemory + int64(10<<20)
++  if maxValueBytes <= 0 {
++  return nil, fmt.Errorf("multipart: integer overflow from 
maxMemory(%d) + 10MiB for non-file parts", maxMemory)
++  }
+   for {
+   p, err := r.NextPart()
+   if err == io.EOF {
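Review bot: `if maxValueBytes <= 0` reports an overflow whenever `maxMemory + int64(10<<20)` is non-positive, which also fires for an explicitly negative maxMemory that did not overflow at all, and the error text then misdescribes the cause. Rejecting a negative maxMemory up front, or testing `maxValueBytes < maxMemory`, would keep the two cases apart. Returning an error is still an improvement over the previous behaviour, where a wrapped limit silently disabled the cap on non-file parts.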
+diff --git a/src/mime/multipart/formdata_test.go 
b/src/mime/multipart/formdata_test.go
+index 7d756c8c244a0..7112e0d3727fe 100644
+--- a/src/mime/multipart/formdata_test.go
 b/src/mime/multipart/formdata_test.go
+@@ -7,6 +7,7 @@ package multipart
+ import (
+   "bytes"
+   "io"
++  "math"
+   "os"
+   "strings"
+   "testing"
+@@ -52,6 +53,23 @@ func TestReadFormWithNamelessFile(t *testing.T) {
+   }
+ }
+ 
++// Issue 40430: Ensure that we report integer overflows in additions of 
maxMemory,
++// instead of silently and subtly failing without 

[OE-core][dunfell][PATCH] ghostscript: Backport fix CVE-2023-43115

2023-10-08 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote
code execution via crafted PostScript documents because they can switch to the
IJS device, or change the IjsServer parameter, after SAFER has been activated.
NOTE: it is a documented risk that the IJS server can be specified on a gs
command line (the IJS device inherently must execute a command to start the IJS 
server).

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-43115

Upstream commit:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5

Signed-off-by: Vijay Anusuri 
---
 .../ghostscript/CVE-2023-43115.patch  | 62 +++
 .../ghostscript/ghostscript_9.52.bb   |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
new file mode 100644
index 00..3acb8a503c
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
@@ -0,0 +1,62 @@
+From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001
+From: Ken Sharp 
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: [PATCH] IJS device - try and secure the IJS server startup
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+
+ * WARNING: The ijs server can be selected on the gs command line
+ * which is a security risk, since any program can be run.
+
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+
+This commit prevents PostScript programs switching to the IJS device
+after SAFER has been activated, and prevents changes to the IjsServer
+parameter after SAFER has been activated.
+
+SAFER is activated, unless explicitly disabled, before any user
+PostScript is executed which means that the device and the server
+invocation can only be configured on the command line. This does at
+least provide minimal security against malicious PostScript programs.
+
+Upstream-Status: Backport 
[https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5]
+CVE: CVE-2023-43115
+Signed-off-by: Vijay Anusuri 
+---
+ devices/gdevijs.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/devices/gdevijs.c b/devices/gdevijs.c
+index 3d337c5..e50d69f 100644
+--- a/devices/gdevijs.c
 b/devices/gdevijs.c
+@@ -934,6 +934,9 @@ gsijs_finish_copydevice(gx_device *dev, const gx_device 
*from_dev)
+ static const char rgb[] = "DeviceRGB";
+ gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+ 
++if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
++  return_error(gs_error_invalidaccess);
++
+ code = gx_default_finish_copydevice(dev, from_dev);
+ if(code < 0)
+ return code;
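Review bot: the `path_control_active` check in gsijs_finish_copydevice refuses selection of the IJS device once SAFER is active, and it is placed before `gx_default_finish_copydevice`, so nothing is left half-initialised on the `return_error(gs_error_invalidaccess)` path. The patch's own From line names commit 8b0f20002536867bd73ff4552408a72597190cbe while the Upstream-Status line cites e59216049cac290fb437a04c4f41ea46826cfba5; one of the two should be corrected so the provenance is unambiguous.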
+@@ -1363,7 +1366,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
+ if (code >= 0)
+ code = gsijs_read_string(plist, "IjsServer",
+ ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
+-dev->LockSafetyParams, is_open);
++  ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
+ 
+ if (code >= 0)
+ code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
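Review bot: replacing `dev->LockSafetyParams` with `ijsdev->memory->gs_lib_ctx->core->path_control_active` as the lock argument to gsijs_read_string makes IjsServer read-only once SAFER is on, consistent with the first hunk and with the commit message's reason for abandoning LockSafetyParams. The other string parameters read in this function (DeviceManufacturer is visible just below) keep their previous locking, which is intended since only IjsServer is an executable command line.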
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb 
b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
index 0a2f9f5046..9712871e7f 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -44,6 +44,7 @@ SRC_URI_BASE = 
"https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 file://CVE-2023-36664-pre1.patch \
 file://CVE-2023-36664-1.patch \
 file://CVE-2023-36664-2.patch \
+file://CVE-2023-43115.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.25.1





[OE-core][kirkstone][PATCH] gawk: backport Debian patch to fix CVE-2023-4156

2023-10-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches?h=ubuntu/jammy-security
&
https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212]

Signed-off-by: Vijay Anusuri 
---
 .../gawk/gawk/CVE-2023-4156.patch | 28 +++
 meta/recipes-extended/gawk/gawk_5.1.1.bb  |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch

diff --git a/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch 
b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
new file mode 100644
index 00..bc157d6afb
--- /dev/null
+++ b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
@@ -0,0 +1,28 @@
+From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001
+From: "Arnold D. Robbins" 
+Date: Wed, 3 Aug 2022 13:00:54 +0300
+Subject: [PATCH] Smal bug fix in builtin.c.
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/gawk/tree/debian/patches/CVE-2023-4156.patch?h=ubuntu/jammy-security
+Upstream commit 
https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212]
+CVE: CVE-2023-4156
+Signed-off-by: Vijay Anusuri 
+---
+ ChangeLog | 6 ++
+ builtin.c | 5 -
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- gawk-5.1.0.orig/builtin.c
 gawk-5.1.0/builtin.c
+@@ -957,7 +957,10 @@ check_pos:
+   s1++;
+   n0--;
+   }
+-  if (val >= num_args) {
++  // val could be less than zero if someone 
provides a field width
++  // so large that it causes integer overflow. 
Mainly fuzzers do this,
++  // but let's try to be good anyway.
++  if (val < 0 || val >= num_args) {
+   toofew = true;
+   break;
+   }
diff --git a/meta/recipes-extended/gawk/gawk_5.1.1.bb 
b/meta/recipes-extended/gawk/gawk_5.1.1.bb
index fe339805d0..0b0d0897bc 100644
--- a/meta/recipes-extended/gawk/gawk_5.1.1.bb
+++ b/meta/recipes-extended/gawk/gawk_5.1.1.bb
@@ -18,6 +18,7 @@ PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr"
 SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \
file://remove-sensitive-tests.patch \
file://run-ptest \
+   file://CVE-2023-4156.patch \
"
 
 SRC_URI[sha256sum] = 
"6168d8d1dc8f74bd17d9dc22fa9634c49070f232343b744901da15fb4f06bffd"
-- 
2.25.1





Re: [OE-core][kirkstone][PATCH] inetutils: Fix CVE-2023-40303

2023-08-28 Thread Vijay Anusuri via lists.openembedded.org
Hi Khem Raj,

I have backported your patch for kirkstone and sent v2 patch for review.

https://lists.openembedded.org/g/openembedded-core/message/186847

Thanks & Regards,
Vijay

On Mon, Aug 28, 2023 at 10:42 PM Khem Raj  wrote:

> I sent a patch for master already see
>
> https://lists.openembedded.org/g/openembedded-core/topic/patch_1_2_inetutils_fix/100993486?p=,,,100,0,0,0::recentpostdate/sticky,,,100,2,0,100993486,previd%3D1693242624210149855,nextid%3D1692981851065733310=1693242624210149855=1692981851065733310
>
> you can send a direct backport of that for kirkstone.
>
> On Mon, Aug 28, 2023 at 8:39 AM Vijay Anusuri via
> lists.openembedded.org 
> wrote:
> >
> > From: Vijay Anusuri 
> >
> > Upstream-commit:
> https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
> > &
> https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d
> >
> > Signed-off-by: Vijay Anusuri 
> > ---
> >  ...tpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch | 282 ++
> >  ...03-Indent-changes-in-previous-commit.patch | 256 
> >  .../inetutils/inetutils_2.2.bb|   2 +
> >  3 files changed, 540 insertions(+)
> >  create mode 100644
> meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
> >  create mode 100644
> meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch
> >
> > diff --git
> a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
> b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
> > new file mode 100644
> > index 00..0f388ec424
> > --- /dev/null
> > +++
> b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
> > @@ -0,0 +1,282 @@
> > +From e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 Mon Sep 17 00:00:00 2001
> > +From: Jeffrey Bencteux 
> > +Date: Fri, 30 Jun 2023 19:02:45 +0200
> > +Subject: [PATCH] CVE-2023-40303 ftpd,rcp,rlogin,rsh,rshd,uucpd: fix:
> check set*id() return values
> > +
> > +Several setuid(), setgid(), seteuid() and setguid() return values
> > +were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
> > +leading to potential security issues.
> > +
> > +Signed-off-by: Jeffrey Bencteux 
> > +Signed-off-by: Simon Josefsson 
> > +
> > +Upstream-Status: Backport [
> https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
> ]
> > +CVE: CVE-2023-40303
> > +Signed-off-by: Vijay Anusuri 
> > +---
> > + ftpd/ftpd.c  | 10 +++---
> > + src/rcp.c| 39 +--
> > + src/rlogin.c | 11 +--
> > + src/rsh.c| 25 +
> > + src/rshd.c   | 20 +---
> > + src/uucpd.c  | 15 +--
> > + 6 files changed, 100 insertions(+), 20 deletions(-)
> > +
> > +diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
> > +index 68d41fd..703fbbc 100644
> > +--- a/ftpd/ftpd.c
> >  b/ftpd/ftpd.c
> > +@@ -865,7 +865,9 @@ end_login (struct credentials *pcred)
> > +   char *remotehost = pcred->remotehost;
> > +   int atype = pcred->auth_type;
> > +
> > +-  seteuid ((uid_t) 0);
> > ++  if (seteuid ((uid_t) 0) == -1)
> > ++_exit (EXIT_FAILURE);
> > ++
> > +   if (pcred->logged_in)
> > + {
> > +   logwtmp_keep_open (ttyline, "", "");
> > +@@ -1154,7 +1156,8 @@ getdatasock (const char *mode)
> > +
> > +   if (data >= 0)
> > + return fdopen (data, mode);
> > +-  seteuid ((uid_t) 0);
> > ++  if (seteuid ((uid_t) 0) == -1)
> > ++_exit (EXIT_FAILURE);
> > +   s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
> > +   if (s < 0)
> > + goto bad;
> > +@@ -1981,7 +1984,8 @@ passive (int epsv, int af)
> > +   else/* !AF_INET6 */
> > + ((struct sockaddr_in *) _addr)->sin_port = 0;
> > +
> > +-  seteuid ((uid_t) 0);
> > ++  if (seteuid ((uid_t) 0) == -1)
> > ++_exit (EXIT_FAILURE);
> > +   if (bind (pdata, (struct sockaddr *) _addr, pasv_addrlen) < 0)
> > + {
> > +   if (seteuid ((uid_t) cred.uid))
> > +diff --git a/src/rcp.c b/src/rcp.c
> > +index 476cbaa..cd84570 100644
> > +--- a/src/rcp.c
> >  b/src/rcp.c
> > +@@ -348,14 +348,23 @@ main (int argc,

[OE-core][kirkstone][PATCH v2] inetutils: Backport fix for CVE-2023-40303

2023-08-28 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-commit: 
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
& 
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d

Signed-off-by: Vijay Anusuri 
---
 ...tpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch | 280 ++
 ...03-Indent-changes-in-previous-commit.patch | 254 
 .../inetutils/inetutils_2.2.bb|   2 +
 3 files changed, 536 insertions(+)
 create mode 100644 
meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
 create mode 100644 
meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch

diff --git 
a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
 
b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
new file mode 100644
index 00..7f5baf3637
--- /dev/null
+++ 
b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,280 @@
+From 703418fe9d2e3b1e8d594df5788d8001a8116265 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux 
+Date: Fri, 30 Jun 2023 19:02:45 +0200
+Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check
+ set*id() return values
+
+Several setuid(), setgid(), seteuid() and setguid() return values
+were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
+leading to potential security issues.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport 
[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6]
+Signed-off-by: Jeffrey Bencteux 
+Signed-off-by: Simon Josefsson 
+Signed-off-by: Khem Raj 
+Signed-off-by: Vijay Anusuri 
+---
+ ftpd/ftpd.c  | 10 +++---
+ src/rcp.c| 39 +--
+ src/rlogin.c | 11 +--
+ src/rsh.c| 25 +
+ src/rshd.c   | 20 +---
+ src/uucpd.c  | 15 +--
+ 6 files changed, 100 insertions(+), 20 deletions(-)
+
+diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
+index 92b2cca5..28dd523f 100644
+--- a/ftpd/ftpd.c
 b/ftpd/ftpd.c
+@@ -862,7 +862,9 @@ end_login (struct credentials *pcred)
+   char *remotehost = pcred->remotehost;
+   int atype = pcred->auth_type;
+ 
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
++
+   if (pcred->logged_in)
+ {
+   logwtmp_keep_open (ttyline, "", "");
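Review bot: `_exit (EXIT_FAILURE)` on a failed `seteuid ((uid_t) 0)` ends the session silently; since end_login runs inside the daemon, a syslog message before the `_exit` would give operators a trace of why the connection dropped. Note also that the early exit skips the wtmp bookkeeping that follows (`logwtmp_keep_open (ttyline, "", "")` under `if (pcred->logged_in)`), so a failed privilege restore leaves the login record unclosed. Refusing to continue with the wrong credentials is the right call, but the commit message should state that consequence.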
+@@ -1151,7 +1153,8 @@ getdatasock (const char *mode)
+ 
+   if (data >= 0)
+ return fdopen (data, mode);
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
+   s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
+   if (s < 0)
+ goto bad;
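Review bot: getdatasock already has an error path two lines below (`if (s < 0) goto bad;`) that returns failure to the caller; terminating the whole process with `_exit (EXIT_FAILURE)` when `seteuid ((uid_t) 0)` fails is harsher than the surrounding code. An error return through the existing `bad:` label, with errno preserved, would let the caller report the failure like any other data-socket error. If the hard exit is deliberate because continuing without root would mask a privilege problem, a one-line comment saying so would help.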
+@@ -1978,7 +1981,8 @@ passive (int epsv, int af)
+   else/* !AF_INET6 */
+ ((struct sockaddr_in *) _addr)->sin_port = 0;
+ 
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
+   if (bind (pdata, (struct sockaddr *) _addr, pasv_addrlen) < 0)
+ {
+   if (seteuid ((uid_t) cred.uid))
+diff --git a/src/rcp.c b/src/rcp.c
+index 75adb253..cdcf8500 100644
+--- a/src/rcp.c
 b/src/rcp.c
+@@ -345,14 +345,23 @@ main (int argc, char *argv[])
+   if (from_option)
+ { /* Follow "protocol", send data. */
+   response ();
+-  setuid (userid);
++
++  if (setuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() 
failed)");
++  }
++
+   source (argc, argv);
+   exit (errs);
+ }
+ 
+   if (to_option)
+ { /* Receive data. */
+-  setuid (userid);
++  if (setuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() 
failed)");
++  }
++
+   sink (argc, argv);
+   exit (errs);
+ }
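Review bot: `error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() failed)")` passes 0 as the errnum, so the message never says why setuid failed; passing `errno` instead (`error (EXIT_FAILURE, errno, ...)`) costs nothing and turns an opaque failure into a diagnosable one (EPERM versus EAGAIN, for instance). The same applies to the identical calls in the toremote and tolocal hunks below.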
+@@ -537,7 +546,11 @@ toremote (char *targ, int argc, char *argv[])
+ if (response () < 0)
+   exit (EXIT_FAILURE);
+ free (bp);
+-setuid (userid);
++
++if (setuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() 
failed)");
++  }
+   }
+ source (1, argv + i);
+ close (rem);
+@@ -630,7 +643,12 @@ tolocal (int argc, char *argv[])
+ ++errs;
+ continue;
+   }
+-  seteuid (userid);
++
++  if (seteuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() 
failed)");
++  }
++
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+   sslen = sizeof (ss);
+   (void) getpeername (rem, (struct sockaddr *) , );
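Review bot: this hunk checks `seteuid (userid)` where the earlier rcp hunks check `setuid (userid)`. seteuid changes only the effective uid and leaves the saved set-user-ID in place, so this is a reversible, temporary drop rather than a permanent one; the new check makes a failed drop fatal, which is correct, but if the temporary drop is intentional because tolocal needs the original privileges again later, a short comment saying so would keep the next reader from changing it to setuid.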
+@@ -643,7 +661,12 @@ tolocal (int argc, char *argv[])
+ #endif
+   vect[0] = target;
+  

[OE-core][dunfell][PATCH] inetutils: Backport fix for CVE-2023-40303

2023-08-29 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-commit: 
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
& 
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=9122999252c7e21eb7774de11d539748e7bdf46d

Signed-off-by: Vijay Anusuri 
---
 ...tpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch | 283 ++
 ...03-Indent-changes-in-previous-commit.patch | 254 
 .../inetutils/inetutils_1.9.4.bb  |   2 +
 3 files changed, 539 insertions(+)
 create mode 100644 
meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
 create mode 100644 
meta/recipes-connectivity/inetutils/inetutils/0002-CVE-2023-40303-Indent-changes-in-previous-commit.patch

diff --git 
a/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
 
b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
new file mode 100644
index 00..aea07bd803
--- /dev/null
+++ 
b/meta/recipes-connectivity/inetutils/inetutils/0001-CVE-2023-40303-ftpd-rcp-rlogin-rsh-rshd-uucpd-fix-ch.patch
@@ -0,0 +1,283 @@
+From 703418fe9d2e3b1e8d594df5788d8001a8116265 Mon Sep 17 00:00:00 2001
+From: Jeffrey Bencteux 
+Date: Fri, 30 Jun 2023 19:02:45 +0200
+Subject: [PATCH] CVE-2023-40303: ftpd,rcp,rlogin,rsh,rshd,uucpd: fix: check
+ set*id() return values
+
+Several setuid(), setgid(), seteuid() and setguid() return values
+were not checked in ftpd/rcp/rlogin/rsh/rshd/uucpd code potentially
+leading to potential security issues.
+
+CVE: CVE-2023-40303
+Upstream-Status: Backport 
[https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6]
+Signed-off-by: Jeffrey Bencteux 
+Signed-off-by: Simon Josefsson 
+Signed-off-by: Khem Raj 
+Signed-off-by: Vijay Anusuri 
+---
+ ftpd/ftpd.c  | 10 +++---
+ src/rcp.c| 39 +--
+ src/rlogin.c | 11 +--
+ src/rsh.c| 25 +
+ src/rshd.c   | 20 +---
+ src/uucpd.c  | 15 +--
+ 6 files changed, 100 insertions(+), 20 deletions(-)
+
+diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
+index 5db88d0..b52b122 100644
+--- a/ftpd/ftpd.c
 b/ftpd/ftpd.c
+@@ -862,7 +862,9 @@ end_login (struct credentials *pcred)
+   char *remotehost = pcred->remotehost;
+   int atype = pcred->auth_type;
+ 
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
++
+   if (pcred->logged_in)
+ {
+   logwtmp_keep_open (ttyline, "", "");
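Review bot: the `From 703418fe9d2e3b1e8d594df5788d8001a8116265` line at the top of this patch file does not match the commit named in Upstream-Status (`e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6`); given the added `Signed-off-by: Khem Raj` it appears to be the hash of the oe-core master commit the patch was exported from rather than the inetutils upstream commit. Either say so in the header or regenerate the patch from upstream so the two hashes agree. The hunk content itself matches the kirkstone backport earlier on this page, only the line offsets differ.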
+@@ -1151,7 +1153,8 @@ getdatasock (const char *mode)
+ 
+   if (data >= 0)
+ return fdopen (data, mode);
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
+   s = socket (ctrl_addr.ss_family, SOCK_STREAM, 0);
+   if (s < 0)
+ goto bad;
+@@ -1978,7 +1981,8 @@ passive (int epsv, int af)
+   else/* !AF_INET6 */
+ ((struct sockaddr_in *) _addr)->sin_port = 0;
+ 
+-  seteuid ((uid_t) 0);
++  if (seteuid ((uid_t) 0) == -1)
++_exit (EXIT_FAILURE);
+   if (bind (pdata, (struct sockaddr *) _addr, pasv_addrlen) < 0)
+ {
+   if (seteuid ((uid_t) cred.uid))
+diff --git a/src/rcp.c b/src/rcp.c
+index bafa35f..366295c 100644
+--- a/src/rcp.c
 b/src/rcp.c
+@@ -347,14 +347,23 @@ main (int argc, char *argv[])
+   if (from_option)
+ { /* Follow "protocol", send data. */
+   response ();
+-  setuid (userid);
++
++  if (setuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() 
failed)");
++  }
++
+   source (argc, argv);
+   exit (errs);
+ }
+ 
+   if (to_option)
+ { /* Receive data. */
+-  setuid (userid);
++  if (setuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() 
failed)");
++  }
++
+   sink (argc, argv);
+   exit (errs);
+ }
+@@ -539,7 +548,11 @@ toremote (char *targ, int argc, char *argv[])
+ if (response () < 0)
+   exit (EXIT_FAILURE);
+ free (bp);
+-setuid (userid);
++
++if (setuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (setuid() 
failed)");
++  }
+   }
+ source (1, argv + i);
+ close (rem);
+@@ -634,7 +647,12 @@ tolocal (int argc, char *argv[])
+ ++errs;
+ continue;
+   }
+-  seteuid (userid);
++
++  if (seteuid (userid) == -1)
++  {
++error (EXIT_FAILURE, 0, "Could not drop privileges (seteuid() 
failed)");
++  }
++
+ #if defined IP_TOS && defined IPPROTO_IP && defined IPTOS_THROUGHPUT
+   sslen = sizeof (ss);
+   (void) getpeername (rem, (struct sockaddr *) , );
+@@ -647,7 +665,12 @@ tolocal (int argc, char *argv[])
+ #endif
+   vect[0] = target;
+  

[OE-core][dunfell][PATCH] tiff: backport Debian patch to fix CVE-2023-41175

2023-11-10 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport [import from debian 
security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz
Upstream commit 
https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]

Reference: https://security-tracker.debian.org/tracker/CVE-2023-41175

Signed-off-by: Vijay Anusuri 
---
 .../libtiff/files/CVE-2023-41175.patch| 67 +++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
new file mode 100644
index 00..3f44a42012
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-41175.patch
@@ -0,0 +1,67 @@
+From 4cc97e3dfa6559f4d17af0d0687bcae07ca4b73d Mon Sep 17 00:00:00 2001
+From: Arie Haenel 
+Date: Wed, 19 Jul 2023 19:40:01 +
+Subject: raw2tiff: fix integer overflow and bypass of the check (fixes #592)
+
+Upstream-Status: Backport [import from debian 
security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz
+Upstream commit 
https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
+CVE: CVE-2023-41175
+Signed-off-by: Vijay Anusuri 
+---
+ tools/raw2tiff.c | 26 ++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
+index ab36ff4e..a905da52 100644
+--- a/tools/raw2tiff.c
 b/tools/raw2tiff.c
+@@ -35,6 +35,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ #ifdef HAVE_UNISTD_H
+ # include 
+@@ -101,6 +102,7 @@ main(int argc, char* argv[])
+   int fd;
+   char*outfilename = NULL;
+   TIFF*out;
++  uint32  temp_limit_check = 0;
+ 
+   uint32 row, col, band;
+   int c;
+@@ -212,6 +214,30 @@ main(int argc, char* argv[])
+   if (guessSize(fd, dtype, hdr_size, nbands, swab, , ) < 0)
+   return 1;
+ 
++  if ((width == 0) || (length == 0) ){
++  fprintf(stderr, "Too large nbands value specified.\n");
++  return (EXIT_FAILURE);
++  }
++
++  temp_limit_check = nbands * depth;
++
++  if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) )  {
++  fprintf(stderr, "Too large length size specified.\n");
++  return (EXIT_FAILURE);
++  }
++  temp_limit_check = temp_limit_check * length;
++
++  if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) )  {
++  fprintf(stderr, "Too large width size specified.\n");
++  return (EXIT_FAILURE);
++  }
++  temp_limit_check = temp_limit_check * width;
++
++  if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) )  
{
++  fprintf(stderr, "Too large header size specified.\n");
++  return (EXIT_FAILURE);
++  }
++
+   if (outfilename == NULL)
+   outfilename = argv[optind+1];
+   out = TIFFOpen(outfilename, "w");
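Review bot: the guard chain starts with `temp_limit_check = nbands * depth;` but that first product is itself unchecked: `!temp_limit_check` only catches a wrap to exactly zero, so a large nbands whose product with depth wraps to a small non-zero value would pass every following division test with the wrong operand. Unless nbands is bounded earlier in main() (not shown in this hunk), add the same `UINT_MAX / depth` style check before that multiplication. The length and width steps that follow are correctly ordered (divide by the running product before multiplying), and the final `UINT_MAX - temp_limit_check` test for hdr_size completes the bound on `hdr_size + width * length * nbands * depth`.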
+-- 
+2.30.2
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 31e7db19aa..2697a28463 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -46,6 +46,7 @@ SRC_URI = 
"http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-3576.patch \
file://CVE-2023-3618.patch \
file://CVE-2023-40745.patch \
+   file://CVE-2023-41175.patch \
   "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = 
"5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
-- 
2.25.1


View/Reply Online (#190402): https://lists.openembedded.org/g/openembedded-core/message/190402



[OE-core][kirkstone][PATCH] tiff: Backport fix for CVE-2023-41175

2023-11-09 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]

Reference: https://security-tracker.debian.org/tracker/CVE-2023-41175

Signed-off-by: Vijay Anusuri 
---
 .../libtiff/tiff/CVE-2023-41175.patch | 69 +++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-41175.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-41175.patch 
b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-41175.patch
new file mode 100644
index 00..06645bed68
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-41175.patch
@@ -0,0 +1,69 @@
+From 6e2dac5f904496d127c92ddc4e56eccfca25c2ee Mon Sep 17 00:00:00 2001
+From: Arie Haenel 
+Date: Wed, 19 Jul 2023 19:40:01 +
+Subject: [PATCH] raw2tiff: fix integer overflow and bypass of the check (fixes 
#592)
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee]
+CVE: CVE-2023-41175
+Signed-off-by: Vijay Anusuri 
+---
+ tools/raw2tiff.c | 29 +
+ 1 file changed, 29 insertions(+)
+
+diff --git a/tools/raw2tiff.c b/tools/raw2tiff.c
+index dfee715..253c023 100644
+--- a/tools/raw2tiff.c
 b/tools/raw2tiff.c
+@@ -36,6 +36,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ #ifdef HAVE_UNISTD_H
+ # include 
+@@ -101,6 +102,7 @@ main(int argc, char* argv[])
+   int fd;
+   char*outfilename = NULL;
+   TIFF*out;
++  uint32_t temp_limit_check = 0; /* temp for integer overflow 
checking*/
+ 
+   uint32_t row, col, band;
+   int c;
+@@ -212,6 +214,33 @@ main(int argc, char* argv[])
+   if (guessSize(fd, dtype, hdr_size, nbands, swab, , ) < 0)
+   return EXIT_FAILURE;
+ 
++  /* check for integer overflow in */
++  /* hdr_size + (*width) * (*length) * nbands * depth */
++
++  if ((width == 0) || (length == 0) ){
++  fprintf(stderr, "Too large nbands value specified.\n");
++  return (EXIT_FAILURE);
++  }
++
++  temp_limit_check = nbands * depth;
++
++  if ( !temp_limit_check || length > ( UINT_MAX / temp_limit_check ) )  {
++  fprintf(stderr, "Too large length size specified.\n");
++  return (EXIT_FAILURE);
++  }
++  temp_limit_check = temp_limit_check * length;
++
++  if ( !temp_limit_check || width > ( UINT_MAX / temp_limit_check ) )  {
++  fprintf(stderr, "Too large width size specified.\n");
++  return (EXIT_FAILURE);
++  }
++  temp_limit_check = temp_limit_check * width;
++
++  if ( !temp_limit_check || hdr_size > ( UINT_MAX - temp_limit_check ) )  
{
++  fprintf(stderr, "Too large header size specified.\n");
++  return (EXIT_FAILURE);
++  }
++
+   if (outfilename == NULL)
+   outfilename = argv[optind+1];
+   out = TIFFOpen(outfilename, "w");
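Review bot: the message in the first new check does not match its condition: `if ((width == 0) || (length == 0))` prints "Too large nbands value specified.", which points anyone debugging a zero-size input at the wrong option; report what was actually tested (zero width or length). Minor: the explanatory comment reads `hdr_size + (*width) * (*length) * nbands * depth`, but width and length are plain locals in main() (they are passed by address to guessSize), so the dereferences in the comment should go.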
+-- 
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index e925b7d652..11e3818c69 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -46,6 +46,7 @@ SRC_URI = 
"http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2022-40090.patch \
file://CVE-2023-1916.patch \
file://CVE-2023-40745.patch \
+   file://CVE-2023-41175.patch \
"
 
 SRC_URI[sha256sum] = 
"0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
-- 
2.25.1


View/Reply Online (#190398): https://lists.openembedded.org/g/openembedded-core/message/190398



[OE-core][dunfell][PATCH] pam: Fix for CVE-2024-22365

2024-01-23 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport from 
https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb

Signed-off-by: Vijay Anusuri 
---
 .../pam/libpam/CVE-2024-22365.patch   | 59 +++
 meta/recipes-extended/pam/libpam_1.3.1.bb |  1 +
 2 files changed, 60 insertions(+)
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-22365.patch

diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch 
b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch
new file mode 100644
index 00..33ac37b7f0
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch
@@ -0,0 +1,59 @@
+From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner 
+Date: Wed, 27 Dec 2023 14:01:59 +0100
+Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
+ local DoS situations
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+
+Upstream-Status: Backport 
[https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb]
+CVE: CVE-2024-22365
+Signed-off-by: Vijay Anusuri 
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c 
b/modules/pam_namespace/pam_namespace.c
+index 2528cff86..f72d67189 100644
+--- a/modules/pam_namespace/pam_namespace.c
 b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, 
int do_mkdir,
+   int dfd = AT_FDCWD;
+   int dfd_next;
+   int save_errno;
+-  int flags = O_RDONLY;
++  int flags = O_RDONLY | O_DIRECTORY;
+   int rv = -1;
+   struct stat st;
+ 
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, 
int do_mkdir,
+   rv = openat(dfd, dir, flags);
+   }
+ 
+-  if (rv != -1) {
+-  if (fstat(rv, ) != 0) {
+-  save_errno = errno;
+-  close(rv);
+-  rv = -1;
+-  errno = save_errno;
+-  goto error;
+-  }
+-  if (!S_ISDIR(st.st_mode)) {
+-  close(rv);
+-  errno = ENOTDIR;
+-  rv = -1;
+-  goto error;
+-  }
+-  }
+-
+   if (flags & O_NOFOLLOW) {
+   /* we are inside user-owned dir - protect */
+   if (protect_mount(rv, p, idata) == -1) {
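Review bot: with `O_DIRECTORY` added to `flags` in the previous hunk, `openat` fails with ENOTDIR on a FIFO or regular file instead of blocking, so removing the post-open fstat/S_ISDIR block is sound and also makes the directory check atomic with the open; the errno seen by the error path is ENOTDIR either way, so no caller change is needed. One follow-up: `struct stat st` (declared in the first hunk's context) and `save_errno` may now be unused in protect_dir and trigger -Wunused-variable unless they are still referenced later in the function; check and drop them if so.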
diff --git a/meta/recipes-extended/pam/libpam_1.3.1.bb 
b/meta/recipes-extended/pam/libpam_1.3.1.bb
index bc72afe6ad..527a368e2d 100644
--- a/meta/recipes-extended/pam/libpam_1.3.1.bb
+++ b/meta/recipes-extended/pam/libpam_1.3.1.bb
@@ -24,6 +24,7 @@ SRC_URI = 
"https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
file://pam-security-abstract-securetty-handling.patch \
file://pam-unix-nullok-secure.patch \
file://crypt_configure.patch \
+   file://CVE-2024-22365.patch \
   "
 
 SRC_URI[md5sum] = "558ff53b0fc0563ca97f79e911822165"
-- 
2.25.1


View/Reply Online (#194260): https://lists.openembedded.org/g/openembedded-core/message/194260



[OE-core][dunfell][PATCH] libxml2: Backport fix for CVE-2021-3516

2023-12-17 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539]

Signed-off-by: Vijay Anusuri 
---
 .../libxml/libxml2/CVE-2021-3516.patch| 35 +++
 meta/recipes-core/libxml/libxml2_2.9.10.bb|  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch
new file mode 100644
index 00..200f42091e
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2021-3516.patch
@@ -0,0 +1,35 @@
+From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Wed, 21 Apr 2021 13:23:27 +0200
+Subject: [PATCH] Fix use-after-free with `xmllint --html --push`
+
+Call htmlCtxtUseOptions to make sure that names aren't stored in
+dictionaries.
+
+Note that this issue only affects xmllint using the HTML push parser.
+
+Fixes #230.
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539]
+CVE: CVE-2021-3516
+Signed-off-by: Vijay Anusuri 
+---
+ xmllint.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xmllint.c b/xmllint.c
+index 6ca1bf54d..dbef273a8 100644
+--- a/xmllint.c
 b/xmllint.c
+@@ -2213,7 +2213,7 @@ static void parseAndPrintFile(char *filename, 
xmlParserCtxtPtr rectxt) {
+ if (res > 0) {
+ ctxt = htmlCreatePushParserCtxt(NULL, NULL,
+ chars, res, filename, XML_CHAR_ENCODING_NONE);
+-xmlCtxtUseOptions(ctxt, options);
++htmlCtxtUseOptions(ctxt, options);
+ while ((res = fread(chars, 1, pushsize, f)) > 0) {
+ htmlParseChunk(ctxt, chars, res, 0);
+ }
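Review bot: the fix is a one-token swap from `xmlCtxtUseOptions` to `htmlCtxtUseOptions`, and the commit message says it works by keeping names out of dictionaries; that property lives inside htmlCtxtUseOptions (which, in libxml2's HTMLparser.c, clears ctxt->dictNames), not in the line shown here. For a backport to 2.9.10, confirm that this version's htmlCtxtUseOptions still does that, otherwise the call swap compiles but does not close the use-after-free. The surrounding `htmlCreatePushParserCtxt`/`htmlParseChunk` context confirms this is the HTML push path the commit message limits the issue to.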
+-- 
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb 
b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 5eac864098..aa17cd8cca 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -41,6 +41,7 @@ SRC_URI += 
"http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
file://CVE-2023-39615-pre.patch \
file://CVE-2023-39615-0001.patch \
file://CVE-2023-39615-0002.patch \
+   file://CVE-2021-3516.patch \
"
 
 SRC_URI[archive.sha256sum] = 
"593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
-- 
2.25.1


View/Reply Online (#192599): https://lists.openembedded.org/g/openembedded-core/message/192599



[OE-core][dunfell][PATCH] flac: Backport fix for CVE-2021-0561

2023-12-18 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport 
[https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be]

Signed-off-by: Vijay Anusuri 
---
 .../flac/files/CVE-2021-0561.patch| 34 +++
 meta/recipes-multimedia/flac/flac_1.3.3.bb|  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-multimedia/flac/files/CVE-2021-0561.patch

diff --git a/meta/recipes-multimedia/flac/files/CVE-2021-0561.patch 
b/meta/recipes-multimedia/flac/files/CVE-2021-0561.patch
new file mode 100644
index 00..e19833a5ad
--- /dev/null
+++ b/meta/recipes-multimedia/flac/files/CVE-2021-0561.patch
@@ -0,0 +1,34 @@
+From e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be Mon Sep 17 00:00:00 2001
+From: Neelkamal Semwal 
+Date: Fri, 18 Dec 2020 22:28:36 +0530
+Subject: [PATCH] libFlac: Exit at EOS in verify mode
+
+When verify mode is enabled, once decoder flags end of stream,
+encode processing is considered complete.
+
+CVE-2021-0561
+
+Signed-off-by: Ralph Giles 
+
+Upstream-Status: Backport 
[https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be]
+CVE: CVE-2021-0561
+Signed-off-by: Vijay Anusuri 
+---
+ src/libFLAC/stream_encoder.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c
+index 4c91247fe8..7109802c27 100644
+--- a/src/libFLAC/stream_encoder.c
 b/src/libFLAC/stream_encoder.c
+@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder 
*encoder, uint32_t samples, FLAC
+   encoder->private_->verify.needs_magic_hack = true;
+   }
+   else {
+-  
if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
++  
if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
++  || (!is_last_block
++  && 
(FLAC__stream_encoder_get_verify_decoder_state(encoder) == 
FLAC__STREAM_DECODER_END_OF_STREAM))) {
+   
FLAC__bitwriter_release_buffer(encoder->private_->frame);
+   FLAC__bitwriter_clear(encoder->private_->frame);
+   if(encoder->protected_->state != 
FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)
diff --git a/meta/recipes-multimedia/flac/flac_1.3.3.bb 
b/meta/recipes-multimedia/flac/flac_1.3.3.bb
index ca04f36d1a..e593727ac8 100644
--- a/meta/recipes-multimedia/flac/flac_1.3.3.bb
+++ b/meta/recipes-multimedia/flac/flac_1.3.3.bb
@@ -16,6 +16,7 @@ DEPENDS = "libogg"
 
 SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \
file://CVE-2020-22219.patch \
+   file://CVE-2021-0561.patch \
 "
 
 SRC_URI[md5sum] = "26703ed2858c1fc9ffc05136d13daa69"
-- 
2.25.1


View/Reply Online (#192691): https://lists.openembedded.org/g/openembedded-core/message/192691



[OE-core][dunfell][PATCH] openssh: backport Debian patch for CVE-2023-48795

2023-12-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patches from ubuntu to fix CVE-2023-48795

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches?h=ubuntu%2Ffocal-security
Upstream commit 
https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5]

Reference: https://ubuntu.com/security/CVE-2023-48795

Signed-off-by: Vijay Anusuri 
---
 .../openssh/openssh/CVE-2023-48795.patch  | 468 ++
 .../openssh/openssh_8.2p1.bb  |   1 +
 2 files changed, 469 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch 
b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
new file mode 100644
index 00..57c45e3d93
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
@@ -0,0 +1,468 @@
+(modified to not remove ssh_packet_read_expect(), to add to
+KexAlgorithms in sshd.c and sshconnect2.c as this version pre-dates
+kex_proposal_populate_entries(), replace debug*_f() with debug*(),
+error*_f() with error*(), and fatal_f() with fatal())
+
+Backport of:
+
+From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" 
+Date: Mon, 18 Dec 2023 14:45:17 +
+Subject: [PATCH] upstream: implement "strict key exchange" in ssh and sshd
+
+This adds a protocol extension to improve the integrity of the SSH
+transport protocol, particular in and around the initial key exchange
+(KEX) phase.
+
+Full details of the extension are in the PROTOCOL file.
+
+with markus@
+
+OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/CVE-2023-48795.patch?h=ubuntu/focal-security
+Upstream commit 
https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5]
+CVE: CVE-2023-48795
+Signed-off-by: Vijay Anusuri 
+---
+ PROTOCOL  | 26 +
+ kex.c | 68 +---
+ kex.h |  1 +
+ packet.c  | 78 ++-
+ sshconnect2.c | 14 +++--
+ sshd.c|  7 +++--
+ 6 files changed, 146 insertions(+), 48 deletions(-)
+
+diff --git a/PROTOCOL b/PROTOCOL
+index f75c1c0..89bddfe 100644
+--- a/PROTOCOL
 b/PROTOCOL
+@@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curve25519 for key 
exchange as
+ described at:
+ 
http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha...@libssh.org.txt?h=curve25519
+ 
++1.9 transport: strict key exchange extension
++
++OpenSSH supports a number of transport-layer hardening measures under
++a "strict KEX" feature. This feature is signalled similarly to the
++RFC8308 ext-info feature: by including a additional algorithm in the
++initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
++"kex-strict-c-...@openssh.com" to its kex_algorithms and the server
++may append "kex-strict-s-...@openssh.com". These pseudo-algorithms
++are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
++if they are present in subsequent SSH2_MSG_KEXINIT packets.
++
++When an endpoint that supports this extension observes this algorithm
++name in a peer's KEXINIT packet, it MUST make the following changes to
++the the protocol:
++
++a) During initial KEX, terminate the connection if any unexpected or
++   out-of-sequence packet is received. This includes terminating the
++   connection if the first packet received is not SSH2_MSG_KEXINIT.
++   Unexpected packets for the purpose of strict KEX include messages
++   that are otherwise valid at any time during the connection such as
++   SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
++b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
++   packet sequence number to zero. This behaviour persists for the
++   duration of the connection (i.e. not just the first
++   SSH2_MSG_NEWKEYS).
++
+ 2. Connection protocol changes
+ 
+ 2.1. connection: Channel write close extension "e...@openssh.com"
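
Review bot: the new section 1.9 carries a few upstream typos ('a additional', 'initiial' and 'the the' in the lines beginning 'RFC8308 ext-info feature', 'initiial SSH2_MSG_KEXINIT' and 'the the protocol'); for a verbatim backport they are best left matching upstream so the patch keeps applying cleanly on the next refresh. The requirement that actually changes wire behaviour is (b), the sequence-number reset after every SSH2_MSG_NEWKEYS "sent or received", which the diffstat shows landing in packet.c; please check that the 8.2p1 packet.c backport resets the counter on both the send and the receive path, as the text requires.
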
+diff --git a/kex.c b/kex.c
+index ce85f04..3129a4e 100644
+--- a/kex.c
 b/kex.c
+@@ -63,7 +63,7 @@
+ #include "digest.h"
+ 
+ /* prototype */
+-static int kex_choose_conf(struct ssh *);
++static int kex_choose_conf(struct ssh *, uint32_t seq);
+ static int kex_input_newkeys(int, u_int32_t, struct ssh *);
+ 
+ static const char *proposal_names[PROPOSAL_MAX] = {
+@@ -173,6 +173,18 @@ kex_names_valid(const char *names)
+   return 1;
+ }
+ 
++/* returns non-zero if proposal contains any algorithm from algs */
++static int
++has_any_alg(const char *proposal, const char *algs)
++{
++  char *cp;
++
++  if ((cp = match_list(proposal, algs, NULL)) == NULL)
++  return 0;
++  free(cp);
++  return 1;
++}
++
+ /*
+  * Concatenate algorithm names, avoiding duplicates in the 
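
Review bot: has_any_alg() correctly frees the string that match_list() allocates, but correctness hinges on where it is called: the PROTOCOL text above says the kex-strict pseudo-algorithms are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored afterwards, so the caller must consult it only when the new `seq` argument to kex_choose_conf() identifies the first KEXINIT, otherwise a later rekey could flip the strict-KEX state. Please confirm the backported call site keeps that guard from upstream rather than checking the proposal unconditionally.
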

[OE-core][kirkstone][PATCH] openssh: backport Debian patch for CVE-2023-48795

2023-12-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patches from ubuntu to fix
 fix-authorized-principals-command
 CVE-2023-48795

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
https://github.com/openssh/openssh-portable/commit/fcd78e31cdd45a7e69ccfe6d8a3b1037dc1de290
&
https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5]

Reference: https://ubuntu.com/security/CVE-2023-48795

Signed-off-by: Vijay Anusuri 
---
 .../openssh/openssh/CVE-2023-48795.patch  | 476 ++
 .../fix-authorized-principals-command.patch   |  30 ++
 .../openssh/openssh_8.9p1.bb  |   2 +
 3 files changed, 508 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/fix-authorized-principals-command.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch 
b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
new file mode 100644
index 00..6b2f927779
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
@@ -0,0 +1,476 @@
+(modified to not remove ssh_packet_read_expect() and to add to
+KexAlgorithms in sshd.c and sshconnect2.c as this version pre-dates
+kex_proposal_populate_entries())
+
+Backport of:
+
+From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" 
+Date: Mon, 18 Dec 2023 14:45:17 +
+Subject: [PATCH] upstream: implement "strict key exchange" in ssh and sshd
+
+This adds a protocol extension to improve the integrity of the SSH
+transport protocol, particular in and around the initial key exchange
+(KEX) phase.
+
+Full details of the extension are in the PROTOCOL file.
+
+with markus@
+
+OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/openssh/tree/debian/patches/CVE-2023-48795.patch?h=ubuntu/jammy-security
+Upstream commit 
https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5]
+CVE: CVE-2023-48795
+Signed-off-by: Vijay Anusuri 
+---
+ PROTOCOL  | 26 +
+ kex.c | 72 +++
+ kex.h |  1 +
+ packet.c  | 78 ++-
+ sshconnect2.c | 14 +++--
+ sshd.c|  7 +++--
+ 6 files changed, 142 insertions(+), 56 deletions(-)
+
+diff --git a/PROTOCOL b/PROTOCOL
+index e6a7d60..971f01e 100644
+--- a/PROTOCOL
 b/PROTOCOL
+@@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curve25519 for key 
exchange as
+ described at:
+ 
http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha...@libssh.org.txt?h=curve25519
+ 
++1.9 transport: strict key exchange extension
++
++OpenSSH supports a number of transport-layer hardening measures under
++a "strict KEX" feature. This feature is signalled similarly to the
++RFC8308 ext-info feature: by including a additional algorithm in the
++initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
++"kex-strict-c-...@openssh.com" to its kex_algorithms and the server
++may append "kex-strict-s-...@openssh.com". These pseudo-algorithms
++are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
++if they are present in subsequent SSH2_MSG_KEXINIT packets.
++
++When an endpoint that supports this extension observes this algorithm
++name in a peer's KEXINIT packet, it MUST make the following changes to
++the the protocol:
++
++a) During initial KEX, terminate the connection if any unexpected or
++   out-of-sequence packet is received. This includes terminating the
++   connection if the first packet received is not SSH2_MSG_KEXINIT.
++   Unexpected packets for the purpose of strict KEX include messages
++   that are otherwise valid at any time during the connection such as
++   SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
++b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
++   packet sequence number to zero. This behaviour persists for the
++   duration of the connection (i.e. not just the first
++   SSH2_MSG_NEWKEYS).
++
+ 2. Connection protocol changes
+ 
+ 2.1. connection: Channel write close extension "e...@openssh.com"
+diff --git a/kex.c b/kex.c
+index 0bcd27d..e7b2d4d 100644
+--- a/kex.c
 b/kex.c
+@@ -63,7 +63,7 @@
+ #include "digest.h"
+ 
+ /* prototype */
+-static int kex_choose_conf(struct ssh *);
++static int kex_choose_conf(struct ssh *, uint32_t seq);
+ static int kex_input_newkeys(int, u_int32_t, struct ssh *);
+ 
+ static const char * const proposal_names[PROPOSAL_MAX] = {
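
Review bot: the new parameter is declared `uint32_t seq` while the neighbouring prototype `kex_input_newkeys(int, u_int32_t, struct ssh *)` uses `u_int32_t`; this mirrors upstream 1edb00c5 so it is acceptable for a backport, but the definition of kex_choose_conf() further down kex.c and every caller must use the same type or the 8.9p1 build fails. A compile on the kirkstone toolchain is enough to verify, and a note in the header about this being the 0.x-era spelling difference would help whoever rebases it next.
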
+@@ -175,6 +175,18 @@ kex_names_valid(const char *names)
+   return 1;
+ }
+ 
++/* returns non-zero if proposal contains any algorithm from algs */
++static int
++has_any_alg(const char *proposal, const char *algs)
++{
++  

[OE-core][kirkstone][PATCH 2/4] libssh: add ptest

2023-12-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Results:
$ ptest-runner libssh
START: ptest-runner
2023-03-16T02:56
BEGIN: /usr/lib/libssh/ptest
PASS: torture_bind_config
PASS: torture_buffer
PASS: torture_bytearray
PASS: torture_callbacks
PASS: torture_channel
PASS: torture_config
PASS: torture_crypto
PASS: torture_hashes
PASS: torture_init
PASS: torture_isipaddr
PASS: torture_keyfiles
PASS: torture_knownhosts_parsing
PASS: torture_list
PASS: torture_misc
PASS: torture_moduli
PASS: torture_options
PASS: torture_packet
PASS: torture_packet_filter
PASS: torture_pki
PASS: torture_pki_ecdsa
PASS: torture_pki_ed25519
PASS: torture_pki_rsa
PASS: torture_push_pop_dir
PASS: torture_rand
PASS: torture_session_keys
PASS: torture_temp_dir
PASS: torture_temp_file
PASS: torture_threads_buffer
PASS: torture_threads_crypto
PASS: torture_threads_init
PASS: torture_threads_pki_rsa
PASS: torture_tokens
DURATION: 24
END: /usr/lib/libssh/ptest
2023-03-16T02:56
STOP: ptest-runner
TOTAL: 1 FAIL: 0

Signed-off-by: Yi Zhao 

Ref: 
https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut=bf49bdea290ba8cf18f3fd6b47d1d71dfe499948

Signed-off-by: Vijay Anusuri 
---
 txt-do-not-search-ssh-sshd-commands.patch | 38 +
 .../recipes-support/libssh/libssh/run-ptest   | 53 +++
 .../recipes-support/libssh/libssh_0.10.4.bb   | 21 ++--
 3 files changed, 109 insertions(+), 3 deletions(-)
 create mode 100644 
meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch
 create mode 100644 meta-oe/recipes-support/libssh/libssh/run-ptest

diff --git 
a/meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch
 
b/meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch
new file mode 100644
index 0..0c7f53029
--- /dev/null
+++ 
b/meta-oe/recipes-support/libssh/libssh/0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch
@@ -0,0 +1,38 @@
+From d2525ba0bc7b11de12c54ea1a3d1eb862537136d Mon Sep 17 00:00:00 2001
+From: Yi Zhao 
+Date: Wed, 15 Mar 2023 16:51:58 +0800
+Subject: [PATCH] tests/CMakeLists.txt: do not search ssh/sshd commands on host
+
+It will search ssh/sshd commands on host when configure. Since they are
+not required by unittests, we can skip the search.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao 
+---
+ tests/CMakeLists.txt | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
+index 22a36f37..aa32ca2e 100644
+--- a/tests/CMakeLists.txt
 b/tests/CMakeLists.txt
+@@ -86,6 +86,7 @@ set(TEST_TARGET_LIBRARIES
+ 
+ add_subdirectory(unittests)
+ 
++if (CLIENT_TESTING OR SERVER_TESTING)
+ # OpenSSH Capabilities are required for all unit tests
+ find_program(SSH_EXECUTABLE NAMES ssh)
+ if (SSH_EXECUTABLE)
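
Review bot: the comment '# OpenSSH Capabilities are required for all unit tests' now sits inside the new `if (CLIENT_TESTING OR SERVER_TESTING)` block, which contradicts the commit message stating that ssh/sshd are not required by the unit tests; update or drop the comment so the next reader does not reinstate the host lookup.
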
+@@ -293,6 +294,7 @@ if (CLIENT_TESTING OR SERVER_TESTING)
+ 
+ message(STATUS "TORTURE_ENVIRONMENT=${TORTURE_ENVIRONMENT}")
+ endif ()
++endif ()
+ 
+ configure_file(tests_config.h.cmake 
${CMAKE_CURRENT_BINARY_DIR}/tests_config.h)
+ 
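
Review bot: the added `+endif ()` closes a block that already contains an `if (CLIENT_TESTING OR SERVER_TESTING)` with the identical condition (the one the existing `endif ()` two lines above closes), so the conditional is now nested inside itself. Moving the existing `if` up so that it precedes the find_program() calls, instead of adding a second one around it, gives the same behaviour without the redundant nesting and would make the change small enough to offer upstream rather than carrying it as Inappropriate.
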
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-support/libssh/libssh/run-ptest 
b/meta-oe/recipes-support/libssh/libssh/run-ptest
new file mode 100644
index 0..159994e9b
--- /dev/null
+++ b/meta-oe/recipes-support/libssh/libssh/run-ptest
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# Valid tests to run
+tests="torture_bind_config \
+   torture_buffer \
+   torture_bytearray \
+   torture_callbacks \
+   torture_channel \
+   torture_config \
+   torture_crypto \
+   torture_hashes \
+   torture_init \
+   torture_isipaddr \
+   torture_keyfiles \
+   torture_knownhosts_parsing \
+   torture_list \
+   torture_misc \
+   torture_moduli \
+   torture_options \
+   torture_packet \
+   torture_packet_filter \
+   torture_pki \
+   torture_pki_ecdsa \
+   torture_pki_ed25519 \
+   torture_pki_rsa \
+   torture_push_pop_dir \
+   torture_rand \
+   torture_session_keys \
+   torture_temp_dir \
+   torture_temp_file \
+   torture_threads_buffer \
+   torture_threads_crypto \
+   torture_threads_init \
+   torture_threads_pki_rsa \
+   torture_tokens \
+ "
+
+ptestdir=$(dirname "$(readlink -f "$0")")
+cd "$ptestdir"/tests || exit
+
+# Run specified tests
+for f in $tests
+do
+if test -e ./"$f"; then
+if ./"$f" > ./"$f".out 2> ./"$f".err; then
+echo "PASS: $f"
+else
+echo "FAIL: $f"
+fi
+else
+echo "SKIP: $f"
+fi
+done
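
Review bot: on a FAIL the script prints only the test name, while the cmocka output explaining the failure stays in `./"$f".err` in the tests directory and never reaches the ptest log; adding `cat ./"$f".err` in the else branch would make failures diagnosable from the ptest-runner output alone. The hardcoded `tests=` list also has to be kept in sync by hand with what do_install_ptest copies (torture_*), and a stale entry only shows up as SKIP; discovering the installed binaries with a glob would be less fragile.
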
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.4.bb 
b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb
index 3a57a728a..801644d95 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.10.4.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb
@@ -6,16 +6,20 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0"
 
 

[OE-core][kirkstone][PATCH 3/4] libssh: Fix build with clang16

2023-12-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Signed-off-by: Khem Raj 

Ref: 
https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut=9323b287ef588f41c13f3520de85eb198f6eaf83

Signed-off-by: Vijay Anusuri 
---
 ...prototype-of-des3_encrypt-des3_decry.patch | 46 +++
 .../recipes-support/libssh/libssh_0.10.4.bb   |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 
meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch

diff --git 
a/meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch
 
b/meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch
new file mode 100644
index 0..19775fa52
--- /dev/null
+++ 
b/meta-oe/recipes-support/libssh/libssh/0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch
@@ -0,0 +1,46 @@
+From 0cade4573334571055127a2d4fe3641e2397948d Mon Sep 17 00:00:00 2001
+From: Khem Raj 
+Date: Mon, 20 Mar 2023 21:59:19 -0700
+Subject: [PATCH] libgcrypt.c: Fix prototype of des3_encrypt/des3_decrypt
+
+This is to match the prototype for callback functions which are now emitted as
+errors by clang16
+
+Fixes
+
+TOPDIR/build/tmp/work/cortexa15t2hf-neon-yoe-linux-gnueabi/libssh/0.10.4-r0/git/src/libgcrypt.c:903:20:
 error: incompatible function pointer types initializing 'void (*)(struct 
ssh_cipher_struct *, void *, void *, size_t)' (aka 'void (*)(struct 
ssh_cipher_struct *, void *, void *, unsigned int)') with an expression of type 
'void (struct ssh_cipher_struct *, void *, void *, unsigned long)' 
[-Wincompatible-function-pointer-types]
+.encrypt = des3_encrypt,
+   ^~~~
+TOPDIR/build/tmp/work/cortexa15t2hf-neon-yoe-linux-gnueabi/libssh/0.10.4-r0/git/src/libgcrypt.c:904:20:
 error: incompatible function pointer types initializing 'void (*)(struct 
ssh_cipher_struct *, void *, void *, size_t)' (aka 'void (*)(struct 
ssh_cipher_struct *, void *, void *, unsigned int)') with an expression of type 
'void (struct ssh_cipher_struct *, void *, void *, unsigned long)' 
[-Wincompatible-function-pointer-types]
+.decrypt = des3_decrypt
+   ^~~~
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj 
+---
+ src/libgcrypt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libgcrypt.c b/src/libgcrypt.c
+index da5588ad..e482b654 100644
+--- a/src/libgcrypt.c
 b/src/libgcrypt.c
+@@ -469,12 +469,12 @@ static int des3_set_key(struct ssh_cipher_struct 
*cipher, void *key, void *IV) {
+ }
+ 
+ static void des3_encrypt(struct ssh_cipher_struct *cipher, void *in,
+-void *out, unsigned long len) {
++void *out, size_t len) {
+   gcry_cipher_encrypt(cipher->key[0], out, len, in, len);
+ }
+ 
+ static void des3_decrypt(struct ssh_cipher_struct *cipher, void *in,
+-void *out, unsigned long len) {
++void *out, size_t len) {
+   gcry_cipher_decrypt(cipher->key[0], out, len, in, len);
+ }
+ 
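
Review bot: Upstream-Status: Pending means this patch is carried on every libssh bump, yet the change is a plain prototype correction that applies on every target where size_t is not unsigned long (the clang error quoted in the header shows the 32-bit case, where size_t is unsigned int); please submit it to libssh and record the link, or mark it Submitted. The hunk itself is right: `size_t len` now matches the `void (*)(struct ssh_cipher_struct *, void *, void *, size_t)` callback type quoted in the error, and gcry_cipher_encrypt()/gcry_cipher_decrypt() take size_t lengths, so no implicit conversion is introduced.
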
+-- 
+2.40.0
+
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.4.bb 
b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb
index 801644d95..4b2ced5e5 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.10.4.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb
@@ -8,6 +8,7 @@ DEPENDS = "zlib openssl"
 
 SRC_URI = 
"git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.10 \

file://0001-tests-CMakeLists.txt-do-not-search-ssh-sshd-commands.patch \
+   
file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \
file://run-ptest \
   "
 SRCREV = "e8322817a9e5aaef0698d779ddd467a209a85d85"
-- 
2.25.1





[OE-core][kirkstone][PATCH 4/4] libssh: upgrade 0.10.4 -> 0.10.5

2023-12-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Changelog:
https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.10.5

* Generate cases list dynamically in run-ptest.
* Install missing file to fix ptest failure.

Signed-off-by: Yi Zhao 

Ref: 
https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut=b0833f1f3ec78f16a79d9ff66cdd19da93496018

Signed-off-by: Vijay Anusuri 
---
 .../recipes-support/libssh/libssh/run-ptest   | 42 ++-
 .../{libssh_0.10.4.bb => libssh_0.10.5.bb}|  5 ++-
 2 files changed, 7 insertions(+), 40 deletions(-)
 rename meta-oe/recipes-support/libssh/{libssh_0.10.4.bb => libssh_0.10.5.bb} 
(85%)

diff --git a/meta-oe/recipes-support/libssh/libssh/run-ptest 
b/meta-oe/recipes-support/libssh/libssh/run-ptest
index 159994e9b..6346b72d5 100644
--- a/meta-oe/recipes-support/libssh/libssh/run-ptest
+++ b/meta-oe/recipes-support/libssh/libssh/run-ptest
@@ -1,53 +1,17 @@
 #!/bin/sh
 
-# Valid tests to run
-tests="torture_bind_config \
-   torture_buffer \
-   torture_bytearray \
-   torture_callbacks \
-   torture_channel \
-   torture_config \
-   torture_crypto \
-   torture_hashes \
-   torture_init \
-   torture_isipaddr \
-   torture_keyfiles \
-   torture_knownhosts_parsing \
-   torture_list \
-   torture_misc \
-   torture_moduli \
-   torture_options \
-   torture_packet \
-   torture_packet_filter \
-   torture_pki \
-   torture_pki_ecdsa \
-   torture_pki_ed25519 \
-   torture_pki_rsa \
-   torture_push_pop_dir \
-   torture_rand \
-   torture_session_keys \
-   torture_temp_dir \
-   torture_temp_file \
-   torture_threads_buffer \
-   torture_threads_crypto \
-   torture_threads_init \
-   torture_threads_pki_rsa \
-   torture_tokens \
- "
-
 ptestdir=$(dirname "$(readlink -f "$0")")
 cd "$ptestdir"/tests || exit
 
-# Run specified tests
+tests=$(find * -type f -name 'torture_*')
+
 for f in $tests
 do
-if test -e ./"$f"; then
+if test -x ./"$f"; then
 if ./"$f" > ./"$f".out 2> ./"$f".err; then
 echo "PASS: $f"
 else
 echo "FAIL: $f"
 fi
-else
-echo "SKIP: $f"
 fi
 done
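
Review bot: `find * -type f -name 'torture_*'` returns entries in directory order, so the PASS/FAIL lines come out in a different order on different filesystems and make ptest logs hard to diff; piping through `sort` fixes that. The `find *` result also relies on word splitting, which is fine for names like torture_pki but breaks on any path containing whitespace; `find . -type f -name 'torture_*' | sort` is the usual idiom. Dropping the SKIP branch is reasonable now that the list is discovered rather than declared.
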
diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.4.bb 
b/meta-oe/recipes-support/libssh/libssh_0.10.5.bb
similarity index 85%
rename from meta-oe/recipes-support/libssh/libssh_0.10.4.bb
rename to meta-oe/recipes-support/libssh/libssh_0.10.5.bb
index 4b2ced5e5..f33987acf 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.10.4.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.5.bb
@@ -11,7 +11,7 @@ SRC_URI = 
"git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable

file://0001-libgcrypt.c-Fix-prototype-of-des3_encrypt-des3_decry.patch \
file://run-ptest \
   "
-SRCREV = "e8322817a9e5aaef0698d779ddd467a209a85d85"
+SRCREV = "479eca1346b43e68c52186e3783f06ae6f34"
 
 S = "${WORKDIR}/git"
 
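
Review bot: the new `SRCREV = "479eca1346b43e68c52186e3783f06ae6f34"` is 36 hex characters, not a full 40-character commit id like the value it replaces; please verify it against the libssh-0.10.5 tag linked in the commit message and use the complete hash, since an abbreviated revision is not a stable identifier and the fetcher cannot pin it reliably.
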
@@ -34,12 +34,15 @@ EXTRA_OECMAKE = " \
 do_compile:prepend () {
 if [ ${PTEST_ENABLED} = "1" ]; then
 sed -i -e 's|${B}|${PTEST_PATH}|g' ${B}/config.h
+sed -i -e 's|${S}|${PTEST_PATH}|g' ${B}/config.h
 fi
 }
 
 do_install_ptest () {
 install -d ${D}${PTEST_PATH}/tests
 cp -f ${B}/tests/unittests/torture_* ${D}${PTEST_PATH}/tests/
+install -d ${D}${PTEST_PATH}/tests/unittests
+cp -f ${S}/tests/unittests/hello*.sh ${D}${PTEST_PATH}/tests/unittests/
 }
 
 BBCLASSEXTEND = "native nativesdk"
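
Review bot: `cp -f ${S}/tests/unittests/hello*.sh` keeps whatever mode the files have in the source tree; if the tests execute them, `install -m 0755 ${S}/tests/unittests/hello*.sh ${D}${PTEST_PATH}/tests/unittests/` makes the exec bit explicit. The added `sed` rewriting `${S}` paths in config.h is what lets those scripts be found under PTEST_PATH, and the commit message's 'Install missing file' does not say which file or why; a sentence naming the scripts would help the next bump.
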
-- 
2.25.1





[OE-core][kirkstone][PATCH 1/4] libssh: upgrade 0.8.9 -> 0.10.4

2023-12-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

ChangeLog:
https://git.libssh.org/projects/libssh.git/tree/CHANGELOG?h=libssh-0.10.4

Drop CVE-2020-16135.patch

Ref: 
https://git.openembedded.org/meta-openembedded-contrib/commit/?h=stable/nanbield-nut=4b7e4341327e867208bfc3d8ba1954af66641e60

Signed-off-by: Vijay Anusuri 
---
 .../libssh/libssh/CVE-2020-16135.patch| 44 ---
 .../{libssh_0.8.9.bb => libssh_0.10.4.bb} | 16 ++-
 2 files changed, 3 insertions(+), 57 deletions(-)
 delete mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch
 rename meta-oe/recipes-support/libssh/{libssh_0.8.9.bb => libssh_0.10.4.bb} 
(62%)

diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch 
b/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch
deleted file mode 100644
index 63b78688d..0
--- a/meta-oe/recipes-support/libssh/libssh/CVE-2020-16135.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 0a9268a60f2d3748ca69bde5651f20e72761058c Mon Sep 17 00:00:00 2001
-From: Andreas Schneider 
-Date: Wed, 3 Jun 2020 10:04:09 +0200
-Subject: CVE-2020-16135: Add missing NULL check for ssh_buffer_new()
-
-Add a missing NULL check for the pointer returned by ssh_buffer_new() in
-sftpserver.c.
-
-Thanks to Ramin Farajpour Cami for spotting this.
-
-Fixes T232
-
-Signed-off-by: Andreas Schneider 
-Reviewed-by: Anderson Toshiyuki Sasaki 
-Reviewed-by: Jakub Jelen 
-(cherry picked from commit 533d881b0f4b24c72b35ecc97fa35d295d063e53)
-
-Upstream-Status: Backport 
[https://git.libssh.org/projects/libssh.git/patch/?id=0a9268a60f2d3748ca69bde5651f20e72761058c]
-CVE: CVE-2020-16135
-Signed-off-by: Hitendra Prajapati 

- src/sftpserver.c | 6 ++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/sftpserver.c b/src/sftpserver.c
-index 1717aa417..1af8a0e76 100644
 a/src/sftpserver.c
-+++ b/src/sftpserver.c
-@@ -64,6 +64,12 @@ sftp_client_message sftp_get_client_message(sftp_session 
sftp) {
- 
-   /* take a copy of the whole packet */
-   msg->complete_message = ssh_buffer_new();
-+  if (msg->complete_message == NULL) {
-+  ssh_set_error_oom(session);
-+  sftp_client_message_free(msg);
-+  return NULL;
-+  }
-+
-   ssh_buffer_add_data(msg->complete_message,
-   ssh_buffer_get(payload),
-   ssh_buffer_get_len(payload));
--- 
-2.25.1
-
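
Review bot: the commit message says only 'Drop CVE-2020-16135.patch' without saying why that is safe; it should state that the upstream fix, which the deleted patch header identifies as a cherry-pick of commit 533d881b0f4b24c72b35ecc97fa35d295d063e53, is already contained in the 0.10.4 sources being fetched, so that cve-check continues to report the CVE as addressed by version rather than by the patch's CVE: tag. That is easy to verify with git against the new SRCREV and worth recording.
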
diff --git a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb 
b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb
similarity index 62%
rename from meta-oe/recipes-support/libssh/libssh_0.8.9.bb
rename to meta-oe/recipes-support/libssh/libssh_0.10.4.bb
index 061f13912..3a57a728a 100644
--- a/meta-oe/recipes-support/libssh/libssh_0.8.9.bb
+++ b/meta-oe/recipes-support/libssh/libssh_0.10.4.bb
@@ -6,10 +6,8 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=dabb4958b830e5df11d2b0ed8ea255a0"
 
 DEPENDS = "zlib openssl"
 
-SRC_URI = 
"git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.8 \
-   file://CVE-2020-16135.patch \
-  "
-SRCREV = "04685a74df9ce1db1bc116a83a0da78b4f4fa1f8"
+SRC_URI = 
"git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable-0.10"
+SRCREV = "e8322817a9e5aaef0698d779ddd467a209a85d85"
 
 S = "${WORKDIR}/git"
 
@@ -25,15 +23,7 @@ EXTRA_OECMAKE = " \
 -DWITH_PCAP=1 \
 -DWITH_SFTP=1 \
 -DWITH_ZLIB=1 \
--DLIB_SUFFIX=${@d.getVar('baselib').replace('lib', '')} \
+-DWITH_EXAMPLES=0 \
 "
 
-do_configure:prepend () {
-# Disable building of examples
-sed -i -e '/add_subdirectory(examples)/s/^/#DONOTWANT/' 
${S}/CMakeLists.txt \
-|| bbfatal "Failed to disable examples"
-}
-
-TOOLCHAIN = "gcc"
-
 BBCLASSEXTEND = "native nativesdk"
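
Review bot: this hunk drops two settings the commit message does not mention: `-DLIB_SUFFIX=${@d.getVar('baselib').replace('lib', '')}` and `TOOLCHAIN = "gcc"`. Removing LIB_SUFFIX changes where the library installs on multilib/lib64 configurations, and removing the gcc pin re-enables clang builds, which is exactly what patch 3/4 of this series then has to fix; both are presumably intended because they come from the referenced nanbield-nut commit, but each deserves a sentence in the commit message. Replacing the do_configure:prepend sed hack with `-DWITH_EXAMPLES=0` is the cleaner form and needs no comment.
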
-- 
2.25.1





[OE-core][kirkstone][PATCH] ghostscript: Backport fix for CVE-2023-46751

2023-12-12 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport 
[https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5d2da96e81c7455338302c71a291088a8396245a]

Signed-off-by: Vijay Anusuri 
---
 .../ghostscript/CVE-2023-46751.patch  | 41 +++
 .../ghostscript/ghostscript_9.55.0.bb |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46751.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46751.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46751.patch
new file mode 100644
index 00..6fe5590892
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46751.patch
@@ -0,0 +1,41 @@
+From 5d2da96e81c7455338302c71a291088a8396245a Mon Sep 17 00:00:00 2001
+From: Chris Liddell 
+Date: Mon, 16 Oct 2023 16:49:40 +0100
+Subject: [PATCH] Bug 707264: Fix tiffsep(1) requirement for seekable output
+ files
+
+In the device initialization redesign, tiffsep and tiffsep1 lost the 
requirement
+for the output files to be seekable.
+
+Fixing that highlighted a problem with the error handling in
+gdev_prn_open_printer_seekable() where closing the erroring file would leave a
+dangling pointer, and lead to a crash.
+
+Upstream-Status: Backport 
[https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5d2da96e81c7455338302c71a291088a8396245a]
+CVE: CVE-2023-46751
+Signed-off-by: Vijay Anusuri 
+---
+ base/gdevprn.c | 1 +
+ devices/gdevtsep.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/base/gdevprn.c
 b/base/gdevprn.c
+@@ -1251,6 +1251,7 @@ gdev_prn_open_printer_seekable(gx_device
+   && !IS_LIBCTX_STDERR(pdev->memory, gp_get_file(ppdev->file))) {
+ 
+ code = gx_device_close_output_file(pdev, ppdev->fname, 
ppdev->file);
++ppdev->file = NULL;
+ if (code < 0)
+ return code;
+ }
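
Review bot: placing `ppdev->file = NULL;` before the `if (code < 0) return code;` is the right order, because the early error return is exactly the path that left the dangling pointer described in the commit message; when this patch is refreshed against a newer gdevprn.c, make sure the line is not moved below the check.
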
+--- a/devices/gdevtsep.c
 b/devices/gdevtsep.c
+@@ -738,6 +738,7 @@ tiffsep_initialize_device_procs(gx_devic
+ {
+ gdev_prn_initialize_device_procs(dev);
+ 
++set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
+ set_dev_proc(dev, open_device, tiffsep_prn_open);
+ set_dev_proc(dev, close_device, tiffsep_prn_close);
+ set_dev_proc(dev, map_color_rgb, tiffsep_decode_color);
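
Review bot: the commit message says both tiffsep and tiffsep1 lost the seekable-output requirement, but this hunk only adds `set_dev_proc(dev, output_page, gdev_prn_output_page_seekable)` in tiffsep_initialize_device_procs(); if tiffsep1 initialises its procs separately, it needs the same line, so please confirm it inherits from this function or the backport is incomplete for tiffsep1.
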
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 7f4050755c..e0d1e4618f 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -42,6 +42,7 @@ SRC_URI_BASE = 
"https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 file://CVE-2023-36664-0002.patch \
 file://CVE-2023-38559.patch \
 file://CVE-2023-43115.patch \
+file://CVE-2023-46751.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.25.1





[OE-core][master][PATCH] avahi: backport CVE-2023-1981 & CVE's follow-up patches

2023-12-12 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patches from ubuntu to fix
 CVE-2023-1981
 CVE-2023-38469-2
 CVE-2023-38470-2
 CVE-2023-38471-2

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f
&
https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
&
https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
&
https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460]

Ref: 
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/nanbield-nut=a9203c46cd64c3ec5e5b00e381bbac85733f85df

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-connectivity/avahi/avahi_0.8.bb  | 10 ++-
 .../avahi/files/CVE-2023-1981.patch   | 58 +
 ...023-38469.patch => CVE-2023-38469-1.patch} |  0
 .../avahi/files/CVE-2023-38469-2.patch| 65 +++
 ...023-38470.patch => CVE-2023-38470-1.patch} |  0
 .../avahi/files/CVE-2023-38470-2.patch| 52 +++
 ...023-38471.patch => CVE-2023-38471-1.patch} |  0
 .../avahi/files/CVE-2023-38471-2.patch| 52 +++
 .../avahi/files/CVE-2023-38472.patch  | 44 ++---
 9 files changed, 256 insertions(+), 25 deletions(-)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
 rename meta/recipes-connectivity/avahi/files/{CVE-2023-38469.patch => 
CVE-2023-38469-1.patch} (100%)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
 rename meta/recipes-connectivity/avahi/files/{CVE-2023-38470.patch => 
CVE-2023-38470-1.patch} (100%)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
 rename meta/recipes-connectivity/avahi/files/{CVE-2023-38471.patch => 
CVE-2023-38471-1.patch} (100%)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb 
b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 7295c4e05b..1f18d4491d 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -26,9 +26,13 @@ SRC_URI = 
"${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
file://handle-hup.patch \
file://local-ping.patch \
file://invalid-service.patch \
-   file://CVE-2023-38469.patch \
-   file://CVE-2023-38470.patch \
-   file://CVE-2023-38471.patch \
+   file://CVE-2023-1981.patch \
+   file://CVE-2023-38469-1.patch \
+   file://CVE-2023-38469-2.patch \
+   file://CVE-2023-38470-1.patch \
+   file://CVE-2023-38470-2.patch \
+   file://CVE-2023-38471-1.patch \
+   file://CVE-2023-38471-2.patch \
file://CVE-2023-38472.patch \
file://CVE-2023-38473.patch \
"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch 
b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
new file mode 100644
index 00..4d7924d13a
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,58 @@
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= 
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/jammy-security
+Upstream commit 
https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri 
+---
+ avahi-daemon/dbus-protocol.c | 20 ++--
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
+index 70d7687bc..406d0b441 100644
+--- a/avahi-daemon/dbus-protocol.c
 b/avahi-daemon/dbus-protocol.c
+@@ -375,10 +375,14 @@ static DBusHandlerResult 
dbus_get_alternative_host_name(DBusConnection *c, DBusM
+ }
+ 
+ t = avahi_alternative_host_name(n);
+-avahi_dbus_respond_string(c, m, t);
+-avahi_free(t);
++if (t) {
++avahi_dbus_respond_string(c, m, t);
++avahi_free(t);
+ 
+-return DBUS_HANDLER_RESULT_HANDLED;
++return DBUS_HANDLER_RESULT_HANDLED;
++} else {
++return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname 
not found");
++}
+ }
+ 
+ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, 
DBusMessage *m, DBusError *error) {
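Review bot: the `else` branch returns `avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found")` without touching `t`, which is correct since `t` is NULL on that path, and `avahi_free(t)` stays inside the `if (t)` block. Several lines of this embedded patch are soft-wrapped by the mail client (the `@@ -375,10 +375,14 @@` header and the string literal split at `"Hostname` / `not found"`); confirm the committed file is unwrapped, or `git am` will reject the hunk.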
+@@ -389,10 +393,14 @@ static DBusHandlerResult 
dbus_get_alternative_service_name(DBusConnection *c, DB
+  

[OE-core][dunfell][PATCH] go: Fix CVE-2023-39326

2023-12-26 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from
the network than are in the body. A malicious HTTP client can further
exploit this to cause a server to automatically read a large amount
of data (up to about 1GiB) when a handler fails to read the entire
body of a request. Chunk extensions are a little-used HTTP feature
which permit including additional metadata in a request or response
body sent using the chunked encoding. The net/http chunked encoding
reader discards this metadata. A sender can exploit this by inserting
a large metadata segment with each byte transferred. The chunk reader
now produces an error if the ratio of real body to encoded bytes grows
too small.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39326
https://security-tracker.debian.org/tracker/CVE-2023-39326

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/go/go-1.14.inc  |   1 +
 .../go/go-1.14/CVE-2023-39326.patch   | 181 ++
 2 files changed, 182 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-39326.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 091b778de8..b827a3606d 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -82,6 +82,7 @@ SRC_URI += "\
 file://CVE-2023-24536_3.patch \
 file://CVE-2023-39318.patch \
 file://CVE-2023-39319.patch \
+file://CVE-2023-39326.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
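Review bot: the patch added here is a cherry-pick from `release-branch.go1.20` onto go 1.14, and its diffstat touches `src/net/http/internal/chunked_test.go` as well as `chunked.go`; run the `net/http/internal` tests under the 1.14 toolchain so the 59 added test lines are known to compile there, and say in the commit message whether any context had to be adjusted for the backport.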
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-39326.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2023-39326.patch
new file mode 100644
index 00..998af361e8
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-39326.patch
@@ -0,0 +1,181 @@
+From 6446af942e2e2b161c4ec1b60d9703a2b55dc4dd Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Tue, 7 Nov 2023 10:47:56 -0800
+Subject: [PATCH] [release-branch.go1.20] net/http: limit chunked data overhead
+
+The chunked transfer encoding adds some overhead to
+the content transferred. When writing one byte per
+chunk, for example, there are five bytes of overhead
+per byte of data transferred: "1\r\nX\r\n" to send "X".
+
+Chunks may include "chunk extensions",
+which we skip over and do not use.
+For example: "1;chunk extension here\r\nX\r\n".
+
+A malicious sender can use chunk extensions to add
+about 4k of overhead per byte of data.
+(The maximum chunk header line size we will accept.)
+
+Track the amount of overhead read in chunked data,
+and produce an error if it seems excessive.
+
+Updates #64433
+Fixes #64434
+Fixes CVE-2023-39326
+
+Change-Id: I40f8d70eb6f9575fb43f506eb19132ccedafcf39
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2076135
+Reviewed-by: Tatiana Bradley 
+Reviewed-by: Roland Shoemaker 
+(cherry picked from commit 3473ae72ee66c60744665a24b2fde143e8964d4f)
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2095407
+Run-TryBot: Roland Shoemaker 
+TryBot-Result: Security TryBots 

+Reviewed-by: Damien Neil 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/547355
+Reviewed-by: Dmitri Shuralyov 
+LUCI-TryBot-Result: Go LUCI 

+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd]
+CVE: CVE-2023-39326
+Signed-off-by: Vijay Anusuri 
+---
+ src/net/http/internal/chunked.go  | 36 +---
+ src/net/http/internal/chunked_test.go | 59 +++
+ 2 files changed, 89 insertions(+), 6 deletions(-)
+
+diff --git a/src/net/http/internal/chunked.go 
b/src/net/http/internal/chunked.go
+index f06e572..ddbaacb 100644
+--- a/src/net/http/internal/chunked.go
 b/src/net/http/internal/chunked.go
+@@ -39,7 +39,8 @@ type chunkedReader struct {
+   nuint64 // unread bytes in chunk
+   err  error
+   buf  [2]byte
+-  checkEnd bool // whether need to check for \r\n chunk footer
++  checkEnd bool  // whether need to check for \r\n chunk footer
++  excess   int64 // "excessive" chunk overhead, for malicious sender 
detection
+ }
+ 
+ func (cr *chunkedReader) beginChunk() {
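Review bot: `excess` is declared `int64` while `n` (unread bytes in the chunk) is `uint64`, so any arithmetic between them in the following hunk needs an explicit conversion; watch for a signed/unsigned mix when verifying the backport. The new field's comment is mail-wrapped (`// "excessive" chunk overhead, for malicious sender` / `detection`), so make sure the file in the tree is intact.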
+@@ -49,10 +50,38 @@ func (cr *chunkedReader) beginChunk() {
+   if cr.err != nil {
+   return
+   }
++  cr.excess += int64(len(line)) + 2 // header, plus \r\n after the chunk 
data
++  line = trimTrailingWhitespace(line)
++  line, cr.err = removeChunkExtension(line)
++  if cr.err != nil {
++  return
++  }
+   cr.n, cr.err = parseHexUint(line)
+   if cr.err != nil {
+   return
+   }
++  // A sender who sends one byte per chunk will send 5 bytes of overhead
++  // for every byte of data. ("1\r\nX\r\n" to send "X".)
++  // We want to allow this, since streaming a byte at a 
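Review bot: `cr.excess += int64(len(line)) + 2` only counts chunk-extension bytes if `line` still contains the extension at that point, which is why `trimTrailingWhitespace` and `removeChunkExtension` are now invoked here in `beginChunk`. The rest of this hunk is cut off in the archive; confirm that the committed patch also removes the equivalent calls from `readChunkLine` (the diffstat's 6 deletions leave room for exactly that), because if `readChunkLine` keeps stripping the extension first, the overhead accounting never sees it and the fix is a no-op.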

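The chunk-extension overhead the cover letter describes, as an added example that is not part of this patch or of Go's net/http: a small chunked-body decoder that gives every data byte a framing budget and fails once the cumulative framing bytes (size lines, extensions, CRLFs) exceed it. The budget constants, the sample bodies and the `decode` helper are this example's own assumptions, not Go's exact thresholds.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Budget constants are this example's own assumptions, not Go's numbers:
// each data byte earns maxOverheadPerByte bytes of framing, and
// fixedAllowance covers the framing a short body cannot avoid ("0\r\n\r\n").
const (
	maxOverheadPerByte int64 = 4
	fixedAllowance     int64 = 64
	maxLineLen               = 4096 // longest chunk-size line accepted
)

var errTooMuchOverhead = errors.New("chunked encoding contains too much non-data")

// readChunkedBody decodes a chunked body and returns its data, failing as
// soon as the framing bytes seen so far exceed the budget earned by the data
// bytes already read plus the chunk currently being announced.
func readChunkedBody(r io.Reader) ([]byte, error) {
	br := bufio.NewReader(r)
	var data bytes.Buffer
	var overhead int64
	for {
		line, err := br.ReadString('\n')
		if err != nil {
			return nil, err
		}
		if len(line) > maxLineLen {
			return nil, errors.New("chunk size line too long")
		}
		// The whole line counts, extension included, plus the CRLF that
		// will follow the chunk data.
		overhead += int64(len(line)) + 2
		sizeField, _, _ := strings.Cut(strings.TrimRight(line, "\r\n"), ";")
		size, err := strconv.ParseUint(strings.TrimSpace(sizeField), 16, 32)
		if err != nil {
			return nil, fmt.Errorf("bad chunk size %q: %w", sizeField, err)
		}
		if overhead > fixedAllowance+maxOverheadPerByte*(int64(data.Len())+int64(size)) {
			return nil, errTooMuchOverhead
		}
		if size == 0 {
			// last-chunk; this example assumes an empty trailer, so the
			// next line is the terminating CRLF.
			if _, err := br.ReadString('\n'); err != nil {
				return nil, err
			}
			return data.Bytes(), nil
		}
		if _, err := io.CopyN(&data, br, int64(size)); err != nil {
			return nil, err
		}
		var crlf [2]byte
		if _, err := io.ReadFull(br, crlf[:]); err != nil || string(crlf[:]) != "\r\n" {
			return nil, errors.New("missing CRLF after chunk data")
		}
	}
}

// decode is a convenience wrapper for in-memory bodies.
func decode(body string) ([]byte, error) {
	return readChunkedBody(strings.NewReader(body))
}

// Constructed sample bodies for this example.
// legitBody streams "Hello" one byte per chunk: 5 framing bytes per data
// byte, which the budget permits.
const legitBody = "1\r\nH\r\n1\r\ne\r\n1\r\nl\r\n1\r\nl\r\n1\r\no\r\n0\r\n\r\n"

// bloatedBody sends the same "Hello" but pads every chunk-size line with a
// 40-byte extension, the pattern the CVE-2023-39326 description refers to;
// the budget is exhausted on the second chunk.
var bloatedBody = strings.Repeat("1;"+strings.Repeat("x", 40)+"\r\nH\r\n", 5) + "0\r\n\r\n"

func main() {
	for name, body := range map[string]string{"legit": legitBody, "bloated": bloatedBody} {
		got, err := decode(body)
		fmt.Printf("%-8s encoded=%d bytes data=%q err=%v\n", name, len(body), got, err)
	}
}
```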
[OE-core][dunfell][PATCH] qemu: Fix CVE-2023-5088

2023-12-28 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

A bug in QEMU could cause a guest I/O operation otherwise
addressed to an arbitrary disk offset to be targeted to
offset 0 instead (potentially overwriting the VM's boot code).

This change is to fix CVE-2023-5088.

Link: 
https://gitlab.com/qemu-project/qemu/-/commit/7d7512019fc40c577e2bdd61f114f31a9eb84a8e

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/qemu/qemu.inc   |   1 +
 .../qemu/qemu/CVE-2023-5088.patch | 114 ++
 2 files changed, 115 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 9dd90e8789..4f856c749e 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -141,6 +141,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2023-3354.patch \
   file://CVE-2023-3180.patch \
file://CVE-2020-24165.patch \
+   file://CVE-2023-5088.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
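Review bot: the embedded patch header shown below reproduces the upstream commit message, but the archive cuts it off before any `CVE:` or `Upstream-Status:` tag; cve-check only marks CVE-2023-5088 as patched if the file carries `CVE: CVE-2023-5088`, so confirm both tags are present in the committed patch (the cover letter's `Link:` gives the upstream commit to cite).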
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch
new file mode 100644
index 00..db02210fa4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch
@@ -0,0 +1,114 @@
+From 7d7512019fc40c577e2bdd61f114f31a9eb84a8e Mon Sep 17 00:00:00 2001
+From: Fiona Ebner 
+Date: Wed, 6 Sep 2023 15:09:21 +0200
+Subject: [PATCH] hw/ide: reset: cancel async DMA operation before resetting
+ state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If there is a pending DMA operation during ide_bus_reset(), the fact
+that the IDEState is already reset before the operation is canceled
+can be problematic. In particular, ide_dma_cb() might be called and
+then use the reset IDEState which contains the signature after the
+reset. When used to construct the IO operation this leads to
+ide_get_sector() returning 0 and nsector being 1. This is particularly
+bad, because a write command will thus destroy the first sector which
+often contains a partition table or similar.
+
+Traces showing the unsolicited write happening with IDEState
+0x5595af6949d0 being used after reset:
+
+> ahci_port_write ahci(0x5595af6923f0)[0]: port write [reg:PxSCTL] @ 0x2c: 
0x0300
+> ahci_reset_port ahci(0x5595af6923f0)[0]: reset port
+> ide_reset IDEstate 0x5595af6949d0
+> ide_reset IDEstate 0x5595af694da8
+> ide_bus_reset_aio aio_cancel
+> dma_aio_cancel dbs=0x7f64600089a0
+> dma_blk_cb dbs=0x7f64600089a0 ret=0
+> dma_complete dbs=0x7f64600089a0 ret=0 cb=0x5595acd40b30
+> ahci_populate_sglist ahci(0x5595af6923f0)[0]
+> ahci_dma_prepare_buf ahci(0x5595af6923f0)[0]: prepare buf limit=512 
prepared=512
+> ide_dma_cb IDEState 0x5595af6949d0; sector_num=0 n=1 cmd=DMA WRITE
+> dma_blk_io dbs=0x7f6420802010 bs=0x5595ae2c6c30 offset=0 to_dev=1
+> dma_blk_cb dbs=0x7f6420802010 ret=0
+
+> (gdb) p *qiov
+> $11 = {iov = 0x7f647c76d840, niov = 1, {{nalloc = 1, local_iov = {iov_base = 
0x0,
+>   iov_len = 512}}, {__pad = 
"\001\000\000\000\000\000\000\000\000\000\000",
+>   size = 512}}}
+> (gdb) bt
+> #0  blk_aio_pwritev (blk=0x5595ae2c6c30, offset=0, qiov=0x7f6420802070, 
flags=0,
+> cb=0x5595ace6f0b0 , opaque=0x7f6420802010)
+> at ../block/block-backend.c:1682
+> #1  0x5595ace6f185 in dma_blk_cb (opaque=0x7f6420802010, ret=)
+> at ../softmmu/dma-helpers.c:179
+> #2  0x5595ace6f778 in dma_blk_io (ctx=0x5595ae0609f0,
+> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
+> io_func=io_func@entry=0x5595ace6ee30 ,
+> io_func_opaque=io_func_opaque@entry=0x5595ae2c6c30,
+> cb=0x5595acd40b30 , opaque=0x5595af6949d0,
+> dir=DMA_DIRECTION_TO_DEVICE) at ../softmmu/dma-helpers.c:244
+> #3  0x5595ace6f90a in dma_blk_write (blk=0x5595ae2c6c30,
+> sg=sg@entry=0x5595af694d00, offset=offset@entry=0, align=align@entry=512,
+> cb=cb@entry=0x5595acd40b30 , 
opaque=opaque@entry=0x5595af6949d0)
+> at ../softmmu/dma-helpers.c:280
+> #4  0x5595acd40e18 in ide_dma_cb (opaque=0x5595af6949d0, ret=)
+> at ../hw/ide/core.c:953
+> #5  0x5595ace6f319 in dma_complete (ret=0, dbs=0x7f64600089a0)
+> at ../softmmu/dma-helpers.c:107
+> #6  dma_blk_cb (opaque=0x7f64600089a0, ret=0) at ../softmmu/dma-helpers.c:127
+> #7  0x5595ad12227d in blk_aio_complete (acb=0x7f6460005b10)
+> at ../block/block-backend.c:1527
+> #8  blk_aio_complete (acb=0x7f6460005b10) at ../block/block-backend.c:1524
+> #9  blk_aio_write_entry (opaque=0x7f6460005b10) at 
../block/block-backend.c:1594
+> #10 0x5595ad258cfb in coroutine_trampoline (i0=,
+> i1=) at ../util/coroutine-ucontext.c:177
+
+Signed-off-by: Fiona Ebner 
+Reviewed-by: Philippe Mathieu-Daudé 
+Tested-by: simon.r...@nutanix.com
+Message-ID: <20230906130922.142845-1-f.eb...@proxmox.com>
+Signed-off-by: 

[OE-core][kirkstone][PATCH] gnutls: Backport fix for CVE-2023-5981

2023-12-11 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport [import from debian 
https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.7.3-4ubuntu1.3/gnutls28_3.7.3-4ubuntu1.3.debian.tar.xz
Upstream-Commit: 
https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]

References:
https://ubuntu.com/security/CVE-2023-5981

Signed-off-by: Vijay Anusuri 
---
 .../gnutls/gnutls/CVE-2023-5981.patch | 206 ++
 meta/recipes-support/gnutls/gnutls_3.7.4.bb   |   1 +
 2 files changed, 207 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch 
b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
new file mode 100644
index 00..33e498b8e5
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
@@ -0,0 +1,206 @@
+Backport of:
+
+From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno 
+Date: Mon, 23 Oct 2023 09:26:57 +0900
+Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
+
+This removes branching that depends on secret data, porting changes
+for regular RSA key exchange from
+4804febddc2ed958e5ae774de2a8f85edeeff538 and
+80a6ce8ddb02477cd724cd5b2944791aaddb702a.  This also removes the
+allow_wrong_pms as it was used sorely to control debug output
+depending on the branching.
+
+Signed-off-by: Daiki Ueno 
+
+Upstream-Status: Backport [import from debian 
https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.7.3-4ubuntu1.3/gnutls28_3.7.3-4ubuntu1.3.debian.tar.xz
+Upstream-Commit: 
https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
+CVE: CVE-2023-5981
+Signed-off-by: Vijay Anusuri 
+---
+ lib/auth/rsa.c |  2 +-
+ lib/auth/rsa_psk.c | 90 ++
+ lib/gnutls_int.h   |  4 ---
+ lib/priority.c |  1 -
+ 4 files changed, 35 insertions(+), 62 deletions(-)
+
+--- a/lib/auth/rsa.c
 b/lib/auth/rsa.c
+@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t sess
+session->key.key.size);
+   /* After this point, any conditional on failure that cause differences
+* in execution may create a timing or cache access pattern side
+-   * channel that can be used as an oracle, so treat very carefully */
++   * channel that can be used as an oracle, so tread carefully */
+ 
+   /* Error handling logic:
+* In case decryption fails then don't inform the peer. Just use the
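Review bot: this hunk is comment-only (`treat very carefully` to `tread carefully`) and has no functional effect; carrying it is harmless, but if it fails to apply on the 3.7.4 tree it can be dropped from the backport without weakening the fix.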
+--- a/lib/auth/rsa_psk.c
 b/lib/auth/rsa_psk.c
+@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+ {
+   gnutls_datum_t username;
+   psk_auth_info_t info;
+-  gnutls_datum_t plaintext;
+   gnutls_datum_t ciphertext;
+   gnutls_datum_t pwd_psk = { NULL, 0 };
+   int ret, dsize;
+-  int randomize_key = 0;
+   ssize_t data_size = _data_size;
+   gnutls_psk_server_credentials_t cred;
+   gnutls_datum_t premaster_secret = { NULL, 0 };
++  volatile uint8_t ver_maj, ver_min;
+ 
+   cred = (gnutls_psk_server_credentials_t)
+   _gnutls_get_cred(session, GNUTLS_CRD_PSK);
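Review bot: the new `volatile uint8_t ver_maj, ver_min;` is load-bearing: the `volatile` qualifier is there to keep the compiler from folding the version-byte comparison back into a secret-dependent branch (the commit subject's "side-step potential side-channel"), so it must survive any adaptation of this backport. Removing `plaintext` and `randomize_key` here is what forces the decrypt outcome in the next hunk to be handled without the old early-exit path. Note the patch is in plain unified format (no `diff --git`/`index` lines), so `git am` applies it as a non-git diff; that works but gives no blob check.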
+@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+   }
+   ciphertext.size = dsize;
+ 
+-  ret =
+-  gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
+-  , );
+-  if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
+-  /* In case decryption fails then don't inform
+-   * the peer. Just use a random key. (in order to avoid
+-   * attack against pkcs-1 formatting).
+-   */
+-  gnutls_assert();
+-  _gnutls_debug_log
+-  ("auth_rsa_psk: Possible PKCS #1 format attack\n");
+-  if (ret >= 0) {
+-  gnutls_free(plaintext.data);
+-  }
+-  randomize_key = 1;
+-  } else {
+-  /* If the secret was properly formatted, then
+-   * check the version number.
+-   */
+-  if (_gnutls_get_adv_version_major(session) !=
+-  plaintext.data[0]
+-  || (session->internals.allow_wrong_pms == 0
+-  && _gnutls_get_adv_version_minor(session) !=
+-  plaintext.data[1])) {
+-  /* No error is returned here, if the version number 
check
+-   * fails. We proceed normally.
+-   * That is to defend against the attack described in 
the paper
+-   * "Attacking RSA-based sessions in SSL/TLS" by 
Vlastimil Klima,
+-   * Ondej Pokorny and Tomas Rosa.
+-   */
+-  gnutls_assert();
+-  _gnutls_debug_log
+-  ("auth_rsa: Possible PKCS #1 version check format 
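Review bot: the deleted block is the side channel itself: `_gnutls_debug_log("auth_rsa_psk: Possible PKCS #1 format attack\n")`, the `gnutls_free(plaintext.data)` on `ret >= 0` and the `randomize_key = 1` assignment all run only when decryption or the version check fails, so execution time depends on the decrypted PKCS#1 padding. The hunk is truncated in the archive; when reviewing the committed file, check that the replacement path does the same work regardless of the outcome and contains no failure-only log or early return. Also, the archive rendering dropped the two pointer arguments from `gnutls_privkey_decrypt_data(session->internals.selected_key, 0,` / `, );`; that is display loss, not a defect in the patch.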

[OE-core][kirkstone][PATCH] xserver-xorg: Fix for CVE-2023-6377 and CVE-2023-6478

2024-01-04 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
&
https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]

Signed-off-by: Vijay Anusuri 
---
 .../xserver-xorg/CVE-2023-6377.patch  | 79 +++
 .../xserver-xorg/CVE-2023-6478.patch  | 63 +++
 .../xorg-xserver/xserver-xorg_21.1.8.bb   |  2 +
 3 files changed, 144 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
new file mode 100644
index 00..0abd5914fa
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
@@ -0,0 +1,79 @@
+From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd]
+CVE: CVE-2023-6377
+Signed-off-by: Vijay Anusuri 
+---
+ Xi/exevents.c | 12 ++--
+ dix/devices.c | 10 ++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
 b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr 
to)
+ }
+ 
+ if (from->button->xkb_acts) {
+-if (!to->button->xkb_acts) {
+-to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+-if (!to->button->xkb_acts)
+-FatalError("[Xi] not enough memory for xkb_acts.\n");
+-}
++size_t maxbuttons = max(to->button->numButtons, 
from->button->numButtons);
++to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++   maxbuttons,
++   sizeof(XkbAction));
++memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+-   sizeof(XkbAction));
++   from->button->numButtons * sizeof(XkbAction));
+ }
+ else {
+ free(to->button->xkb_acts);
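Review bot: `memset` zeroes all `maxbuttons` entries before `memcpy` copies `from->button->numButtons` of them, so the slots beyond the source device's button count are guaranteed zero rather than stale heap contents; that order is right. Two checks for the backport: confirm `max()` and `xnfreallocarray()` are available in the 21.1.8 tree (the old `FatalError` path goes away because `xnf*` aborts on allocation failure itself), and note the `size_t maxbuttons = max(...)` line is soft-wrapped in this mail, so verify the committed file.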
+diff --git a/dix/devices.c b/dix/devices.c
+index b063128df0..3f3224d626 100644
+--- a/dix/devices.c
 b/dix/devices.c
+@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ 
+ if (master->button && master->button->numButtons != maxbuttons) {
+ int i;
++int last_num_buttons = master->button->numButtons;
++
+ DeviceChangedEvent event = {
+ .header = ET_Internal,
+ .type = ET_DeviceChanged,
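Review bot: `last_num_buttons` is snapshotted here, before `master->button->numButtons = maxbuttons` in the next hunk overwrites the old value; keep the two hunks together, since the `memset` bounds below depend on that ordering.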
+@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ };
+ 
+ master->button->numButtons = maxbuttons;
++if (last_num_buttons < maxbuttons) {
++master->button->xkb_acts = 
xnfreallocarray(master->button->xkb_acts,
++   maxbuttons,
++   sizeof(XkbAction));
++memset(>button->xkb_acts[last_num_buttons],
++   0,
++   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++}
+ 
+ memcpy(, master->button->labels, maxbuttons *
+sizeof(Atom));
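Review bot: the array is only grown (and its tail zeroed) when `last_num_buttons < maxbuttons`; on shrink it is left at the old, larger size, which is safe but means `xkb_acts` can be larger than `numButtons`. Two lines are mangled in this archive: `memset(>button->xkb_acts[last_num_buttons],` has lost its `&master-` prefix and `memcpy(, master->button->labels, ...` has lost its first argument, almost certainly `&`/`<` characters eaten by the HTML rendering rather than an error in the patch; diff the committed file against upstream commit 0c1a93d319558fe3ab2d94f51d174b4f93810afd to be sure.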
+-- 
+GitLab
+
diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
new file mode 100644
index 00..6392eae3f8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
@@ -0,0 +1,63 @@
+From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting 

[OE-core][dunfell][PATCH v2] go: Backport fix for CVE-2023-45287

2024-01-04 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255
&
https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3
&
https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807
&
https://github.com/golang/go/commit/8a81fdf165facdcefa06531de5af98a4db343035]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/go/go-1.14.inc  |4 +
 .../go/go-1.14/CVE-2023-45287-pre1.patch  |  393 
 .../go/go-1.14/CVE-2023-45287-pre2.patch  |  401 
 .../go/go-1.14/CVE-2023-45287-pre3.patch  |   86 +
 .../go/go-1.14/CVE-2023-45287.patch   | 1697 +
 5 files changed, 2581 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre3.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index b827a3606d..42a9ac8435 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -83,6 +83,10 @@ SRC_URI += "\
 file://CVE-2023-39318.patch \
 file://CVE-2023-39319.patch \
 file://CVE-2023-39326.patch \
+file://CVE-2023-45287-pre1.patch \
+file://CVE-2023-45287-pre2.patch \
+file://CVE-2023-45287-pre3.patch \
+file://CVE-2023-45287.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
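Review bot: the four patches are order-dependent (`-pre1` through `-pre3` are refactors the final CVE patch applies on top of, as the `#Dependency Patch1` tag in the first file says), so their SRC_URI order must not be re-sorted; a short comment in the .inc saying so would help. `-pre1` is a 2020 crypto/rsa refactor, so the 1.14 tree picks up a non-trivial non-security change along with the fix; the commit message should state which upstream commit each pre-patch corresponds to (the cover letter lists the four URLs but not the mapping).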
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
new file mode 100644
index 00..4d65180253
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
@@ -0,0 +1,393 @@
+From 9baafabac9a84813a336f068862207d2bb06d255 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda 
+Date: Wed, 1 Apr 2020 17:25:40 -0400
+Subject: [PATCH] crypto/rsa: refactor RSA-PSS signing and verification
+
+Cleaned up for readability and consistency.
+
+There is one tiny behavioral change: when PSSSaltLengthEqualsHash is
+used and both hash and opts.Hash were set, hash.Size() was used for the
+salt length instead of opts.Hash.Size(). That's clearly wrong because
+opts.Hash is documented to override hash.
+
+Change-Id: I3e25dad933961eac827c6d2e3bbfe45fc5a6fb0e
+Reviewed-on: https://go-review.googlesource.com/c/go/+/226937
+Run-TryBot: Filippo Valsorda 
+TryBot-Result: Gobot Gobot 
+Reviewed-by: Katie Hockman 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255]
+CVE: CVE-2023-45287 #Dependency Patch1
+Signed-off-by: Vijay Anusuri 
+---
+ src/crypto/rsa/pss.go | 173 ++
+ src/crypto/rsa/rsa.go |   9 ++-
+ 2 files changed, 96 insertions(+), 86 deletions(-)
+
+diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
+index 3ff0c2f4d0076..f9844d87329a8 100644
+--- a/src/crypto/rsa/pss.go
 b/src/crypto/rsa/pss.go
+@@ -4,9 +4,7 @@
+ 
+ package rsa
+ 
+-// This file implements the PSS signature scheme [1].
+-//
+-// [1] 
https://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf
++// This file implements the RSASSA-PSS signature scheme according to RFC 8017.
+ 
+ import (
+   "bytes"
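Review bot: comment-only hunk that replaces a vendor whitepaper URL with the RFC 8017 reference; no behavioural change to verify.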
+@@ -17,8 +15,22 @@ import (
+   "math/big"
+ )
+ 
++// Per RFC 8017, Section 9.1
++//
++// EM = MGF1 xor DB || H( 8*0x00 || mHash || salt ) || 0xbc
++//
++// where
++//
++// DB = PS || 0x01 || salt
++//
++// and PS can be empty so
++//
++// emLen = dbLen + hLen + 1 = psLen + sLen + hLen + 2
++//
++
+ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) 
([]byte, error) {
+-  // See [1], section 9.1.1
++  // See RFC 8017, Section 9.1.1.
++
+   hLen := hash.Size()
+   sLen := len(salt)
+   emLen := (emBits + 7) / 8
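Review bot: the new block comment writes `EM = MGF1 xor DB || H(...) || 0xbc`, a shorthand for RFC 8017's `EM = maskedDB || H || 0xbc` with `maskedDB = DB xor MGF1(H, emLen - hLen - 1)`; it would read less ambiguously as `maskedDB`, since the mask is applied to DB. The `emLen = psLen + sLen + hLen + 2` identity it states is the one the `psLen` computation in the later hunk relies on.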
+@@ -30,7 +42,7 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, 
hash hash.Hash) ([]byt
+   // 2.  Let mHash = Hash(M), an octet string of length hLen.
+ 
+   if len(mHash) != hLen {
+-  return nil, errors.New("crypto/rsa: input must be hashed 
message")
++  return nil, errors.New("crypto/rsa: input must be hashed with 
given hash")
+   }
+ 
+   // 3.  If emLen < hLen + sLen + 2, output "encoding error" and stop.
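Review bot: the error string changes from `input must be hashed message` to `input must be hashed with given hash`; any caller or test in the 1.14 tree that matches on the old text will break, so grep for it before applying. Otherwise this is a wording change only.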
+@@ -40,8 +52,9 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, 
hash hash.Hash) ([]byt
+   }
+ 
+   em := make([]byte, emLen)
+-  db := em[:emLen-sLen-hLen-2+1+sLen]
+-  h := em[emLen-sLen-hLen-2+1+sLen : emLen-1]
++  psLen := emLen - sLen - hLen - 2
++  db := em[:psLen+1+sLen]
++  h := em[psLen+1+sLen : emLen-1]
+ 
+   // 4.  Generate a random octet string salt of length sLen; if sLen = 0,
+   // then salt is the 
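Review bot: the slice bounds are behaviour-preserving: the old `emLen-sLen-hLen-2+1+sLen` simplifies to `emLen-hLen-1`, and the new `psLen+1+sLen` with `psLen := emLen - sLen - hLen - 2` is the same quantity, so `db` and `h` cover exactly the bytes they did before. Step 3's check (`emLen < hLen + sLen + 2`, in the preceding context) is what keeps `psLen` non-negative; the hunk is truncated here, so confirm nothing below moves that check after the slicing.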

[OE-core][dunfell][PATCH] go: Backport fix for CVE-2023-45287

2024-01-03 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255
&
https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3
&
https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807
&
https://github.com/golang/go/commit/8a81fdf165facdcefa06531de5af98a4db343035]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/go/go-1.14.inc  |4 +
 .../go/go-1.14/CVE-2023-45287-pre1.patch  |  393 
 .../go/go-1.14/CVE-2023-45287-pre2.patch  |  401 
 .../go/go-1.14/CVE-2023-45287-pre3.patch  |   86 +
 .../go/go-1.14/CVE-2023-45287.patch   | 1697 +
 5 files changed, 2581 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre3.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index b827a3606d..42a9ac8435 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -83,6 +83,10 @@ SRC_URI += "\
 file://CVE-2023-39318.patch \
 file://CVE-2023-39319.patch \
 file://CVE-2023-39326.patch \
+file://CVE-2023-45287-pre1.patch \
+file://CVE-2023-45287-pre2.patch \
+file://CVE-2023-45287-pre3.patch \
+file://CVE-2023-45287.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
new file mode 100644
index 00..4d65180253
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
@@ -0,0 +1,393 @@
+From 9baafabac9a84813a336f068862207d2bb06d255 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda 
+Date: Wed, 1 Apr 2020 17:25:40 -0400
+Subject: [PATCH] crypto/rsa: refactor RSA-PSS signing and verification
+
+Cleaned up for readability and consistency.
+
+There is one tiny behavioral change: when PSSSaltLengthEqualsHash is
+used and both hash and opts.Hash were set, hash.Size() was used for the
+salt length instead of opts.Hash.Size(). That's clearly wrong because
+opts.Hash is documented to override hash.
+
+Change-Id: I3e25dad933961eac827c6d2e3bbfe45fc5a6fb0e
+Reviewed-on: https://go-review.googlesource.com/c/go/+/226937
+Run-TryBot: Filippo Valsorda 
+TryBot-Result: Gobot Gobot 
+Reviewed-by: Katie Hockman 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255]
+CVE: CVE-2023-45287 #Dependency Patch1
+Signed-off-by: Vijay Anusuri 
+---
+ src/crypto/rsa/pss.go | 173 ++
+ src/crypto/rsa/rsa.go |   9 ++-
+ 2 files changed, 96 insertions(+), 86 deletions(-)
+
+diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
+index 3ff0c2f4d0076..f9844d87329a8 100644
+--- a/src/crypto/rsa/pss.go
 b/src/crypto/rsa/pss.go
+@@ -4,9 +4,7 @@
+ 
+ package rsa
+ 
+-// This file implements the PSS signature scheme [1].
+-//
+-// [1] 
https://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf
++// This file implements the RSASSA-PSS signature scheme according to RFC 8017.
+ 
+ import (
+   "bytes"
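Review bot: comment-only hunk that replaces a vendor whitepaper URL with the RFC 8017 reference; no behavioural change to verify.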
+@@ -17,8 +15,22 @@ import (
+   "math/big"
+ )
+ 
++// Per RFC 8017, Section 9.1
++//
++// EM = MGF1 xor DB || H( 8*0x00 || mHash || salt ) || 0xbc
++//
++// where
++//
++// DB = PS || 0x01 || salt
++//
++// and PS can be empty so
++//
++// emLen = dbLen + hLen + 1 = psLen + sLen + hLen + 2
++//
++
+ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) 
([]byte, error) {
+-  // See [1], section 9.1.1
++  // See RFC 8017, Section 9.1.1.
++
+   hLen := hash.Size()
+   sLen := len(salt)
+   emLen := (emBits + 7) / 8
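Review bot: the new block comment writes `EM = MGF1 xor DB || H(...) || 0xbc`, a shorthand for RFC 8017's `EM = maskedDB || H || 0xbc` with `maskedDB = DB xor MGF1(H, emLen - hLen - 1)`; it would read less ambiguously as `maskedDB`, since the mask is applied to DB. The `emLen = psLen + sLen + hLen + 2` identity it states is the one the `psLen` computation in the later hunk relies on.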
+@@ -30,7 +42,7 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, 
hash hash.Hash) ([]byt
+   // 2.  Let mHash = Hash(M), an octet string of length hLen.
+ 
+   if len(mHash) != hLen {
+-  return nil, errors.New("crypto/rsa: input must be hashed 
message")
++  return nil, errors.New("crypto/rsa: input must be hashed with 
given hash")
+   }
+ 
+   // 3.  If emLen < hLen + sLen + 2, output "encoding error" and stop.
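Review bot: the error string changes from `input must be hashed message` to `input must be hashed with given hash`; any caller or test in the 1.14 tree that matches on the old text will break, so grep for it before applying. Otherwise this is a wording change only.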
+@@ -40,8 +52,9 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, 
hash hash.Hash) ([]byt
+   }
+ 
+   em := make([]byte, emLen)
+-  db := em[:emLen-sLen-hLen-2+1+sLen]
+-  h := em[emLen-sLen-hLen-2+1+sLen : emLen-1]
++  psLen := emLen - sLen - hLen - 2
++  db := em[:psLen+1+sLen]
++  h := em[psLen+1+sLen : emLen-1]
+ 
+   // 4.  Generate a random octet string salt of length sLen; if sLen = 0,
+   // then salt is the 
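Review bot: the slice bounds are behaviour-preserving: the old `emLen-sLen-hLen-2+1+sLen` simplifies to `emLen-hLen-1`, and the new `psLen+1+sLen` with `psLen := emLen - sLen - hLen - 2` is the same quantity, so `db` and `h` cover exactly the bytes they did before. Step 3's check (`emLen < hLen + sLen + 2`, in the preceding context) is what keeps `psLen` non-negative; the hunk is truncated here, so confirm nothing below moves that check after the slicing.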

[OE-core][dunfell][PATCH] libxml2: Fix for CVE-2023-45322

2024-01-11 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Backport patch for gitlab issue mentioned in NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Backport also one of 14 patches for older issue with similar errors
to have clean cherry-pick without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/344

The CVE is disputed because the maintainer does not think that
errors after memory allocation failures are not critical enough
to warrant a CVE ID.
This patch will formally fix reported error case, trying to backport
another 13 patches and resolve conflicts would be probably overkill
due to disputed state.
This CVE was ignored on master branch (as disputed).

Signed-off-by: Vijay Anusuri 
---
 .../libxml/libxml2/CVE-2023-45322-1.patch | 50 
 .../libxml/libxml2/CVE-2023-45322-2.patch | 80 +++
 meta/recipes-core/libxml/libxml2_2.9.10.bb|  2 +
 3 files changed, 132 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 00..182bb29abd
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,50 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+
+Found with libFuzzer, see #344.
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+
+Signed-off-by: Peter Marko 
+Signed-off-by: Vijay Anusuri 
+---
+ tree.c | 7 +--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
 b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+   }
+   if (doc->intSubset == NULL) {
+   q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-  if (q == NULL) return(NULL);
++  if (q == NULL) goto error;
+   q->doc = doc;
+   q->parent = parent;
+   doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+   } else
+ #endif /* LIBXML_TREE_ENABLED */
+   q = xmlStaticCopyNode(node, doc, parent, 1);
+-  if (q == NULL) return(NULL);
++  if (q == NULL) goto error;
+   if (ret == NULL) {
+   q->prev = NULL;
+   ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+   node = node->next;
+ }
+ return(ret);
++error:
++xmlFreeNodeList(ret);
++return(NULL);
+ }
+ 
+ /**
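Review bot: the new `error:` label tears down the whole partial copy with xmlFreeNodeList(ret), but the DTD branch in the first hunk has already published the copied DTD through `doc->intSubset = (xmlDtdPtr) q` before the loop moves on; if a later xmlStaticCopyNode() call fails, that DTD node is freed together with the list while doc->intSubset still points at it. That is the use-after-free the companion CVE-2023-45322-2.patch describes ("Fix UAF if malloc fails"), so this patch must not be applied on its own and the recipe has to keep both. A smaller point: `ret` is still NULL when the very first copy fails, so the label relies on xmlFreeNodeList() accepting a NULL argument, which libxml2's implementation does.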
+-- 
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 00..c7e9681e6a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,80 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+
+CVE: CVE-2023-45322
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+
+Signed-off-by: Peter Marko 
+Signed-off-by: Vijay Anusuri 
+---
+ tree.c | 31 ---
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
 b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ xmlNodePtr ret = NULL;
+ xmlNodePtr p = NULL,q;
++xmlDtdPtr newSubset = NULL;
+ 
+ while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+   if (node->type == XML_DTD_NODE ) {
+-  if (doc == NULL) {
++#ifdef LIBXML_TREE_ENABLED
++  if ((doc == NULL) || (doc->intSubset != NULL)) {
+   node = node->next;
+   continue;
+   }
+-  if (doc->intSubset == NULL) {
+-  q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-  if (q == NULL) goto error;
+-  q->doc = doc;
+-  q->parent = parent;
+-  doc->intSubset = (xmlDtdPtr) q;
+-  xmlAddChild(parent, q);
+-  } else {
+-  q = (xmlNodePtr) doc->intSubset;
+-  xmlAddChild(parent, q);
+-  }
+-  } else
++q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++if (q == NULL) goto error;
++ 
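Review bot: the hunk is cut off in the archive right after `if (q == NULL) goto error;`, so the rest of the DTD branch, the path for builds without LIBXML_TREE_ENABLED and the updated error label cannot be checked here; review the complete file in the recipe. In the visible part the new test `(doc == NULL) || (doc->intSubset != NULL)` skips the DTD node outright where the old else branch did xmlAddChild(parent, doc->intSubset), i.e. it re-parented a node the document already owned into the copy (the "Don't create multiple DTD nodes" item). The new `newSubset` local indicates doc->intSubset is now assigned only once the copy has succeeded, which is what closes the dangling-pointer window left by CVE-2023-45322-1.patch.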

[OE-core][dunfell][PATCH] qemu: Backport fix for CVE-2023-2861

2024-01-15 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Updated 0012-fix-libcap-header-issue-on-some-distro.patch to resolve
patch fuzz caused by the CVE-2023-2861 patch

Upstream-Status: Backport
[https://gitlab.com/qemu-project/qemu/-/commit/a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b
&
https://gitlab.com/qemu-project/qemu/-/commit/f6b0de53fb87ddefed348a39284c8e2f28dc4eda]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/qemu/qemu.inc   |   2 +
 ...x-libcap-header-issue-on-some-distro.patch |   9 +-
 ...e-O_NOATIME-if-we-don-t-have-permiss.patch |  63 +++
 .../qemu/qemu/CVE-2023-2861.patch | 178 ++
 4 files changed, 249 insertions(+), 3 deletions(-)
 create mode 100644 
meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 4f856c749e..59ff69d51d 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -142,6 +142,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
   file://CVE-2023-3180.patch \
file://CVE-2020-24165.patch \
file://CVE-2023-5088.patch \
+   file://9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch \
+   file://CVE-2023-2861.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git 
a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
 
b/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
index 3a7d7bbd33..3789f1edea 100644
--- 
a/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
+++ 
b/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
@@ -60,7 +60,7 @@ Signed-off-by: Hongxu Jia 
  1 file changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
-index 6f132c5f..8329950c 100644
+index 300c9765..2823db7d 100644
 --- a/fsdev/virtfs-proxy-helper.c
 +++ b/fsdev/virtfs-proxy-helper.c
 @@ -13,7 +13,6 @@
@@ -71,9 +71,9 @@ index 6f132c5f..8329950c 100644
  #include 
  #include 
  #include 
-@@ -27,7 +26,11 @@
- #include "9p-iov-marshal.h"
+@@ -28,7 +27,11 @@
  #include "hw/9pfs/9p-proxy.h"
+ #include "hw/9pfs/9p-util.h"
  #include "fsdev/9p-iov-marshal.h"
 -
 +/*
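Review bot: the refreshed hunk now carries `#include "hw/9pfs/9p-util.h"` as unchanged context, a line the previous version of this hunk did not have and which the commit message attributes to the CVE-2023-2861 changes. The qemu.inc hunk appends CVE-2023-2861.patch at the end of SRC_URI, so check that 0012-fix-libcap-header-issue-on-some-distro.patch is really applied after it in the recipe's patch order; if it is applied earlier, this context will not match and the fuzz the commit message set out to remove comes back.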
@@ -84,3 +84,6 @@ index 6f132c5f..8329950c 100644
  #define PROGNAME "virtfs-proxy-helper"
  
  #ifndef XFS_SUPER_MAGIC
+-- 
+2.25.1
+
diff --git 
a/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
 
b/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
new file mode 100644
index 00..72d9c47bde
--- /dev/null
+++ 
b/meta/recipes-devtools/qemu/qemu/9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
@@ -0,0 +1,63 @@
+From a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b Mon Sep 17 00:00:00 2001
+From: Omar Sandoval 
+Date: Thu, 14 May 2020 08:06:43 +0200
+Subject: [PATCH] 9pfs: local: ignore O_NOATIME if we don't have permissions
+
+QEMU's local 9pfs server passes through O_NOATIME from the client. If
+the QEMU process doesn't have permissions to use O_NOATIME (namely, it
+does not own the file nor have the CAP_FOWNER capability), the open will
+fail. This causes issues when from the client's point of view, it
+believes it has permissions to use O_NOATIME (e.g., a process running as
+root in the virtual machine). Additionally, overlayfs on Linux opens
+files on the lower layer using O_NOATIME, so in this case a 9pfs mount
+can't be used as a lower layer for overlayfs (cf.
+https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c
+and https://github.com/NixOS/nixpkgs/issues/54509).
+
+Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g.,
+network filesystems. open(2) notes that O_NOATIME "may not be effective
+on all filesystems. One example is NFS, where the server maintains the
+access time." This means that we can honor it when possible but fall
+back to ignoring it.
+
+Acked-by: Christian Schoenebeck 
+Signed-off-by: Omar Sandoval 
+Message-Id: 

+Signed-off-by: Greg Kurz 
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b]
+Signed-off-by: Vijay Anusuri 
+---
+ hw/9pfs/9p-util.h | 13 +
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
+index 79ed6b233e5..546f46dc7dc 100644
+--- a/hw/9pfs/9p-util.h
 b/hw/9pfs/9p-util.h
+@@ -37,9 +37,22 @@ static inline int openat_file(int dirfd, const char *name, 
int flags,
+ {
+ int fd, serrno, ret;
+ 
++again:
+ fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK,
+ mode);
+ if (fd == -1) {
++if (errno == EPERM && (flags & O_NOATIME)) {
++/*
++ 
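Review bot: the retry loop introduced by `again:` terminates only because the EPERM branch drops O_NOATIME from `flags` before jumping back; the archive cuts the hunk off inside that branch's comment, so confirm the recipe's copy carries `flags &= ~O_NOATIME;` ahead of `goto again` (upstream a5804fcf does). Without it a persistent EPERM with O_NOATIME set spins forever; with it the second attempt no longer satisfies `(flags & O_NOATIME)` and returns -1 normally.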

Re: [oe-core][kirkstone][PATCH 1/1] openssh: fix CVE-2023-48795

2024-01-17 Thread Vijay Anusuri via lists.openembedded.org
Hi Meenali Gupta,

The CVE-2023-48795 patch for the openssh recipe has already been merged to
the kirkstone branch.

Please find the below links

https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/kirkstone-nut=df5dc8d67e67a2aebf1a552c3e22374e305270bf

https://lists.openembedded.org/g/openembedded-core/message/192819

Thanks & Regards,
Vijay

On Wed, Jan 17, 2024 at 12:38 PM Meenali Gupta via lists.openembedded.org
 wrote:

> From: Meenali Gupta 
>
> A flaw was found in the SSH channel integrity. By manipulating sequence
> numbers during the handshake, an attacker can remove the initial messages
> on the secure channel without causing a MAC failure. For example, an
> attacker could disable the ping extension and thus disable the new
> countermeasure in OpenSSH 9.5 against keystroke timing attacks.
>
> This CVE fix included the function kex_proposal_populate_entries in the
> kex.c file, which is not present in 8.9p, so this change was ignored.
>
> Signed-off-by: Meenali Gupta 
> ---
>  .../openssh/openssh/CVE-2023-48795.patch  | 503 ++
>  .../openssh/openssh_8.9p1.bb  |   1 +
>  2 files changed, 504 insertions(+)
>  create mode 100644
> meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
>
> diff --git
> a/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
> b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
> new file mode 100644
> index 00..b1b16d5641
> --- /dev/null
> +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
> @@ -0,0 +1,503 @@
> +From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001
> +From: "d...@openbsd.org" 
> +Date: Mon, 18 Dec 2023 14:45:17 +
> +Subject: [PATCH] upstream: implement "strict key exchange" in ssh and sshd
> + This adds a protocol extension to improve the integrity of the SSH
> transport
> + protocol, particular in and around the initial key exchange (KEX) phase.
> +
> +Full details of the extension are in the PROTOCOL file.
> +
> +with markus@
> +
> +OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
> +
> +CVE: CVE-2023-48795
> +Upstream-Status: Backport [
> https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
> ]
> +
> +Signed-off-by: Meenali Gupta 
> +---
> + PROTOCOL  |  28 +-
> + kex.c |  71 +-
> + kex.h |   3 +-
> + packet.c  | 103 +-
> + packet.h  |   3 +-
> + sshconnect2.c |  12 ++
> + 6 files changed, 137 insertions(+), 83 deletions(-)
> +
> +diff --git a/PROTOCOL b/PROTOCOL
> +index e6a7d60..68912ce 100644
> +--- a/PROTOCOL
>  b/PROTOCOL
> +@@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curve25519 for
> key exchange as
> + described at:
> +
> http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha...@libssh.org.txt?h=curve25519
> +
> ++1.9 transport: strict key exchange extension
> ++
> ++OpenSSH supports a number of transport-layer hardening measures under
> ++a "strict KEX" feature. This feature is signalled similarly to the
> ++RFC8308 ext-info feature: by including a additional algorithm in the
> ++initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
> ++"kex-strict-c-...@openssh.com" to its kex_algorithms and the server
> ++may append "kex-strict-s-...@openssh.com". These pseudo-algorithms
> ++are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
> ++if they are present in subsequent SSH2_MSG_KEXINIT packets.
> ++
> ++When an endpoint that supports this extension observes this algorithm
> ++name in a peer's KEXINIT packet, it MUST make the following changes to
> ++the the protocol:
> ++
> ++a) During initial KEX, terminate the connection if any unexpected or
> ++   out-of-sequence packet is received. This includes terminating the
> ++   connection if the first packet received is not SSH2_MSG_KEXINIT.
> ++   Unexpected packets for the purpose of strict KEX include messages
> ++   that are otherwise valid at any time during the connection such as
> ++   SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
> ++b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
> ++   packet sequence number to zero. This behaviour persists for the
> ++   duration of the connection (i.e. not just the first
> ++   SSH2_MSG_NEWKEYS).
> ++
> + 2. Connection protocol changes
> +
> + 2.1. connection: Channel write close extension "e...@openssh.com"
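Review bot: the pseudo-algorithm names appear here as `kex-strict-c-...@openssh.com` and `kex-strict-s-...@openssh.com`; the archive has redacted the address-like token, as it does for e-mail addresses elsewhere in the message. Since kex_algorithms matching is an exact string comparison, make sure the patch file in the recipe carries the full upstream names rather than this mangled form, or the peer will never recognise the extension.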
> +@@ -612,4 +638,4 @@ master instance and later clients.
> + OpenSSH extends the usual agent protocol. These changes are documented
> + in the PROTOCOL.agent file.
> +
> +-$OpenBSD: PROTOCOL,v 1.43 2021/12/19 22:15:42 djm Exp $
> ++$OpenBSD: PROTOCOL,v 1.50 2023/12/18 14:45:17 djm Exp $
> +diff --git a/kex.c b/kex.c
> +index 0bcd27d..da16568 100644
> +--- a/kex.c
>  b/kex.c
> +@@ -1,4 +1,4 @@
> +-/* $OpenBSD: kex.c,v 1.172 2022/02/01 23:32:51 djm Exp $ */
> ++/* $OpenBSD: kex.c,v 1.183 2023/12/18 
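Review bot: the kex.c hunk is truncated at this point in the archive, but the cover letter says the kex_proposal_populate_entries() change was dropped because 8.9p1 does not have that function. Upstream, that function is where client and server append the kex-strict pseudo-algorithm to their KEXINIT proposal; without an equivalent edit in whatever builds the proposal in 8.9p1, neither side advertises the extension and the strict-KEX checks added to packet.c never activate, leaving the CVE unmitigated even though the patch applies. Compare against the version already merged on kirkstone (linked in the reply above) before resending.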

[OE-core][dunfell][PATCH] openssh: Backport fix for CVE-2023-51385

2024-01-17 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a]

Signed-off-by: Vijay Anusuri 
---
 .../openssh/openssh/CVE-2023-51385.patch  | 96 +++
 .../openssh/openssh_8.2p1.bb  |  1 +
 2 files changed, 97 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch 
b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
new file mode 100644
index 00..ae084053f8
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
@@ -0,0 +1,96 @@
+From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" 
+Date: Mon, 18 Dec 2023 14:47:44 +
+Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
+
+This makes ssh(1) refuse user or host names provided on the
+commandline that contain most shell metacharacters.
+
+Some programs that invoke ssh(1) using untrusted data do not filter
+metacharacters in arguments they supply. This could create
+interactions with user-specified ProxyCommand and other directives
+that allow shell injection attacks to occur.
+
+It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+but getting this stuff right can be tricky, so this should prevent
+most obvious ways of creating risky situations. It however is not
+and cannot be perfect: ssh(1) has no practical way of interpreting
+what shell quoting rules are in use and how they interact with the
+user's specified ProxyCommand.
+
+To allow configurations that use strange user or hostnames to
+continue to work, this strictness is applied only to names coming
+from the commandline. Names specified using User or Hostname
+directives in ssh_config(5) are not affected.
+
+feedback/ok millert@ markus@ dtucker@ deraadt@
+
+OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+
+Upstream-Status: Backport 
[https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a]
+CVE: CVE-2023-51385
+Signed-off-by: Vijay Anusuri 
+---
+ ssh.c | 39 +++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/ssh.c b/ssh.c
+index 15aee56..2cf0b64 100644
+--- a/ssh.c
 b/ssh.c
+@@ -583,6 +583,41 @@ set_addrinfo_port(struct addrinfo *addrs, int port)
+   }
+ }
+ 
++static int
++valid_hostname(const char *s)
++{
++  size_t i;
++
++  if (*s == '-')
++  return 0;
++  for (i = 0; s[i] != 0; i++) {
++  if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++  isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++  return 0;
++  }
++  return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++  size_t i;
++
++  if (*s == '-')
++  return 0;
++  for (i = 0; s[i] != 0; i++) {
++  if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++  return 0;
++  /* Disallow '-' after whitespace */
++  if (isspace((u_char)s[i]) && s[i + 1] == '-')
++  return 0;
++  /* Disallow \ in last position */
++  if (s[i] == '\\' && s[i + 1] == '\0')
++  return 0;
++  }
++  return 1;
++}
++
+ /*
+  * Main program for the ssh client.
+  */
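Review bot: valid_ruser() deliberately keeps `$`, backslash and whitespace that valid_hostname() rejects (compare the two strchr() sets), adding only the whitespace-then-'-' and trailing-backslash rules. That matches the commit message's "cannot be perfect" caveat, but it also means a remote username can still carry `$` into a ProxyCommand that expands %r unquoted. Worth a line in the patch header so the residual exposure is recorded against CVE-2023-51385 rather than assumed closed.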
+@@ -1067,6 +1102,10 @@ main(int ac, char **av)
+   if (!host)
+   usage();
+ 
++  if (!valid_hostname(host))
++  fatal("hostname contains invalid characters");
++  if (options.user != NULL && !valid_ruser(options.user))
++  fatal("remote username contains invalid characters");
+   host_arg = xstrdup(host);
+ 
+   /* Initialize the command to execute on remote host. */
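Review bot: the two fatal() checks sit right after the `if (!host) usage();` test and before host_arg = xstrdup(host), which is the right spot for the host argument. For options.user the commit message promises that User directives from ssh_config are not affected, so confirm that at this point in the 8.2p1 main() the configuration files have not yet been read; if read_config_file() runs before this hunk in that tree, a User value from ssh_config would be validated too and legitimate configurations could start failing.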
+-- 
+2.25.1
+
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb 
b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index eb3089cd8a..9d6cf7da6c 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -40,6 +40,7 @@ SRC_URI = 
"http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://CVE-2023-38408-11.patch \
file://CVE-2023-38408-12.patch \
file://CVE-2023-48795.patch \
+   file://CVE-2023-51385.patch \
"
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = 
"43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#193953): 
https://lists.openembedded.org/g/openembedded-core/message/193953
Mute This Topic: https://lists.openembedded.org/mt/103801024/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]

[OE-core][dunfell][PATCH] sqlite3: Backport fix for CVE-2023-7104

2024-01-18 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Backport https://sqlite.org/src/info/0e4e7a05c4204b47

Signed-off-by: Vijay Anusuri 
---
 .../sqlite/files/CVE-2023-7104.patch  | 46 +++
 meta/recipes-support/sqlite/sqlite3_3.31.1.bb |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2023-7104.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch 
b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
new file mode 100644
index 00..01ff29ff5e
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
@@ -0,0 +1,46 @@
+From eab426c5fba69d2c77023939f72b4ad446834e3c Mon Sep 17 00:00:00 2001
+From: dan 
+Date: Thu, 7 Sep 2023 13:53:09 +
+Subject: [PATCH] Fix a buffer overread in the sessions extension that could 
occur when processing a corrupt changeset.
+
+Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47]
+CVE: CVE-2023-7104
+Signed-off-by: Vijay Anusuri 
+---
+ sqlite3.c | 18 +++---
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 972ef18..c645ac8 100644
+--- a/sqlite3.c
 b/sqlite3.c
+@@ -203301,15 +203301,19 @@ static int sessionReadRecord(
+ }
+   }
+   if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+-sqlite3_int64 v = sessionGetI64(aVal);
+-if( eType==SQLITE_INTEGER ){
+-  sqlite3VdbeMemSetInt64(apOut[i], v);
++  if( (pIn->nData-pIn->iNext)<8 ){
++rc = SQLITE_CORRUPT_BKPT;
+ }else{
+-  double d;
+-  memcpy(, , 8);
+-  sqlite3VdbeMemSetDouble(apOut[i], d);
++sqlite3_int64 v = sessionGetI64(aVal);
++if( eType==SQLITE_INTEGER ){
++  sqlite3VdbeMemSetInt64(apOut[i], v);
++}else{
++  double d;
++  memcpy(, , 8);
++  sqlite3VdbeMemSetDouble(apOut[i], d);
++}
++pIn->iNext += 8;
+ }
+-pIn->iNext += 8;
+   }
+ }
+   }
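Review bot: the bounds check `(pIn->nData-pIn->iNext)<8` now guards both the sessionGetI64(aVal) read and the `pIn->iNext += 8` advance, which is the fix. However the two memcpy() calls are shown as `memcpy(, , 8)`: the archive has stripped the `&`-prefixed arguments. Check that meta/recipes-support/sqlite/files/CVE-2023-7104.patch carries the real destination and source arguments, otherwise the amalgamation fails to compile.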
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb 
b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index ef12ef0db2..0e7bcfa5a7 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -17,6 +17,7 @@ SRC_URI = 
"http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
file://CVE-2020-35525.patch \
file://CVE-2020-35527.patch \
file://CVE-2021-20223.patch \
+   file://CVE-2023-7104.patch \
"
 SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
 SRC_URI[sha256sum] = 
"62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
-- 
2.25.1


View/Reply Online (#194004): 
https://lists.openembedded.org/g/openembedded-core/message/194004


[OE-core][kirkstone][PATCH] gnutls: Fix for CVE-2024-0553 and CVE-2024-0567

2024-01-18 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed 
ciphertexts in RSA-PSK ClientKeyExchange differ from response times of 
ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote 
attacker to perform a timing side-channel attack in the RSA-PSK key exchange, 
potentially leading to the leakage of sensitive data. CVE-2024-0553 is 
designated as an incomplete resolution for CVE-2023-5981.

CVE-2024-0567
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) 
rejects a certificate chain with distributed trust. This issue occurs when 
validating a certificate chain with cockpit-certificate-ensure. This flaw 
allows an unauthenticated, remote client or attacker to initiate a denial of 
service attack.

Upstream-Status: Backport
[https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e
&
https://gitlab.com/gnutls/gnutls/-/commit/9edbdaa84e38b1bfb53a7d72c1de44f8de373405]

Reference: https://ubuntu.com/security/CVE-2024-0553
   https://ubuntu.com/security/CVE-2024-0567

Signed-off-by: Vijay Anusuri 
---
 .../gnutls/gnutls/CVE-2024-0553.patch | 125 
 .../gnutls/gnutls/CVE-2024-0567.patch | 184 ++
 meta/recipes-support/gnutls/gnutls_3.7.4.bb   |   2 +
 3 files changed, 311 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch 
b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
new file mode 100644
index 00..f15c470879
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
+From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno 
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption.  This also avoids an extra memcpy to session->key.key.
+
+Signed-off-by: Daiki Ueno 
+
+Upstream-Status: Backport 
[https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
+CVE: CVE-2024-0553
+Signed-off-by: Vijay Anusuri 
+---
+ lib/auth/rsa_psk.c | 68 --
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9..c6cfb92 100644
+--- a/lib/auth/rsa_psk.c
 b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, 
uint8_t * data,
+   int ret, dsize;
+   ssize_t data_size = _data_size;
+   gnutls_psk_server_credentials_t cred;
+-  gnutls_datum_t premaster_secret = { NULL, 0 };
+   volatile uint8_t ver_maj, ver_min;
+ 
+   cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, 
uint8_t * data,
+   ver_maj = _gnutls_get_adv_version_major(session);
+   ver_min = _gnutls_get_adv_version_minor(session);
+ 
+-  premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+-  if (premaster_secret.data == NULL) {
++  /* Find the key of this username. A random value will be
++   * filled in if the key is not found.
++   */
++  ret = _gnutls_psk_pwd_find_entry(session, info->username,
++   strlen(info->username), _psk);
++  if (ret < 0)
++  return gnutls_assert_val(ret);
++
++  /* Allocate memory for premaster secret, and fill in the
++   * fields except the decryption result.
++   */
++  session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
++  session->key.key.data = gnutls_malloc(session->key.key.size);
++  if (session->key.key.data == NULL) {
+   gnutls_assert();
++  _gnutls_free_key_datum(_psk);
++  /* No need to zeroize, as the secret is not copied in yet */
++  _gnutls_free_datum(>key.key);
+   return GNUTLS_E_MEMORY_ERROR;
+   }
+-  premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+   /* Fallback value when decryption fails. Needs to be unpredictable. */
+-  ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-   premaster_secret.size);
++  ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
++   GNUTLS_MASTER_SIZE);
+   if (ret < 0) {
+   gnutls_assert();
+-  goto cleanup;
++  _gnutls_free_key_datum(_psk);
++  /* No need to zeroize, as the secret is not copied in yet */
++  _gnutls_free_datum(>key.key);
++  return ret;
+   }
+ 
++  _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
++  
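Review bot: the hunk is truncated here, and several arguments have been mangled by the archive: `_psk` in the _gnutls_psk_pwd_find_entry() and _gnutls_free_key_datum() calls and `>key.key` in _gnutls_free_datum() have lost their `&`-prefixed form (they should be the addresses of pwd_psk and session->key.key), so the patch file in the recipe must be checked against upstream 40dbbd8d rather than this listing. On the substance visible so far: the random fallback is now written straight into session->key.key at offset 2, in a buffer sized `2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size`, which is the RFC 4279 RSA-PSK premaster layout; the intent is that the decryption result later overwrites those bytes in place, so no separate copy-on-success path exists for timing to distinguish. Note also that pwd_psk is used but not declared in these lines; it must already exist in the function or be added by the part of the hunk that is cut off.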

[OE-core][dunfell][PATCH] xserver-xorg: Fix for CVE-2023-6377 and CVE-2023-6478

2024-01-09 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
& 
https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632]

Signed-off-by: Vijay Anusuri 
---
 .../xserver-xorg/CVE-2023-6377.patch  | 79 +++
 .../xserver-xorg/CVE-2023-6478.patch  | 63 +++
 .../xorg-xserver/xserver-xorg_1.20.14.bb  |  2 +
 3 files changed, 144 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
new file mode 100644
index 00..0abd5914fa
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
@@ -0,0 +1,79 @@
+From 0c1a93d319558fe3ab2d94f51d174b4f93810afd Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Tue, 28 Nov 2023 15:19:04 +1000
+Subject: [PATCH] Xi: allocate enough XkbActions for our buttons
+
+button->xkb_acts is supposed to be an array sufficiently large for all
+our buttons, not just a single XkbActions struct. Allocating
+insufficient memory here means when we memcpy() later in
+XkbSetDeviceInfo we write into memory that wasn't ours to begin with,
+leading to the usual security ooopsiedaisies.
+
+CVE-2023-6377, ZDI-CAN-22412, ZDI-CAN-22413
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd]
+CVE: CVE-2023-6377
+Signed-off-by: Vijay Anusuri 
+---
+ Xi/exevents.c | 12 ++--
+ dix/devices.c | 10 ++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index dcd4efb3bc..54ea11a938 100644
+--- a/Xi/exevents.c
 b/Xi/exevents.c
+@@ -611,13 +611,13 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr 
to)
+ }
+ 
+ if (from->button->xkb_acts) {
+-if (!to->button->xkb_acts) {
+-to->button->xkb_acts = calloc(1, sizeof(XkbAction));
+-if (!to->button->xkb_acts)
+-FatalError("[Xi] not enough memory for xkb_acts.\n");
+-}
++size_t maxbuttons = max(to->button->numButtons, 
from->button->numButtons);
++to->button->xkb_acts = xnfreallocarray(to->button->xkb_acts,
++   maxbuttons,
++   sizeof(XkbAction));
++memset(to->button->xkb_acts, 0, maxbuttons * sizeof(XkbAction));
+ memcpy(to->button->xkb_acts, from->button->xkb_acts,
+-   sizeof(XkbAction));
++   from->button->numButtons * sizeof(XkbAction));
+ }
+ else {
+ free(to->button->xkb_acts);
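Review bot: the replacement allocates max(to, from) numButtons entries and zero-fills them before copying from->button->numButtons entries, so the later per-button memcpy() in XkbSetDeviceInfo that the commit message describes stays inside the allocation. Two things to confirm for the 1.20.14 tree: Xi/exevents.c must see both the `max()` macro and xnfreallocarray(); and since xnfreallocarray() fatals instead of returning NULL, dropping the explicit FatalError() is fine. Because the realloc runs unconditionally, the `else` branch's free() below remains the only path that releases the array, which is acceptable.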
+diff --git a/dix/devices.c b/dix/devices.c
+index b063128df0..3f3224d626 100644
+--- a/dix/devices.c
 b/dix/devices.c
+@@ -2539,6 +2539,8 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ 
+ if (master->button && master->button->numButtons != maxbuttons) {
+ int i;
++int last_num_buttons = master->button->numButtons;
++
+ DeviceChangedEvent event = {
+ .header = ET_Internal,
+ .type = ET_DeviceChanged,
+@@ -2549,6 +2551,14 @@ RecalculateMasterButtons(DeviceIntPtr slave)
+ };
+ 
+ master->button->numButtons = maxbuttons;
++if (last_num_buttons < maxbuttons) {
++master->button->xkb_acts = 
xnfreallocarray(master->button->xkb_acts,
++   maxbuttons,
++   sizeof(XkbAction));
++memset(>button->xkb_acts[last_num_buttons],
++   0,
++   (maxbuttons - last_num_buttons) * sizeof(XkbAction));
++}
+ 
+ memcpy(, master->button->labels, maxbuttons *
+sizeof(Atom));
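Review bot: `memcpy(, master->button->labels, maxbuttons * sizeof(Atom))` is missing its destination; the archive has stripped the `&`-prefixed first argument, exactly as it did for `memset(>button->xkb_acts[last_num_buttons], ...)` a few lines up. Verify the patch file in the recipe has the real arguments before merging. On the logic, growing only when `last_num_buttons < maxbuttons` and zeroing just the new tail is correct; when numButtons shrinks the array is simply left larger, which is safe.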
+-- 
+GitLab
+
diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
new file mode 100644
index 00..6392eae3f8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
@@ -0,0 +1,63 @@
+From 14f480010a93ff962fef66a16412fafff81ad632 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Mon, 27 Nov 2023 16:27:49 +1000
+Subject: [PATCH] randr: avoid integer truncation in length check of
+ ProcRRChange*Property
+
+Affected are ProcRRChangeProviderProperty and ProcRRChangeOutputProperty.
+See also xserver@8f454b79 where this same bug was fixed for the core
+protocol and XI.
+
+This fixes an OOB read and the resulting 

[OE-core][dunfell][PATCH v3] go: Backport fix for CVE-2023-45287

2024-01-05 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255
&
https://github.com/golang/go/commit/c9d5f60eaa4450ccf1ce878d55b4c6a12843f2f3
&
https://github.com/golang/go/commit/8f676144ad7b7c91adb0c6e1ec89aaa6283c6807
&
https://github.com/golang/go/commit/8a81fdf165facdcefa06531de5af98a4db343035]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/go/go-1.14.inc  |4 +
 .../go/go-1.14/CVE-2023-45287-pre1.patch  |  393 
 .../go/go-1.14/CVE-2023-45287-pre2.patch  |  401 
 .../go/go-1.14/CVE-2023-45287-pre3.patch  |   86 +
 .../go/go-1.14/CVE-2023-45287.patch   | 1697 +
 5 files changed, 2581 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre2.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre3.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45287.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index b827a3606d..42a9ac8435 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -83,6 +83,10 @@ SRC_URI += "\
 file://CVE-2023-39318.patch \
 file://CVE-2023-39319.patch \
 file://CVE-2023-39326.patch \
+file://CVE-2023-45287-pre1.patch \
+file://CVE-2023-45287-pre2.patch \
+file://CVE-2023-45287-pre3.patch \
+file://CVE-2023-45287.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
new file mode 100644
index 00..4d65180253
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45287-pre1.patch
@@ -0,0 +1,393 @@
+From 9baafabac9a84813a336f068862207d2bb06d255 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda 
+Date: Wed, 1 Apr 2020 17:25:40 -0400
+Subject: [PATCH] crypto/rsa: refactor RSA-PSS signing and verification
+
+Cleaned up for readability and consistency.
+
+There is one tiny behavioral change: when PSSSaltLengthEqualsHash is
+used and both hash and opts.Hash were set, hash.Size() was used for the
+salt length instead of opts.Hash.Size(). That's clearly wrong because
+opts.Hash is documented to override hash.
+
+Change-Id: I3e25dad933961eac827c6d2e3bbfe45fc5a6fb0e
+Reviewed-on: https://go-review.googlesource.com/c/go/+/226937
+Run-TryBot: Filippo Valsorda 
+TryBot-Result: Gobot Gobot 
+Reviewed-by: Katie Hockman 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/9baafabac9a84813a336f068862207d2bb06d255]
+CVE: CVE-2023-45287 #Dependency Patch1
+Signed-off-by: Vijay Anusuri 
+---
+ src/crypto/rsa/pss.go | 173 ++
+ src/crypto/rsa/rsa.go |   9 ++-
+ 2 files changed, 96 insertions(+), 86 deletions(-)
+
+diff --git a/src/crypto/rsa/pss.go b/src/crypto/rsa/pss.go
+index 3ff0c2f4d0076..f9844d87329a8 100644
+--- a/src/crypto/rsa/pss.go
 b/src/crypto/rsa/pss.go
+@@ -4,9 +4,7 @@
+ 
+ package rsa
+ 
+-// This file implements the PSS signature scheme [1].
+-//
+-// [1] 
https://www.emc.com/collateral/white-papers/h11300-pkcs-1v2-2-rsa-cryptography-standard-wp.pdf
++// This file implements the RSASSA-PSS signature scheme according to RFC 8017.
+ 
+ import (
+   "bytes"
+@@ -17,8 +15,22 @@ import (
+   "math/big"
+ )
+ 
++// Per RFC 8017, Section 9.1
++//
++// EM = MGF1 xor DB || H( 8*0x00 || mHash || salt ) || 0xbc
++//
++// where
++//
++// DB = PS || 0x01 || salt
++//
++// and PS can be empty so
++//
++// emLen = dbLen + hLen + 1 = psLen + sLen + hLen + 2
++//
++
+ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, hash hash.Hash) 
([]byte, error) {
+-  // See [1], section 9.1.1
++  // See RFC 8017, Section 9.1.1.
++
+   hLen := hash.Size()
+   sLen := len(salt)
+   emLen := (emBits + 7) / 8
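Review bot: the new RFC 8017 comment block ends with an empty `//` line before the blank line that separates it from `func emsaPSSEncode`; drop that trailing empty comment line so the block reads as a plain file comment rather than a half-attached doc comment. The layout it documents is consistent: with `DB = PS || 0x01 || salt`, `emLen = dbLen + hLen + 1` does equal `psLen + sLen + hLen + 2`.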
+@@ -30,7 +42,7 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, 
hash hash.Hash) ([]byt
+   // 2.  Let mHash = Hash(M), an octet string of length hLen.
+ 
+   if len(mHash) != hLen {
+-  return nil, errors.New("crypto/rsa: input must be hashed 
message")
++  return nil, errors.New("crypto/rsa: input must be hashed with 
given hash")
+   }
+ 
+   // 3.  If emLen < hLen + sLen + 2, output "encoding error" and stop.
+@@ -40,8 +52,9 @@ func emsaPSSEncode(mHash []byte, emBits int, salt []byte, 
hash hash.Hash) ([]byt
+   }
+ 
+   em := make([]byte, emLen)
+-  db := em[:emLen-sLen-hLen-2+1+sLen]
+-  h := em[emLen-sLen-hLen-2+1+sLen : emLen-1]
++  psLen := emLen - sLen - hLen - 2
++  db := em[:psLen+1+sLen]
++  h := em[psLen+1+sLen : emLen-1]
+ 
+   // 4.  Generate a random octet string salt of length sLen; if sLen = 0,
+   // then salt is the 
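Review bot: `psLen := emLen - sLen - hLen - 2` in this hunk is only safe because step 3 a few lines up (`If emLen < hLen + sLen + 2, output "encoding error" and stop`) has already returned; if that check is ever moved below the slicing, `psLen` goes negative and `em[:psLen+1+sLen]` panics. The new slice bounds are otherwise identical to the old expressions (`emLen-sLen-hLen-2+1+sLen` is exactly `psLen+1+sLen`), so this part of the patch is a readability change with no effect on the encoding.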

[OE-core][dunfell][PATCH] tiff: backport Debian patch to fix CVE-2022-40090

2023-11-28 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patch from ubuntu to fix
 CVE-2022-40090

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
https://gitlab.com/libtiff/libtiff/-/commit/c7caec9a4d8f24c17e667480d2c7d0d51c9fae41]

Signed-off-by: Vijay Anusuri 
---
 .../libtiff/files/CVE-2022-40090.patch| 548 ++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |   1 +
 2 files changed, 549 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch
new file mode 100644
index 00..0a88f59553
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-40090.patch
@@ -0,0 +1,548 @@
+From d385738335deb0c4bb70449f12e411f2203c0d01 Mon Sep 17 00:00:00 2001
+From: Su_Laus 
+Date: Fri, 2 Sep 2022 21:20:28 +0200
+Subject: [PATCH 1/4] Improved IFD-Loop Handling (fixes #455)
+
+Basic approach:
+- The order in the entire chain must be checked, and not only whether an 
offset has already been read once.
+- To do this, pairs of directory number and offset are stored and checked.
+- The offset of a directory number can change.
+- TIFFAdvanceDirectory() must also perform an IFD loop check.
+- TIFFCheckDirOffset() is replaced by _TIFFCheckDirNumberAndOffset().
+
+Rules for the check:
+- If an offset is already in the list, it must have the same IFD number. 
Otherwise it is an IDF loop.
+- If the offset is not in the list and the IFD number is greater than there 
are list entries, a new list entry is added.
+- Otherwise, the offset of the IFD number is updated.
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2022-40090.patch?h=ubuntu/focal-security
+Upstream commit
+https://gitlab.com/libtiff/libtiff/-/commit/c7caec9a4d8f24c17e667480d2c7d0d51c9fae41]
+CVE: CVE-2022-40090
+Signed-off-by: Vijay Anusuri 
+---
+ libtiff/tif_close.c   |  6 ++-
+ libtiff/tif_dir.c | 91 +
+ libtiff/tif_dir.h |  1 +
+ libtiff/tif_dirread.c | 94 ++-
+ libtiff/tif_open.c|  3 +-
+ libtiff/tiffiop.h |  3 +-
+ 6 files changed, 131 insertions(+), 67 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_close.c
 tiff-4.1.0+git191117/libtiff/tif_close.c
+@@ -52,8 +52,10 @@ TIFFCleanup(TIFF* tif)
+   (*tif->tif_cleanup)(tif);
+   TIFFFreeDirectory(tif);
+ 
+-  if (tif->tif_dirlist)
+-  _TIFFfree(tif->tif_dirlist);
++  if (tif->tif_dirlistoff)
++  _TIFFfree(tif->tif_dirlistoff);
++  if (tif->tif_dirlistdirn)
++  _TIFFfree(tif->tif_dirlistdirn);
+ 
+   /*
+  * Clean up client info links.
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dir.c
 tiff-4.1.0+git191117/libtiff/tif_dir.c
+@@ -1463,12 +1463,22 @@ TIFFDefaultDirectory(TIFF* tif)
+ }
+ 
+ static int
+-TIFFAdvanceDirectory(TIFF* tif, uint64* nextdir, uint64* off)
++TIFFAdvanceDirectory(TIFF* tif, uint64* nextdiroff, uint64* off, uint16* 
nextdirnum)
+ {
+   static const char module[] = "TIFFAdvanceDirectory";
++
++  /* Add this directory to the directory list, if not already in. */
++  if (!_TIFFCheckDirNumberAndOffset(tif, *nextdirnum, *nextdiroff)) {
++  TIFFErrorExt(tif->tif_clientdata, module, "Starting directory 
%hu at offset 0x%lx (%lu) might cause an IFD loop",
++  *nextdirnum, *nextdiroff, *nextdiroff);
++  *nextdiroff = 0;
++  *nextdirnum = 0;
++  return(0);
++  }
++
+   if (isMapped(tif))
+   {
+-  uint64 poff=*nextdir;
++  uint64 poff=*nextdiroff;
+   if (!(tif->tif_flags_BIGTIFF))
+   {
+   tmsize_t poffa,poffb,poffc,poffd;
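Review bot: the `TIFFErrorExt` format string added in this hunk (`0x%lx (%lu)`) is given `*nextdiroff`, a `uint64`, as both arguments; on 32-bit targets, where `unsigned long` is 32 bits (the usual case for dunfell ARM builds), that is undefined behaviour and prints a garbage offset in the very message meant to diagnose the IFD loop. Use `PRIx64`/`PRIu64` from <inttypes.h>, or cast to `unsigned long long` with `%llx`/`%llu`. Separately, this early-return path zeroes both `*nextdiroff` and `*nextdirnum`, while the older error paths in the same function only zero `*nextdiroff`; that asymmetry is harmless but worth a comment since callers now read back `*nextdirnum` too.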
+@@ -1479,7 +1489,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+   if 
(((uint64)poffa!=poff)||(poffbtif->tif_size))
+   {
+   TIFFErrorExt(tif->tif_clientdata,module,"Error 
fetching directory count");
+-  *nextdir=0;
++  *nextdiroff=0;
+   return(0);
+   }
+   
_TIFFmemcpy(,tif->tif_base+poffa,sizeof(uint16));
+@@ -1497,7 +1507,7 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+   
_TIFFmemcpy(,tif->tif_base+poffc,sizeof(uint32));
+   if (tif->tif_flags_SWAB)
+   TIFFSwabLong();
+-  *nextdir=nextdir32;
++  *nextdiroff=nextdir32;
+   }
+   else
+   {
+@@ -1529,11 +1539,10 @@ TIFFAdvanceDirectory(TIFF* tif, uint64*
+   }
+   if 

[OE-core][dunfell][PATCH] shadow: backport patch to fix CVE-2023-29383

2023-11-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

The fix in CVE-2023-29383.patch contains a bug: it rejects all
characters that are not control ones, so backport another patch named
"0001-Overhaul-valid_field.patch" from upstream to fix it.

(From OE-Core rev: ab48ab23de6f6bb1f05689c97724140d4bef8faa)

Upstream-Status: Backport
[https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
&
https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]

Signed-off-by: Vijay Anusuri 
---
 .../files/0001-Overhaul-valid_field.patch | 66 +++
 .../shadow/files/CVE-2023-29383.patch | 54 +++
 meta/recipes-extended/shadow/shadow.inc   |  2 +
 3 files changed, 122 insertions(+)
 create mode 100644 
meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch

diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch 
b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
new file mode 100644
index 00..aea07ff361
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
@@ -0,0 +1,66 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= 
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+
+Upstream-Status: Backport 
[https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
+
+Signed-off-by: Xiangyu Chen 
+Signed-off-by: Vijay Anusuri 
+---
+ lib/fields.c | 24 ++--
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
 b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+ 
+   /* For each character of field, search if it appears in the list
+* of illegal characters. */
++  if (illegal && NULL != strpbrk (field, illegal)) {
++  return -1;
++  }
++
++  /* Search if there are non-printable or control characters */
+   for (cp = field; '\0' != *cp; cp++) {
+-  if (strchr (illegal, *cp) != NULL) {
++  unsigned char c = *cp;
++  if (!isprint (c)) {
++  err = 1;
++  }
++  if (iscntrl (c)) {
+   err = -1;
+   break;
+   }
+   }
+ 
+-  if (0 == err) {
+-  /* Search if there are non-printable or control characters */
+-  for (cp = field; '\0' != *cp; cp++) {
+-  if (!isprint (*cp)) {
+-  err = 1;
+-  }
+-  if (!iscntrl (*cp)) {
+-  err = -1;
+-  break;
+-  }
+-  }
+-  }
+-
+   return err;
+ }
+ 
+-- 
+2.34.1
+
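Review bot: the rewritten loop in this hunk only ever assigns 1 or -1 to `err`, so the function relies on `err` being initialised to 0 above the hunk (not visible here); confirm that before merging. The order of the two tests matters and is correct: `!isprint` sets `err = 1` and keeps scanning, `iscntrl` sets `err = -1` and breaks, so a control character anywhere in the field wins over a merely non-printable one, which is what the removed `!iscntrl` version got backwards. The `unsigned char c = *cp` cast removes the undefined behaviour of passing a negative `char` to the ctype functions for bytes >= 0x80; in the C locale those bytes classify as non-printable, so non-ASCII input yields 1 rather than -1. The new `illegal &&` guard before `strpbrk` is an improvement over the old unconditional `strchr (illegal, *cp)`, but note `field` itself is still assumed non-NULL.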
diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch 
b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
new file mode 100644
index 00..dbf4a508e9
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
@@ -0,0 +1,54 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderl...@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters 
are present.
+
+CVE: CVE-2023-29383
+Upstream-Status: Backport
+
+Reference to upstream:
+https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+
+Signed-off-by: Xiangyu Chen 
+Signed-off-by: Vijay Anusuri 
+---
+ lib/fields.c | 11 +++
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
 b/lib/fields.c
+@@ -21,9 +21,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *   contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *   but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
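Review bot: apply order matters for this pair: `CVE-2023-29383.patch` takes `lib/fields.c` from `640be931` to `fb51b582`, and `0001-Overhaul-valid_field.patch` starts from `fb51b582`, so the SRC_URI lines added to shadow.inc (that hunk is not in this excerpt; the diffstat only says two lines are added) must list CVE-2023-29383.patch before 0001-Overhaul-valid_field.patch or the second patch fails to apply. Also, the doc comment rewritten in this hunk describes the final contract (-1 for a control character), which only holds once the overhaul patch is applied on top, because this first patch had the `iscntrl` test inverted, as the overhaul's removed lines show.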

[OE-core][kirkstone][PATCH] avahi: backport CVE-2023-1981 & CVE's follow-up patches

2023-12-07 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patches from ubuntu to fix
 CVE-2023-1981
 CVE-2023-38469-2
 CVE-2023-38470-2
 CVE-2023-38471-2

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f
&
https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
&
https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
&
https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460]

Ref: 
https://git.openembedded.org/openembedded-core-contrib/commit/?h=stable/nanbield-nut=a9203c46cd64c3ec5e5b00e381bbac85733f85df

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-connectivity/avahi/avahi_0.8.bb  | 10 ++-
 .../avahi/files/CVE-2023-1981.patch   | 58 +
 ...023-38469.patch => CVE-2023-38469-1.patch} |  0
 .../avahi/files/CVE-2023-38469-2.patch| 65 +++
 ...023-38470.patch => CVE-2023-38470-1.patch} |  0
 .../avahi/files/CVE-2023-38470-2.patch| 52 +++
 ...023-38471.patch => CVE-2023-38471-1.patch} |  0
 .../avahi/files/CVE-2023-38471-2.patch| 52 +++
 .../avahi/files/CVE-2023-38472.patch  | 44 ++---
 9 files changed, 256 insertions(+), 25 deletions(-)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
 rename meta/recipes-connectivity/avahi/files/{CVE-2023-38469.patch => 
CVE-2023-38469-1.patch} (100%)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
 rename meta/recipes-connectivity/avahi/files/{CVE-2023-38470.patch => 
CVE-2023-38470-1.patch} (100%)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
 rename meta/recipes-connectivity/avahi/files/{CVE-2023-38471.patch => 
CVE-2023-38471-1.patch} (100%)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb 
b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index af5284a252..5d1c86978a 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -26,9 +26,13 @@ SRC_URI = 
"https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
file://0001-Fix-opening-etc-resolv.conf-error.patch \
file://handle-hup.patch \
file://local-ping.patch \
-   file://CVE-2023-38471.patch \
-   file://CVE-2023-38470.patch \
-   file://CVE-2023-38469.patch \
+   file://CVE-2023-1981.patch \
+   file://CVE-2023-38469-1.patch \
+   file://CVE-2023-38469-2.patch \
+   file://CVE-2023-38470-1.patch \
+   file://CVE-2023-38470-2.patch \
+   file://CVE-2023-38471-1.patch \
+   file://CVE-2023-38471-2.patch \
file://CVE-2023-38472.patch \
file://CVE-2023-38473.patch \
"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch 
b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
new file mode 100644
index 00..4d7924d13a
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,58 @@
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= 
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/jammy-security
+Upstream commit 
https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri 
+---
+ avahi-daemon/dbus-protocol.c | 20 ++--
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
+index 70d7687bc..406d0b441 100644
+--- a/avahi-daemon/dbus-protocol.c
 b/avahi-daemon/dbus-protocol.c
+@@ -375,10 +375,14 @@ static DBusHandlerResult 
dbus_get_alternative_host_name(DBusConnection *c, DBusM
+ }
+ 
+ t = avahi_alternative_host_name(n);
+-avahi_dbus_respond_string(c, m, t);
+-avahi_free(t);
++if (t) {
++avahi_dbus_respond_string(c, m, t);
++avahi_free(t);
+ 
+-return DBUS_HANDLER_RESULT_HANDLED;
++return DBUS_HANDLER_RESULT_HANDLED;
++} else {
++return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname 
not found");
++}
+ }
+ 
+ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, 
DBusMessage *m, DBusError *error) {
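Review bot: the `if (t) { ... } else { return ...; }` shape in this hunk re-indents the whole success path and leaves an `else` after an unconditional `return`; an early `if (!t) return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found");` placed before the existing `avahi_dbus_respond_string` call keeps the diff to two added lines and the existing code untouched, which also makes the backport easier to audit. Either form achieves the actual fix, which is that the NULL returned by `avahi_alternative_host_name` no longer reaches the reply function; the commit subject talks about the service-name path, and that sibling change begins in the next hunk.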
+@@ -389,10 +393,14 @@ static DBusHandlerResult 

[OE-core][dunfell][PATCH] bind: Backport fix for CVE-2023-3341

2023-11-26 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport 
[https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71]

Signed-off-by: Vijay Anusuri 
---
 .../bind/bind/CVE-2023-3341.patch | 175 ++
 .../recipes-connectivity/bind/bind_9.11.37.bb |   1 +
 2 files changed, 176 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch 
b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
new file mode 100644
index 00..be479cb00e
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch
@@ -0,0 +1,175 @@
+From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001
+From: Mark Andrews 
+Date: Tue, 20 Jun 2023 15:21:36 +1000
+Subject: [PATCH] Limit isccc_cc_fromwire recursion depth
+
+Named and rndc do not need a lot of recursion so the depth is
+set to 10.
+
+Taken from BIND 9.16.44 change.
+
+Upstream-Status: Backport 
[https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71]
+CVE: CVE-2023-3341
+Signed-off-by: Vijay Anusuri 
+---
+ lib/isccc/cc.c   | 38 +++-
+ lib/isccc/include/isccc/result.h |  4 +++-
+ lib/isccc/result.c   |  4 +++-
+ 3 files changed, 34 insertions(+), 12 deletions(-)
+
+diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
+index e012685..8eac3d6 100644
+--- a/lib/isccc/cc.c
 b/lib/isccc/cc.c
+@@ -53,6 +53,10 @@
+ 
+ #define MAX_TAGS  256
+ #define DUP_LIFETIME  900
++#ifndef ISCCC_MAXDEPTH
++#define ISCCC_MAXDEPTH \
++  10 /* Big enough for rndc which just sends a string each way. */
++#endif
+ 
+ typedef isccc_sexpr_t *sexpr_ptr;
+ 
+@@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, 
unsigned int length,
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp);
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp);
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
++list_fromwire(isccc_region_t *source, unsigned int depth,
++isccc_sexpr_t **listp);
+ 
+ static isc_result_t
+-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) {
++value_fromwire(isccc_region_t *source, unsigned int depth,
++ isccc_sexpr_t **valuep) {
+   unsigned int msgtype;
+   uint32_t len;
+   isccc_sexpr_t *value;
+   isccc_region_t active;
+   isc_result_t result;
+ 
++  if (depth > ISCCC_MAXDEPTH) {
++  return (ISCCC_R_MAXDEPTH);
++  }
++
+   if (REGION_SIZE(*source) < 1 + 4)
+   return (ISC_R_UNEXPECTEDEND);
+   GET8(msgtype, source->rstart);
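Review bot: the test is `depth > ISCCC_MAXDEPTH`, so with a top-level depth of 0 the parser accepts eleven nesting levels, and because `value_fromwire` and `table_fromwire`/`list_fromwire` each pass `depth + 1` when they call into one another (visible in the following hunks), one nested table or list costs two levels; `ISCCC_MAXDEPTH 10` therefore allows roughly five nested tables. That is plenty for rndc, as the comment in the `#ifndef` block says, but the comment should spell out the two-levels-per-container accounting so that nobody later tunes the define to 2 expecting two nested tables to work. `ISCCC_R_MAXDEPTH` is a new result code; the result.h and result.c hunks the diffstat lists must be kept in the backported file or this will not compile.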
+@@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t 
**valuep) {
+   } else
+   result = ISC_R_NOMEMORY;
+   } else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+-  result = table_fromwire(, NULL, 0, valuep);
++  result = table_fromwire(, NULL, 0, depth + 1, valuep);
+   else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+-  result = list_fromwire(, valuep);
++  result = list_fromwire(, depth + 1, valuep);
+   else
+   result = ISCCC_R_SYNTAX;
+ 
+@@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t 
**valuep) {
+ 
+ static isc_result_t
+ table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+- uint32_t algorithm, isccc_sexpr_t **alistp)
++ uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp)
+ {
+   char key[256];
+   uint32_t len;
+@@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t 
*secret,
+ 
+   REQUIRE(alistp != NULL && *alistp == NULL);
+ 
++  if (depth > ISCCC_MAXDEPTH) {
++  return (ISCCC_R_MAXDEPTH);
++  }
++
+   checksum_rstart = NULL;
+   first_tag = true;
+   alist = isccc_alist_create();
+@@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t 
*secret,
+   GET_MEM(key, len, source->rstart);
+   key[len] = '\0';/* Ensure NUL termination. */
+   value = NULL;
+-  result = value_fromwire(source, );
++  result = value_fromwire(source, depth + 1, );
+   if (result != ISC_R_SUCCESS)
+   goto bad;
+   if (isccc_alist_define(alist, key, value) == NULL) {
+@@ -661,14 +675,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t 
*secret,
+ }
+ 
+ static isc_result_t
+-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) {
++list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t 
**listp) {
+   isccc_sexpr_t *list, *value;
+   isc_result_t result;
+ 
++  if (depth > ISCCC_MAXDEPTH) {
++ 

[OE-core][nanbield][PATCH] avahi: backport Debian patches to fix multiple CVE's

2023-11-27 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patches from ubuntu to fix
 CVE-2023-1981
 CVE-2023-38469
 CVE-2023-38470
 CVE-2023-38471
 CVE-2023-38472
 CVE-2023-38473

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f
&
https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
&
https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
&
https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
&
https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24
&
https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
&
https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460
&
https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40
&
https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   8 ++
 .../avahi/files/CVE-2023-1981.patch   |  58 ++
 .../avahi/files/CVE-2023-38469-1.patch|  48 
 .../avahi/files/CVE-2023-38469-2.patch|  65 +++
 .../avahi/files/CVE-2023-38470-1.patch|  57 +
 .../avahi/files/CVE-2023-38470-2.patch|  52 +
 .../avahi/files/CVE-2023-38471-1.patch|  73 
 .../avahi/files/CVE-2023-38471-2.patch|  52 +
 .../avahi/files/CVE-2023-38472.patch  |  45 
 .../avahi/files/CVE-2023-38473.patch  | 109 ++
 10 files changed, 567 insertions(+)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb 
b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 4c830cc058..aa395beaf9 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -26,6 +26,14 @@ SRC_URI = 
"${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
file://handle-hup.patch \
file://local-ping.patch \
file://invalid-service.patch \
+   file://CVE-2023-1981.patch \
+   file://CVE-2023-38469-1.patch \
+   file://CVE-2023-38469-2.patch \
+   file://CVE-2023-38470-1.patch \
+   file://CVE-2023-38470-2.patch \
+   file://CVE-2023-38471-1.patch \
+   file://CVE-2023-38471-2.patch \
+   file://CVE-2023-38472.patch \
"
 
 GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/;
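Review bot: `CVE-2023-38473.patch` is missing from this SRC_URI hunk. The diffstat and the create-mode list both include `meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch` (109 lines) and the commit message lists CVE-2023-38473 among the fixed issues, but the hunk adds exactly eight `file://` lines, ending at CVE-2023-38472.patch, and the diffstat for avahi_0.8.bb confirms 8 insertions. Since the file is created by this commit it cannot already be referenced elsewhere in SRC_URI, so the ninth patch is shipped in the tree but never applied and the recipe's CVE status would be wrong. Add `file://CVE-2023-38473.patch \` after the CVE-2023-38472 line.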
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch 
b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
new file mode 100644
index 00..4d7924d13a
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,58 @@
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= 
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/jammy-security
+Upstream commit 
https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri 
+---
+ avahi-daemon/dbus-protocol.c | 20 ++--
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
+index 70d7687bc..406d0b441 100644
+--- a/avahi-daemon/dbus-protocol.c
 b/avahi-daemon/dbus-protocol.c
+@@ -375,10 +375,14 @@ static DBusHandlerResult 
dbus_get_alternative_host_name(DBusConnection *c, DBusM
+ }
+ 
+ t = avahi_alternative_host_name(n);
+-avahi_dbus_respond_string(c, m, t);
+-avahi_free(t);
++if (t) {
++avahi_dbus_respond_string(c, m, t);
++avahi_free(t);
+ 
+-return DBUS_HANDLER_RESULT_HANDLED;
++return 

[OE-core][dunfell][PATCH] gnutls: Backport fix for CVE-2023-5981

2024-01-21 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport [import from ubuntu 
https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz
Upstream-Commit: 
https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]

References:
https://ubuntu.com/security/CVE-2023-5981

Signed-off-by: Vijay Anusuri 
---
 .../gnutls/gnutls/CVE-2023-5981.patch | 206 ++
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |   1 +
 2 files changed, 207 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch 
b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
new file mode 100644
index 00..c518cfa0ac
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
@@ -0,0 +1,206 @@
+Backport of:
+
+From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno 
+Date: Mon, 23 Oct 2023 09:26:57 +0900
+Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
+
+This removes branching that depends on secret data, porting changes
+for regular RSA key exchange from
+4804febddc2ed958e5ae774de2a8f85edeeff538 and
+80a6ce8ddb02477cd724cd5b2944791aaddb702a.  This also removes the
+allow_wrong_pms as it was used sorely to control debug output
+depending on the branching.
+
+Signed-off-by: Daiki Ueno 
+
+Upstream-Status: Backport 
[https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz
+Upstream-Commit: 
https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
+CVE: CVE-2023-5981
+Signed-off-by: Vijay Anusuri 
+---
+ lib/auth/rsa.c |  2 +-
+ lib/auth/rsa_psk.c | 90 ++
+ lib/gnutls_int.h   |  4 ---
+ lib/priority.c |  1 -
+ 4 files changed, 35 insertions(+), 62 deletions(-)
+
+--- a/lib/auth/rsa.c
 b/lib/auth/rsa.c
+@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t sess
+session->key.key.size);
+   /* After this point, any conditional on failure that cause differences
+* in execution may create a timing or cache access pattern side
+-   * channel that can be used as an oracle, so treat very carefully */
++   * channel that can be used as an oracle, so tread carefully */
+ 
+   /* Error handling logic:
+* In case decryption fails then don't inform the peer. Just use the
+--- a/lib/auth/rsa_psk.c
 b/lib/auth/rsa_psk.c
+@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+ {
+   gnutls_datum_t username;
+   psk_auth_info_t info;
+-  gnutls_datum_t plaintext;
+   gnutls_datum_t ciphertext;
+   gnutls_datum_t pwd_psk = { NULL, 0 };
+   int ret, dsize;
+-  int randomize_key = 0;
+   ssize_t data_size = _data_size;
+   gnutls_psk_server_credentials_t cred;
+   gnutls_datum_t premaster_secret = { NULL, 0 };
++  volatile uint8_t ver_maj, ver_min;
+ 
+   cred = (gnutls_psk_server_credentials_t)
+   _gnutls_get_cred(session, GNUTLS_CRD_PSK);
+@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+   }
+   ciphertext.size = dsize;
+ 
+-  ret =
+-  gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
+-  , );
+-  if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
+-  /* In case decryption fails then don't inform
+-   * the peer. Just use a random key. (in order to avoid
+-   * attack against pkcs-1 formatting).
+-   */
+-  gnutls_assert();
+-  _gnutls_debug_log
+-  ("auth_rsa_psk: Possible PKCS #1 format attack\n");
+-  if (ret >= 0) {
+-  gnutls_free(plaintext.data);
+-  }
+-  randomize_key = 1;
+-  } else {
+-  /* If the secret was properly formatted, then
+-   * check the version number.
+-   */
+-  if (_gnutls_get_adv_version_major(session) !=
+-  plaintext.data[0]
+-  || (session->internals.allow_wrong_pms == 0
+-  && _gnutls_get_adv_version_minor(session) !=
+-  plaintext.data[1])) {
+-  /* No error is returned here, if the version number 
check
+-   * fails. We proceed normally.
+-   * That is to defend against the attack described in 
the paper
+-   * "Attacking RSA-based sessions in SSL/TLS" by 
Vlastimil Klima,
+-   * Ondej Pokorny and Tomas Rosa.
+-   */
+-  gnutls_assert();
+-  _gnutls_debug_log
+-  ("auth_rsa: Possible PKCS #1 version check format 
attack\n");
+-   
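Review bot: the block removed in this hunk is the side channel the commit message describes: on decryption failure or a version mismatch it called `gnutls_assert()` and `_gnutls_debug_log`, and it branched again on `ret >= 0` to free `plaintext`, so the success and failure paths differed in time and memory traffic. The hunk continues past what is shown here; for the remainder, the points to confirm are that nothing after the decrypt call branches on its result or on `ver_maj`/`ver_min` (declared `volatile` in the hunk above precisely so the compiler cannot fold the comparison back into a branch), and that `allow_wrong_pms` is removed from lib/gnutls_int.h and lib/priority.c as the diffstat indicates, otherwise the two builds diverge on that option.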

[OE-core][dunfell][PATCH] gnutls: Backport fix for CVE-2024-0553

2024-01-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed 
ciphertexts in RSA-PSK ClientKeyExchange differ from response times of 
ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote 
attacker to perform a timing side-channel attack in the RSA-PSK key exchange, 
potentially leading to the leakage of sensitive data. CVE-2024-0553 is 
designated as an incomplete resolution for CVE-2023-5981.

Upstream-Status: Backport 
[https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]

Signed-off-by: Vijay Anusuri 
---
 .../gnutls/gnutls/CVE-2024-0553.patch | 125 ++
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |   1 +
 2 files changed, 126 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch 
b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
new file mode 100644
index 00..f15c470879
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
+From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno 
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption.  This also avoids an extra memcpy to session->key.key.
+
+Signed-off-by: Daiki Ueno 
+
+Upstream-Status: Backport 
[https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
+CVE: CVE-2024-0553
+Signed-off-by: Vijay Anusuri 
+---
+ lib/auth/rsa_psk.c | 68 --
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9..c6cfb92 100644
+--- a/lib/auth/rsa_psk.c
 b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, 
uint8_t * data,
+   int ret, dsize;
+   ssize_t data_size = _data_size;
+   gnutls_psk_server_credentials_t cred;
+-  gnutls_datum_t premaster_secret = { NULL, 0 };
+   volatile uint8_t ver_maj, ver_min;
+ 
+   cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, 
uint8_t * data,
+   ver_maj = _gnutls_get_adv_version_major(session);
+   ver_min = _gnutls_get_adv_version_minor(session);
+ 
+-  premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+-  if (premaster_secret.data == NULL) {
++  /* Find the key of this username. A random value will be
++   * filled in if the key is not found.
++   */
++  ret = _gnutls_psk_pwd_find_entry(session, info->username,
++   strlen(info->username), _psk);
++  if (ret < 0)
++  return gnutls_assert_val(ret);
++
++  /* Allocate memory for premaster secret, and fill in the
++   * fields except the decryption result.
++   */
++  session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
++  session->key.key.data = gnutls_malloc(session->key.key.size);
++  if (session->key.key.data == NULL) {
+   gnutls_assert();
++  _gnutls_free_key_datum(_psk);
++  /* No need to zeroize, as the secret is not copied in yet */
++  _gnutls_free_datum(>key.key);
+   return GNUTLS_E_MEMORY_ERROR;
+   }
+-  premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+   /* Fallback value when decryption fails. Needs to be unpredictable. */
+-  ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-   premaster_secret.size);
++  ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
++   GNUTLS_MASTER_SIZE);
+   if (ret < 0) {
+   gnutls_assert();
+-  goto cleanup;
++  _gnutls_free_key_datum(_psk);
++  /* No need to zeroize, as the secret is not copied in yet */
++  _gnutls_free_datum(>key.key);
++  return ret;
+   }
+ 
++  _gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
++  _gnutls_write_uint16(pwd_psk.size,
++   >key.key.data[2 + GNUTLS_MASTER_SIZE]);
++  memcpy(>key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
++ pwd_psk.size);
++  _gnutls_free_key_datum(_psk);
++
+   gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+-   , premaster_secret.data,
+-   premaster_secret.size);
++   , session->key.key.data + 2,
++   GNUTLS_MASTER_SIZE);
+   /* After this point, any conditional on failure that cause differences
+* in execution may 
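
Review bot: the two error paths in this hunk (the gnutls_malloc failure and the gnutls_rnd failure) now free both `pwd_psk` and `session->key.key` and return directly in place of the old `goto cleanup`; confirm in the remainder of the hunk, which is cut off here, that the `cleanup:` label either still has a user or is removed, otherwise the build picks up an unused-label warning. Separately, as rendered in this archive the address-of operators have been eaten on several added lines (`_gnutls_free_key_datum(_psk)`, `_gnutls_free_datum(>key.key)`, and whatever preceded the comma in `, session->key.key.data + 2`), so the committed CVE-2024-0553.patch should be diffed against the upstream commit to make sure `&pwd_psk`, `&session->key.key` and the decrypt output argument survived the import intact; the layout written into `session->key.key` (uint16 length, GNUTLS_MASTER_SIZE bytes, uint16 length, PSK) does match the `2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size` allocation.
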

[OE-core][dunfell][PATCH] xserver-xorg: Multiple CVE fixes

2024-01-24 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Fix below CVEs
CVE-2023-6816
CVE-2024-0229
CVE-2024-21885
CVE-2024-21886
CVE-2024-0408
CVE-2024-0409

Signed-off-by: Vijay Anusuri 
---
 .../xserver-xorg/CVE-2023-6816.patch  |  55 +
 .../xserver-xorg/CVE-2024-0229-1.patch|  87 +++
 .../xserver-xorg/CVE-2024-0229-2.patch| 221 ++
 .../xserver-xorg/CVE-2024-0229-3.patch|  41 
 .../xserver-xorg/CVE-2024-0229-4.patch|  45 
 .../xserver-xorg/CVE-2024-0408.patch  |  64 +
 .../xserver-xorg/CVE-2024-0409.patch  |  46 
 .../xserver-xorg/CVE-2024-21885.patch | 113 +
 .../xserver-xorg/CVE-2024-21886-1.patch   |  74 ++
 .../xserver-xorg/CVE-2024-21886-2.patch   |  57 +
 .../xorg-xserver/xserver-xorg_1.20.14.bb  |  10 +
 11 files changed, 813 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
new file mode 100644
index 00..0bfff268e7
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
@@ -0,0 +1,55 @@
+From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Thu, 14 Dec 2023 11:29:49 +1000
+Subject: [PATCH] dix: allocate enough space for logical button maps
+
+Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
+each logical button currently down. Since buttons can be arbitrarily mapped
+to anything up to 255 make sure we have enough bits for the maximum mapping.
+
+CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3]
+CVE: CVE-2023-6816
+Signed-off-by: Vijay Anusuri 
+---
+ Xi/xiquerypointer.c | 3 +--
+ dix/enterleave.c| 5 +++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index 5b77b1a444..2b05ac5f39 100644
+--- a/Xi/xiquerypointer.c
 b/Xi/xiquerypointer.c
+@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
+ if (pDev->button) {
+ int i;
+ 
+-rep.buttons_len =
+-bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
++rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map 
up to 255 */
+ rep.length += rep.buttons_len;
+ buttons = calloc(rep.buttons_len, 4);
+ if (!buttons)
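
Review bot: the literal 256 that sizes the logical button map here also appears in the dix/enterleave.c hunk of this same patch, tied together only by a comment about the CARD8 range of the map; a named constant shared by both call sites would stop the two allocation sizes from drifting apart in a later change. The arithmetic itself checks out: bits_to_bytes(256) is 32 bytes, bytes_to_int32(32) is 8 CARD32 units, `calloc(rep.buttons_len, 4)` allocates those 32 bytes and `rep.length += rep.buttons_len` adds the same 8 units to the reply length. Note also that the added line is shown wrapped here (`/* button map` / `up to 255 */`); the patch file in the tree must carry it on a single line or it will not apply.
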
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 867ec74363..ded8679d76 100644
+--- a/dix/enterleave.c
 b/dix/enterleave.c
+@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int 
detail,
+ 
+ mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
+ 
+-/* XI 2 event */
+-btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
++/* XI 2 event contains the logical button map - maps are CARD8
++ * so we need 256 bits for the possibly maximum mapping */
++btlen = (mouse->button) ? bits_to_bytes(256) : 0;
+ btlen = bytes_to_int32(btlen);
+ len = sizeof(xXIFocusInEvent) + btlen * 4;
+ 
+-- 
+GitLab
+
diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
new file mode 100644
index 00..80ebc64e59
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
@@ -0,0 +1,87 @@
+From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Mon, 18 Dec 2023 14:27:50 +1000
+Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify
+
+If a device has both a button class and a key class and numButtons is
+zero, we can get an OOB write due to event under-allocation.
+
+This function seems to assume a device has either keys or buttons, not
+both. It has two virtually identical code paths, both of which 

[OE-core][kirkstone][PATCH] xserver-xorg: Multiple CVE fixes

2024-01-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Fix below CVEs
CVE-2023-6816
CVE-2024-0229
CVE-2024-21885
CVE-2024-21886
CVE-2024-0408
CVE-2024-0409

Signed-off-by: Vijay Anusuri 
---
 .../xserver-xorg/CVE-2023-6816.patch  |  55 +
 .../xserver-xorg/CVE-2024-0229-1.patch|  87 +++
 .../xserver-xorg/CVE-2024-0229-2.patch| 221 ++
 .../xserver-xorg/CVE-2024-0229-3.patch|  41 
 .../xserver-xorg/CVE-2024-0229-4.patch|  45 
 .../xserver-xorg/CVE-2024-0408.patch  |  64 +
 .../xserver-xorg/CVE-2024-0409.patch  |  46 
 .../xserver-xorg/CVE-2024-21885.patch | 113 +
 .../xserver-xorg/CVE-2024-21886-1.patch   |  74 ++
 .../xserver-xorg/CVE-2024-21886-2.patch   |  57 +
 .../xorg-xserver/xserver-xorg_21.1.8.bb   |  10 +
 11 files changed, 813 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
new file mode 100644
index 00..0bfff268e7
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
@@ -0,0 +1,55 @@
+From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Thu, 14 Dec 2023 11:29:49 +1000
+Subject: [PATCH] dix: allocate enough space for logical button maps
+
+Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
+each logical button currently down. Since buttons can be arbitrarily mapped
+to anything up to 255 make sure we have enough bits for the maximum mapping.
+
+CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3]
+CVE: CVE-2023-6816
+Signed-off-by: Vijay Anusuri 
+---
+ Xi/xiquerypointer.c | 3 +--
+ dix/enterleave.c| 5 +++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index 5b77b1a444..2b05ac5f39 100644
+--- a/Xi/xiquerypointer.c
 b/Xi/xiquerypointer.c
+@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
+ if (pDev->button) {
+ int i;
+ 
+-rep.buttons_len =
+-bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
++rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map 
up to 255 */
+ rep.length += rep.buttons_len;
+ buttons = calloc(rep.buttons_len, 4);
+ if (!buttons)
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 867ec74363..ded8679d76 100644
+--- a/dix/enterleave.c
 b/dix/enterleave.c
+@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int 
detail,
+ 
+ mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
+ 
+-/* XI 2 event */
+-btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
++/* XI 2 event contains the logical button map - maps are CARD8
++ * so we need 256 bits for the possibly maximum mapping */
++btlen = (mouse->button) ? bits_to_bytes(256) : 0;
+ btlen = bytes_to_int32(btlen);
+ len = sizeof(xXIFocusInEvent) + btlen * 4;
+ 
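
Review bot: the new comment says "possibly maximum mapping" where "maximum possible mapping" is meant. On substance, keeping the `mouse->button ? ... : 0` guard means a device without a button class still gets btlen 0 and an event of bare sizeof(xXIFocusInEvent), while every device with buttons now gets a 32-byte (eight CARD32) map regardless of numButtons, which is the intended fix because the map is indexed by the CARD8 logical button number rather than by the physical button count. The patch file is byte-identical to the one in the dunfell submission (same blob id 0bfff268e7), so the two backports stay in sync.
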
+-- 
+GitLab
+
diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
new file mode 100644
index 00..80ebc64e59
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
@@ -0,0 +1,87 @@
+From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Mon, 18 Dec 2023 14:27:50 +1000
+Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify
+
+If a device has both a button class and a key class and numButtons is
+zero, we can get an OOB write due to event under-allocation.
+
+This function seems to assume a device has either keys or buttons, not
+both. It has two virtually identical code paths, both of which 

[OE-core][kirkstone][PATCH] avahi: Fix for multiple CVE's

2023-11-15 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Patches to fix:
 CVE-2023-38469
 CVE-2023-38470
 CVE-2023-38471
 CVE-2023-38472
 CVE-2023-38473

Upstream-Status: Backport 
[https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
&
https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
&
https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
&
https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
&
https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40
&
https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   6 +
 .../avahi/files/CVE-2023-38469-1.patch|  47 
 .../avahi/files/CVE-2023-38469-2.patch|  65 +++
 .../avahi/files/CVE-2023-38470.patch  |  56 +
 .../avahi/files/CVE-2023-38471.patch  |  72 
 .../avahi/files/CVE-2023-38472.patch  |  47 
 .../avahi/files/CVE-2023-38473.patch  | 108 ++
 7 files changed, 401 insertions(+)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb 
b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index b5c966c102..772fb43939 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -26,6 +26,12 @@ SRC_URI = 
"https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
file://0001-Fix-opening-etc-resolv.conf-error.patch \
file://handle-hup.patch \
file://local-ping.patch \
+   file://CVE-2023-38469-1.patch \
+   file://CVE-2023-38469-2.patch \
+   file://CVE-2023-38470.patch \
+   file://CVE-2023-38471.patch \
+   file://CVE-2023-38472.patch \
+   file://CVE-2023-38473.patch \
"
 
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/;
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch 
b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
new file mode 100644
index 00..99c717daf3
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
@@ -0,0 +1,47 @@
+From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin 
+Date: Mon, 23 Oct 2023 20:29:31 +
+Subject: [PATCH] core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+CVE-2023-38469
+
+Upstream-Status: Backport 
[https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri 
+---
+ avahi-core/rr.c | 9 -
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/rr.c b/avahi-core/rr.c
+index 2bb89244..9c04ebbd 100644
+--- a/avahi-core/rr.c
 b/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include 
+ #include 
+ 
++#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
+ case AVAHI_DNS_TYPE_TXT: {
+ 
+ AvahiStringList *strlst;
++size_t used = 0;
+ 
+-for (strlst = r->data.txt.string_list; strlst; strlst = 
strlst->next)
++for (strlst = r->data.txt.string_list; strlst; strlst = 
strlst->next) {
+ if (strlst->size > 255 || strlst->size <= 0)
+ return 0;
+ 
++used += 1+strlst->size;
++if (used > AVAHI_DNS_RDATA_MAX)
++return 0;
++}
++
+ return 1;
+ }
+ }
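
Review bot: the accumulated-length check is placed after the existing per-string bound, so an empty string or one longer than 255 is still rejected first and `used` can grow by at most 256 per iteration; the `1+` accounts for the one-octet length prefix each TXT character-string carries on the wire, so `used` tracks the real RDATA size and the loop stops as soon as it would exceed AVAHI_DNS_RDATA_MAX instead of walking the whole list first. The constant comes from the `#include "dns.h"` added in the hunk above. Nit: `used += 1+strlst->size;` should be spaced like the surrounding code (`1 + strlst->size`).
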
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch 
b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
new file mode 100644
index 00..b83a70e29b
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
@@ -0,0 +1,65 @@
+From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin 
+Date: Wed, 25 Oct 2023 18:15:42 +
+Subject: [PATCH] tests: pass overly long TXT resource records
+
+to make sure they don't crash avahi any more.
+
+It reproduces https://github.com/lathiat/avahi/issues/455
+
+Upstream-Status: Backport 
[https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri 
+---
+ avahi-client/client-test.c | 14 ++
+ 1 file 

[OE-core][master][PATCH] avahi: Fix for multiple CVE's

2023-11-20 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Patches to fix:
 CVE-2023-38469
 CVE-2023-38470
 CVE-2023-38471
 CVE-2023-38472
 CVE-2023-38473

Upstream-Status: Backport 
[https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
&
https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
&
https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
&
https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
&
https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40
&
https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   6 +
 .../avahi/files/CVE-2023-38469-1.patch|  47 
 .../avahi/files/CVE-2023-38469-2.patch|  65 +++
 .../avahi/files/CVE-2023-38470.patch  |  56 +
 .../avahi/files/CVE-2023-38471.patch  |  72 
 .../avahi/files/CVE-2023-38472.patch  |  47 
 .../avahi/files/CVE-2023-38473.patch  | 108 ++
 7 files changed, 401 insertions(+)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb 
b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 4c830cc058..e07c1f2f0e 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -26,6 +26,12 @@ SRC_URI = 
"${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
file://handle-hup.patch \
file://local-ping.patch \
file://invalid-service.patch \
+   file://CVE-2023-38469-1.patch \
+   file://CVE-2023-38469-2.patch \
+   file://CVE-2023-38470.patch \
+   file://CVE-2023-38471.patch \
+   file://CVE-2023-38472.patch \
+   file://CVE-2023-38473.patch \
"
 
 GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/;
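
Review bot: six `file://` entries are added, matching the six upstream commits listed under Upstream-Status in the cover message (two for CVE-2023-38469, one each for CVE-2023-38470 through CVE-2023-38473), so the recipe side of the series is complete. The new lines sit inside the existing continuation block after `invalid-service.patch`, keeping the trailing `\` on every line and the closing quote on its own line as before. Keep the `-1`/`-2` ordering for CVE-2023-38469 as it is here: the -2 patch only adds a test that feeds overly long TXT records and relies on the -1 core fix already being applied.
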
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch 
b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
new file mode 100644
index 00..99c717daf3
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
@@ -0,0 +1,47 @@
+From a337a1ba7d15853fb56deef1f464529af6e3a1cf Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin 
+Date: Mon, 23 Oct 2023 20:29:31 +
+Subject: [PATCH] core: reject overly long TXT resource records
+
+Closes https://github.com/lathiat/avahi/issues/455
+
+CVE-2023-38469
+
+Upstream-Status: Backport 
[https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri 
+---
+ avahi-core/rr.c | 9 -
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-core/rr.c b/avahi-core/rr.c
+index 2bb89244..9c04ebbd 100644
+--- a/avahi-core/rr.c
 b/avahi-core/rr.c
+@@ -32,6 +32,7 @@
+ #include 
+ #include 
+ 
++#include "dns.h"
+ #include "rr.h"
+ #include "log.h"
+ #include "util.h"
+@@ -689,11 +690,17 @@ int avahi_record_is_valid(AvahiRecord *r) {
+ case AVAHI_DNS_TYPE_TXT: {
+ 
+ AvahiStringList *strlst;
++size_t used = 0;
+ 
+-for (strlst = r->data.txt.string_list; strlst; strlst = 
strlst->next)
++for (strlst = r->data.txt.string_list; strlst; strlst = 
strlst->next) {
+ if (strlst->size > 255 || strlst->size <= 0)
+ return 0;
+ 
++used += 1+strlst->size;
++if (used > AVAHI_DNS_RDATA_MAX)
++return 0;
++}
++
+ return 1;
+ }
+ }
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch 
b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
new file mode 100644
index 00..b83a70e29b
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
@@ -0,0 +1,65 @@
+From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin 
+Date: Wed, 25 Oct 2023 18:15:42 +
+Subject: [PATCH] tests: pass overly long TXT resource records
+
+to make sure they don't crash avahi any more.
+
+It reproduces https://github.com/lathiat/avahi/issues/455
+
+Upstream-Status: Backport 
[https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237]
+CVE: CVE-2023-38469
+Signed-off-by: Vijay Anusuri 
+---
+ avahi-client/client-test.c | 14 ++
+ 1 file changed, 14 insertions(+)
+
+diff --git 

Re: [OE-core][kirkstone][PATCH] avahi: Fix for multiple CVE's

2023-11-20 Thread Vijay Anusuri via lists.openembedded.org
Hi Ross and Steve,

Please consider this patch for the Kirkstone branch.

As discussed again with Meenali, I will be sending patches to the remaining
branches.

Thanks & Regards,
Vijay

On Fri, Nov 17, 2023 at 10:13 PM Randy MacLeod 
wrote:

> Add Hari who will inform WR developers on his team once the CVE
> co-ordination scheme is available.
> Add Marta.
>
> On 2023-11-17 9:11 a.m., Meenali Gupta via lists.openembedded.org wrote:
>
> Hi Ross,
>
> As discussed with Vijay, we'll cooperate on these CVE fixes.
>
> Marta,
>
>
> Do you have a wiki page set up?
>
>
> I see:
>
>https://wiki.yoctoproject.org/wiki/Synchronization_CVEs
>
> and it mentions, but does not point to, "A synchronization wiki page".
>
>
>
> ../Randy
>
>
>
> Regards
> Meenali
> --
> *From:* Vijay Anusuri  
> *Sent:* 16 November 2023 21:31
> *To:* jpuhl...@mvista.com  ;
> Ross Burton  ; Gupta, Meenali
>  
> *Cc:* openembedded-core@lists.openembedded.org
> 
> 
> *Subject:* Re: [OE-core][kirkstone][PATCH] avahi: Fix for multiple CVE's
>
> Hi Ross,
>
> As discussed with Meenali, I agreed she was going to do this work.
> She has already submitted patches for multiple branches ( master,
> mickledore and kirkstone ).
>
> For CVE-2023-38469, we need to include 2 commits to fix the CVE. Meenali
> will send the v2 patch for CVE-2023-38469 which will include 2 patches for
> all the branches.
>
> Thank you Meenali for your timely response.
>
> Thanks & Regards,
> Vijay
>
> On Thu, Nov 16, 2023 at 7:56 PM Jeremy Puhlman via lists.openembedded.org
>  wrote:
>
>
>
> On 11/16/2023 3:22 AM, Ross Burton wrote:
> > Hi Vijay and Meenali,
> >
> > Hopefully this will show everyone - especially WR and Montavista - that
> we need to communicate better when working on CVEs.  In the short term at
> least, Marta proposed a wiki page which can be updated via a tool and when
> someone is working on an issue that can be marked to avoid duplication of
> effort.  Would that be acceptable to both of your companies?
>
> Yeah, I think something like that would be great on our end, provided
> it's automated and the data can be extracted, so it can be consolidated
> in internal CVE tracking that we are currently required to.
>
> >
> > I’ve not checked that the fixes are identical, but apparently I need to
> remind everyone that we take fixes in *master first* and then backport to
> the releases in order.
> There should also be an agreed upon change decoration to indicate
> non-applicability/differently addressed in earlier releases.
>
> With 4 year LTS releases many issues are just not going to be applicable
> to master. Also there may well be very good reasons to fix a given set
> of CVEs in
> completely different ways, but making sure they are addressed in both is
> important. Setting aside this example, in almost all cases on master
> moving to the fixed version is almost always the right answer, whereas
> on say dunfell, moving to the new version may have too many knock on
> effects to make sense.
> In this instance, Khem has already indicated moving to the new release
> may make sense for both kirkstone and master.
>
> >
> > Luckily the avahi recipe is fairly untouched so this should be trivial.
> Can you both discuss and agree who is going to do this?
> Vijay can you work with Meenali to consolidate this patch.
> >
> > Ross
> >
> >> On 16 Nov 2023, at 04:05, Vijay Anusuri via lists.openembedded.org
>  wrote:
> >>
> >> From: Vijay Anusuri 
> >>
> >> Patches to fix:
> >> CVE-2023-38469
> >> CVE-2023-38470
> >> CVE-2023-38471
> >> CVE-2023-38472
> >> CVE-2023-38473
> >>
> >> Upstream-Status: Backport [
> https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
> >> &
> >>
> h

Re: [OE-core][kirkstone][PATCH] avahi: Fix for multiple CVE's

2023-11-16 Thread Vijay Anusuri via lists.openembedded.org
Hi Ross,

As discussed with Meenali, I agreed she was going to do this work.
She has already submitted patches for multiple branches ( master,
mickledore and kirkstone ).

For CVE-2023-38469, we need to include 2 commits to fix the CVE. Meenali
will send the v2 patch for CVE-2023-38469 which will include 2 patches for
all the branches.

Thank you Meenali for your timely response.

Thanks & Regards,
Vijay

On Thu, Nov 16, 2023 at 7:56 PM Jeremy Puhlman via lists.openembedded.org
 wrote:

>
>
> On 11/16/2023 3:22 AM, Ross Burton wrote:
> > Hi Vijay and Meenali,
> >
> > Hopefully this will show everyone - especially WR and Montavista - that
> we need to communicate better when working on CVEs.  In the short term at
> least, Marta proposed a wiki page which can be updated via a tool and when
> someone is working on an issue that can be marked to avoid duplication of
> effort.  Would that be acceptable to both of your companies?
>
> Yeah, I think something like that would be great on our end, provided
> it's automated and the data can be extracted, so it can be consolidated
> in internal CVE tracking that we are currently required to.
>
> >
> > I’ve not checked that the fixes are identical, but apparently I need to
> remind everyone that we take fixes in *master first* and then backport to
> the releases in order.
> There should also be an agreed upon change decoration to indicate
> non-applicability/differently addressed in earlier releases.
>
> With 4 year LTS releases many issues are just not going to be applicable
> to master. Also there may well be very good reasons to fix a given set
> of CVEs in
> completely different ways, but making sure they are addressed in both is
> important. Setting aside this example, in almost all cases on master
> moving to the fixed version is almost always the right answer, whereas
> on say dunfell, moving to the new version may have too many knock on
> effects to make sense.
> In this instance, Khem has already indicated moving to the new release
> may make sense for both kirkstone and master.
>
> >
> > Luckily the avahi recipe is fairly untouched so this should be trivial.
> Can you both discuss and agree who is going to do this?
> Vijay can you work with Meenali to consolidate this patch.
> >
> > Ross
> >
> >> On 16 Nov 2023, at 04:05, Vijay Anusuri via lists.openembedded.org
>  wrote:
> >>
> >> From: Vijay Anusuri 
> >>
> >> Patches to fix:
> >> CVE-2023-38469
> >> CVE-2023-38470
> >> CVE-2023-38471
> >> CVE-2023-38472
> >> CVE-2023-38473
> >>
> >> Upstream-Status: Backport [
> https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
> >> &
> >>
> https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
> >> &
> >>
> https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
> >> &
> >>
> https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
> >> &
> >>
> https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40
> >> &
> >>
> https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797
> ]
> >>
> >> Signed-off-by: Vijay Anusuri 
> >> ---
> >> meta/recipes-connectivity/avahi/avahi_0.8.bb  |   6 +
> >> .../avahi/files/CVE-2023-38469-1.patch|  47 
> >> .../avahi/files/CVE-2023-38469-2.patch|  65 +++
> >> .../avahi/files/CVE-2023-38470.patch  |  56 +
> >> .../avahi/files/CVE-2023-38471.patch  |  72 
> >> .../avahi/files/CVE-2023-38472.patch  |  47 
> >> .../avahi/files/CVE-2023-38473.patch  | 108 ++
> >> 7 files changed, 401 insertions(+)
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38470.patch
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38471.patch
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
> >> create mode 100644
> meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch
> >>
> >> diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb
> b/meta/recipes-connectivity/avahi/avahi_0.8.bb
> >> index b5c966c102..772fb43939 100644
> >> --- a/meta/recipes-connectivity/

[OE-core][dunfell][PATCH] libx11: backport Debian patches to fix CVE-2023-43785 CVE-2023-43786 and CVE-2023-43787

2023-11-14 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patches from ubuntu to fix
 CVE-2023-43785
 CVE-2023-43786
 CVE-2023-43787

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]

Reference: https://launchpad.net/ubuntu/+source/libx11/2:1.6.9-2ubuntu1.6

Signed-off-by: Vijay Anusuri 
---
 .../xorg-lib/libx11/CVE-2023-43785.patch  | 63 ++
 .../xorg-lib/libx11/CVE-2023-43786-1.patch| 42 
 .../xorg-lib/libx11/CVE-2023-43786-2.patch| 46 +
 .../xorg-lib/libx11/CVE-2023-43787-1.patch| 52 +++
 .../xorg-lib/libx11/CVE-2023-43787-2.patch| 64 +++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |  5 ++
 6 files changed, 272 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
new file mode 100644
index 00..dbdf096fc8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith 
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+ _XkbReadKeySyms()
+
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+
+Reported-by: Gregory James DUCK 
+Signed-off-by: Alan Coopersmith 
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
+Upstream commit 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
+CVE: CVE-2023-43785
+Signed-off-by: Vijay Anusuri 
+---
+ src/xkb/XKBGetMap.c | 14 +-
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
 b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, 
xkbGetMapReply *rep)
+ if (offset + newMap->nSyms >= map->size_syms) {
+ register int sz;
+ 
+-sz = map->size_syms + 128;
++sz = offset + newMap->nSyms;
++sz = ((sz + (unsigned) 128) / 128) * 128;
+ _XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+ if (map->syms == NULL) {
+ map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, 
xkbGetMapReply *rep)
+ map->size_syms = sz;
+ }
+ if (newMap->nSyms > 0) {
+-_XkbReadBufferCopyKeySyms(buf, (KeySym *) >syms[offset],
+-  newMap->nSyms);
++if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) 
>syms[offset],
++  newMap->nSyms) == 0)
++return BadLength;
+ offset += newMap->nSyms;
+ }
+ else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, 
xkbGetMapReply *rep)
+ newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+ if (newSyms == NULL)
+ return BadAlloc;
+-if (newMap->nSyms > 0)
+-_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
++if (newMap->nSyms > 0) {
++if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 
0)
++return BadLength;
++}
+ else
+ newSyms[0] = NoSymbol;
+ oldMap->kt_index[0] = newMap->ktIndex[0];
+-- 
+2.39.3
+
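Review bot: the nested patch body in CVE-2023-43785.patch is damaged as posted: the `+++ b/src/xkb/XKBGetMap.c` header has become ` b/src/xkb/XKBGetMap.c`, and `&map->syms[offset]` has become `>syms[offset]` in both the removed and the added lines of the second hunk, so the file in this form would not apply with `git am` or `patch -p1`; please confirm the copy in the tree is byte-identical to the upstream commit (the diffstat of 9 insertions and 5 deletions is consistent with the hunks shown, so this is most likely mailer mangling). The change itself reads correctly: `sz = offset + newMap->nSyms` rounded up to the next multiple of 128 guarantees the resized array covers the copy, and both `_XkbReadBufferCopyKeySyms()` calls now return `BadLength` on a short read instead of silently continuing.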
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
new file mode 100644
index 

[OE-core][dunfell][PATCH v2] libx11: backport Debian patches to fix CVE-2023-43785 CVE-2023-43786 and CVE-2023-43787

2023-11-14 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patches from ubuntu to fix
 CVE-2023-43785
 CVE-2023-43786
 CVE-2023-43787

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]

Reference: https://launchpad.net/ubuntu/+source/libx11/2:1.6.9-2ubuntu1.6

Signed-off-by: Vijay Anusuri 
---
 .../xorg-lib/libx11/CVE-2023-43785.patch  | 63 ++
 .../xorg-lib/libx11/CVE-2023-43786-1.patch| 42 
 .../xorg-lib/libx11/CVE-2023-43786-2.patch| 46 +
 .../xorg-lib/libx11/CVE-2023-43787-1.patch| 52 +++
 .../xorg-lib/libx11/CVE-2023-43787-2.patch| 64 +++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |  5 ++
 6 files changed, 272 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
new file mode 100644
index 00..dbdf096fc8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith 
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+ _XkbReadKeySyms()
+
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+
+Reported-by: Gregory James DUCK 
+Signed-off-by: Alan Coopersmith 
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
+Upstream commit 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
+CVE: CVE-2023-43785
+Signed-off-by: Vijay Anusuri 
+---
+ src/xkb/XKBGetMap.c | 14 +-
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
 b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, 
xkbGetMapReply *rep)
+ if (offset + newMap->nSyms >= map->size_syms) {
+ register int sz;
+ 
+-sz = map->size_syms + 128;
++sz = offset + newMap->nSyms;
++sz = ((sz + (unsigned) 128) / 128) * 128;
+ _XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+ if (map->syms == NULL) {
+ map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, 
xkbGetMapReply *rep)
+ map->size_syms = sz;
+ }
+ if (newMap->nSyms > 0) {
+-_XkbReadBufferCopyKeySyms(buf, (KeySym *) >syms[offset],
+-  newMap->nSyms);
++if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) 
>syms[offset],
++  newMap->nSyms) == 0)
++return BadLength;
+ offset += newMap->nSyms;
+ }
+ else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, 
xkbGetMapReply *rep)
+ newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+ if (newSyms == NULL)
+ return BadAlloc;
+-if (newMap->nSyms > 0)
+-_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
++if (newMap->nSyms > 0) {
++if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 
0)
++return BadLength;
++}
+ else
+ newSyms[0] = NoSymbol;
+ oldMap->kt_index[0] = newMap->ktIndex[0];
+-- 
+2.39.3
+
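Review bot: this hunk is byte-identical to the v1 posting, including the mangled ` b/src/xkb/XKBGetMap.c` header and the `>syms[offset]` lines, so the same check of the in-tree file applies; since the only change from v1 is the subject line (the `CVE-43786` typo became `CVE-2023-43786`), a one-line changelog under the `---` separator would tell reviewers that without a diff of the two mails.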
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
new file mode 100644
index 

[OE-core][dunfell][PATCH v3] libx11: Fix for CVE-2023-43785 CVE-2023-43786 and CVE-2023-43787

2023-11-14 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patches from ubuntu to fix
 CVE-2023-43785
 CVE-2023-43786
 CVE-2023-43787

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/204c3393c4c90a29ed6bef64e43849536e863a86
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b
&
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0]

Reference: https://launchpad.net/ubuntu/+source/libx11/2:1.6.9-2ubuntu1.6

Signed-off-by: Vijay Anusuri 
---
 .../xorg-lib/libx11/CVE-2023-43785.patch  | 63 ++
 .../xorg-lib/libx11/CVE-2023-43786-1.patch| 42 
 .../xorg-lib/libx11/CVE-2023-43786-2.patch| 46 +
 .../xorg-lib/libx11/CVE-2023-43787-1.patch| 52 +++
 .../xorg-lib/libx11/CVE-2023-43787-2.patch| 64 +++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |  5 ++
 6 files changed, 272 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-2.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-1.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787-2.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
new file mode 100644
index 00..dbdf096fc8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
@@ -0,0 +1,63 @@
+From 6858d468d9ca55fb4c5fd70b223dbc78a3358a7f Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith 
+Date: Sun, 17 Sep 2023 14:19:40 -0700
+Subject: [PATCH libX11 1/5] CVE-2023-43785: out-of-bounds memory access in
+ _XkbReadKeySyms()
+
+Make sure we allocate enough memory in the first place, and
+also handle error returns from _XkbReadBufferCopyKeySyms() when
+it detects out-of-bounds issues.
+
+Reported-by: Gregory James DUCK 
+Signed-off-by: Alan Coopersmith 
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/libx11/tree/debian/patches/0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch?h=ubuntu/focal-security
+Upstream commit 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/6858d468d9ca55fb4c5fd70b223dbc78a3358a7f]
+CVE: CVE-2023-43785
+Signed-off-by: Vijay Anusuri 
+---
+ src/xkb/XKBGetMap.c | 14 +-
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 2891d21e..31199e4a 100644
+--- a/src/xkb/XKBGetMap.c
 b/src/xkb/XKBGetMap.c
+@@ -182,7 +182,8 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, 
xkbGetMapReply *rep)
+ if (offset + newMap->nSyms >= map->size_syms) {
+ register int sz;
+ 
+-sz = map->size_syms + 128;
++sz = offset + newMap->nSyms;
++sz = ((sz + (unsigned) 128) / 128) * 128;
+ _XkbResizeArray(map->syms, map->size_syms, sz, KeySym);
+ if (map->syms == NULL) {
+ map->size_syms = 0;
+@@ -191,8 +192,9 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, 
xkbGetMapReply *rep)
+ map->size_syms = sz;
+ }
+ if (newMap->nSyms > 0) {
+-_XkbReadBufferCopyKeySyms(buf, (KeySym *) >syms[offset],
+-  newMap->nSyms);
++if (_XkbReadBufferCopyKeySyms(buf, (KeySym *) 
>syms[offset],
++  newMap->nSyms) == 0)
++return BadLength;
+ offset += newMap->nSyms;
+ }
+ else {
+@@ -222,8 +224,10 @@ _XkbReadKeySyms(XkbReadBufferPtr buf, XkbDescPtr xkb, 
xkbGetMapReply *rep)
+ newSyms = XkbResizeKeySyms(xkb, i + rep->firstKeySym, tmp);
+ if (newSyms == NULL)
+ return BadAlloc;
+-if (newMap->nSyms > 0)
+-_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms);
++if (newMap->nSyms > 0) {
++if (_XkbReadBufferCopyKeySyms(buf, newSyms, newMap->nSyms) == 
0)
++return BadLength;
++}
+ else
+ newSyms[0] = NoSymbol;
+ oldMap->kt_index[0] = newMap->ktIndex[0];
+-- 
+2.39.3
+
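Review bot: v3 carries the identical hunk again; only the subject was reworded ("Fix for" instead of "backport Debian patches to fix") while the body still says "import patches from ubuntu", which is the accurate description given the launchpad URLs in the Upstream-Status lines, so keep the body as is and add a v1 to v3 changelog below `---` so the history is visible in the patch itself.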
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-1.patch
new file mode 100644
index 

[OE-core][dunfell][PATCH] avahi: backport Debian patches to fix multiple CVE's

2023-11-21 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patches from ubuntu to fix
 CVE-2023-1981
 CVE-2023-38469
 CVE-2023-38470
 CVE-2023-38471
 CVE-2023-38472
 CVE-2023-38473

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f
&
https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
&
https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
&
https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
&
https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24
&
https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
&
https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460
&
https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40
&
https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-connectivity/avahi/avahi.inc |   9 ++
 .../avahi/files/CVE-2023-1981.patch   |  60 ++
 .../avahi/files/CVE-2023-38469-1.patch|  48 
 .../avahi/files/CVE-2023-38469-2.patch|  65 +++
 .../avahi/files/CVE-2023-38470-1.patch|  57 +
 .../avahi/files/CVE-2023-38470-2.patch|  53 +
 .../avahi/files/CVE-2023-38471-1.patch|  73 
 .../avahi/files/CVE-2023-38471-2.patch|  52 +
 .../avahi/files/CVE-2023-38472.patch  |  45 
 .../avahi/files/CVE-2023-38473.patch  | 109 ++
 10 files changed, 571 insertions(+)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch

diff --git a/meta/recipes-connectivity/avahi/avahi.inc 
b/meta/recipes-connectivity/avahi/avahi.inc
index 25bb41b738..e1dfc7a861 100644
--- a/meta/recipes-connectivity/avahi/avahi.inc
+++ b/meta/recipes-connectivity/avahi/avahi.inc
@@ -22,6 +22,15 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
 SRC_URI = 
"https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}.tar.gz \
file://fix-CVE-2017-6519.patch \
file://CVE-2021-3468.patch \
+   file://CVE-2023-1981.patch \
+   file://CVE-2023-38469-1.patch \
+   file://CVE-2023-38469-2.patch \
+   file://CVE-2023-38470-1.patch \
+   file://CVE-2023-38470-2.patch \
+   file://CVE-2023-38471-1.patch \
+   file://CVE-2023-38471-2.patch \
+   file://CVE-2023-38472.patch \
+   file://CVE-2023-38473.patch \
"
 
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/;
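Review bot: the nine `file://` additions are listed in CVE order, but the commit message lists nine upstream commit URLs without saying which patch file carries which commit; since the split patches (`-1`/`-2`) come from the same upstream series and may depend on one another, please confirm `do_patch` applies cleanly in this order and, ideally, name the upstream commit next to each CVE in the commit body. The `UPSTREAM_CHECK_URI` context line shows `releases/;` where the closing quote should be, the same mangling seen elsewhere in this series, so check the in-tree file too.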
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch 
b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
new file mode 100644
index 00..1209864402
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,60 @@
+Backport of:
+
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= 
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/focal-security
+Upstream commit 
https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri 
+---
+ avahi-daemon/dbus-protocol.c | 20 ++--
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/avahi-daemon/dbus-protocol.c
 b/avahi-daemon/dbus-protocol.c
+@@ -391,10 +391,14 @@ static DBusHandlerResult msg_server_impl
+ }
+ 
+ t = avahi_alternative_host_name(n);
+-avahi_dbus_respond_string(c, m, t);
+-avahi_free(t);
+-
+-return DBUS_HANDLER_RESULT_HANDLED;
++if (t) {
++avahi_dbus_respond_string(c, m, t);
++avahi_free(t);
++
++return 
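Review bot: the hunk is cut off after `++return`, so the error branch the commit message promises (emit a D-Bus error instead of passing a NULL pointer to the reply) is not visible and cannot be reviewed here; the visible part only wraps the existing `avahi_dbus_respond_string()`/`avahi_free()` pair in `if (t) {`. Note that this dunfell copy is marked `Backport of:` and its hunk context is `msg_server_impl` rather than `dbus_get_alternative_host_name`, so it was adapted to the older avahi source layout; the `+++` line has again lost its leading `+++`, so confirm the file applies.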

[OE-core][mickledore][PATCH] avahi: backport Debian patches to fix multiple CVE's

2023-11-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patches from ubuntu to fix
 CVE-2023-1981
 CVE-2023-38469
 CVE-2023-38470
 CVE-2023-38471
 CVE-2023-38472
 CVE-2023-38473

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f
&
https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf
&
https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237
&
https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c
&
https://github.com/lathiat/avahi/commit/20dec84b2480821704258bc908e7b2bd2e883b24
&
https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09
&
https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460
&
https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40
&
https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   9 ++
 .../avahi/files/CVE-2023-1981.patch   |  58 ++
 .../avahi/files/CVE-2023-38469-1.patch|  48 
 .../avahi/files/CVE-2023-38469-2.patch|  65 +++
 .../avahi/files/CVE-2023-38470-1.patch|  57 +
 .../avahi/files/CVE-2023-38470-2.patch|  52 +
 .../avahi/files/CVE-2023-38471-1.patch|  73 
 .../avahi/files/CVE-2023-38471-2.patch|  52 +
 .../avahi/files/CVE-2023-38472.patch  |  45 
 .../avahi/files/CVE-2023-38473.patch  | 109 ++
 10 files changed, 568 insertions(+)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb 
b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 3fb082cf3f..418b0c8ccf 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -27,6 +27,15 @@ SRC_URI = 
"${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
file://handle-hup.patch \
file://local-ping.patch \
file://invalid-service.patch \
+   file://CVE-2023-1981.patch \
+   file://CVE-2023-38469-1.patch \
+   file://CVE-2023-38469-2.patch \
+   file://CVE-2023-38470-1.patch \
+   file://CVE-2023-38470-2.patch \
+   file://CVE-2023-38471-1.patch \
+   file://CVE-2023-38471-2.patch \
+   file://CVE-2023-38472.patch \
+   file://CVE-2023-38473.patch \
"
 
 GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/;
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch 
b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
new file mode 100644
index 00..4d7924d13a
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch
@@ -0,0 +1,58 @@
+From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= 
+Date: Thu, 17 Nov 2022 01:51:53 +0100
+Subject: [PATCH] Emit error if requested service is not found
+
+It currently just crashes instead of replying with error. Check return
+value and emit error instead of passing NULL pointer to reply.
+
+Fixes #375
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/jammy-security
+Upstream commit 
https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f]
+CVE: CVE-2023-1981
+Signed-off-by: Vijay Anusuri 
+---
+ avahi-daemon/dbus-protocol.c | 20 ++--
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c
+index 70d7687bc..406d0b441 100644
+--- a/avahi-daemon/dbus-protocol.c
 b/avahi-daemon/dbus-protocol.c
+@@ -375,10 +375,14 @@ static DBusHandlerResult 
dbus_get_alternative_host_name(DBusConnection *c, DBusM
+ }
+ 
+ t = avahi_alternative_host_name(n);
+-avahi_dbus_respond_string(c, m, t);
+-avahi_free(t);
++if (t) {
++avahi_dbus_respond_string(c, m, t);
++avahi_free(t);
+ 
+-return 
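Review bot: the hunk stops at `+-return`, so the else branch is not visible; unlike the dunfell copy, this one keeps the upstream `diff --git`/`index 70d7687bc..406d0b441` header and the `dbus_get_alternative_host_name` context, so it should apply unchanged to avahi 0.8. The diffstat (14 insertions, 6 deletions) implies the missing lines add the error reply for the `t == NULL` case; please make sure the complete file reached the tree, since the mail was truncated.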

[OE-core][dunfell][PATCH] libtiff: Fix for CVE-2023-6228

2024-01-16 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]

Signed-off-by: Vijay Anusuri 
---
 .../libtiff/files/CVE-2023-6228.patch | 30 +++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |  1 +
 2 files changed, 31 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch
new file mode 100644
index 00..a777dea9b0
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6228.patch
@@ -0,0 +1,30 @@
+From 1e7d217a323eac701b134afc4ae39b6bdfdbc96a Mon Sep 17 00:00:00 2001
+From: Su_Laus 
+Date: Sat, 9 Sep 2023 15:45:47 +0200
+Subject: [PATCH] Check also if codec of input image is available,
+ independently from codec check of output image and return with error if not.
+ Fixes #606.
+
+Upstream-Status: Backport 
[https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a]
+CVE: CVE-2023-6228
+Signed-off-by: Vijay Anusuri 
+---
+ tools/tiffcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/tiffcp.c b/tools/tiffcp.c
+index 007bd05..d2f7b66 100644
+--- a/tools/tiffcp.c
 b/tools/tiffcp.c
+@@ -628,6 +628,8 @@ tiffcp(TIFF* in, TIFF* out)
+   else
+   CopyField(TIFFTAG_COMPRESSION, compression);
+   TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, _compression);
++  if (!TIFFIsCODECConfigured(input_compression))
++  return FALSE;
+   TIFFGetFieldDefaulted(in, TIFFTAG_PHOTOMETRIC, _photometric);
+   if (input_compression == COMPRESSION_JPEG) {
+   /* Force conversion to RGB */
+-- 
+2.25.1
+
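Review bot: the added `TIFFIsCODECConfigured(input_compression)` check returns `FALSE` without any diagnostic, so a user whose input uses an unconfigured codec sees tiffcp fail with no explanation; consider pairing it with a `TIFFError()` call naming the compression scheme. Also, the context line `TIFFGetFieldDefaulted(in, TIFFTAG_COMPRESSION, _compression);` has lost its `&input` prefix in transit (likewise the `_photometric` line), so confirm the patch file in the tree is intact before merging.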
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb 
b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 8b130826e3..c739f3a7fa 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -48,6 +48,7 @@ SRC_URI = 
"http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-40745.patch \
file://CVE-2023-41175.patch \
file://CVE-2022-40090.patch \
+   file://CVE-2023-6228.patch \
   "
 SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
 SRC_URI[sha256sum] = 
"5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#193884): 
https://lists.openembedded.org/g/openembedded-core/message/193884
Mute This Topic: https://lists.openembedded.org/mt/103778770/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][kirkstone][PATCH] xserver-xorg: Fix for CVE-2024-31080 and CVE-2024-31081

2024-04-09 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport from
https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b
& 
https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee

Signed-off-by: Vijay Anusuri 
---
 .../xserver-xorg/CVE-2024-31080.patch | 49 +++
 .../xserver-xorg/CVE-2024-31081.patch | 47 ++
 .../xorg-xserver/xserver-xorg_21.1.8.bb   |  2 +
 3 files changed, 98 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
new file mode 100644
index 00..40296903cd
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
@@ -0,0 +1,49 @@
+From 96798fc1967491c80a4d0c8d9e0a80586cb2152b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith 
+Date: Fri, 22 Mar 2024 18:51:45 -0700
+Subject: [PATCH] Xi: ProcXIGetSelectedEvents needs to use unswapped length to
+ send reply
+
+CVE-2024-31080
+
+Reported-by: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=69762
+Fixes: 53e821ab4 ("Xi: add request processing for XIGetSelectedEvents.")
+Signed-off-by: Alan Coopersmith 
+Part-of: 
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b]
+CVE: CVE-2024-31080
+Signed-off-by: Vijay Anusuri 
+---
+ Xi/xiselectev.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
+index edcb8a0d36..ac14949871 100644
+--- a/Xi/xiselectev.c
 b/Xi/xiselectev.c
+@@ -349,6 +349,7 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ InputClientsPtr others = NULL;
+ xXIEventMask *evmask = NULL;
+ DeviceIntPtr dev;
++uint32_t length;
+ 
+ REQUEST(xXIGetSelectedEventsReq);
+ REQUEST_SIZE_MATCH(xXIGetSelectedEventsReq);
+@@ -418,10 +419,12 @@ ProcXIGetSelectedEvents(ClientPtr client)
+ }
+ }
+ 
++/* save the value before SRepXIGetSelectedEvents swaps it */
++length = reply.length;
+ WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), );
+ 
+ if (reply.num_masks)
+-WriteToClient(client, reply.length * 4, buffer);
++WriteToClient(client, length * 4, buffer);
+ 
+ free(buffer);
+ return Success;
+-- 
+GitLab
+
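Review bot: the fix has the right shape: `SRepXIGetSelectedEvents` byte-swaps `reply.length` in place for a client of the other endianness, so the following `WriteToClient(client, reply.length * 4, buffer)` computed a bogus byte count; copying the value into the local `uint32_t length` before `WriteReplyToClient()` removes that. Two things to tidy: the `Part-of:` trailer in the patch header has an empty value (the URL was stripped), and `WriteReplyToClient(client, sizeof(xXIGetSelectedEventsReply), );` has lost `&reply`, so check the in-tree file applies.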
diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
new file mode 100644
index 00..4380004700
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch
@@ -0,0 +1,47 @@
+From 3e77295f888c67fc7645db5d0c00926a29ffecee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith 
+Date: Fri, 22 Mar 2024 18:56:27 -0700
+Subject: [PATCH] Xi: ProcXIPassiveGrabDevice needs to use unswapped length to
+ send reply
+
+CVE-2024-31081
+
+Fixes: d220d6907 ("Xi: add GrabButton and GrabKeysym code.")
+Signed-off-by: Alan Coopersmith 
+Part-of: 
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee]
+CVE: CVE-2024-31081
+Signed-off-by: Vijay Anusuri 
+---
+ Xi/xipassivegrab.c | 5 -
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/Xi/xipassivegrab.c b/Xi/xipassivegrab.c
+index c9ac2f8553..896233bec2 100644
+--- a/Xi/xipassivegrab.c
 b/Xi/xipassivegrab.c
+@@ -93,6 +93,7 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ GrabParameters param;
+ void *tmp;
+ int mask_len;
++uint32_t length;
+ 
+ REQUEST(xXIPassiveGrabDeviceReq);
+ REQUEST_FIXED_SIZE(xXIPassiveGrabDeviceReq,
+@@ -247,9 +248,11 @@ ProcXIPassiveGrabDevice(ClientPtr client)
+ }
+ }
+ 
++/* save the value before SRepXIPassiveGrabDevice swaps it */
++length = rep.length;
+ WriteReplyToClient(client, sizeof(rep), );
+ if (rep.num_modifiers)
+-WriteToClient(client, rep.length * 4, modifiers_failed);
++WriteToClient(client, length * 4, modifiers_failed);
+ 
+  out:
+ free(modifiers_failed);
+-- 
+GitLab
+
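Review bot: same pattern as CVE-2024-31080 and equally sound: `rep.length` is saved before `WriteReplyToClient()` swaps it and the saved `length` drives the `modifiers_failed` write, which is then freed at `out:` on every path. As with the sibling patch, `WriteReplyToClient(client, sizeof(rep), );` is missing `&rep` and `Part-of:` is empty, so verify the file in the tree rather than this mail copy.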
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index e62babd4cb..b9eed92103 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -16,6 +16,8 @@ SRC_URI += 
"file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://CVE-2024-21886-2.patch \
file://CVE-2024-0408.patch \
file://CVE-2024-0409.patch \
+   

[OE-core][kirkstone][PATCH] go: Fix for CVE-2023-45288

2024-04-17 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport from 
https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |  1 +
 .../go/go-1.18/CVE-2023-45288.patch   | 95 +++
 2 files changed, 96 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 768961de2c..95fb572362 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -55,6 +55,7 @@ SRC_URI += "\
 file://CVE-2023-45290.patch \
 file://CVE-2024-24784.patch \
 file://CVE-2024-24785.patch \
+file://CVE-2023-45288.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
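Review bot: the patch is added to `go-1.17.13.inc` but the file lives under `go-1.18/`; the neighbouring `CVE-2023-45290.patch` and `CVE-2024-2478x.patch` entries are presumably resolved through the recipe's FILESEXTRAPATHS the same way, so this is fine if they are, but it is worth stating in the commit message since the upstream commit targets `release-branch.go1.22` and needed adapting to the 1.17 bundle.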
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch 
b/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch
new file mode 100644
index 00..741e7be89a
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-45288.patch
@@ -0,0 +1,95 @@
+From e55d7cf8435ba4e58d4a5694e63b391821d4ee9b Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Thu, 28 Mar 2024 16:57:51 -0700
+Subject: [PATCH] [release-branch.go1.22] net/http: update bundled
+ golang.org/x/net/http2
+
+Disable cmd/internal/moddeps test, since this update includes PRIVATE
+track fixes.
+
+Fixes CVE-2023-45288
+For #65051
+Fixes #66298
+
+Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2197227
+Reviewed-by: Tatiana Bradley 
+Run-TryBot: Damien Neil 
+Reviewed-by: Dmitri Shuralyov 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/576076
+Auto-Submit: Dmitri Shuralyov 
+TryBot-Bypass: Dmitri Shuralyov 
+Reviewed-by: Than McIntosh 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b]
+CVE: CVE-2023-45288
+Signed-off-by: Vijay Anusuri 
+---
+ src/cmd/internal/moddeps/moddeps_test.go |  1 +
+ src/net/http/h2_bundle.go| 31 
+ 2 files changed, 32 insertions(+)
+
+diff --git a/src/cmd/internal/moddeps/moddeps_test.go 
b/src/cmd/internal/moddeps/moddeps_test.go
+index d48d43f..250bde4 100644
+--- a/src/cmd/internal/moddeps/moddeps_test.go
 b/src/cmd/internal/moddeps/moddeps_test.go
+@@ -34,6 +34,7 @@ import (
+ // See issues 36852, 41409, and 43687.
+ // (Also see golang.org/issue/27348.)
+ func TestAllDependencies(t *testing.T) {
++  t.Skip("TODO(#65051): 1.22.2 contains unreleased changes from vendored 
modules")
+   t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from vendored 
modules")
+   t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from vendored 
modules")
+ 
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 9d6abd8..10ff193 100644
+--- a/src/net/http/h2_bundle.go
 b/src/net/http/h2_bundle.go
+@@ -2842,6 +2842,7 @@ func (fr *http2Framer) readMetaFrame(hf 
*http2HeadersFrame) (*http2MetaHeadersFr
+   if size > remainSize {
+   hdec.SetEmitEnabled(false)
+   mh.Truncated = true
++  remainSize = 0
+   return
+   }
+   remainSize -= size
+@@ -2854,6 +2855,36 @@ func (fr *http2Framer) readMetaFrame(hf 
*http2HeadersFrame) (*http2MetaHeadersFr
+   var hc http2headersOrContinuation = hf
+   for {
+   frag := hc.HeaderBlockFragment()
++
++  // Avoid parsing large amounts of headers that we will then 
discard.
++  // If the sender exceeds the max header list size by too much,
++  // skip parsing the fragment and close the connection.
++  //
++  // "Too much" is either any CONTINUATION frame after we've 
already
++  // exceeded the max header list size (in which case remainSize 
is 0),
++  // or a frame whose encoded size is more than twice the 
remaining
++  // header list bytes we're willing to accept.
++  if int64(len(frag)) > int64(2*remainSize) {
++  if http2VerboseLogs {
++  log.Printf("http2: header list too large")
++  }
++  // It would be nice to send a RST_STREAM before sending 
the GOAWAY,
++  // but the struture of the server's frame writer makes 
this difficult.
++  return nil, http2ConnectionError(http2ErrCodeProtocol)
++  }
++
++  // Also close the connection after any CONTINUATION frame 
following an
++  // invalid header, since we stop tracking the size of the 
headers after
++  // an invalid one.
++  if invalid != nil {
++  if http2VerboseLogs {
++ 
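Review bot: in `if int64(len(frag)) > int64(2*remainSize)` the doubling is done in remainSize's own type and only then widened, so for a configured max header list size above half that type's range the product wraps and the guard compares against a small number; writing it as `2*int64(remainSize)` keeps the intent for every setting. The guard itself is what gives the `remainSize = 0` reset in the previous hunk its effect: once a list is truncated, any further CONTINUATION fragment is larger than 2*0 and closes the connection instead of being decoded.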

Re: [OE-core][kirkstone][PATCH 1/1] go: Fix CVE-2023-45288

2024-04-19 Thread Vijay Anusuri via lists.openembedded.org
Hi Soumya,

I've already sent patch for the Kirkstone branch.

https://lists.openembedded.org/g/openembedded-core/message/198495

Thanks & Regards,
Vijay


On Fri, Apr 19, 2024 at 6:52 PM Soumya via lists.openembedded.org
 wrote:

> From: Soumya Sambu 
>
> An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of
> header data by sending an excessive number of CONTINUATION frames.
> Maintaining HPACK state requires parsing and processing all HEADERS
> and CONTINUATION frames on a connection. When a request's headers
> exceed MaxHeaderBytes, no memory is allocated to store the excess
> headers, but they are still parsed. This permits an attacker to cause
> an HTTP/2 endpoint to read arbitrary amounts of header data, all
> associated with a request which is going to be rejected. These headers
> can include Huffman-encoded data which is significantly more expensive
> for the receiver to decode than for an attacker to send. The fix sets
> a limit on the amount of excess header frames we will process before
> closing a connection.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-45288
>
> Signed-off-by: Soumya Sambu 
> ---
>  meta/recipes-devtools/go/go-1.17.13.inc   |  3 +-
>  .../go/go-1.22/CVE-2023-45288.patch   | 96 +++
>  2 files changed, 98 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
>
> diff --git a/meta/recipes-devtools/go/go-1.17.13.inc
> b/meta/recipes-devtools/go/go-1.17.13.inc
> index 768961de2c..b5566db1fe 100644
> --- a/meta/recipes-devtools/go/go-1.17.13.inc
> +++ b/meta/recipes-devtools/go/go-1.17.13.inc
> @@ -1,6 +1,6 @@
>  require go-common.inc
>
> -FILESEXTRAPATHS:prepend :=
> "${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
> +FILESEXTRAPATHS:prepend :=
> "${FILE_DIRNAME}/go-1.22:${FILE_DIRNAME}/go-1.21:${FILE_DIRNAME}/go-1.20:${FILE_DIRNAME}/go-1.19:${FILE_DIRNAME}/go-1.18:"
>
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707"
>
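Review bot: prepending `${FILE_DIRNAME}/go-1.22:` for a go-1.17.13 recipe means every file placed under go-1.22/ now shadows a same-named file in go-1.21, go-1.20, go-1.19 and go-1.18 for this recipe, so check that no existing patch name collides; it is also worth stating in the commit message that the patch is the release-branch.go1.22 commit applied to 1.17.13, since the directory name alone suggests a different source version.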
> @@ -55,6 +55,7 @@ SRC_URI += "\
>  file://CVE-2023-45290.patch \
>  file://CVE-2024-24784.patch \
>  file://CVE-2024-24785.patch \
> +file://CVE-2023-45288.patch \
>  "
>  SRC_URI[main.sha256sum] =
> "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
>
> diff --git a/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
> b/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
> new file mode 100644
> index 00..ad84fb84d9
> --- /dev/null
> +++ b/meta/recipes-devtools/go/go-1.22/CVE-2023-45288.patch
> @@ -0,0 +1,96 @@
> +From e55d7cf8435ba4e58d4a5694e63b391821d4ee9b Mon Sep 17 00:00:00 2001
> +From: Damien Neil 
> +Date: Thu, 28 Mar 2024 16:57:51 -0700
> +Subject: [PATCH] [release-branch.go1.22] net/http: update bundled
> + golang.org/x/net/http2
> +
> +Disable cmd/internal/moddeps test, since this update includes PRIVATE
> +track fixes.
> +
> +Fixes CVE-2023-45288
> +For #65051
> +Fixes #66298
> +
> +Change-Id: I5bbf774ebe7651e4bb7e55139d3794bd2b8e8fa8
> +Reviewed-on:
> https://team-review.git.corp.google.com/c/golang/go-private/+/2197227
> +Reviewed-by
> :
> Tatiana Bradley 
> +Run-TryBot: Damien Neil 
> +Reviewed-by: Dmitri Shuralyov 
> +Reviewed-on: https://go-review.googlesource.com/c/go/+/576076
> +Auto-Submit: Dmitri Shuralyov 
> +TryBot-Bypass: Dmitri Shuralyov 
> +Reviewed-by: Than McIntosh 
> +
> +CVE: CVE-2023-45288
> +
> +Upstream-Status: Backport [
> https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b
> ]
> +
> +Signed-off-by: Soumya Sambu 
> +---
> + src/cmd/internal/moddeps/moddeps_test.go |  1 +
> + src/net/http/h2_bundle.go| 31 
> + 2 files changed, 32 insertions(+)
> +
> +diff --git a/src/cmd/internal/moddeps/moddeps_test.go
> b/src/cmd/internal/moddeps/moddeps_test.go
> +index d48d43f..ee6d455 100644
> +--- a/src/cmd/internal/moddeps/moddeps_test.go
>  b/src/cmd/internal/moddeps/moddeps_test.go
> +@@ -36,6 +36,7 @@ import (
> + func TestAllDependencies(t *testing.T) {
> +   t.Skip("TODO(#57009): 1.19.4 contains unreleased changes from
> vendored modules")
> +   t.Skip("TODO(#53977): 1.18.5 contains unreleased changes from
> vendored modules")
> ++  t.Skip("TODO(#65051): 1.22.2 contains unreleased changes from
> vendored modules")
> +
> +   goBin := testenv.GoToolPath(t)
> +
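Review bot: the added `t.Skip("TODO(#65051): ...")` comes after two existing t.Skip calls, and t.Skip terminates the test at the first call, so the new line and its message are never reached; either place it first or drop it, given the test is already skipped on this branch.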
> +diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
> +index 9d6abd8..10ff193 100644
> +--- a/src/net/http/h2_bundle.go
>  b/src/net/http/h2_bundle.go
> +@@ -2842,6 +2842,7 @@ func (fr *http2Framer) readMetaFrame(hf
> *http2HeadersFrame) (*http2MetaHeadersFr
> +   if size > remainSize {
> +   hdec.SetEmitEnabled(false)
> +   mh.Truncated = true
> ++  remainSize = 0
> +   
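As an added illustration (not code from the Go patch or from either poster), the following Go model replays the bookkeeping the fix introduces: a per-block header byte budget, the `remainSize = 0` reset once a list is truncated, and the fragment guard that closes the connection when a fragment exceeds twice the remaining budget. The budget and fragment sizes are constructed, and it assumes the simplification that each fragment decodes to header fields whose sizes sum to the fragment length.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrHeaderListTooLarge stands in for the PROTOCOL_ERROR connection error
// the patched framer returns; the receiver stops decoding and closes.
var ErrHeaderListTooLarge = errors.New("http2: header list too large")

// BlockResult summarises how one HEADERS + CONTINUATION sequence was handled.
type BlockResult struct {
	FragmentsParsed int   // fragments that were handed to the HPACK decoder
	BytesParsed     int64 // header block bytes actually decoded
	Truncated       bool  // the list exceeded the budget (request will be rejected)
	Err             error // non-nil when the connection is closed instead
}

// ProcessHeaderBlock replays the patched bookkeeping over constructed fragment
// sizes. maxHeaderListSize is the advertised SETTINGS_MAX_HEADER_LIST_SIZE
// budget. Constructed simplification: every fragment is assumed to decode to
// header fields whose sizes sum to len(fragment); real HPACK output differs.
func ProcessHeaderBlock(maxHeaderListSize uint32, fragmentSizes []int) BlockResult {
	var res BlockResult
	remain := maxHeaderListSize
	for _, size := range fragmentSizes {
		// Fragment guard added by the fix: a CONTINUATION arriving after the
		// budget hit zero, or a fragment larger than twice what is left, is
		// fatal for the connection. Widen before doubling so the product
		// cannot wrap for large budgets.
		if int64(size) > 2*int64(remain) {
			res.Err = ErrHeaderListTooLarge
			return res
		}
		res.FragmentsParsed++
		res.BytesParsed += int64(size)
		// Field accounting that predates the fix: once decoded size exceeds
		// the budget, emission stops. The fix additionally zeroes the budget
		// so that the next CONTINUATION trips the guard above.
		if uint32(size) > remain {
			res.Truncated = true
			remain = 0
			continue
		}
		remain -= uint32(size)
	}
	return res
}

// UnboundedBytesParsed is the pre-fix cost: every fragment was decoded,
// so work grew with however many CONTINUATION frames the peer sent.
func UnboundedBytesParsed(fragmentSizes []int) int64 {
	var total int64
	for _, s := range fragmentSizes {
		total += int64(s)
	}
	return total
}

func main() {
	// Constructed inputs: a 1000-byte budget, a request that fits, and an
	// oversized block of fifty 600-byte fragments.
	fits := []int{300, 300}
	oversized := make([]int, 50)
	for i := range oversized {
		oversized[i] = 600
	}
	fmt.Printf("fits:      %+v\n", ProcessHeaderBlock(1000, fits))
	fmt.Printf("oversized: %+v (decoded before the fix: %d bytes)\n",
		ProcessHeaderBlock(1000, oversized), UnboundedBytesParsed(oversized))
}
```

With the 1000-byte budget the oversized block is cut off after two fragments (1200 bytes decoded) and the connection is closed, where the unbounded path would have decoded all 30000 bytes.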

[OE-core][kirkstone][PATCH] bluez5: Fix CVE-2023-27349 CVE-2023-50229 & CVE-2023-50230

2024-05-10 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://github.com/bluez/bluez/commit/f54299a850676d92c3dafd83e9174fcfe420ccc9
&
https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-connectivity/bluez5/bluez5.inc   |  2 +
 .../bluez5/bluez5/CVE-2023-27349.patch| 48 +
 .../CVE-2023-50229_CVE-2023-50230.patch   | 67 +++
 3 files changed, 117 insertions(+)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2023-27349.patch
 create mode 100644 
meta/recipes-connectivity/bluez5/bluez5/CVE-2023-50229_CVE-2023-50230.patch

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc 
b/meta/recipes-connectivity/bluez5/bluez5.inc
index 7786b65670..97193a5f1c 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -55,6 +55,8 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \

file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://0001-test-gatt-Fix-hung-issue.patch \
   file://CVE-2023-45866.patch \
+  file://CVE-2023-27349.patch \
+  file://CVE-2023-50229_CVE-2023-50230.patch \
"
 S = "${WORKDIR}/bluez-${PV}"
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-27349.patch 
b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-27349.patch
new file mode 100644
index 00..946208099a
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-27349.patch
@@ -0,0 +1,48 @@
+From f54299a850676d92c3dafd83e9174fcfe420ccc9 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz 
+Date: Wed, 22 Mar 2023 11:34:24 -0700
+Subject: [PATCH] avrcp: Fix crash while handling unsupported events
+
+The following crash can be observed if the remote peer send and
+unsupported event:
+
+ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000148f11
+ at pc 0x559644552088 bp 0x7ffe28b3c7b0 sp 0x7ffe28b3c7a0
+ WRITE of size 1 at 0x60b000148f11 thread T0
+ #0 0x559644552087 in avrcp_handle_event profiles/audio/avrcp.c:3907
+ #1 0x559644536c22 in control_response profiles/audio/avctp.c:939
+ #2 0x5596445379ab in session_cb profiles/audio/avctp.c:1108
+ #3 0x7fbcb3e51c43 in g_main_context_dispatch 
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x55c43)
+ #4 0x7fbcb3ea66c7  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xaa6c7)
+ #5 0x7fbcb3e512b2 in g_main_loop_run 
(/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x552b2)
+ #6 0x559644754ab6 in mainloop_run src/shared/mainloop-glib.c:66
+ #7 0x559644755606 in mainloop_run_with_signal 
src/shared/mainloop-notify.c:188
+ #8 0x5596445bb963 in main src/main.c:1289
+ #9 0x7fbcb3bafd8f in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
+ #10 0x7fbcb3bafe3f in __libc_start_main_impl ../csu/libc-start.c:392
+ #11 0x5596444e8224 in _start 
(/usr/local/libexec/bluetooth/bluetoothd+0xf0224)
+
+Upstream-Status: Backport 
[https://github.com/bluez/bluez/commit/f54299a850676d92c3dafd83e9174fcfe420ccc9]
+CVE: CVE-2023-27349
+Signed-off-by: Vijay Anusuri 
+---
+ profiles/audio/avrcp.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
+index 80f34c7a77..dda9a303fb 100644
+--- a/profiles/audio/avrcp.c
 b/profiles/audio/avrcp.c
+@@ -3901,6 +3901,12 @@ static gboolean avrcp_handle_event(struct avctp *conn, 
uint8_t code,
+   case AVRCP_EVENT_UIDS_CHANGED:
+   avrcp_uids_changed(session, pdu);
+   break;
++  default:
++  if (event > AVRCP_EVENT_LAST) {
++  warn("Unsupported event: %u", event);
++  return FALSE;
++  }
++  break;
+   }
+ 
+   session->registered_events |= (1 << event);
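Review bot: the range check sits only in the `default:` arm, so `session->registered_events |= (1 << event)` is protected for unknown values but still relies on AVRCP_EVENT_LAST being smaller than the bit width of registered_events and on every explicit `case` label being within that range; a shift by a width-or-larger value is undefined behaviour regardless of which arm was taken, so a compile-time assertion tying AVRCP_EVENT_LAST to the width of registered_events next to the enum would make the fix self-checking on this branch.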
diff --git 
a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-50229_CVE-2023-50230.patch 
b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-50229_CVE-2023-50230.patch
new file mode 100644
index 00..92684d8210
--- /dev/null
+++ 
b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-50229_CVE-2023-50230.patch
@@ -0,0 +1,67 @@
+From 5ab5352531a9cc7058cce569607f3a6831464443 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz 
+Date: Tue, 19 Sep 2023 12:14:01 -0700
+Subject: [PATCH] pbap: Fix not checking Primary/Secundary Counter length
+
+Primary/Secundary Counters are supposed to be 16 bytes values, if the
+server has implemented them incorrectly it may lead to the following
+crash:
+
+=
+==31860==ERROR: AddressSanitizer: heap-buffer-overflow on address
+0x60701878 at pc 0x7f95a1575638 bp 0x7fff58c6bb80 sp 0x7fff58c6b328
+
+ READ of size 48 at 0x60701878 thread T0
+ #0 0x7f95a1575637 in MemcmpInterceptorCommon(void*, int (*)(void const*, 
void const*, unsigned long), void const*, void const*, unsigned long) 

[OE-core][kirkstone][PATCH] gstreamer1.0-plugins-bad: fix CVE-2023-50186

2024-05-10 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a46737a73155fe1c19fa5115df40da35426f9fb5]

Signed-off-by: Vijay Anusuri 
---
 .../CVE-2023-50186.patch  | 70 +++
 .../gstreamer1.0-plugins-bad_1.20.7.bb|  1 +
 2 files changed, 71 insertions(+)
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch

diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch
new file mode 100644
index 00..86bae8fcaa
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch
@@ -0,0 +1,70 @@
+From a46737a73155fe1c19fa5115df40da35426f9fb5 Mon Sep 17 00:00:00 2001
+From: Seungha Yang 
+Date: Thu, 23 Nov 2023 20:24:42 +0900
+Subject: [PATCH] av1parser: Fix array sizes in scalability structure
+
+Since the AV1 specification is not explicitly mentioning about
+the array size bounds, array sizes in scalability structure
+should be defined as possible maximum sizes that can have.
+
+Also, this commit removes GST_AV1_MAX_SPATIAL_LAYERS define from
+public header which is API break but the define is misleading
+and this patch is introducing ABI break already
+
+ZDI-CAN-22300
+
+Part-of: 

+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a46737a73155fe1c19fa5115df40da35426f9fb5]
+CVE: CVE-2023-50186
+Signed-off-by: Vijay Anusuri 
+---
+ gst-libs/gst/codecparsers/gstav1parser.h | 11 +--
+ gst/videoparsers/gstav1parse.c   |  2 +-
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/gst-libs/gst/codecparsers/gstav1parser.h 
b/gst-libs/gst/codecparsers/gstav1parser.h
+index 31f5945..ef6ce9e 100644
+--- a/gst-libs/gst/codecparsers/gstav1parser.h
 b/gst-libs/gst/codecparsers/gstav1parser.h
+@@ -71,9 +71,8 @@ G_BEGIN_DECLS
+ #define GST_AV1_MAX_TILE_COUNT 512
+ #define GST_AV1_MAX_OPERATING_POINTS\
+   (GST_AV1_MAX_NUM_TEMPORAL_LAYERS * GST_AV1_MAX_NUM_SPATIAL_LAYERS)
+-#define GST_AV1_MAX_SPATIAL_LAYERS 2  /* correct? */
+-#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE8  /* correct? */
+-#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES  8  /* correct? */
++#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE255
++#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES  7
+ #define GST_AV1_MAX_NUM_Y_POINTS   16
+ #define GST_AV1_MAX_NUM_CB_POINTS  16
+ #define GST_AV1_MAX_NUM_CR_POINTS  16
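Review bot: removing GST_AV1_MAX_SPATIAL_LAYERS from a public header and raising GST_AV1_MAX_TEMPORAL_GROUP_SIZE from 8 to 255 changes both the API and, through the arrays sized by these defines in GstAV1MetadataScalability, the struct layout; the upstream message calls this an ABI break, and on a stable branch such as kirkstone anything outside this recipe that includes gstav1parser.h or embeds that struct has to be rebuilt, so the backport commit message should say so rather than leaving it only in the nested upstream text.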
+@@ -968,9 +967,9 @@ struct _GstAV1MetadataScalability {
+   gboolean spatial_layer_dimensions_present_flag;
+   gboolean spatial_layer_description_present_flag;
+   gboolean temporal_group_description_present_flag;
+-  guint16 spatial_layer_max_width[GST_AV1_MAX_SPATIAL_LAYERS];
+-  guint16 spatial_layer_max_height[GST_AV1_MAX_SPATIAL_LAYERS];
+-  guint8 spatial_layer_ref_id[GST_AV1_MAX_SPATIAL_LAYERS];
++  guint16 spatial_layer_max_width[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
++  guint16 spatial_layer_max_height[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
++  guint8 spatial_layer_ref_id[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+   guint8 temporal_group_size;
+ 
+   guint8 temporal_group_temporal_id[GST_AV1_MAX_TEMPORAL_GROUP_SIZE];
+diff --git a/gst/videoparsers/gstav1parse.c b/gst/videoparsers/gstav1parse.c
+index f127856..ef1bc74 100644
+--- a/gst/videoparsers/gstav1parse.c
 b/gst/videoparsers/gstav1parse.c
+@@ -1229,7 +1229,7 @@ gst_av1_parse_handle_sequence_obu (GstAV1Parse * self, 
GstAV1OBU * obu)
+   }
+ 
+   val = (self->parser->state.operating_point_idc >> 8) & 0x0f;
+-  for (i = 0; i < (1 << GST_AV1_MAX_SPATIAL_LAYERS); i++) {
++  for (i = 0; i < GST_AV1_MAX_NUM_SPATIAL_LAYERS; i++) {
+ if (val & (1 << i))
+   self->highest_spatial_id = i;
+   }
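Review bot: the loop bound changes from `1 << GST_AV1_MAX_SPATIAL_LAYERS` (4 with the removed define of 2) to GST_AV1_MAX_NUM_SPATIAL_LAYERS while `val` is still masked to four bits by `& 0x0f`; behaviour is unchanged only if GST_AV1_MAX_NUM_SPATIAL_LAYERS is 4, a larger value tests bits the mask already cleared (harmless) and a smaller one would miss spatial ids, so a static assertion tying the define to the 0x0f mask would pin that.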
+-- 
+2.25.1
+
diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index 4151e54284..dbe2b64c32 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -16,6 +16,7 @@ SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
file://CVE-2023-44429.patch \
file://CVE-2024-0444.patch \
file://CVE-2023-6.patch \
+   file://CVE-2023-50186.patch \
"
 SRC_URI[sha256sum] = 
"87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
 
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199197): 
https://lists.openembedded.org/g/openembedded-core/message/199197
Mute This Topic: https://lists.openembedded.org/mt/106019031/21656
Group Owner: 

[OE-core][kirkstone][PATCH] less: backport Debian patch for CVE-2024-32487

2024-05-06 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patch from ubuntu to fix
 CVE-2024-32487

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/less/tree/debian/patches?h=ubuntu/jammy-security
Upstream commit
https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33]

Signed-off-by: Vijay Anusuri 
---
 .../less/less/CVE-2024-32487.patch| 69 +++
 meta/recipes-extended/less/less_600.bb|  1 +
 2 files changed, 70 insertions(+)
 create mode 100644 meta/recipes-extended/less/less/CVE-2024-32487.patch

diff --git a/meta/recipes-extended/less/less/CVE-2024-32487.patch 
b/meta/recipes-extended/less/less/CVE-2024-32487.patch
new file mode 100644
index 00..d5c8b9ce31
--- /dev/null
+++ b/meta/recipes-extended/less/less/CVE-2024-32487.patch
@@ -0,0 +1,69 @@
+From 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 Mon Sep 17 00:00:00 2001
+From: Mark Nudelman 
+Date: Thu, 11 Apr 2024 17:49:48 -0700
+Subject: [PATCH] Fix bug when viewing a file whose name contains a newline.
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/less/tree/debian/patches/CVE-2024-32487.patch?h=ubuntu/jammy-security
+Upstream commit 
https://github.com/gwsw/less/commit/007521ac3c95bc76e3d59c6dbfe75d06c8075c33]
+CVE: CVE-2024-32487
+Signed-off-by: Vijay Anusuri 
+---
+ filename.c | 31 +--
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+--- a/filename.c
 b/filename.c
+@@ -136,6 +136,15 @@ metachar(c)
+ }
+ 
+ /*
++ * Must use quotes rather than escape char for this metachar?
++ */
++static int must_quote(char c)
++{
++  /* {{ Maybe the set of must_quote chars should be configurable? }} */
++  return (c == '\n');
++}
++
++/*
+  * Insert a backslash before each metacharacter in a string.
+  */
+   public char *
+@@ -168,6 +177,9 @@ shell_quote(s)
+* doesn't support escape chars.  Use quotes.
+*/
+   use_quotes = 1;
++  } else if (must_quote(*p))
++  {
++  len += 3; /* open quote + char + close quote */
+   } else
+   {
+   /*
+@@ -197,15 +209,22 @@ shell_quote(s)
+   {
+   while (*s != '\0')
+   {
+-  if (metachar(*s))
++  if (!metachar(*s))
+   {
+-  /*
+-   * Add the escape char.
+-   */
++  *p++ = *s++;
++  } else if (must_quote(*s))
++  {
++  /* Surround the char with quotes. */
++  *p++ = openquote;
++  *p++ = *s++;
++  *p++ = closequote;
++  } else
++  {
++  /* Insert an escape char before the char. */
+   strcpy(p, esc);
+   p += esclen;
++  *p++ = *s++;
+   }
+-  *p++ = *s++;
+   }
+   *p = '\0';
+   }
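Review bot: in the rewritten copy loop the `must_quote(*s)` branch is reached only when `metachar(*s)` is true, because `if (!metachar(*s))` copies the byte straight through first, and the length pass at @@ -168 has the same structure; so must_quote('\n') only takes effect if '\n' is in the set metachar() recognises in this less 600 tree, whose body is not part of the hunk, and otherwise a newline in a filename still passes through unquoted. Please verify metachar() on this branch and record the check in the patch header; the quoting path also emits openquote + char + closequote without escaping the quote character itself, which is fine while must_quote is limited to '\n' as the `{{ ... }}` comment notes.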
diff --git a/meta/recipes-extended/less/less_600.bb 
b/meta/recipes-extended/less/less_600.bb
index f88127a9e3..01fed7c065 100644
--- a/meta/recipes-extended/less/less_600.bb
+++ b/meta/recipes-extended/less/less_600.bb
@@ -28,6 +28,7 @@ DEPENDS = "ncurses"
 SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \
file://CVE-2022-46663.patch \
file://CVE-2022-48624.patch \
+   file://CVE-2024-32487.patch \
  "
 
 SRC_URI[sha256sum] = 
"6633d6aa2b3cc717afb2c205778c7c42c4620f63b1d682f3d12c98af0be74d20"
-- 
2.25.1


View/Reply Online (#199067): https://lists.openembedded.org/g/openembedded-core/message/199067



[OE-core][dunfell][PATCH] libxml2: Backport fix for CVE-2024-25062

2024-03-06 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/31c6ce3b63f8a494ad9e31ca65187a73d8ad3508
&
https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7]

Signed-off-by: Vijay Anusuri 
---
 .../libxml/libxml2/CVE-2024-25062-pre1.patch  | 38 +++
 .../libxml/libxml2/CVE-2024-25062.patch   | 33 
 meta/recipes-core/libxml/libxml2_2.9.10.bb|  2 +
 3 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch
new file mode 100644
index 00..31183399f8
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2024-25062-pre1.patch
@@ -0,0 +1,38 @@
+From 31c6ce3b63f8a494ad9e31ca65187a73d8ad3508 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Mon, 9 Nov 2020 17:55:44 +0100
+Subject: [PATCH] Avoid call stack overflow with XML reader and recursive
+ XIncludes
+
+Don't process XIncludes in the result of another inclusion to avoid
+infinite recursion resulting in a call stack overflow.
+
+This is something the XInclude engine shouldn't allow but correct
+handling of intra-document includes would require major changes.
+
+Found by OSS-Fuzz.
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/31c6ce3b63f8a494ad9e31ca65187a73d8ad3508]
+CVE: CVE-2024-25062 #Dependency Patch
+Signed-off-by: Vijay Anusuri 
+---
+ xmlreader.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 01adf74f4..72e40b032 100644
+--- a/xmlreader.c
 b/xmlreader.c
+@@ -1585,7 +1585,8 @@ node_found:
+ /*
+  * Handle XInclude if asked for
+  */
+-if ((reader->xinclude) && (reader->node != NULL) &&
++if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++(reader->node != NULL) &&
+   (reader->node->type == XML_ELEMENT_NODE) &&
+   (reader->node->ns != NULL) &&
+   ((xmlStrEqual(reader->node->ns->href, XINCLUDE_NS)) ||
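Review bot: the diffstat is `xmlreader.c | 3 ++-`, so this hunk only adds the `reader->in_xinclude == 0` test and does not introduce the field; confirm that the 2.9.10 xmlTextReader in dunfell already has `in_xinclude` and increments and decrements it around XInclude processing, otherwise the guard either fails to compile or never fires. The upstream hunk is against line 1585 of a later xmlreader.c, so also check that it applied to the intended `Handle XInclude if asked for` block and not to a different `node_found:` site.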
+-- 
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch
new file mode 100644
index 00..5365d5546a
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch
@@ -0,0 +1,33 @@
+From 2b0aac140d739905c7848a42efc60bfe783a39b7 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Sat, 14 Oct 2023 22:45:54 +0200
+Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when
+ backtracking
+
+Fixes a use-after-free if XML Reader if used with DTD validation and
+XInclude expansion.
+
+Fixes #604.
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/2b0aac140d739905c7848a42efc60bfe783a39b7]
+CVE: CVE-2024-25062
+Signed-off-by: Vijay Anusuri 
+---
+ xmlreader.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xmlreader.c b/xmlreader.c
+index 979385a13..fefd68e0b 100644
+--- a/xmlreader.c
 b/xmlreader.c
+@@ -1443,6 +1443,7 @@ node_found:
+  * Handle XInclude if asked for
+  */
+ if ((reader->xinclude) && (reader->in_xinclude == 0) &&
++(reader->state != XML_TEXTREADER_BACKTRACK) &&
+ (reader->node != NULL) &&
+   (reader->node->type == XML_ELEMENT_NODE) &&
+   (reader->node->ns != NULL) &&
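Review bot: this hunk is offset from the pre1 patch (-1443 versus -1585) because the two upstream commits come from different xmlreader.c revisions, and its context line `(reader->xinclude) && (reader->in_xinclude == 0) &&` only exists after the pre1 patch has been applied; SRC_URI lists pre1 first so the order is right, but the dependency deserves a comment in the .bb next to the two `file://` entries rather than only the `#Dependency Patch` tag inside the patch header.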
+-- 
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb 
b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 90d30f1ea7..72f830b6d3 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -44,6 +44,8 @@ SRC_URI += 
"http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
file://CVE-2021-3516.patch \
file://CVE-2023-45322-1.patch \
file://CVE-2023-45322-2.patch \
+   file://CVE-2024-25062-pre1.patch \
+   file://CVE-2024-25062.patch \
"
 
 SRC_URI[archive.sha256sum] = 
"593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
-- 
2.25.1


View/Reply Online (#196769): https://lists.openembedded.org/g/openembedded-core/message/196769



[OE-core][dunfell][PATCH] qemu: Ignore multiple CVEs

2024-03-21 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

* CVE-2023-6683: not affected, introduced in v6.1.0-rc0
* CVE-2023-6693: not affected, introduced in v5.1.0-rc0
* CVE-2023-42467: not affected, introduced in v7.1.0-rc0 & v7.1.0-rc2
* CVE-2024-24474: not affected, introduced in v6.0.0-rc0
* CVE-2024-26328: not affected, introduced in v7.0.0-rc0

Ref: https://security-tracker.debian.org/tracker/CVE-2023-6683
 https://security-tracker.debian.org/tracker/CVE-2023-6693
 https://security-tracker.debian.org/tracker/CVE-2023-42467
 https://security-tracker.debian.org/tracker/CVE-2024-24474
 https://security-tracker.debian.org/tracker/CVE-2024-26328

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/qemu/qemu.inc | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 59ff69d51d..829c347fe3 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -176,6 +176,21 @@ CVE_CHECK_WHITELIST += "CVE-2023-2680"
 # Affected only `qemu-kvm` shipped with Red Hat Enterprise Linux 8.3 release.
 CVE_CHECK_WHITELIST += "CVE-2021-20295"
 
+# the issue introduced in v6.1.0-rc0
+CVE_CHECK_WHITELIST += "CVE-2023-6683"
+
+# the issue introduced in v5.1.0-rc0
+CVE_CHECK_WHITELIST += "CVE-2023-6693"
+
+# the issue introduced in v7.1.0-rc0 & v7.1.0-rc2
+CVE_CHECK_WHITELIST += "CVE-2023-42467"
+
+# the issue introduced in v6.0.0-rc0
+CVE_CHECK_WHITELIST += "CVE-2024-24474"
+
+# the issue introduced in v7.0.0-rc0
+CVE_CHECK_WHITELIST += "CVE-2024-26328"
+
 COMPATIBLE_HOST_mipsarchn32 = "null"
 COMPATIBLE_HOST_mipsarchn64 = "null"
 
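Review bot: each comment above the new CVE_CHECK_WHITELIST entries records only where the issue was introduced; the "not affected" conclusion in the commit message holds because the dunfell qemu predates those versions, so say that in the recipe comment (for example "not affected: introduced in v6.1.0-rc0, later than the version shipped here") and carry the security-tracker Ref: URLs along, since whoever bumps qemu on this branch later needs the cue that these entries must be revisited; a single grouped comment block for the five would also keep the list readable.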
-- 
2.25.1


View/Reply Online (#197433): https://lists.openembedded.org/g/openembedded-core/message/197433



[OE-core][kirkstone][PATCH] python3-cryptography: Backport fix for CVE-2024-26130

2024-03-19 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport from 
https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55

Signed-off-by: Vijay Anusuri 
---
 .../python3-cryptography/CVE-2024-26130.patch | 66 +++
 .../python/python3-cryptography_36.0.2.bb |  1 +
 2 files changed, 67 insertions(+)
 create mode 100644 
meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch

diff --git 
a/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch 
b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
new file mode 100644
index 00..ff113e8cc7
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
@@ -0,0 +1,66 @@
+From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor 
+Date: Mon, 19 Feb 2024 11:50:28 -0500
+Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
+ match (#10423)
+
+Upstream-Status: Backport 
[https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55]
+CVE: CVE-2024-26130
+Signed-off-by: Vijay Anusuri 
+---
+ .../hazmat/backends/openssl/backend.py |  9 +
+ tests/hazmat/primitives/test_pkcs12.py | 18 ++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py 
b/src/cryptography/hazmat/backends/openssl/backend.py
+index c43fea0..d687931 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
 b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2131,6 +2131,15 @@ class Backend(BackendInterface):
+ mac_iter,
+ 0,
+ )
++if p12 == self._ffi.NULL:
++errors = self._consume_errors()
++raise ValueError(
++(
++"Failed to create PKCS12 (does the key match the "
++"certificate?)"
++),
++errors,
++)
+ 
+ self.openssl_assert(p12 != self._ffi.NULL)
+ p12 = self._ffi.gc(p12, self._lib.PKCS12_free)
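Review bot: once `if p12 == self._ffi.NULL:` raises ValueError, the following `self.openssl_assert(p12 != self._ffi.NULL)` can no longer fail and could be dropped in the same hunk; the useful detail to keep is `errors = self._consume_errors()` before raising, which drains OpenSSL's error queue so the PKCS12_create failure does not surface later from an unrelated call.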
+diff --git a/tests/hazmat/primitives/test_pkcs12.py 
b/tests/hazmat/primitives/test_pkcs12.py
+index c5cfbc0..8af4c93 100644
+--- a/tests/hazmat/primitives/test_pkcs12.py
 b/tests/hazmat/primitives/test_pkcs12.py
+@@ -25,6 +25,24 @@ from ...doubles import DummyKeySerializationEncryption
+ from ...utils import load_vectors_from_file
+ 
+ 
++   @pytest.mark.supported(
++   only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
++   skip_message="Requires OpenSSL with PKCS12_set_mac",
++   )
++   def test_set_mac_key_certificate_mismatch(self, backend):
++   cacert, _ = _load_ca(backend)
++   key = ec.generate_private_key(ec.SECP256R1())
++   encryption = (
++   serialization.PrivateFormat.PKCS12.encryption_builder()
++   .hmac_hash(hashes.SHA256())
++   .build(b"password")
++   )
++
++   with pytest.raises(ValueError):
++   serialize_key_and_certificates(
++   b"name", key, cacert, [], encryption
++   )
++
+ @pytest.mark.skip_fips(
+ reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
+ )
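Review bot: the new test is inserted between the module-level `from ...utils import load_vectors_from_file` and the module-level `@pytest.mark.skip_fips(` decorator, i.e. outside any class, yet it is indented one level and takes `self`; upstream placed it inside a PKCS12 test class, so confirm the hunk lands in a class body in the 36.0.2 file or the module fails at collection. It also relies on `serialization.PrivateFormat.PKCS12.encryption_builder()`, `.hmac_hash()`, `_load_ca`, `serialize_key_and_certificates`, `ec` and `hashes`, none of which the backend.py hunk adds; if the 36.0.2 library lacks the PKCS12 encryption builder the test errors instead of exercising the fix, so check this before enabling it in ptest.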
+-- 
+2.35.7
+
diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb 
b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
index c429c75e1b..83381f225c 100644
--- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@@ -19,6 +19,7 @@ SRC_URI += " \
 file://fix-leak-metric.patch \
 file://CVE-2023-23931.patch \
 file://CVE-2023-49083.patch \
+file://CVE-2024-26130.patch \
 "
 
 inherit pypi python_setuptools3_rust
-- 
2.25.1


View/Reply Online (#197321): https://lists.openembedded.org/g/openembedded-core/message/197321



[OE-core][dunfell][PATCH] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356

2024-03-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

import patches from ubuntu to fix
 CVE-2023-6277
 CVE-2023-52356

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/?h=ubuntu%2Ffocal-security
Upstream commit
https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
&
https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa
&
https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3
&
https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a
&
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]

Signed-off-by: Vijay Anusuri 
---
 .../libtiff/files/CVE-2023-52356.patch|  53 +
 .../libtiff/files/CVE-2023-6277-1.patch   | 191 ++
 .../libtiff/files/CVE-2023-6277-2.patch   | 152 ++
 .../libtiff/files/CVE-2023-6277-3.patch   |  46 +
 .../libtiff/files/CVE-2023-6277-4.patch   |  94 +
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |   5 +
 6 files changed, 541 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch

diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
new file mode 100644
index 00..1b651e6529
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
@@ -0,0 +1,53 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault 
+Date: Tue, 31 Oct 2023 15:58:41 +0100
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security
+Upstream commit  
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
+CVE: CVE-2023-52356
+Signed-off-by: Vijay Anusuri 
+---
+ libtiff/tif_getimage.c | 15 +++
+ 1 file changed, 15 insertions(+)
+
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c
 tiff-4.1.0+git191117/libtiff/tif_getimage.c
+@@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r
+ }
+ 
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(, tif, 
stop_on_error, emsg)) {
++if (row >= img.height)
++{
++TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++  "Invalid row passed to TIFFReadRGBAStrip().");
++TIFFRGBAImageEnd();
++return (0);
++}
+ 
+ img.row_offset = row;
+ img.col_offset = 0;
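Review bot: the first argument of `TIFFRGBAImageBegin(, tif, stop_on_error, emsg)` and the argument of `TIFFRGBAImageEnd()` are missing in this rendering (the archive drops the `&`-prefixed token), so check that the CVE-2023-52356.patch committed to the tree carries `&img` in both calls, otherwise the hunk will not compile. On the logic: putting the `row >= img.height` test after TIFFRGBAImageBegin() has succeeded and pairing the early `return (0)` with TIFFRGBAImageEnd() is the right shape, since it releases what Begin allocated before bailing out. Nit: the message names TIFFReadRGBAStrip() while the function being patched is TIFFReadRGBAStripExt(); that wording comes from upstream, so it is cosmetic only.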
+@@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co
+   return( 0 );
+ }
+ 
++if (col >= img.width || row >= img.height)
++{
++TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++  "Invalid row/col passed to TIFFReadRGBATile().");
++TIFFRGBAImageEnd();
++return (0);
++}
++
+ /*
+  * The TIFFRGBAImageGet() function doesn't allow us to get off the
+  * edge of the image, even to fill an otherwise valid tile.  So we
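Review bot: the new `col >= img.width || row >= img.height` guard is placed before the code that, per the comment following it, works out how far a tile may run off the edge of the image, so from here on that edge arithmetic only ever sees a col/row inside the image. As in the strip hunk, `TIFFRGBAImageEnd()` is shown here without its argument; verify the tree copy. Worth noting for anyone auditing callers: both new checks run only after TIFFRGBAImageOK()/TIFFRGBAImageBegin() succeeded, so an out-of-range row or col now produces a normal error return rather than a clipped or partial read.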
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch 
b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
new file mode 100644
index 00..e955b3f2e4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
@@ -0,0 +1,191 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . included inttypes.h header to support PRIu32 and PRIu64;
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist 
yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did 
not exist yet);
+ . calls to the check size, that is the idea of the patch, were added before
+   _TIFFCheckMalloc and may note match the original patch methods;
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
+From: Su Laus 
+Date: Tue, 31 Oct 2023 15:43:29 +
+Subject: [PATCH] Prevent some out-of-memory attacks
+
+Some small fuzzer files fake 

[OE-core][dunfell][PATCH] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785

2024-03-26 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1
&
https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0
&
https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/go/go-1.14.inc  |   3 +
 .../go/go-1.14/CVE-2023-45289.patch   | 121 
 .../go/go-1.14/CVE-2023-45290.patch   | 271 ++
 .../go/go-1.14/CVE-2024-24785.patch   | 197 +
 4 files changed, 592 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 4fbf9d7590..69b65f3eb2 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -88,6 +88,9 @@ SRC_URI += "\
 file://CVE-2023-45287-pre2.patch \
 file://CVE-2023-45287-pre3.patch \
 file://CVE-2023-45287.patch \
+file://CVE-2023-45289.patch \
+file://CVE-2023-45290.patch \
+file://CVE-2024-24785.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
new file mode 100644
index 00..3bec62ab83
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
@@ -0,0 +1,121 @@
+From 20586c0dbe03d144f914155f879fa5ee287591a1 Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Thu, 11 Jan 2024 11:31:57 -0800
+Subject: [PATCH] [release-branch.go1.21] net/http, net/http/cookiejar: avoid
+ subdomain matches on IPv6 zones
+
+When deciding whether to forward cookies or sensitive headers
+across a redirect, do not attempt to interpret an IPv6 address
+as a domain name.
+
+Avoids a case where a maliciously-crafted redirect to an
+IPv6 address with a scoped addressing zone could be
+misinterpreted as a within-domain redirect. For example,
+we could interpret "::1%.www.example.com" as a subdomain
+of "www.example.com".
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes CVE-2023-45289
+Fixes #65385
+For #65065
+
+Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
+Reviewed-by: Tatiana Bradley 
+Reviewed-by: Roland Shoemaker 
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
+Reviewed-by: Carlos Amedee 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
+Reviewed-by: Carlos Amedee 
+Auto-Submit: Michael Knyszek 
+TryBot-Bypass: Michael Knyszek 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1]
+CVE: CVE-45289
+Signed-off-by: Vijay Anusuri 
+---
+ src/net/http/client.go |  6 ++
+ src/net/http/client_test.go|  1 +
+ src/net/http/cookiejar/jar.go  |  7 +++
+ src/net/http/cookiejar/jar_test.go | 10 ++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/src/net/http/client.go b/src/net/http/client.go
+index a496f1c..2031834 100644
+--- a/src/net/http/client.go
 b/src/net/http/client.go
+@@ -973,6 +973,12 @@ func isDomainOrSubdomain(sub, parent string) bool {
+   if sub == parent {
+   return true
+   }
++  // If sub contains a :, it's probably an IPv6 address (and is 
definitely not a hostname).
++  // Don't check the suffix in this case, to avoid matching the contents 
of a IPv6 zone.
++  // For example, "::1%.www.example.com" is not a subdomain of 
"www.example.com".
++  if strings.ContainsAny(sub, ":%") {
++  return false
++  }
+   // If sub is "foo.example.com" and parent is "example.com",
+   // that means sub must end in "."+parent.
+   // Do it without allocating.
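Review bot: the `CVE:` tag in this patch header reads `CVE: CVE-45289` and must be `CVE: CVE-2023-45289`; cve-check matches the full identifier, so as written the recipe would still be reported as vulnerable to CVE-2023-45289 even with the fix applied. The v2 of this series on this page carries the corrected tag. The hunk itself is unchanged from the upstream commit.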
+diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
+index 2b4f53f..442fe35 100644
+--- a/src/net/http/client_test.go
 b/src/net/http/client_test.go
+@@ -1703,6 +1703,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+   {"cookie2", "http://foo.com/;, "http://bar.com/;, false},
+   {"authorization", "http://foo.com/;, "http://bar.com/;, false},
+   {"www-authenticate", "http://foo.com/;, "http://bar.com/;, 
false},
++  {"authorization", "http://foo.com/;, 
"http://[::1%25.foo.com]/;, false},
+ 
+   // But subdomains should work:
+   {"www-authenticate", "http://foo.com/;, "http://foo.com/;, 
true},
+diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go
+index 9f19917..18cbfc2 100644
+--- a/src/net/http/cookiejar/jar.go
 b/src/net/http/cookiejar/jar.go
+@@ 

Re: [OE-core][kirkstone][PATCH] util-linux: Fix for CVE-2024-28085

2024-03-29 Thread Vijay Anusuri via lists.openembedded.org
Hi Steve,

Please ignore this patch.

Thanks & Regards,
Vijay

On Fri, Mar 29, 2024 at 4:44 PM Vijay Anusuri via lists.openembedded.org
 wrote:

> From: Vijay Anusuri 
>
> Upstream-Status: Backport from
> https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7ca557d1ac31f638986704757f
> &
> https://github.com/util-linux/util-linux/commit/27ee6446503af7ec0c2647704ca47ac4de3852ef
> &
> https://github.com/util-linux/util-linux/commit/aa13246a1bf1be9e4f6eb331f4d4d2dbc875e22f
> &
> https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253
>
> Signed-off-by: Vijay Anusuri 
> ---
>  meta/recipes-core/util-linux/util-linux.inc   |   4 +
>  .../util-linux/CVE-2024-28085-pre1.patch  | 200 
>  .../util-linux/CVE-2024-28085-pre2.patch  | 171 ++
>  .../util-linux/CVE-2024-28085-pre3.patch  | 219 ++
>  .../util-linux/CVE-2024-28085.patch   |  30 +++
>  5 files changed, 624 insertions(+)
>  create mode 100644
> meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre1.patch
>  create mode 100644
> meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre2.patch
>  create mode 100644
> meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre3.patch
>  create mode 100644
> meta/recipes-core/util-linux/util-linux/CVE-2024-28085.patch
>
> diff --git a/meta/recipes-core/util-linux/util-linux.inc
> b/meta/recipes-core/util-linux/util-linux.inc
> index 982ec669a2..079359c55c 100644
> --- a/meta/recipes-core/util-linux/util-linux.inc
> +++ b/meta/recipes-core/util-linux/util-linux.inc
> @@ -35,6 +35,10 @@ SRC_URI =
> "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
> file://run-ptest \
> file://display_testname_for_subtest.patch \
> file://avoid_parallel_tests.patch \
> +   file://CVE-2024-28085-pre1.patch \
> +   file://CVE-2024-28085-pre2.patch \
> +   file://CVE-2024-28085-pre3.patch \
> +   file://CVE-2024-28085.patch \
> "
>
>  SRC_URI[sha256sum] =
> "634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83"
> diff --git
> a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre1.patch
> b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre1.patch
> new file mode 100644
> index 00..ce3056eabe
> --- /dev/null
> +++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre1.patch
> @@ -0,0 +1,200 @@
> +From 8a7b8456d1dc0e7ca557d1ac31f638986704757f Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= 
> +Date: Wed, 15 Mar 2023 16:16:31 +0100
> +Subject: [PATCH] write: correctly handle wide characters
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Do this by replacing fputc_careful() (notice that the description said
> +it's locale-aware ‒ it very much is /not/), with a fputs_careful() which
> +does the same thing, but if it were to output a byte in the \123 format,
> +first it checks whether this byte starts a valid multibyte character.
> +
> +If it does, and that character is printable, write it verbatim.
> +This means that
> +  echo 'foo åäö ąęćźżń bar' | write nabijaczleweli pts/4
> +instead of
> +  foo \303\245\303\244\303\266
> +  \304\205\304\231\304\207\305\272\305\274\305\204 bar
> +yields
> +  foo åäö ąęćźżń bar
> +or, more realistically, from a message I got earlier today,
> +  Filip powiedzia\305\202 \305\274e zap\305\202aci jutro
> +becomes
> +  Filip powiedział że zapłaci jutro
> +
> +Invalid/non-printable sequences get processed as before.
> +
> +Line reading in write must become getline() to avoid dealing with
> +partial characters: for example on input consisting solely of
> +ąęćźżń, where every {1} is an instance, the output would be
> +  {42}ąęć\305\272żń{84}ąęćź\305\274ń{84}ąęćźż\305\204{39}
> +with just fixed-512 fgets()
> +
> +Bug-Debian: https://bugs.debian.org/826596
> +
> +Upstream-Status: Backport [
> https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7ca557d1ac31f638986704757f
> ]
> +CVE: CVE-2024-28085 #Dependency Patch1
> +Signed-off-by: Vijay Anusuri 
> +---
> + include/carefulputc.h | 60 +++
> + login-utils/last.c|  4 +--
> + term-utils/write.c| 25 +-
> + 3 files c

[OE-core][dunfell][PATCH v2] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785

2024-03-26 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1
&
https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0
&
https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/go/go-1.14.inc  |   3 +
 .../go/go-1.14/CVE-2023-45289.patch   | 121 
 .../go/go-1.14/CVE-2023-45290.patch   | 271 ++
 .../go/go-1.14/CVE-2024-24785.patch   | 197 +
 4 files changed, 592 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 4fbf9d7590..69b65f3eb2 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -88,6 +88,9 @@ SRC_URI += "\
 file://CVE-2023-45287-pre2.patch \
 file://CVE-2023-45287-pre3.patch \
 file://CVE-2023-45287.patch \
+file://CVE-2023-45289.patch \
+file://CVE-2023-45290.patch \
+file://CVE-2024-24785.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
new file mode 100644
index 00..13d3510504
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
@@ -0,0 +1,121 @@
+From 20586c0dbe03d144f914155f879fa5ee287591a1 Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Thu, 11 Jan 2024 11:31:57 -0800
+Subject: [PATCH] [release-branch.go1.21] net/http, net/http/cookiejar: avoid
+ subdomain matches on IPv6 zones
+
+When deciding whether to forward cookies or sensitive headers
+across a redirect, do not attempt to interpret an IPv6 address
+as a domain name.
+
+Avoids a case where a maliciously-crafted redirect to an
+IPv6 address with a scoped addressing zone could be
+misinterpreted as a within-domain redirect. For example,
+we could interpret "::1%.www.example.com" as a subdomain
+of "www.example.com".
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes CVE-2023-45289
+Fixes #65385
+For #65065
+
+Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
+Reviewed-by: Tatiana Bradley 
+Reviewed-by: Roland Shoemaker 
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
+Reviewed-by: Carlos Amedee 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
+Reviewed-by: Carlos Amedee 
+Auto-Submit: Michael Knyszek 
+TryBot-Bypass: Michael Knyszek 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1]
+CVE: CVE-2023-45289
+Signed-off-by: Vijay Anusuri 
+---
+ src/net/http/client.go |  6 ++
+ src/net/http/client_test.go|  1 +
+ src/net/http/cookiejar/jar.go  |  7 +++
+ src/net/http/cookiejar/jar_test.go | 10 ++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/src/net/http/client.go b/src/net/http/client.go
+index a496f1c..2031834 100644
+--- a/src/net/http/client.go
 b/src/net/http/client.go
+@@ -973,6 +973,12 @@ func isDomainOrSubdomain(sub, parent string) bool {
+   if sub == parent {
+   return true
+   }
++  // If sub contains a :, it's probably an IPv6 address (and is 
definitely not a hostname).
++  // Don't check the suffix in this case, to avoid matching the contents 
of a IPv6 zone.
++  // For example, "::1%.www.example.com" is not a subdomain of 
"www.example.com".
++  if strings.ContainsAny(sub, ":%") {
++  return false
++  }
+   // If sub is "foo.example.com" and parent is "example.com",
+   // that means sub must end in "."+parent.
+   // Do it without allocating.
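Review bot: `strings.ContainsAny(sub, ":%")` returns false for any `sub` containing a colon, so this backport is only correct if the go-1.14 callers hand bare hostnames to isDomainOrSubdomain(). The comment being added says a colon means `sub` is "definitely not a hostname", which presumes no `:port` suffix; if shouldCopyHeaderOnRedirect in this tree still passes host:port strings, every cross-host redirect, including one to a genuine subdomain, would stop forwarding and the "But subdomains should work" rows in client_test.go would fail. Please confirm the test file passes on the 1.14 tree rather than relying on the upstream result.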
+diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
+index 2b4f53f..442fe35 100644
+--- a/src/net/http/client_test.go
 b/src/net/http/client_test.go
+@@ -1703,6 +1703,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+   {"cookie2", "http://foo.com/;, "http://bar.com/;, false},
+   {"authorization", "http://foo.com/;, "http://bar.com/;, false},
+   {"www-authenticate", "http://foo.com/;, "http://bar.com/;, 
false},
++  {"authorization", "http://foo.com/;, 
"http://[::1%25.foo.com]/;, false},
+ 
+   // But subdomains should work:
+   {"www-authenticate", "http://foo.com/;, "http://foo.com/;, 
true},
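Review bot: the added row only exercises Authorization against a zoned IPv6 literal; a `cookie` row for the same `http://[::1%25.foo.com]/` destination, and a positive row where initial and destination are the same IPv6 literal (which still matches through the `sub == parent` equality path ahead of the new check), would pin down both halves of the new behaviour. For readers of the test: `%25` is the RFC 6874 escape for the zone delimiter, so the hostname the check actually sees is `::1%.foo.com`, the same shape as the `::1%.www.example.com` example in the commit message.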
+diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go
+index 9f19917..18cbfc2 100644
+--- a/src/net/http/cookiejar/jar.go
 

[OE-core][kirkstone][PATCH] curl: backport Debian patch for CVE-2024-2398

2024-04-01 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Import patch from Ubuntu to fix
 CVE-2024-2398

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Fjammy-security
Upstream commit 
https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]

Signed-off-by: Vijay Anusuri 
---
 .../curl/curl/CVE-2024-2398.patch | 89 +++
 meta/recipes-support/curl/curl_7.82.0.bb  |  1 +
 2 files changed, 90 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch 
b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
new file mode 100644
index 00..ea55117f4d
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
@@ -0,0 +1,89 @@
+Backport of:
+
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing 
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/jammy-security
+Upstream commit 
https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]
+CVE: CVE-2024-2398
+Signed-off-by: Vijay Anusuri 
+---
+ lib/http2.c | 34 +++---
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+--- a/lib/http2.c
 b/lib/http2.c
+@@ -555,6 +555,15 @@ static int set_transfer_url(struct Curl_
+   return 0;
+ }
+ 
++static void free_push_headers(struct HTTP *stream)
++{
++  size_t i;
++  for(i = 0; ipush_headers_used; i++)
++free(stream->push_headers[i]);
++  Curl_safefree(stream->push_headers);
++  stream->push_headers_used = 0;
++}
++
+ static int push_promise(struct Curl_easy *data,
+ struct connectdata *conn,
+ const nghttp2_push_promise *frame)
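Review bot: the loop header renders here as `for(i = 0; ipush_headers_used; i++)`, i.e. the `< stream->` comparison has been eaten by the archive (the removed loops further down are garbled the same way); the patch in the tree must read `i < stream->push_headers_used`. Beyond that, free_push_headers() frees each header string, uses Curl_safefree() so `push_headers` ends up NULL, and resets `push_headers_used`, which keeps pointer and count consistent on every exit path. That consistency is the whole fix, so a one-line comment stating that the helper is safe to call repeatedly and on a stream with no headers would help the next reader.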
+@@ -568,7 +577,6 @@ static int push_promise(struct Curl_easy
+ struct curl_pushheaders heads;
+ CURLMcode rc;
+ struct http_conn *httpc;
+-size_t i;
+ /* clone the parent */
+ struct Curl_easy *newhandle = duphandle(data);
+ if(!newhandle) {
+@@ -604,11 +612,7 @@ static int push_promise(struct Curl_easy
+ Curl_set_in_callback(data, false);
+ 
+ /* free the headers again */
+-for(i = 0; ipush_headers_used; i++)
+-  free(stream->push_headers[i]);
+-free(stream->push_headers);
+-stream->push_headers = NULL;
+-stream->push_headers_used = 0;
++free_push_headers(stream);
+ 
+ if(rv) {
+   DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1045,10 +1049,10 @@ static int on_header(nghttp2_session *se
+ stream->push_headers_alloc) {
+   char **headp;
+   stream->push_headers_alloc *= 2;
+-  headp = Curl_saferealloc(stream->push_headers,
+-   stream->push_headers_alloc * sizeof(char *));
++  headp = realloc(stream->push_headers,
++  stream->push_headers_alloc * sizeof(char *));
+   if(!headp) {
+-stream->push_headers = NULL;
++free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+   }
+   stream->push_headers = headp;
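Review bot: the switch from Curl_saferealloc() to plain realloc() is load-bearing and deserves a comment in the code: Curl_saferealloc() frees the old array on failure, after which the header strings it pointed to are unreachable and leak, whereas with realloc() the old `stream->push_headers` is still valid on failure, so free_push_headers(stream) can release every string before the array. Any other early return in on_header() that abandons a push should go through the same helper rather than freeing or NULLing the array on its own.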
+@@ -1214,15 +1218,7 @@ void Curl_http2_done(struct Curl_easy *d
+  setup */
+   Curl_dyn_free(>header_recvbuf);
+   Curl_dyn_free(>trailer_recvbuf);
+-  if(http->push_headers) {
+-/* if they weren't used and then freed before */
+-for(; http->push_headers_used > 0; --http->push_headers_used) {
+-  free(http->push_headers[http->push_headers_used - 1]);
+-}
+-free(http->push_headers);
+-http->push_headers = NULL;
+-  }
+-
++  free_push_headers(http);
+   if(!(data->conn->handler->protocol_FAMILY_HTTP) ||
+  !httpc->h2) /* not HTTP/2 ? */
+ return;
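Review bot: free_push_headers(http) is now called unconditionally, so it depends on the invariant the helper establishes, namely that a NULL `push_headers` always goes with `push_headers_used == 0`. The pre-patch failure path in on_header() broke exactly that invariant by setting `push_headers = NULL` without touching the count, and the removed `if(http->push_headers)` guard was what kept this function from walking a NULL array. With the helper used on every path the guard is redundant, but the invariant should be written down where the two fields are declared so a later change does not reintroduce the mismatch. (`Curl_dyn_free(>header_recvbuf)` is another `&http-` token lost in the archive rendering, not a defect in the patch.)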
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb 
b/meta/recipes-support/curl/curl_7.82.0.bb
index 383cf415d9..72d8544e08 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -57,6 +57,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2023-46219-0001.patch \
file://CVE-2023-46219-0002.patch \
file://CVE-2023-46219-0003.patch \
+   file://CVE-2024-2398.patch \
"
 SRC_URI[sha256sum] = 
"0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
 
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197684): 
https://lists.openembedded.org/g/openembedded-core/message/197684
Mute This Topic: https://lists.openembedded.org/mt/105261447/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][dunfell][PATCH] tar: Fix for CVE-2023-39804

2024-03-28 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport from 
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4

Signed-off-by: Vijay Anusuri 
---
 .../tar/tar/CVE-2023-39804.patch  | 64 +++
 meta/recipes-extended/tar/tar_1.32.bb |  1 +
 2 files changed, 65 insertions(+)
 create mode 100644 meta/recipes-extended/tar/tar/CVE-2023-39804.patch

diff --git a/meta/recipes-extended/tar/tar/CVE-2023-39804.patch 
b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
new file mode 100644
index 00..f550928540
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
@@ -0,0 +1,64 @@
+From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff 
+Date: Sat, 28 Aug 2021 16:02:12 +0300
+Subject: Fix handling of extended header prefixes
+
+* src/xheader.c (locate_handler): Recognize prefix keywords only
+when followed by a dot.
+(xattr_decoder): Use xmalloc/xstrdup instead of alloc
+
+Upstream-Status: Backport 
[https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4]
+CVE: CVE-2023-39804
+Signed-off-by: Vijay Anusuri 
+---
+ src/xheader.c | 17 +
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 4f8b2b2..3cd694d 100644
+--- a/src/xheader.c
 b/src/xheader.c
+@@ -637,11 +637,11 @@ static struct xhdr_tab const *
+ locate_handler (char const *keyword)
+ {
+   struct xhdr_tab const *p;
+-
+   for (p = xhdr_tab; p->keyword; p++)
+ if (p->prefix)
+   {
+-if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
++  size_t kwlen = strlen (p->keyword);
++if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 
0)
+   return p;
+   }
+ else
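Review bot: in `if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)` the index `keyword[kwlen]` is read before strncmp() has established that `keyword` is at least kwlen bytes long, so a header keyword shorter than the prefix reads past its terminating NUL. strncmp() stops at the first NUL, so swapping the operands, `strncmp (p->keyword, keyword, kwlen) == 0 && keyword[kwlen] == '.'`, gives the same answer without the over-read. Since this is a straight backport of a339f05 the reorder is best sent upstream rather than carried as a local delta, but it should not be lost.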
+@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
+char const *keyword, char const *arg, size_t size)
+ {
+   char *xstr, *xkey;
+-
++  
+   /* copy keyword */
+-  size_t klen_raw = strlen (keyword);
+-  xkey = alloca (klen_raw + 1);
+-  memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
++  xkey = xstrdup (keyword);
+ 
+   /* copy value */
+-  xstr = alloca (size + 1);
++  xstr = xmalloc (size + 1);
+   memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
+ 
+   xattr_decode_keyword (xkey);
+ 
+-  xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
++  xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
++
++  free (xkey);
++  free (xstr);
+ }
+ 
+ static void
+-- 
+cgit v1.1
+
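Review bot: `xkey` and `xstr` are freed immediately after xheader_xattr_add(), so moving from alloca() to xstrdup()/xmalloc() is correct only because xheader_xattr_add() copies its arguments; the alloca() version already required that (its storage died at function return), so behaviour is unchanged, but a short comment at the call site would spare the next reader the same check. The security value of the change is that `size` comes from the archive, so alloca() with an attacker-chosen length could exhaust the stack, whereas the heap path turns an oversized value into an ordinary xmalloc() failure. Style nit: the new blank line (`++  ` in the outer diff) carries trailing whitespace; drop it.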
diff --git a/meta/recipes-extended/tar/tar_1.32.bb 
b/meta/recipes-extended/tar/tar_1.32.bb
index 1246f01256..c560741599 100644
--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
file://musl_dirent.patch \
file://CVE-2021-20193.patch \
file://CVE-2022-48303.patch \
+   file://CVE-2023-39804.patch \
 "
 
 SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05"
-- 
2.25.1


View/Reply Online (#197619): 
https://lists.openembedded.org/g/openembedded-core/message/197619



[OE-core][kirkstone][PATCH] util-linux: Fix for CVE-2024-28085

2024-03-29 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport from
https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7ca557d1ac31f638986704757f
&
https://github.com/util-linux/util-linux/commit/27ee6446503af7ec0c2647704ca47ac4de3852ef
&
https://github.com/util-linux/util-linux/commit/aa13246a1bf1be9e4f6eb331f4d4d2dbc875e22f
& 
https://github.com/util-linux/util-linux/commit/404b0781f52f7c045ca811b2dceec526408ac253

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-core/util-linux/util-linux.inc   |   4 +
 .../util-linux/CVE-2024-28085-pre1.patch  | 200 
 .../util-linux/CVE-2024-28085-pre2.patch  | 171 ++
 .../util-linux/CVE-2024-28085-pre3.patch  | 219 ++
 .../util-linux/CVE-2024-28085.patch   |  30 +++
 5 files changed, 624 insertions(+)
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre1.patch
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre2.patch
 create mode 100644 
meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre3.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2024-28085.patch

diff --git a/meta/recipes-core/util-linux/util-linux.inc 
b/meta/recipes-core/util-linux/util-linux.inc
index 982ec669a2..079359c55c 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -35,6 +35,10 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
file://run-ptest \
file://display_testname_for_subtest.patch \
file://avoid_parallel_tests.patch \
+   file://CVE-2024-28085-pre1.patch \
+   file://CVE-2024-28085-pre2.patch \
+   file://CVE-2024-28085-pre3.patch \
+   file://CVE-2024-28085.patch \
"
 
 SRC_URI[sha256sum] = 
"634e6916ad913366c3536b6468e7844769549b99a7b2bf80314de78ab5655b83"
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre1.patch 
b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre1.patch
new file mode 100644
index 00..ce3056eabe
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2024-28085-pre1.patch
@@ -0,0 +1,200 @@
+From 8a7b8456d1dc0e7ca557d1ac31f638986704757f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=D0=BD=D0=B0=D0=B1?= 
+Date: Wed, 15 Mar 2023 16:16:31 +0100
+Subject: [PATCH] write: correctly handle wide characters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Do this by replacing fputc_careful() (notice that the description said
+it's locale-aware ‒ it very much is /not/), with a fputs_careful() which
+does the same thing, but if it were to output a byte in the \123 format,
+first it checks whether this byte starts a valid multibyte character.
+
+If it does, and that character is printable, write it verbatim.
+This means that
+  echo 'foo åäö ąęćźżń bar' | write nabijaczleweli pts/4
+instead of
+  foo \303\245\303\244\303\266
+  \304\205\304\231\304\207\305\272\305\274\305\204 bar
+yields
+  foo åäö ąęćźżń bar
+or, more realistically, from a message I got earlier today,
+  Filip powiedzia\305\202 \305\274e zap\305\202aci jutro
+becomes
+  Filip powiedział że zapłaci jutro
+
+Invalid/non-printable sequences get processed as before.
+
+Line reading in write must become getline() to avoid dealing with
+partial characters: for example on input consisting solely of
+ąęćźżń, where every {1} is an instance, the output would be
+  {42}ąęć\305\272żń{84}ąęćź\305\274ń{84}ąęćźż\305\204{39}
+with just fixed-512 fgets()
+
+Bug-Debian: https://bugs.debian.org/826596
+
+Upstream-Status: Backport 
[https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7ca557d1ac31f638986704757f]
+CVE: CVE-2024-28085 #Dependency Patch1
+Signed-off-by: Vijay Anusuri 
+---
+ include/carefulputc.h | 60 +++
+ login-utils/last.c|  4 +--
+ term-utils/write.c| 25 +-
+ 3 files changed, 52 insertions(+), 37 deletions(-)
+
+diff --git a/include/carefulputc.h b/include/carefulputc.h
+index 8860b12340..740add68e8 100644
+--- a/include/carefulputc.h
 b/include/carefulputc.h
+@@ -1,31 +1,59 @@
+ #ifndef UTIL_LINUX_CAREFULPUTC_H
+ #define UTIL_LINUX_CAREFULPUTC_H
+ 
+-/*
+- * A putc() for use in write and wall (that sometimes are sgid tty).
+- * It avoids control characters in our locale, and also ASCII control
+- * characters.   Note that the locale of the recipient is unknown.
+-*/
+ #include 
+ #include 
+ #include 
++#ifdef HAVE_WIDECHAR
++#include 
++#endif
++#include 
+ 
+ #include "cctype.h"
+ 
+-static inline int fputc_careful(int c, FILE *fp, const char fail)
++/*
++ * A puts() for use in write and wall (that sometimes are sgid tty).
++ * It avoids control and invalid characters.
++ * The locale of the recipient is nominally unknown,
++ * but it's a solid bet that the encoding is compatible with the author's.
++ */
++static inline int 
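Review bot: the replacement comment drops the old warning that the recipient's locale is unknown in favour of "a solid bet that the encoding is compatible with the author's". For a helper used by sgid-tty programs (write, wall), that bet is the security boundary, so the comment should also state what happens to bytes that do not form a valid printable multibyte character in the sender's locale; the commit message says they are still escaped as before, which is the right behaviour, and the header is where a reader will look for it. The hunk is cut off in this archive rendering at `static inline int`, so the body of fputs_careful() could not be reviewed here.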

[OE-core][dunfell][PATCH] curl: backport Debian patch for CVE-2024-2398

2024-04-01 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Import patch from Ubuntu to fix
 CVE-2024-2398

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Ffocal-security
Upstream commit
https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]

Signed-off-by: Vijay Anusuri 
---
 .../curl/curl/CVE-2024-2398.patch | 88 +++
 meta/recipes-support/curl/curl_7.69.1.bb  |  1 +
 2 files changed, 89 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch 
b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
new file mode 100644
index 00..a3840336f0
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
@@ -0,0 +1,88 @@
+Backport of:
+
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing 
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/focal-security
+Upstream commit 
https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]
+CVE: CVE-2024-2398
+Signed-off-by: Vijay Anusuri 
+---
+ lib/http2.c | 34 +++---
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+--- a/lib/http2.c
 b/lib/http2.c
+@@ -515,6 +515,15 @@ static struct Curl_easy *duphandle(struc
+ }
+ 
+ 
++static void free_push_headers(struct HTTP *stream)
++{
++  size_t i;
++  for(i = 0; ipush_headers_used; i++)
++free(stream->push_headers[i]);
++  Curl_safefree(stream->push_headers);
++  stream->push_headers_used = 0;
++}
++
+ static int push_promise(struct Curl_easy *data,
+ struct connectdata *conn,
+ const nghttp2_push_promise *frame)
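Review bot: the loop header on the `for(i = 0; ipush_headers_used; i++)` line has lost its comparison in this rendering and must read `i < stream->push_headers_used` in the file that lands in the recipe; diff the imported patch against the upstream commit before merging. The helper itself is sound: Curl_safefree() NULLs the array and `push_headers_used` returns to 0, so calling it twice, or on a stream that never received a push, is harmless.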
+@@ -528,7 +537,6 @@ static int push_promise(struct Curl_easy
+ struct curl_pushheaders heads;
+ CURLMcode rc;
+ struct http_conn *httpc;
+-size_t i;
+ /* clone the parent */
+ struct Curl_easy *newhandle = duphandle(data);
+ if(!newhandle) {
+@@ -557,11 +565,7 @@ static int push_promise(struct Curl_easy
+ Curl_set_in_callback(data, false);
+ 
+ /* free the headers again */
+-for(i = 0; ipush_headers_used; i++)
+-  free(stream->push_headers[i]);
+-free(stream->push_headers);
+-stream->push_headers = NULL;
+-stream->push_headers_used = 0;
++free_push_headers(stream);
+ 
+ if(rv) {
+   /* denied, kill off the new handle again */
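Review bot: the headers are released before `rv` is checked, the same order as the code being removed, so the push callback has already seen them through `heads` and nothing after this point may touch stream->push_headers; the helper's reset to NULL/0 is what makes a stray later access fail loudly rather than read freed memory.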
+@@ -995,10 +999,10 @@ static int on_header(nghttp2_session *se
+ stream->push_headers_alloc) {
+   char **headp;
+   stream->push_headers_alloc *= 2;
+-  headp = Curl_saferealloc(stream->push_headers,
+-   stream->push_headers_alloc * sizeof(char *));
++  headp = realloc(stream->push_headers,
++  stream->push_headers_alloc * sizeof(char *));
+   if(!headp) {
+-stream->push_headers = NULL;
++free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+   }
+   stream->push_headers = headp;
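Review bot: this hunk is the actual CVE fix and the reasoning belongs in the patch header: Curl_saferealloc() frees its argument on failure, so the old code lost the only references to every already-collected header string the moment it set `stream->push_headers = NULL`; plain realloc() leaves the old array intact on failure, which is what lets free_push_headers() release each entry. One loose end: `stream->push_headers_alloc` has already been doubled when the failure path runs and free_push_headers() does not reset it, so confirm the allocation branch above this hunk re-initializes `push_headers_alloc` whenever `push_headers` is NULL, otherwise the next push on this stream starts from a stale capacity.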
+@@ -1179,14 +1183,7 @@ void Curl_http2_done(struct Curl_easy *d
+   if(http->header_recvbuf) {
+ Curl_add_buffer_free(>header_recvbuf);
+ Curl_add_buffer_free(>trailer_recvbuf);
+-if(http->push_headers) {
+-  /* if they weren't used and then freed before */
+-  for(; http->push_headers_used > 0; --http->push_headers_used) {
+-free(http->push_headers[http->push_headers_used - 1]);
+-  }
+-  free(http->push_headers);
+-  http->push_headers = NULL;
+-}
++free_push_headers(http);
+   }
+ 
+   if(!httpc->h2) /* not HTTP/2 ? */
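Review bot: the new call sits inside `if(http->header_recvbuf)`, as the removed block did, so push headers are still not released if a handle reaches Curl_http2_done() with `push_headers` set but no `header_recvbuf`. If that combination is reachable in 7.69.1, move `free_push_headers(http);` out of the if; the helper tolerates an empty state, so the unconditional call costs nothing.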
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb 
b/meta/recipes-support/curl/curl_7.69.1.bb
index 980b4224a8..2f351d585a 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -58,6 +58,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2023-28321.patch \
file://CVE-2023-28322.patch \
file://CVE-2023-46218.patch \
+   file://CVE-2024-2398.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
-- 
2.25.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197674): 
https://lists.openembedded.org/g/openembedded-core/message/197674
Mute This Topic: https://lists.openembedded.org/mt/105259607/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
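Worked example, added here and not code from curl or from the patch above, of the failure the on_header() hunk fixes: a realloc wrapper that frees its argument on failure (a stand-in for Curl_saferealloc(), here called free_on_fail_realloc()) versus plain realloc(), both applied to an array of heap-allocated header strings. The ledger, the header names and the forced growth failure are constructed for the demonstration so the leak can be counted from code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not curl's code: why growing an array of heap strings
 * with a realloc that frees its argument on failure loses every string.
 * A small ledger of live allocations stands in for a leak checker. */

#define LEDGER_MAX 64
static char  *ledger[LEDGER_MAX];   /* strings handed out and not yet freed */
static size_t ledger_n = 0;

static char *ledger_dup(const char *s)      /* strdup + record */
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) { memcpy(p, s, n); if (ledger_n < LEDGER_MAX) ledger[ledger_n++] = p; }
    return p;
}

static void ledger_free(char *p)            /* free + unrecord */
{
    size_t i;
    for (i = 0; i < ledger_n; i++)
        if (ledger[i] == p) { ledger[i] = ledger[--ledger_n]; break; }
    free(p);
}

static size_t ledger_leaked_and_reset(void) /* count leaks, then reclaim them */
{
    size_t leaked = ledger_n;
    while (ledger_n) free(ledger[--ledger_n]);
    return leaked;
}

struct headers { char **items; size_t used; size_t alloc; };

/* Release every element and the array. Safe on an already-empty struct,
 * the property the patch's free_push_headers() relies on. */
void headers_free(struct headers *h)
{
    size_t i;
    for (i = 0; i < h->used; i++) ledger_free(h->items[i]);
    free(h->items);
    h->items = NULL;
    h->used = h->alloc = 0;
}

/* realloc that frees the old block when it fails: the behaviour the patch
 * moves away from. Fine for flat buffers, wrong for arrays of pointers. */
static void *free_on_fail_realloc(void *p, size_t n, int fail)
{
    void *q = fail ? NULL : realloc(p, n);
    if (!q) free(p);
    return q;
}

/* Old pattern: on growth failure the array is already gone, so all the
 * caller can do is NULL the pointer; the strings are now unreachable. */
int headers_add_leaky(struct headers *h, const char *s, int fail_grow)
{
    if (h->used == h->alloc) {
        size_t n = h->alloc ? h->alloc * 2 : 2;
        char **p = free_on_fail_realloc(h->items, n * sizeof(char *), fail_grow);
        if (!p) { h->items = NULL; h->used = h->alloc = 0; return -1; }
        h->items = p; h->alloc = n;
    }
    h->items[h->used++] = ledger_dup(s);
    return 0;
}

/* Fixed pattern: plain realloc keeps the old array on failure, so every
 * element can still be released before giving up. */
int headers_add_fixed(struct headers *h, const char *s, int fail_grow)
{
    if (h->used == h->alloc) {
        size_t n = h->alloc ? h->alloc * 2 : 2;
        char **p = fail_grow ? NULL : realloc(h->items, n * sizeof(char *));
        if (!p) { headers_free(h); return -1; }
        h->items = p; h->alloc = n;
    }
    h->items[h->used++] = ledger_dup(s);
    return 0;
}

/* Push `count` headers, making the growth needed for the last one fail.
 * Returns how many strings were never freed. */
size_t leaked_after_push(int (*add)(struct headers *, const char *, int), int count)
{
    struct headers h = { NULL, 0, 0 };
    int i;
    for (i = 0; i < count; i++)
        if (add(&h, "x-push: header", i == count - 1) != 0) break;
    headers_free(&h);
    return ledger_leaked_and_reset();
}

int main(void)
{
    /* Capacity grows 2 -> 4, so the 5th push forces growth: the old pattern
     * loses the 4 stored strings, the fixed one loses none. */
    printf("leaky: %zu leaked, fixed: %zu leaked\n",
           leaked_after_push(headers_add_leaky, 5),
           leaked_after_push(headers_add_fixed, 5));
    return 0;
}
```

The leak only appears when the growth step itself fails: a push that fits in the current capacity (for example two pushes against a capacity of two) leaks nothing with either pattern, which is why the bug survived as long as it did.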



[OE-core][kirkstone][PATCH] qemu: Fix for CVE-2023-6683

2024-04-01 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport from 
https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a

Reference: https://security-tracker.debian.org/tracker/CVE-2023-6683

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-6683.patch | 92 +++
 2 files changed, 93 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 08ce72546d..856fe64fe7 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -111,6 +111,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2023-3019-0001.patch \
file://CVE-2023-3019-0002.patch \
file://CVE-2023-3019-0003.patch \
+   file://CVE-2023-6683.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
new file mode 100644
index 00..e528574076
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
@@ -0,0 +1,92 @@
+From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001
+From: Fiona Ebner 
+Date: Wed, 24 Jan 2024 11:57:48 +0100
+Subject: [PATCH] ui/clipboard: mark type as not available when there is no
+ data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT
+message with len=0. In qemu_clipboard_set_data(), the clipboard info
+will be updated setting data to NULL (because g_memdup(data, size)
+returns NULL when size is 0). If the client does not set the
+VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then
+the 'request' callback for the clipboard peer is not initialized.
+Later, because data is NULL, qemu_clipboard_request() can be reached
+via vdagent_chr_write() and vdagent_clipboard_recv_request() and
+there, the clipboard owner's 'request' callback will be attempted to
+be called, but that is a NULL pointer.
+
+In particular, this can happen when using the KRDC (22.12.3) VNC
+client.
+
+Another scenario leading to the same issue is with two clients (say
+noVNC and KRDC):
+
+The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and
+initializes its cbpeer.
+
+The KRDC client does not, but triggers a vnc_client_cut_text() (note
+it's not the _ext variant)). There, a new clipboard info with it as
+the 'owner' is created and via qemu_clipboard_set_data() is called,
+which in turn calls qemu_clipboard_update() with that info.
+
+In qemu_clipboard_update(), the notifier for the noVNC client will be
+called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the
+noVNC client. The 'owner' in that clipboard info is the clipboard peer
+for the KRDC client, which did not initialize the 'request' function.
+That sounds correct to me, it is the owner of that clipboard info.
+
+Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set
+the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it
+passes), that clipboard info is passed to qemu_clipboard_request() and
+the original segfault still happens.
+
+Fix the issue by handling updates with size 0 differently. In
+particular, mark in the clipboard info that the type is not available.
+
+While at it, switch to g_memdup2(), because g_memdup() is deprecated.
+
+Cc: qemu-sta...@nongnu.org
+Fixes: CVE-2023-6683
+Reported-by: Markus Frank 
+Suggested-by: Marc-André Lureau 
+Signed-off-by: Fiona Ebner 
+Reviewed-by: Marc-André Lureau 
+Tested-by: Markus Frank 
+Message-ID: <20240124105749.204610-1-f.eb...@proxmox.com>
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a]
+CVE: CVE-2023-6683
+Signed-off-by: Vijay Anusuri 
+---
+ ui/clipboard.c | 12 +---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/ui/clipboard.c b/ui/clipboard.c
+index 3d14bffaf80..b3f6fa3c9e1 100644
+--- a/ui/clipboard.c
 b/ui/clipboard.c
+@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
+ }
+ 
+ g_free(info->types[type].data);
+-info->types[type].data = g_memdup(data, size);
+-info->types[type].size = size;
+-info->types[type].available = true;
++if (size) {
++info->types[type].data = g_memdup2(data, size);
++info->types[type].size = size;
++info->types[type].available = true;
++} else {
++info->types[type].data = NULL;
++info->types[type].size = 0;
++info->types[type].available = false;
++}
+ 
+ if (update) {
+ qemu_clipboard_update(info);
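Review bot: g_memdup2() needs GLib 2.68 or QEMU's own glib-compat.h wrapper; confirm the kirkstone qemu source provides one before relying on it, otherwise keep g_memdup() in the backport and carry only the `if (size)` split, which is the part that stops a zero-length cut-text from leaving `available` true with `data` NULL. The else branch makes `available == false` the signal peers must check before dereferencing `data`; that contract is what the commit message relies on, so any peer code in this tree that reads `data` without checking `available` should be looked at in the same pass.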
+-- 
+GitLab
+
-- 
2.25.1


View/Reply Online (#197676): 

Re: [OE-core][kirkstone][PATCH] util-linux: Fix for CVE-2024-28085

2024-03-31 Thread Vijay Anusuri via lists.openembedded.org
Sure Randy.

The issue was introduced last year in util-linux v2.39.

The offending commits are:

* https://github.com/util-linux/util-linux/commit/8a7b8456d1dc0e7c
   ("write: correctly handle wide characters")
* https://github.com/util-linux/util-linux/commit/aa13246a1bf1be9e
   ("wall: use fputs_careful()")

I have added the offending commits as dependency patches. As the vulnerable
code is not present, it's not affected, so I want it to be ignored.

Thanks & Regards,
Vijay


On Sun, Mar 31, 2024 at 5:54 AM Randy MacLeod  wrote:

>
>
> On Fri, Mar 29, 2024, 11:52 Vijay Anusuri via lists.openembedded.org
>  wrote:
>
>> Hi Steve,
>>
>> Please ignore this patch.
>>
>> Thanks & Regards,
>> Vijay
>>
>
>
> Hi Vijay,
>
> I expect that's fine with Steve but in the future, it would be good if,
> when you ask for a patch to be ignored, you briefly explain why you'd like
> it to be ignored.
>
> Randy
>
>
>

View/Reply Online (#197670): 
https://lists.openembedded.org/g/openembedded-core/message/197670



[OE-core][dunfell][PATCH] ncurses: Backport fix for CVE-2023-50495

2024-04-02 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport from 
https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc

Reference: 
https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz

Signed-off-by: Vijay Anusuri 
---
 .../ncurses/files/CVE-2023-50495.patch| 79 +++
 meta/recipes-core/ncurses/ncurses_6.2.bb  |  1 +
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-50495.patch

diff --git a/meta/recipes-core/ncurses/files/CVE-2023-50495.patch 
b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
new file mode 100644
index 00..58c23866d1
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
@@ -0,0 +1,79 @@
+Fix for CVE-2023-50495 from upstream:
+https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc
+
+Reference:
+https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz
+
+Upstream-Status: Backport [import from suse 
ftp.pbone.net/mirror/ftp.opensuse.org/update/leap-micro/5.3/sle/src/ncurses-6.1-15.5.20.1.src.rpm
+Upstream commit 
https://github.com/ThomasDickey/ncurses-snapshots/commit/efe9674ee14b14b788f9618941f97d31742f0adc]
+CVE: CVE-2023-50495
+Signed-off-by: Vijay Anusuri 
+---
+ ncurses/tinfo/parse_entry.c | 23 ---
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index 23574b66..56ba9ae6 100644
+--- a/ncurses/tinfo/parse_entry.c
 b/ncurses/tinfo/parse_entry.c
+@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int 
token_type)
+   /* Well, we are given a cancel for a name that we don't recognize */
+   return _nc_extend_names(entryp, name, STRING);
+ default:
+-  return 0;
++  return NULL;
+ }
+ 
+ /* Adjust the 'offset' (insertion-point) to keep the lists of extended
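Review bot: `return 0` to `return NULL` is cosmetic since _nc_extend_names() returns a pointer, but it is worth keeping so the new NULL error return added below is the only failure value callers have to compare against.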
+@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int 
token_type)
+   for (last = (unsigned) (max - 1); last > tindex; last--)
+ 
+ if (!found) {
++  char *saved;
++
++  if ((saved = _nc_save_str(name)) == NULL)
++  return NULL;
++
+   switch (token_type) {
+   case BOOLEAN:
+   tp->ext_Booleans++;
+@@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int 
token_type)
+   TYPE_REALLOC(char *, actual, tp->ext_Names);
+   while (--actual > offset)
+   tp->ext_Names[actual] = tp->ext_Names[actual - 1];
+-  tp->ext_Names[offset] = _nc_save_str(name);
++  tp->ext_Names[offset] = saved;
+ }
+ 
+ temp.nte_name = tp->ext_Names[offset];
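Review bot: moving _nc_save_str() ahead of the `switch (token_type)` is the substantive change: previously a NULL from _nc_save_str() was stored into `tp->ext_Names[offset]` after `ext_Booleans`/`ext_Numbers`/`ext_Strings` had already been incremented, leaving a counted entry with no name for later code to dereference. With the early `return NULL` the counters stay untouched on failure. The hunk only fixes the callee, so every caller of _nc_extend_names() in the 6.2 tree now has to cope with a NULL return; check those call sites before merging.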
+@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+   bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
+   bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
+   if (is_use || is_tc) {
++  char *saved;
++
+   if (!VALID_STRING(_nc_curr_token.tk_valstring)
+   || _nc_curr_token.tk_valstring[0] == '\0') {
+   _nc_warning("missing name for use-clause");
+@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+   _nc_curr_token.tk_valstring);
+   continue;
+   }
+-  entryp->uses[entryp->nuses].name = 
_nc_save_str(_nc_curr_token.tk_valstring);
+-  entryp->uses[entryp->nuses].line = _nc_curr_line;
+-  entryp->nuses++;
+-  if (entryp->nuses > 1 && is_tc) {
+-  BAD_TC_USAGE
++  if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) {
++  entryp->uses[entryp->nuses].name = saved;
++  entryp->uses[entryp->nuses].line = _nc_curr_line;
++  entryp->nuses++;
++  if (entryp->nuses > 1 && is_tc) {
++  BAD_TC_USAGE
++  }
+   }
+   } else {
+   /* normal token lookup */
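Review bot: when _nc_save_str() returns NULL the use=/tc= clause is dropped silently; the entry is then compiled without its parent and nothing tells the user why. Add a `_nc_warning(...)` for the NULL case, matching the "missing name for use-clause" diagnostic a few lines up, so a full string table produces a visible warning rather than a silently incomplete terminfo entry.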
+-- 
+2.25.1
+
diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb 
b/meta/recipes-core/ncurses/ncurses_6.2.bb
index 33285bcb5b..dbff149f55 100644
--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://0001-tic-hang.patch \
file://CVE-2021-39537.patch \
file://CVE-2022-29458.patch \
file://CVE-2023-29491.patch \
+   file://CVE-2023-50495.patch \
"
 # commit id corresponds to the revision in package version
 SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
-- 
2.25.1


View/Reply Online (#197903): 
https://lists.openembedded.org/g/openembedded-core/message/197903

[OE-core][kirkstone][PATCH] less: Fix for CVE-2022-48624

2024-02-22 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport 
[https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]

Signed-off-by: Vijay Anusuri 
---
 .../less/less/CVE-2022-48624.patch| 41 +++
 meta/recipes-extended/less/less_600.bb|  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-extended/less/less/CVE-2022-48624.patch

diff --git a/meta/recipes-extended/less/less/CVE-2022-48624.patch 
b/meta/recipes-extended/less/less/CVE-2022-48624.patch
new file mode 100644
index 00..409730bd4f
--- /dev/null
+++ b/meta/recipes-extended/less/less/CVE-2022-48624.patch
@@ -0,0 +1,41 @@
+From c6ac6de49698be84d264a0c4c0c40bb870b10144 Mon Sep 17 00:00:00 2001
+From: Mark Nudelman 
+Date: Sat, 25 Jun 2022 11:54:43 -0700
+Subject: [PATCH] Shell-quote filenames when invoking LESSCLOSE.
+
+Upstream-Status: Backport 
[https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]
+CVE: CVE-2022-48624
+Signed-off-by: Vijay Anusuri 
+---
+ filename.c | 10 --
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index 5824e385..dff20c08 100644
+--- a/filename.c
 b/filename.c
+@@ -972,6 +972,8 @@ close_altfile(altfilename, filename)
+ {
+ #if HAVE_POPEN
+   char *lessclose;
++  char *qfilename;
++  char *qaltfilename;
+   FILE *fd;
+   char *cmd;
+   int len;
+@@ -986,9 +988,13 @@ close_altfile(altfilename, filename)
+   error("LESSCLOSE ignored; must contain no more than 2 %%s", 
NULL_PARG);
+   return;
+   }
+-  len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) 
+ 2);
++  qfilename = shell_quote(filename);
++  qaltfilename = shell_quote(altfilename);
++  len = (int) (strlen(lessclose) + strlen(qfilename) + 
strlen(qaltfilename) + 2);
+   cmd = (char *) ecalloc(len, sizeof(char));
+-  SNPRINTF2(cmd, len, lessclose, filename, altfilename);
++  SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
++  free(qaltfilename);
++  free(qfilename);
+   fd = shellcmd(cmd);
+   free(cmd);
+   if (fd != NULL)
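Review bot: there is no NULL check between the two shell_quote() calls and `strlen(qfilename)` / `strlen(qaltfilename)`; if shell_quote() in this tree can return NULL (for a name it cannot quote safely, for instance), this dereferences NULL where the old code could not crash. Either confirm it never returns NULL or add `if (qfilename == NULL || qaltfilename == NULL) return;` after freeing whichever allocation succeeded. The `+ 2` in the length is carried over from the unquoted computation and remains sufficient because the quoted strings are measured with strlen().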
diff --git a/meta/recipes-extended/less/less_600.bb 
b/meta/recipes-extended/less/less_600.bb
index f68281ac93..f88127a9e3 100644
--- a/meta/recipes-extended/less/less_600.bb
+++ b/meta/recipes-extended/less/less_600.bb
@@ -27,6 +27,7 @@ DEPENDS = "ncurses"
 
 SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \
file://CVE-2022-46663.patch \
+   file://CVE-2022-48624.patch \
  "
 
 SRC_URI[sha256sum] = 
"6633d6aa2b3cc717afb2c205778c7c42c4620f63b1d682f3d12c98af0be74d20"
-- 
2.25.1


View/Reply Online (#196047): 
https://lists.openembedded.org/g/openembedded-core/message/196047
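Added example, not code from less or from the patch above: how a close_altfile()-style command is built from the LESSCLOSE template with and without quoting, plus a small tokenizer that counts how many commands a POSIX shell would run for the result. sh_quote(), build_close_cmd() and sh_command_count() are stand-ins written for this page (less's own shell_quote() handles more shells and escape styles); the attacker-chosen filename is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not less's code. Shows why a filename has to be
 * shell-quoted before it is substituted into a command template such as
 * LESSCLOSE ("lessclose.sh %s %s") and handed to popen(3). */

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Wrap s in single quotes; each embedded ' becomes '\'' so that no byte
 * of s is interpreted by the shell. Caller frees the result. */
char *sh_quote(const char *s)
{
    size_t len = 2;                       /* the surrounding quotes */
    const char *p;
    char *out, *o;
    for (p = s; *p; p++) len += (*p == '\'') ? 4 : 1;
    out = malloc(len + 1);
    if (!out) return NULL;
    o = out;
    *o++ = '\'';
    for (p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else            *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Expand a two-%s template the way close_altfile() does. quote=0 puts the
 * raw names in (the vulnerable behaviour); quote=1 passes them through
 * sh_quote() first, as the patch does. Caller frees the result. */
char *build_close_cmd(const char *tmpl, const char *file, const char *alt, int quote)
{
    char *qf = quote ? sh_quote(file) : dup_str(file);
    char *qa = quote ? sh_quote(alt)  : dup_str(alt);
    char *cmd = NULL;
    if (qf && qa) {                        /* bail out if quoting failed */
        size_t len = strlen(tmpl) + strlen(qf) + strlen(qa) + 1;
        cmd = malloc(len);
        if (cmd) snprintf(cmd, len, tmpl, qf, qa);
    }
    free(qf);
    free(qa);
    return cmd;
}

/* Number of simple commands a POSIX shell would run for cmd: one, plus one
 * per ';', '|', '&' or newline that is not inside single quotes or
 * backslash-escaped. Unquoted metacharacters smuggled in through a filename
 * therefore show up as extra commands. */
int sh_command_count(const char *cmd)
{
    int in_sq = 0, count = 1;
    const char *p;
    for (p = cmd; *p; p++) {
        if (*p == '\'')                          in_sq = !in_sq;
        else if (!in_sq && *p == '\\' && p[1])   p++;
        else if (!in_sq && strchr(";|&\n", *p))  count++;
    }
    return count;
}

int main(void)
{
    const char *tmpl = "lessclose.sh %s %s";
    const char *evil = "report.txt;touch /tmp/pwned";  /* constructed attacker-chosen name */
    char *raw  = build_close_cmd(tmpl, evil, "/tmp/lessXYZ", 0);
    char *safe = build_close_cmd(tmpl, evil, "/tmp/lessXYZ", 1);
    printf("unquoted: %s  -> %d command(s)\n", raw,  sh_command_count(raw));
    printf("quoted:   %s  -> %d command(s)\n", safe, sh_command_count(safe));
    free(raw);
    free(safe);
    return 0;
}
```

Run it to see the unquoted command contain two shell commands and the quoted one exactly one. sh_quote() also handles a name containing a single quote, the case where naively wrapping in quotes breaks, and build_close_cmd() returns NULL when quoting fails instead of measuring a NULL pointer, which is the check the reviewed hunk lacks.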



[OE-core][dunfell][PATCH] less: Fix for CVE-2022-48624

2024-02-25 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport 
[https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]

Signed-off-by: Vijay Anusuri 
---
 .../less/less/CVE-2022-48624.patch| 41 +++
 meta/recipes-extended/less/less_551.bb|  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-extended/less/less/CVE-2022-48624.patch

diff --git a/meta/recipes-extended/less/less/CVE-2022-48624.patch 
b/meta/recipes-extended/less/less/CVE-2022-48624.patch
new file mode 100644
index 00..409730bd4f
--- /dev/null
+++ b/meta/recipes-extended/less/less/CVE-2022-48624.patch
@@ -0,0 +1,41 @@
+From c6ac6de49698be84d264a0c4c0c40bb870b10144 Mon Sep 17 00:00:00 2001
+From: Mark Nudelman 
+Date: Sat, 25 Jun 2022 11:54:43 -0700
+Subject: [PATCH] Shell-quote filenames when invoking LESSCLOSE.
+
+Upstream-Status: Backport 
[https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144]
+CVE: CVE-2022-48624
+Signed-off-by: Vijay Anusuri 
+---
+ filename.c | 10 --
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/filename.c b/filename.c
+index 5824e385..dff20c08 100644
+--- a/filename.c
 b/filename.c
+@@ -972,6 +972,8 @@ close_altfile(altfilename, filename)
+ {
+ #if HAVE_POPEN
+   char *lessclose;
++  char *qfilename;
++  char *qaltfilename;
+   FILE *fd;
+   char *cmd;
+   int len;
+@@ -986,9 +988,13 @@ close_altfile(altfilename, filename)
+   error("LESSCLOSE ignored; must contain no more than 2 %%s", 
NULL_PARG);
+   return;
+   }
+-  len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) 
+ 2);
++  qfilename = shell_quote(filename);
++  qaltfilename = shell_quote(altfilename);
++  len = (int) (strlen(lessclose) + strlen(qfilename) + 
strlen(qaltfilename) + 2);
+   cmd = (char *) ecalloc(len, sizeof(char));
+-  SNPRINTF2(cmd, len, lessclose, filename, altfilename);
++  SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
++  free(qaltfilename);
++  free(qfilename);
+   fd = shellcmd(cmd);
+   free(cmd);
+   if (fd != NULL)
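Review bot: this patch file is identical to the one sent for kirkstone, including the `index 5824e385..dff20c08` header taken from the less 600 sources; confirm it applies to less 551's filename.c without fuzz or offset, and the same missing NULL check after the two shell_quote() calls applies here before `strlen(qfilename)` is reached.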
diff --git a/meta/recipes-extended/less/less_551.bb 
b/meta/recipes-extended/less/less_551.bb
index a818c68fc7..401f40bed5 100644
--- a/meta/recipes-extended/less/less_551.bb
+++ b/meta/recipes-extended/less/less_551.bb
@@ -26,6 +26,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \
 DEPENDS = "ncurses"
 
 SRC_URI = "http://www.greenwoodsoftware.com/${BPN}/${BPN}-${PV}.tar.gz \
+   file://CVE-2022-48624.patch \
  "
 
 SRC_URI[md5sum] = "4ad4408b06d7a6626a055cb453f36819"
-- 
2.25.1


View/Reply Online (#196181): 
https://lists.openembedded.org/g/openembedded-core/message/196181



[OE-core][kirkstone][PATCH] qemu: Fix for CVE-2024-24474

2024-02-25 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

Upstream-Status: Backport
[https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52]

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2024-24474.patch| 44 +++
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index c5fb9b1eab..18752af274 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -103,6 +103,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
   file://CVE-2021-3638.patch \
   file://CVE-2023-1544.patch \
   file://CVE-2023-5088.patch \
+  file://CVE-2024-24474.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch
new file mode 100644
index 00..e890fe56cf
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch
@@ -0,0 +1,44 @@
+From 77668e4b9bca03a856c27ba899a2513ddf52bb52 Mon Sep 17 00:00:00 2001
+From: Mark Cave-Ayland 
+Date: Wed, 13 Sep 2023 21:44:09 +0100
+Subject: [PATCH] esp: restrict non-DMA transfer length to that of available
+ data
+
+In the case where a SCSI layer transfer is incorrectly terminated, it is
+possible for a TI command to cause a SCSI buffer overflow due to the
+expected transfer data length being less than the available data in the
+FIFO. When this occurs the unsigned async_len variable underflows and
+becomes a large offset which writes past the end of the allocated SCSI
+buffer.
+
+Restrict the non-DMA transfer length to be the smallest of the expected
+transfer length and the available FIFO data to ensure that it is no longer
+possible for the SCSI buffer overflow to occur.
+
+Signed-off-by: Mark Cave-Ayland 
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1810
+Reviewed-by: Thomas Huth 
+Message-ID: <20230913204410.65650-3-mark.cave-ayl...@ilande.co.uk>
+Signed-off-by: Paolo Bonzini 
+
+Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52]
+CVE: CVE-2024-24474
+Signed-off-by: Vijay Anusuri 
+---
+ hw/scsi/esp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 4218a6a96054..9b11d8c5738a 100644
+--- a/hw/scsi/esp.c
 b/hw/scsi/esp.c
+@@ -759,7 +759,8 @@ static void esp_do_nodma(ESPState *s)
+ }
+ 
+ if (to_device) {
+-len = MIN(fifo8_num_used(>fifo), ESP_FIFO_SZ);
++len = MIN(s->async_len, ESP_FIFO_SZ);
++len = MIN(len, fifo8_num_used(>fifo));
+ esp_fifo_pop_buf(>fifo, s->async_buf, len);
+ s->async_buf += len;
+ s->async_len -= len;
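Review bot: the `&` has been dropped from `fifo8_num_used(>fifo)` and `esp_fifo_pop_buf(>fifo, ...)` in this rendering; the file in the recipe must carry `&s->fifo`, so verify it against the upstream commit. The clamp itself is right: taking the minimum with `s->async_len` first means `s->async_len -= len` on the last line can no longer wrap the unsigned value. The upstream Message-ID ends in `-3-`, i.e. this is patch 3 of a series; check whether patch 2 of that series is a prerequisite for the kirkstone esp.c before merging this one on its own.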
-- 
2.25.1


View/Reply Online (#196182): 
https://lists.openembedded.org/g/openembedded-core/message/196182



Re: [OE-core][kirkstone][PATCH] ghostscript: ignore CVE-2020-36773

2024-03-03 Thread Vijay Anusuri via lists.openembedded.org
Hi Steve,

I've sent a mail to cpe_diction...@nist.gov to update the information.

Now it was updated in https://nvd.nist.gov/vuln/detail/CVE-2020-36773

Thanks & Regards,
Vijay

On Thu, Feb 8, 2024 at 8:40 PM Steve Sakoman  wrote:

> On Wed, Feb 7, 2024 at 8:42 PM Vijay Anusuri via
> lists.openembedded.org 
> wrote:
> >
> > From: Vijay Anusuri 
> >
> > Artifex Ghostscript before 9.53.0 has an out-of-bounds write and
> use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single
> character code in a PDF document can map to more than one Unicode code
> point (e.g., for a ligature).
> >
> > Reference: https://ubuntu.com/security/CVE-2020-36773
> >
> > Signed-off-by: Vijay Anusuri 
> > ---
> >  meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 4 
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> > index e0d1e4618f..cc06d092c1 100644
> > --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> > +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
> > @@ -26,6 +26,10 @@ CVE_CHECK_IGNORE += "CVE-2013-6629"
> >  # Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe.
> >  CVE_CHECK_IGNORE += "CVE-2023-38560"
> >
> > +# This CVE affects Ghostscript before 9.53.0
> > +# https://ubuntu.com/security/CVE-2020-36773
> > +CVE_CHECK_IGNORE += "CVE-2020-36773"
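Review bot: the comment only says the CVE affects versions before 9.53.0, which does not explain why 9.55.0 is being flagged at all; state the real reason (the NVD CPE range being wrong) and note that the ignore should be dropped once NVD corrects the entry, since cve-check will then clear it from the version data alone and a stale CVE_CHECK_IGNORE would hide a future regression on this id.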
>
> When there is an error in the upstream database it is preferred that
> you send an email to cpe_diction...@nist.gov requesting an update
> (giving links that justify the change to make it easy for them to
> research)
>
> They are usually quite responsive, and this is much preferred to
> carrying an IGNORE in our metadata.
>
> Thanks!
>
> Steve
>
> > +
> >  def gs_verdir(v):
> >  return "".join(v.split("."))
> >
> > --
> > 2.25.1
> >
> >
> > 
> >
>
--- Begin Message ---
Good afternoon,

We apologize for the late response as we are currently experiencing a large 
volume of CPE related inquiries.

Thank you for bringing this to our attention. We appreciate community input in 
order to provide the most accurate and up-to-date information as possible. 
After reviewing publicly available information we have made the appropriate 
modifications.  Please allow up to 24 hours for the changes to be reflected on 
the website and in the data feeds.


V/r,

Common Platform Enumeration Team

National Institute of Standards and Technology (NIST)

cpe_diction...@nist.gov<mailto:cpe_diction...@nist.gov>


From: Vijay Anusuri 
Sent: Thursday, February 8, 2024 10:52 PM
To: cpe_dictionary 
Subject: CVE-2020-36773 update

Hi Team,

CVE-2020-36773 was fixed in the Ghostscript version 9.53.0 by the below commit
https://git.ghostscript.com/?p=ghostpdl.git;h=8c7bd787defa071c96289b7da9397f673fddb874

This issue introduced in 9.51 as described in the patch.

Affected versions: 9.51 & 9.52
References: https://ghostscript.com/docs/9.53.3/History9.htm
https://ubuntu.com/security/CVE-2020-36773

Could you please update this in upstream database.

Thanks & Regards,
Vijay
--- End Message ---

View/Reply Online (#196582): 
https://lists.openembedded.org/g/openembedded-core/message/196582



[OE-core][kirkstone][PATCH] binutils: Rename CVE-2022-38126 patch to CVE-2022-35205

2024-05-21 Thread Vijay Anusuri via lists.openembedded.org
From: Vijay Anusuri 

CVE-2022-38126 has been marked "REJECT" in the CVE List by NVD.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-38126

As the commit changes in 0016-CVE-2022-38126.patch fix CVE-2022-35205,
the patch has been renamed.

Link: https://ubuntu.com/security/CVE-2022-35205

Signed-off-by: Vijay Anusuri 
---
 meta/recipes-devtools/binutils/binutils-2.38.inc   | 2 +-
 .../{0016-CVE-2022-38126.patch => 0016-CVE-2022-35205.patch}   | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/binutils/binutils/{0016-CVE-2022-38126.patch => 
0016-CVE-2022-35205.patch} (94%)

diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc 
b/meta/recipes-devtools/binutils/binutils-2.38.inc
index bbe7bb57b2..4a8831b534 100644
--- a/meta/recipes-devtools/binutils/binutils-2.38.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.38.inc
@@ -34,7 +34,7 @@ SRC_URI = "\
  file://0013-Avoid-as-info-race-condition.patch \
  file://0014-CVE-2019-1010204.patch \
  file://0015-CVE-2022-38533.patch \
- file://0016-CVE-2022-38126.patch \
+ file://0016-CVE-2022-35205.patch \
  file://0017-CVE-2022-38127-1.patch \
  file://0017-CVE-2022-38127-2.patch \
  file://0017-CVE-2022-38127-3.patch \
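Review bot: renaming the file is enough for cve-check, which keys on the CVE id in the patch filename and on the `CVE:` tag inside it, but the commit message should say how CVE-2022-38126 relates to CVE-2022-35205 (the NVD REJECT text normally names the id it duplicates) so readers know the fix itself is unchanged and only the label moved; as written it could be read as the 38126 fix having been dropped.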
diff --git a/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-38126.patch 
b/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-35205.patch
similarity index 94%
rename from meta/recipes-devtools/binutils/binutils/0016-CVE-2022-38126.patch
rename to meta/recipes-devtools/binutils/binutils/0016-CVE-2022-35205.patch
index 8200e28a81..a582df4466 100644
--- a/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-38126.patch
+++ b/meta/recipes-devtools/binutils/binutils/0016-CVE-2022-35205.patch
@@ -9,8 +9,9 @@ Subject: [PATCH] Replace a run-time assertion failure with a 
warning message
message.
 
 Upstream-Status: Backport 
[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e3e5ae049371a27fd1737aba946fe26d06e029b5]
-
+CVE: CVE-2022-35205
 Signed-off-by: Pgowda 
+Signed-off-by: Vijay Anusuri 
 ---
  binutils/dwarf.c   | 7 ++-
 
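Review bot: the added `CVE: CVE-2022-35205` line is what cve-check reads to mark the id as patched, so it must match the new filename exactly, which it does; removing the blank line between Upstream-Status and the Signed-off-by lines is a formatting nit only, but the second Signed-off-by documents who re-labelled the patch and should stay.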
-- 
2.25.1


View/Reply Online (#199616): 
https://lists.openembedded.org/g/openembedded-core/message/199616



Re: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085

2024-05-28 Thread Vijay Anusuri via lists.openembedded.org
Hi Soumya,

Along with Debian, Suse also fixed the issue with those 4 dependent commits
(https://bugzilla.suse.com/show_bug.cgi?id=1221831).

Debian added the "--disable-use-tty-group" configure option during build
along with patch for complete fix (
https://launchpad.net/ubuntu/+source/util-linux/2.37.2-4ubuntu3.4). We
already have that configure option in the recipe file.

I think we can go ahead with the debian patch fix.

Thanks & Regards,
Vijay

On Thu, Apr 25, 2024 at 8:56 AM Sambu, Soumya 
wrote:

> Hi Peter,
>
> Thank you for providing the details.
>
> Based on the information regarding the vulnerability report and the commit
> history provided, it appears that our code is indeed vulnerable as the
> commit introducing the vulnerability still exists in our codebase.
>
> Our util-linux version in the kirkstone branch is v2.37.4, and the
> vulnerable code was introduced in commit cdd3cc7fa4 back in 2013.
>
> I've also noted that Debian is also fixing the CVE, along with the
> dependent commits mentioned in the offending commits list. They have
> already added upstream patches to address CVE-2024-28085 (839ff33b), as
> detailed in their commit here:
> https://salsa.debian.org/debian/util-linux/-/commit/839ff33b8002189411b679cc9ee99d1a99e099cb
> .
>
> Please review the provided information, and let me know if there's
> anything else we need to consider.
>
> Best Regards,
> Soumya
> --
> *From:* Marko, Peter 
> *Sent:* Friday, April 19, 2024 10:11 PM
> *To:* Sambu, Soumya ;
> openembedded-core@lists.openembedded.org <
> openembedded-core@lists.openembedded.org>; vanus...@mvista.com <
> vanus...@mvista.com>
> *Subject:* RE: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix
> CVE-2024-28085
>
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and
> know the content is safe.
>
> Identical patch was already submitted and then requested to be ignored
> because the issue is apparently introduced by one of the added patches.
> https://lists.openembedded.org/g/openembedded-core/message/197670
>
> Since the vulnerability report claims that our version IS vulnerable, it
> would be interesting to know where the truth is...
> https://github.com/skyler-ferrante/CVE-2024-28085 -> The vulnerable code
> was introduced in commit cdd3cc7fa4 (2013).
>
> Peter
>

View/Reply Online (#199964): 
https://lists.openembedded.org/g/openembedded-core/message/199964