[yocto] [meta-security][PATCH] ncrack: update to tip
Signed-off-by: Scott Ellis --- recipes-security/ncrack/ncrack_0.7.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/recipes-security/ncrack/ncrack_0.7.bb b/recipes-security/ncrack/ncrack_0.7.bb index 06ba2b6..ba26965 100644 --- a/recipes-security/ncrack/ncrack_0.7.bb +++ b/recipes-security/ncrack/ncrack_0.7.bb @@ -4,9 +4,9 @@ HOMEPAGE = "https://nmap.org/ncrack; SECTION = "security" LICENSE = "GPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=198fa93d4e80225839e595336f3b5ff0" +LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2" -SRCREV = "3a793a21820708466081825beda9fce857f36cb6" +SRCREV = "dc570e7e3cec1fb176c0168eaedc723084bd0426" SRC_URI = "git://github.com/nmap/ncrack.git" DEPENDS = "openssl zlib" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] checksec: Remove old script
Should have been removed in previous patch. Signed-off-by: Scott Ellis --- recipes-security/checksec/files/checksec.sh | 882 1 file changed, 882 deletions(-) delete mode 100644 recipes-security/checksec/files/checksec.sh diff --git a/recipes-security/checksec/files/checksec.sh b/recipes-security/checksec/files/checksec.sh deleted file mode 100644 index dd1f72e..000 --- a/recipes-security/checksec/files/checksec.sh +++ /dev/null @@ -1,882 +0,0 @@ -#!/bin/bash -# -# The BSD License (http://www.opensource.org/licenses/bsd-license.php) -# specifies the terms and conditions of use for checksec.sh: -# -# Copyright (c) 2009-2011, Tobias Klein. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in -# the documentation and/or other materials provided with the -# distribution. -# * Neither the name of Tobias Klein nor the name of trapkit.de may be -# used to endorse or promote products derived from this software -# without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS -# OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED -# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF -# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH -# DAMAGE. -# -# Name: checksec.sh -# Version : 1.5 -# Author : Tobias Klein -# Date: November 2011 -# Download: http://www.trapkit.de/tools/checksec.html -# Changes : http://www.trapkit.de/tools/checksec_changes.txt -# -# Description: -# -# Modern Linux distributions offer some mitigation techniques to make it -# harder to exploit software vulnerabilities reliably. Mitigations such -# as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout -# Randomization (ASLR) and Position Independent Executables (PIE) have -# made reliably exploiting any vulnerabilities that do exist far more -# challenging. The checksec.sh script is designed to test what *standard* -# Linux OS and PaX (http://pax.grsecurity.net/) security features are being -# used. -# -# As of version 1.3 the script also lists the status of various Linux kernel -# protection mechanisms. -# -# Credits: -# -# Thanks to Brad Spengler (grsecurity.net) for the PaX support. -# Thanks to Jon Oberheide (jon.oberheide.org) for the kernel support. -# Thanks to Ollie Whitehouse (Research In Motion) for rpath/runpath support. -# -# Others that contributed to checksec.sh (in no particular order): -# -# Simon Ruderich, Denis Scherbakov, Stefan Kuttler, Radoslaw Madej, -# Anthony G. Basile, Martin Vaeth and Brian Davis. -# - -# global vars -have_readelf=1 -verbose=false - -# FORTIFY_SOURCE vars -FS_end=_chk -FS_cnt_total=0 -FS_cnt_checked=0 -FS_cnt_unchecked=0 -FS_chk_func_libc=0 -FS_functions=0 -FS_libc=0 - -# version information -version() { - echo "checksec v1.5, Tobias Klein, www.trapkit.de, November 2011" - echo -} - -# help -help() { - echo "Usage: checksec [OPTION]" - echo - echo "Options:" - echo - echo " --file " - echo " --dir [-v]" - echo " --proc " - echo " --proc-all" - echo " --proc-libs " - echo " --kernel" - echo " --fortify-file " - echo " --fortify-proc " - echo " --version" - echo " --help" - echo - echo "For more information, see:" - echo " http://www.trapkit.de/tools/checksec.html; - echo -} - -# check if command exists -command_exists () { - type $1 > /dev/null 2>&1; -} - -# check if directory exists -dir_exists () { - if [ -d $1 ] ; then -return 0 - else -return 1 - fi -} - -# check user privileges -root_privs () { - if [ $(/usr/bin/id -u) -eq 0 ] ; then -return 0 - else -return 1 - fi -} - -# check if input is numeric -isNumeric () { - echo "$@" | grep -q -v "[^0-9]" -} - -# check if input is a string -isString () { - echo "$@" | grep -q -v "[^A-Za-z]" -} - -# check file(s) -fil
[yocto] [meta-security][PATCH] checksec: Upgrade to latest upstream
More kernel checks, particularly arm64. Signed-off-by: Scott Ellis --- recipes-security/checksec/checksec_1.11.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-security/checksec/checksec_1.11.bb b/recipes-security/checksec/checksec_1.11.bb index 59a67bd..0ca6e07 100644 --- a/recipes-security/checksec/checksec_1.11.bb +++ b/recipes-security/checksec/checksec_1.11.bb @@ -6,7 +6,7 @@ HOMEPAGE="https://github.com/slimm609/checksec.sh; LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a" -SRCREV = "a57e03c4f62dbaca0ec949bbc58491fb0c461447" +SRCREV = "afcbaf954169771fc88ebba7727acdd2d26c27c7" SRC_URI = "git://github.com/slimm609/checksec.sh" S = "${WORKDIR}/git" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] scapy: Fix shebang for python3
Both scapy and UTscapy have python in the shebang line regardless of whether python3-scapy or python-scapy was built. Signed-off-by: Scott Ellis --- recipes-security/scapy/python-scapy.inc | 7 +++ 1 file changed, 7 insertions(+) diff --git a/recipes-security/scapy/python-scapy.inc b/recipes-security/scapy/python-scapy.inc index f90b93d..43ef959 100644 --- a/recipes-security/scapy/python-scapy.inc +++ b/recipes-security/scapy/python-scapy.inc @@ -10,6 +10,13 @@ SRC_URI[sha256sum] = "1baa048936207ceb1a4281a0e1e3b4317667c754872a0bb4734c5213c4 inherit pypi +do_install_append() { +if [ "${PYTHON_PN}" = "python3" ]; then +sed -i -e 's/python/python3/' ${D}${bindir}/scapy +sed -i -e 's/python/python3/' ${D}${bindir}/UTscapy +fi +} + RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \ ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \ ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] scapy: Add python-cryptography to RDEPENDS
Signed-off-by: Scott Ellis --- recipes-security/scapy/python-scapy.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-security/scapy/python-scapy.inc b/recipes-security/scapy/python-scapy.inc index 95e5312..f90b93d 100644 --- a/recipes-security/scapy/python-scapy.inc +++ b/recipes-security/scapy/python-scapy.inc @@ -10,6 +10,6 @@ SRC_URI[sha256sum] = "1baa048936207ceb1a4281a0e1e3b4317667c754872a0bb4734c5213c4 inherit pypi -RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-netclient \ +RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \ ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \ ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCHv2] Upgrade scapy to 2.4.2
Upstream MANIFEST.in removed doc and test directories so remove ptest. Signed-off-by: Scott Ellis --- recipes-security/scapy/files/run-ptest| 4 recipes-security/scapy/python-scapy.inc | 11 +++ recipes-security/scapy/python-scapy_2.4.0.bb | 6 -- recipes-security/scapy/python-scapy_2.4.2.bb | 4 recipes-security/scapy/python3-scapy_2.4.0.bb | 4 recipes-security/scapy/python3-scapy_2.4.2.bb | 2 ++ 6 files changed, 9 insertions(+), 22 deletions(-) delete mode 100755 recipes-security/scapy/files/run-ptest delete mode 100644 recipes-security/scapy/python-scapy_2.4.0.bb create mode 100644 recipes-security/scapy/python-scapy_2.4.2.bb delete mode 100644 recipes-security/scapy/python3-scapy_2.4.0.bb create mode 100644 recipes-security/scapy/python3-scapy_2.4.2.bb diff --git a/recipes-security/scapy/files/run-ptest b/recipes-security/scapy/files/run-ptest deleted file mode 100755 index 91b29f9..000 --- a/recipes-security/scapy/files/run-ptest +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -UTscapy -t regression.uts -f text -l -C \ --o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \ -2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/' diff --git a/recipes-security/scapy/python-scapy.inc b/recipes-security/scapy/python-scapy.inc index 5abe7db..95e5312 100644 --- a/recipes-security/scapy/python-scapy.inc +++ b/recipes-security/scapy/python-scapy.inc @@ -5,15 +5,10 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69" -SRC_URI[md5sum] = "d7d3c4294f5a718e234775d38dbeb7ec" -SRC_URI[sha256sum] = "452f714f5c2eac6fd0a6146b1dbddfc24dd5f4103f3ed76227995a488cfb2b73" +SRC_URI[md5sum] = "e6a03d8c924a6bbde1e86fc58bd2b9d6" +SRC_URI[sha256sum] = "1baa048936207ceb1a4281a0e1e3b4317667c754872a0bb4734c5213c468e86a" -inherit pypi ptest - -do_install_ptest() { -install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH} -sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest -} +inherit pypi RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-netclient \ ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \ diff --git a/recipes-security/scapy/python-scapy_2.4.0.bb b/recipes-security/scapy/python-scapy_2.4.0.bb deleted file mode 100644 index 98db1fd..000 --- a/recipes-security/scapy/python-scapy_2.4.0.bb +++ /dev/null @@ -1,6 +0,0 @@ -inherit setuptools -require python-scapy.inc - -SRC_URI += "file://run-ptest" - -RDEPENDS_${PN} += "${PYTHON_PN}-subprocess" diff --git a/recipes-security/scapy/python-scapy_2.4.2.bb b/recipes-security/scapy/python-scapy_2.4.2.bb new file mode 100644 index 000..ea8764a --- /dev/null +++ b/recipes-security/scapy/python-scapy_2.4.2.bb @@ -0,0 +1,4 @@ +inherit setuptools +require python-scapy.inc + +RDEPENDS_${PN} += "${PYTHON_PN}-subprocess" diff --git a/recipes-security/scapy/python3-scapy_2.4.0.bb b/recipes-security/scapy/python3-scapy_2.4.0.bb deleted file mode 100644 index 93ca7be..000 --- a/recipes-security/scapy/python3-scapy_2.4.0.bb +++ /dev/null @@ -1,4 +0,0 @@ -inherit setuptools3 -require python-scapy.inc - -SRC_URI += "file://run-ptest" diff --git a/recipes-security/scapy/python3-scapy_2.4.2.bb b/recipes-security/scapy/python3-scapy_2.4.2.bb new file mode 100644 index 000..34eb2a3 --- /dev/null +++ b/recipes-security/scapy/python3-scapy_2.4.2.bb @@ -0,0 +1,2 @@ +inherit setuptools3 +require python-scapy.inc -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][python3-scapy] scapy script is broken
The shebang line in /usr/bin/scapy and /usr/bin/UTscapy is always set for python not python3 and so doesn't work with the python3 scapy install. This problem existed in the 2.4.0 version as well. I am currently using this patch in my local repo to fix python3-scapy builds. diff --git a/recipes-security/scapy/python-scapy.inc b/recipes-security/scapy/python-scapy.inc index d5a70fe..97036e0 100644 --- a/recipes-security/scapy/python-scapy.inc +++ b/recipes-security/scapy/python-scapy.inc @@ -15,6 +15,20 @@ do_install_ptest() { sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest } +do_install_append() { +if [ "${PYTHON_BASEVERSION}" != "2.7" ]; then +bbwarn "Fixing shebang line for scapy and UTscapy" + +if [ -e ${D}${bindir}/scapy ]; then + sed -i -e 's/python/python3/' ${D}${bindir}/scapy +fi + +if [ -e ${D}${bindir}/UTscapy ]; then + sed -i -e 's/python/python3/' ${D}${bindir}/UTscapy +fi +fi +} + ... scapy is just a small wrapper script to launch an interactive scrapy session. Adding the do_install_append() to the python3-scapy.bb doesn't work (never gets called) so I had to add the PYTHON_BASEVERSION check and put it in the *.inc Open to suggestions on a better fix. -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] Upgrade scapy to 2.4.2
Signed-off-by: Scott Ellis --- recipes-security/scapy/python-scapy.inc | 4 ++-- .../scapy/{python-scapy_2.4.0.bb => python-scapy_2.4.2.bb}| 0 .../scapy/{python3-scapy_2.4.0.bb => python3-scapy_2.4.2.bb} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename recipes-security/scapy/{python-scapy_2.4.0.bb => python-scapy_2.4.2.bb} (100%) rename recipes-security/scapy/{python3-scapy_2.4.0.bb => python3-scapy_2.4.2.bb} (100%) diff --git a/recipes-security/scapy/python-scapy.inc b/recipes-security/scapy/python-scapy.inc index 5abe7db..d5a70fe 100644 --- a/recipes-security/scapy/python-scapy.inc +++ b/recipes-security/scapy/python-scapy.inc @@ -5,8 +5,8 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69" -SRC_URI[md5sum] = "d7d3c4294f5a718e234775d38dbeb7ec" -SRC_URI[sha256sum] = "452f714f5c2eac6fd0a6146b1dbddfc24dd5f4103f3ed76227995a488cfb2b73" +SRC_URI[md5sum] = "e6a03d8c924a6bbde1e86fc58bd2b9d6" +SRC_URI[sha256sum] = "1baa048936207ceb1a4281a0e1e3b4317667c754872a0bb4734c5213c468e86a" inherit pypi ptest diff --git a/recipes-security/scapy/python-scapy_2.4.0.bb b/recipes-security/scapy/python-scapy_2.4.2.bb similarity index 100% rename from recipes-security/scapy/python-scapy_2.4.0.bb rename to recipes-security/scapy/python-scapy_2.4.2.bb diff --git a/recipes-security/scapy/python3-scapy_2.4.0.bb b/recipes-security/scapy/python3-scapy_2.4.2.bb similarity index 100% rename from recipes-security/scapy/python3-scapy_2.4.0.bb rename to recipes-security/scapy/python3-scapy_2.4.2.bb -- 2.17.1 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] Add recipe for ncrack
Ncrack is a network authentication cracking tool. Signed-off-by: Scott Ellis --- recipes-security/ncrack/ncrack_0.7.bb | 18 ++ 1 file changed, 18 insertions(+) create mode 100644 recipes-security/ncrack/ncrack_0.7.bb diff --git a/recipes-security/ncrack/ncrack_0.7.bb b/recipes-security/ncrack/ncrack_0.7.bb new file mode 100644 index 000..06ba2b6 --- /dev/null +++ b/recipes-security/ncrack/ncrack_0.7.bb @@ -0,0 +1,18 @@ +SUMMARY = "Network authentication cracking tool" +DESCRIPTION = "Ncrack is designed for high-speed parallel testing of network devices for poor passwords." +HOMEPAGE = "https://nmap.org/ncrack; +SECTION = "security" + +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://COPYING;md5=198fa93d4e80225839e595336f3b5ff0" + +SRCREV = "3a793a21820708466081825beda9fce857f36cb6" +SRC_URI = "git://github.com/nmap/ncrack.git" + +DEPENDS = "openssl zlib" + +inherit autotools-brokensep + +S = "${WORKDIR}/git" + +INSANE_SKIP_${PN} = "already-stripped" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [meta-security][PATCH] checksec: Upgrade to 1.11.0
Switch source to a more up to date github repo. Signed-off-by: Scott Ellis --- recipes-security/checksec/checksec_1.11.bb | 19 +++ 1 file changed, 19 insertions(+) create mode 100644 recipes-security/checksec/checksec_1.11.bb diff --git a/recipes-security/checksec/checksec_1.11.bb b/recipes-security/checksec/checksec_1.11.bb new file mode 100644 index 000..59a67bd --- /dev/null +++ b/recipes-security/checksec/checksec_1.11.bb @@ -0,0 +1,19 @@ +SUMMARY = "Linux system security checks" +DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used." +SECTION = "security" +LICENSE = "BSD" +HOMEPAGE="https://github.com/slimm609/checksec.sh; + +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a" + +SRCREV = "a57e03c4f62dbaca0ec949bbc58491fb0c461447" +SRC_URI = "git://github.com/slimm609/checksec.sh" + +S = "${WORKDIR}/git" + +do_install() { +install -d ${D}${bindir} +install -m 0755 ${S}/checksec ${D}${bindir} +} + +RDEPENDS_${PN} = "bash openssl-bin" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH] nikto: upgrade to 2.1.6 (v2)
Source now on github. Signed-off-by: Scott Ellis --- recipes-security/nikto/files/CVE-2018-11652.patch | 106 --- recipes-security/nikto/files/location.patch | 32 +++--- recipes-security/nikto/nikto_2.1.5.bb | 108 recipes-security/nikto/nikto_2.1.6.bb | 118 ++ 4 files changed, 134 insertions(+), 230 deletions(-) delete mode 100644 recipes-security/nikto/files/CVE-2018-11652.patch delete mode 100644 recipes-security/nikto/nikto_2.1.5.bb create mode 100644 recipes-security/nikto/nikto_2.1.6.bb diff --git a/recipes-security/nikto/files/CVE-2018-11652.patch b/recipes-security/nikto/files/CVE-2018-11652.patch deleted file mode 100644 index 5ddb169..000 --- a/recipes-security/nikto/files/CVE-2018-11652.patch +++ /dev/null @@ -1,106 +0,0 @@ -From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001 -From: sullo -Date: Thu, 31 May 2018 23:30:03 -0400 -Subject: [PATCH] Fix CSV injection issue if server responds with a malicious - Server string & CSV output is opened in Excel or other spreadsheet app. - Potentially malicious cell start characters are now prefaced with a ' mark. - Thanks to Adam (@bytesoverbombs) for letting me know! - -Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split(). - -CVE: CVE-2018-11652 -Upstream-Status: Backport -Signed-off-by: Nagalakshmi Veeramallu - plugins/nikto_outdated.plugin | 2 +- - plugins/nikto_report_csv.plugin | 42 + - 2 files changed, 31 insertions(+), 13 deletions(-) - -diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin -index 72379cc..eb1d889 100644 a/plugins/nikto_outdated.plugin -+++ b/plugins/nikto_outdated.plugin -@@ -83,7 +83,7 @@ sub nikto_outdated { - $sepr = substr($sepr, (length($sepr) - 1), 1); - - # break up ID string on $sepr --my @T = split(/$sepr/, $mark->{'banner'}); -+my @T = split(/\\$sepr/, $mark->{'banner'}); - - # assume last is version... - for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; } -diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin -index d13acab..b942e78 100644 a/plugins/nikto_report_csv.plugin -+++ b/plugins/nikto_report_csv.plugin -@@ -52,10 +52,12 @@ sub csv_open { - sub csv_host_start { - my ($handle, $mark) = @_; - $mark->{'banner'} =~ s/"/\\"/g; --print OUT "\"$mark->{'hostname'}\"," -- . "\"$mark->{'ip'}\"," -- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\"," -- . "\"$mark->{'banner'}\"\n"; -+print $handle "\"" . csv_safecell($hostname) . "\"," -+ . "\"" . csv_safecell($mark->{'ip'}) . "\"," -+ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\"," -+ #. "\"" . $mark->{'banner'} . "\"\n"; -+ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n"; -+ - return; - } - -@@ -65,26 +67,42 @@ sub csv_item { - my ($handle, $mark, $item) = @_; - foreach my $uri (split(' ', $item->{'uri'})) { - my $line = ''; --$line .= "\"$item->{'mark'}->{'hostname'}\","; --$line .= "\"$item->{'mark'}->{'ip'}\","; --$line .= "\"$item->{'mark'}->{'port'}\","; -+$line .= "\"" . csv_safecell($hostname) . "\","; -+$line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \","; -+$line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\","; - - $line .= "\""; - if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; } - $line .= "\","; - - $line .= "\""; --if ($item->{'method'} ne '') { $line .= $item->{'method'}; } -+if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); } - $line .= "\","; - - $line .= "\""; --if ($uri ne '') { $line .= $mark->{'root'} . $uri; } -+ { $line .= csv_safecell($mark->{'root'}) . $uri; } -+ else { $line .= csv_safecell($ur - $line .= "\","; - --$item->{'message'} =~ s/"/\\"/g; --$line .= "\"$item->{'message'}\""; --pr
[yocto] [meta-security][PATCH] nikto: upgrade to 2.1.6
Source now on github. Signed-off-by: Scott Ellis --- recipes-security/nikto/files/CVE-2018-11652.patch | 106 --- recipes-security/nikto/files/location.patch | 32 +++--- recipes-security/nikto/nikto_2.1.5.bb | 108 recipes-security/nikto/nikto_2.1.6.bb | 118 ++ 4 files changed, 134 insertions(+), 230 deletions(-) delete mode 100644 recipes-security/nikto/files/CVE-2018-11652.patch delete mode 100644 recipes-security/nikto/nikto_2.1.5.bb create mode 100644 recipes-security/nikto/nikto_2.1.6.bb diff --git a/recipes-security/nikto/files/CVE-2018-11652.patch b/recipes-security/nikto/files/CVE-2018-11652.patch deleted file mode 100644 index 5ddb169..000 --- a/recipes-security/nikto/files/CVE-2018-11652.patch +++ /dev/null @@ -1,106 +0,0 @@ -From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001 -From: sullo -Date: Thu, 31 May 2018 23:30:03 -0400 -Subject: [PATCH] Fix CSV injection issue if server responds with a malicious - Server string & CSV output is opened in Excel or other spreadsheet app. - Potentially malicious cell start characters are now prefaced with a ' mark. - Thanks to Adam (@bytesoverbombs) for letting me know! - -Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split(). - -CVE: CVE-2018-11652 -Upstream-Status: Backport -Signed-off-by: Nagalakshmi Veeramallu - plugins/nikto_outdated.plugin | 2 +- - plugins/nikto_report_csv.plugin | 42 + - 2 files changed, 31 insertions(+), 13 deletions(-) - -diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin -index 72379cc..eb1d889 100644 a/plugins/nikto_outdated.plugin -+++ b/plugins/nikto_outdated.plugin -@@ -83,7 +83,7 @@ sub nikto_outdated { - $sepr = substr($sepr, (length($sepr) - 1), 1); - - # break up ID string on $sepr --my @T = split(/$sepr/, $mark->{'banner'}); -+my @T = split(/\\$sepr/, $mark->{'banner'}); - - # assume last is version... - for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; } -diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin -index d13acab..b942e78 100644 a/plugins/nikto_report_csv.plugin -+++ b/plugins/nikto_report_csv.plugin -@@ -52,10 +52,12 @@ sub csv_open { - sub csv_host_start { - my ($handle, $mark) = @_; - $mark->{'banner'} =~ s/"/\\"/g; --print OUT "\"$mark->{'hostname'}\"," -- . "\"$mark->{'ip'}\"," -- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\"," -- . "\"$mark->{'banner'}\"\n"; -+print $handle "\"" . csv_safecell($hostname) . "\"," -+ . "\"" . csv_safecell($mark->{'ip'}) . "\"," -+ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\"," -+ #. "\"" . $mark->{'banner'} . "\"\n"; -+ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n"; -+ - return; - } - -@@ -65,26 +67,42 @@ sub csv_item { - my ($handle, $mark, $item) = @_; - foreach my $uri (split(' ', $item->{'uri'})) { - my $line = ''; --$line .= "\"$item->{'mark'}->{'hostname'}\","; --$line .= "\"$item->{'mark'}->{'ip'}\","; --$line .= "\"$item->{'mark'}->{'port'}\","; -+$line .= "\"" . csv_safecell($hostname) . "\","; -+$line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \","; -+$line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\","; - - $line .= "\""; - if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; } - $line .= "\","; - - $line .= "\""; --if ($item->{'method'} ne '') { $line .= $item->{'method'}; } -+if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); } - $line .= "\","; - - $line .= "\""; --if ($uri ne '') { $line .= $mark->{'root'} . $uri; } -+ { $line .= csv_safecell($mark->{'root'}) . $uri; } -+ else { $line .= csv_safecell($ur - $line .= "\","; - --$item->{'message'} =~ s/"/\\"/g; --$line .= "\"$item->{'message'}\""; --pr
[yocto] [meta-raspberrypi][PATCH] userland: Add bash to RDEPENDS
WARNING: userland-git-r5 do_package_qa: QA Issue: /usr/bin/dtoverlay-post contained in package userland requires /bin/bash, but no providers found in RDEPENDS_userland? [file-rdeps] Signed-off-by: Scott Ellis <sc...@jumpnowtek.com> --- recipes-graphics/userland/userland_git.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes-graphics/userland/userland_git.bb b/recipes-graphics/userland/userland_git.bb index 6e73ca7..99cf02c 100644 --- a/recipes-graphics/userland/userland_git.bb +++ b/recipes-graphics/userland/userland_git.bb @@ -71,3 +71,5 @@ FILES_${PN}-doc += "${datadir}/install" FILES_${PN}-dbg += "${libdir}/plugins/.debug" PACKAGE_ARCH = "${MACHINE_ARCH}" + +RDEPENDS_${PN} += "bash" -- 2.7.4 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [PATCH][coreutils] Add attr build dependency
The 'something' would be 'xattr' PACKAGECONFIG[attr] = "--enable-xattr,--disable-xattr,attr," What should the default be? The acl option for coreutils looks in DISTRO_FEATURES. Should I do the same for this? "Khem Raj" <raj.k...@gmail.com> said: > Scott > > Thanks for patch. You might want to send into to oe-core mailing list. > >> On Jan 14, 2016, at 6:54 AM, Scott Ellis <sc...@jumpnowtek.com> wrote: >> >> Fixes this warning: >> >> WARNING: QA Issue: coreutils rdepends on libattr, but it isn't a build >> dependency? [build-deps] >> >> Signed-off-by: Scott Ellis <sc...@jumpnowtek.com> >> --- >> meta/recipes-core/coreutils/coreutils_8.24.bb | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/meta/recipes-core/coreutils/coreutils_8.24.bb >> b/meta/recipes-core/coreutils/coreutils_8.24.bb >> index f042346..47a25f3 100644 >> --- a/meta/recipes-core/coreutils/coreutils_8.24.bb >> +++ b/meta/recipes-core/coreutils/coreutils_8.24.bb >> @@ -7,7 +7,7 @@ BUGTRACKER = "http://debbugs.gnu.org/coreutils; >> LICENSE = "GPLv3+" >> LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504\ >> >> file://src/ls.c;beginline=5;endline=16;md5=38b79785ca88537b75871782a2a3c6b8" >> -DEPENDS = "gmp libcap" >> +DEPENDS = "attr gmp lib cap” > > while this fix is good. We can make this into a packageconfig knob > > PACKAGECONFIG[attr] = "--enable-something,--disable-something,attr," > >> DEPENDS_class-native = "" >> >> inherit autotools gettext texinfo >> -- >> 2.5.0 >> >> -- >> ___ >> yocto mailing list >> yocto@yoctoproject.org >> https://lists.yoctoproject.org/listinfo/yocto > > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
Re: [yocto] [PATCH][coreutils] Add attr build dependency
Fixes this warning: WARNING: QA Issue: coreutils rdepends on libattr, but it isn't a build dependency? [build-deps] Signed-off-by: Scott Ellis <sc...@jumpnowtek.com> --- meta/recipes-core/coreutils/coreutils_8.24.bb | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/meta/recipes-core/coreutils/coreutils_8.24.bb b/meta/recipes-core/coreutils/coreutils_8.24.bb index f042346..6a09c59 100644 --- a/meta/recipes-core/coreutils/coreutils_8.24.bb +++ b/meta/recipes-core/coreutils/coreutils_8.24.bb @@ -28,14 +28,19 @@ SRC_URI[manpages.sha256sum] = "cf0333b5f134a331e0b46e2ddf90666f8bdc3281c1ca2c7cc EXTRA_OECONF_class-native = "--without-gmp" EXTRA_OECONF_class-target = "--enable-install-program=arch --libexecdir=${libdir}" -# acl is not a default feature +# acl and xattr are not default features # -PACKAGECONFIG_class-target ??= "${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)}" +PACKAGECONFIG_class-target ??= "\ +${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)} \ +${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \ +" + PACKAGECONFIG_class-native ??= "" # with, without, depends, rdepends # PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl," +PACKAGECONFIG[xattr] = "--enable-xattr,--disable-xattr,attr," # [ df mktemp base64 gets a special treatment and is not included in this bindir_progs = "arch basename chcon cksum comm csplit cut dir dircolors dirname du \ -- 2.5.0 "Khem Raj" <raj.k...@gmail.com> said: > >> On Jan 15, 2016, at 7:15 AM, Scott Ellis <sc...@jumpnowtek.com> wrote: >> >> The 'something' would be 'xattr' >> >> PACKAGECONFIG[attr] = "--enable-xattr,--disable-xattr,attr," >> >> What should the default be? >> >> The acl option for coreutils looks in DISTRO_FEATURES. >> >> Should I do the same for this? > > if it depends on some DISTRO_FEATURE then definitely yes. Otherwise define the > packageconfig > and then weakly assign a default with ??= > >> >> "Khem Raj" <raj.k...@gmail.com> said: >> >>> Scott >>> >>> Thanks for patch. You might want to send into to oe-core mailing list. >>> >>>> On Jan 14, 2016, at 6:54 AM, Scott Ellis <sc...@jumpnowtek.com> wrote: >>>> >>>> Fixes this warning: >>>> >>>> WARNING: QA Issue: coreutils rdepends on libattr, but it isn't a build >>>> dependency? [build-deps] >>>> >>>> Signed-off-by: Scott Ellis <sc...@jumpnowtek.com> >>>> --- >>>> meta/recipes-core/coreutils/coreutils_8.24.bb | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>> >>>> diff --git a/meta/recipes-core/coreutils/coreutils_8.24.bb >>>> b/meta/recipes-core/coreutils/coreutils_8.24.bb >>>> index f042346..47a25f3 100644 >>>> --- a/meta/recipes-core/coreutils/coreutils_8.24.bb >>>> +++ b/meta/recipes-core/coreutils/coreutils_8.24.bb >>>> @@ -7,7 +7,7 @@ BUGTRACKER = "http://debbugs.gnu.org/coreutils; >>>> LICENSE = "GPLv3+" >>>> LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504\ >>>> >>>> file://src/ls.c;beginline=5;endline=16;md5=38b79785ca88537b75871782a2a3c6b8" >>>> -DEPENDS = "gmp libcap" >>>> +DEPENDS = "attr gmp lib cap” >>> >>> while this fix is good. We can make this into a packageconfig knob >>> >>> PACKAGECONFIG[attr] = "--enable-something,--disable-something,attr," >>> >>>> DEPENDS_class-native = "" >>>> >>>> inherit autotools gettext texinfo >>>> -- >>>> 2.5.0 >>>> >>>> -- >>>> ___ >>>> yocto mailing list >>>> yocto@yoctoproject.org >>>> https://lists.yoctoproject.org/listinfo/yocto >>> >>> >> >> >> -- >> ___ >> yocto mailing list >> yocto@yoctoproject.org >> https://lists.yoctoproject.org/listinfo/yocto > > -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
[yocto] [PATCH][coreutils] Add attr build dependency
Fixes this warning: WARNING: QA Issue: coreutils rdepends on libattr, but it isn't a build dependency? [build-deps] Signed-off-by: Scott Ellis <sc...@jumpnowtek.com> --- meta/recipes-core/coreutils/coreutils_8.24.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/coreutils/coreutils_8.24.bb b/meta/recipes-core/coreutils/coreutils_8.24.bb index f042346..47a25f3 100644 --- a/meta/recipes-core/coreutils/coreutils_8.24.bb +++ b/meta/recipes-core/coreutils/coreutils_8.24.bb @@ -7,7 +7,7 @@ BUGTRACKER = "http://debbugs.gnu.org/coreutils; LICENSE = "GPLv3+" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504\ file://src/ls.c;beginline=5;endline=16;md5=38b79785ca88537b75871782a2a3c6b8" -DEPENDS = "gmp libcap" +DEPENDS = "attr gmp libcap" DEPENDS_class-native = "" inherit autotools gettext texinfo -- 2.5.0 -- ___ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto