[OE-core] [PATCH resend V2 3/4] libarchive: CVE-2017-14503

2018-08-22 Thread Jagadeesh Krishnanjanappa
Reject LHA archive entries with negative size. Affects libarchive = 3.3.2 Signed-off-by: Jagadeesh Krishnanjanappa --- .../libarchive/libarchive/CVE-2017-14503.patch | 33 ++ .../libarchive/libarchive_3.3.2.bb | 1 + 2 files changed, 34 insertions(+)

[OE-core] [PATCH resend V2 4/4] perl: CVE-2018-12015

2018-08-22 Thread Jagadeesh Krishnanjanappa
Remove existing files before overwriting them Archive should extract only the latest same-named entry. Extracted regular file should not be written into existing block device (or any other one). https://rt.cpan.org/Ticket/Display.html?id=125523 Affects perl <= 5.26.2 Signed-off-by: Jagadeesh

[OE-core] [PATCH resend V2 1/4] libsndfile1: CVE-2017-14245 CVE-2017-14246

2018-08-22 Thread Jagadeesh Krishnanjanappa
sfe_copy_data_fp: check value of "max" variable for being normal and check elements of the data[] array for being finite. Both checks use functions provided by the header as declared by the C99 standard. Fixes #317 CVE-2017-14245 CVE-2017-14246 Affects libsndfile1 = 1.0.28 Signed-off-by:

[OE-core] [PATCH resend V2 2/4] libsndfile1: CVE-2017-14634

2018-08-22 Thread Jagadeesh Krishnanjanappa
double64_init: Check psf->sf.channels against upper bound This prevents division by zero later in the code. While the trivial case to catch this (i.e. sf.channels < 1) has already been covered, a crafted file may report a number of channels that is so high (i.e. > INT_MAX/sizeof(double)) that it

[OE-core] [PATCH] openssl: remove dependency on relative_symlinks class

2018-08-22 Thread Andre McCurdy
Although the relative_symlinks class converts any absolute symlinks in ${D} into relative symlinks automatically, it's a little clearer to create relative symlinks directly where possible. Signed-off-by: Andre McCurdy --- meta/recipes-connectivity/openssl/openssl_1.0.2p.bb | 11 +++

Re: [OE-core] [PATCH] python3: enable profile optimized builds

2018-08-22 Thread Andre McCurdy
On Thu, Aug 16, 2018 at 9:48 PM, Anuj Mittal wrote: > On 08/17/2018 03:31 AM, Andre McCurdy wrote: >> On Wed, Aug 15, 2018 at 11:26 PM, Anuj Mittal wrote: >>> Enable profile guided optimization (pgo) for python3. Enabling pgo in >>> python is generally as simple as invoking the target

Re: [OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Andre McCurdy
On Wed, Aug 22, 2018 at 2:56 PM, Ryan Harkin wrote: > On Wed, 22 Aug 2018, 21:42 Andre McCurdy, wrote: >> On Wed, Aug 22, 2018 at 1:10 PM, Ryan Harkin >> wrote: >> > On Wed, 22 Aug 2018, 20:02 Martin Jansa, wrote: >> >> >> >> Your 1st parameter is wrong, compare again with the example I gave

Re: [OE-core] Face some linker errors recently

2018-08-22 Thread Andreas Müller
On Thu, Aug 23, 2018 at 12:17 AM, Andreas Müller wrote: > Hi, > > to test my patches, I moved my layers from sumo to recent master and > see similar linker (=gold) errors in different recipes. Up to now > there are: > And meta-qt5-extra/krita:

Re: [OE-core] [PATCH 2/2] libxml-parser-perl: fix "...contains bad RPATH"

2018-08-22 Thread Richard Purdie
On Wed, 2018-08-22 at 16:56 +0100, Richard Purdie wrote: > Sorry, this fails to build the nativesdk version: > > https://autobuilder.yocto.io/builders/nightly-x86/builds/1261/steps/B > uilding%20Toolchain%20Images/logs/stdio > > I suspect you need to strip the RPATH in the nativesdk case...

[OE-core] Face some linker errors recently

2018-08-22 Thread Andreas Müller
Hi, to test my patches, I moved my layers from sumo to recent master and see similar linker (=gold) errors in different recipes. Up to now there are: meta-qt5-extra/kwallet: FAILED: bin/libkwalletbackend5.so.5.49.0 : &&

Re: [OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Ryan Harkin
On Wed, 22 Aug 2018, 21:42 Andre McCurdy, wrote: > On Wed, Aug 22, 2018 at 1:10 PM, Ryan Harkin > wrote: > > On Wed, 22 Aug 2018, 20:02 Martin Jansa, wrote: > >> > >> Your 1st parameter is wrong, compare again with the example I gave you > >> (don't include "brcm/" path in 1st param, because

Re: [OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Ryan Harkin
On Wed, 22 Aug 2018, 21:36 Khem Raj, wrote: > I wonder how it work with meta-raspberrypi now that it has its own > packing for firmware > Sorry Them, I don't understand your question. On Wed, Aug 22, 2018 at 1:10 PM Ryan Harkin wrote: > > > > > > > > On Wed, 22 Aug 2018, 20:02 Martin Jansa,

Re: [OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Andre McCurdy
On Wed, Aug 22, 2018 at 1:10 PM, Ryan Harkin wrote: > On Wed, 22 Aug 2018, 20:02 Martin Jansa, wrote: >> >> Your 1st parameter is wrong, compare again with the example I gave you >> (don't include "brcm/" path in 1st param, because you want the symlink to >> point to just

Re: [OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Khem Raj
I wonder how it work with meta-raspberrypi now that it has its own packing for firmware On Wed, Aug 22, 2018 at 1:10 PM Ryan Harkin wrote: > > > > On Wed, 22 Aug 2018, 20:02 Martin Jansa, wrote: >> >> Your 1st parameter is wrong, compare again with the example I gave you >> (don't include

Re: [OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Ryan Harkin
On Wed, 22 Aug 2018, 20:02 Martin Jansa, wrote: > Your 1st parameter is wrong, compare again with the example I gave you > (don't include "brcm/" path in 1st param, because you want the symlink to > point to just brcmfmac43430-sdio.AP6212.txt like you did in the version > after cd). > That

Re: [OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Martin Jansa
Your 1st parameter is wrong, compare again with the example I gave you (don't include "brcm/" path in 1st param, because you want the symlink to point to just brcmfmac43430-sdio.AP6212.txt like you did in the version after cd). On Wed, Aug 22, 2018 at 7:11 PM Ryan Harkin wrote: > This is

Re: [OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Ryan Harkin
This is curious! On 22 August 2018 at 17:56, Martin Jansa wrote: > cd ${D}${nonarch_base_libdir}/firmware/brcm/ ; ln -sf > brcmfmac43430-sdio.AP6212.txt brcmfmac43430-sdio.txt > > is the same as > > ln -sf brcmfmac43430-sdio.AP6212.txt ${D}${nonarch_base_libdir}/fir >

Re: [OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Martin Jansa
cd ${D}${nonarch_base_libdir}/firmware/brcm/ ; ln -sf brcmfmac43430-sdio.AP6212.txt brcmfmac43430-sdio.txt is the same as ln -sf brcmfmac43430-sdio.AP6212.txt ${D}${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.txt On Wed, Aug 22, 2018 at 6:47 PM Ryan Harkin wrote: > > > On 22 August

[OE-core] [PATCH] ltp: Fix ftest06 too small file path string

2018-08-22 Thread zhe.he
From: He Zhe The name string is too small to contain normal full path names and causes the following failure. "ftest06 2 TFAIL : ftest06.c:223: Can't chdir(): errno=ENOENT(2): No such file or directory" Signed-off-by: He Zhe --- ...est06.c-Fix-too-small-name-string-and-rel.patch | 34

Re: [OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Ryan Harkin
On 22 August 2018 at 17:41, Martin Jansa wrote: > The "cd ${D}${nonarch_base_libdir}/firmware/brcm/" doesn't seem to be > needed, just include the path in 2nd ln parameter. > I don't think that works, or at least, it doesn't work for me, so I may be doing something wrong. I'm also copying the

Re: [OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Martin Jansa
The "cd ${D}${nonarch_base_libdir}/firmware/brcm/" doesn't seem to be needed, just include the path in 2nd ln parameter. On Wed, Aug 22, 2018 at 6:30 PM Ryan Harkin wrote: > The Linux kernel currently expects a single NVRAM file for BCM43430 > named brcmfmac43430-sdio.txt. > > Allow the machine

[OE-core] [RFC 3/3] linux-firmware: MACHINEOVERRIDES for BCM43430 NVRAM

2018-08-22 Thread Ryan Harkin
The Linux kernel currently expects a single NVRAM file for BCM43430 named brcmfmac43430-sdio.txt. Allow the machine to specify an override to link its module specific NVRAM to the filename expected by the kernel. Signed-off-by: Ryan Harkin ---

[OE-core] [RFC 1/3] linux-firmware: upgrade to 1d17c18 revision

2018-08-22 Thread Ryan Harkin
Following changes are applied: 1d17c18 linux-firmware: add firmware for mhdp8546 c2e0d14 qed: Add firmware 8.37.7.0 f1b95fe linux-firmware:Update firmware patch for Intel Bluetooth 7265 8813230 linux-firmware: Update firmware file for Intel Bluetooth,9560 c2d8f1b linux-firmware: Update firmware

[OE-core] [RFC 2/3] linux-firmware: add BCM43430 nvram files

2018-08-22 Thread Ryan Harkin
Add the new BCM43430 NVRAM files into the recipe. Signed-off-by: Ryan Harkin --- meta/recipes-kernel/linux-firmware/linux-firmware_git.bb | 6 ++ 1 file changed, 6 insertions(+) diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_git.bb

[OE-core] [RFC 0/3] Adding BCM43430 NVRAM files

2018-08-22 Thread Ryan Harkin
[Resending because I sent to the wrong email address for the oe-core mailing list] NVRAM files for the 43430 modules have been committed into the upstream Linux firmware repo. I'd like to add these files into the linux-firmware recipe. The following files exist upstream on kernel.org: -

Re: [OE-core] [PATCH 2/2] libxml-parser-perl: fix "...contains bad RPATH"

2018-08-22 Thread Richard Purdie
On Wed, 2018-08-22 at 11:04 +0200, Jens Rehsack wrote: > The perl distribution "XML-Parser" relies for configuration > on the tooling of Devel::CheckLib - which is not aware of > sysroot locations nor of reasonable compiler/link definitions > from outside. > > This causes > > ERROR:

Re: [OE-core] [RFC] Yocto Project Bug 12372 - Automate the execution of pTest with LAVA

2018-08-22 Thread Yang Wang
On 18-08-22 02:51 AM, Nicolas Dechesne wrote: > hi, > > On Wed, Aug 22, 2018 at 4:25 AM Randy MacLeod > wrote: >> On 08/21/2018 11:04 AM, Wang, Yang (Young) wrote: >>> Hi All, >>> >>> I'm working on this ticket: >>> https://bugzilla.yoctoproject.org/show_bug.cgi?id=12372 >> Thanks for

Re: [OE-core] [PATCH] glibc: Fix ldd bug: not a dynamic executable error

2018-08-22 Thread Khem Raj
On Wed, Aug 22, 2018 at 7:57 AM wrote: > > On Wed, 2018-08-22 at 15:39 +0200, Ricardo Ribalda Delgado wrote: > > On Wed, Aug 22, 2018 at 3:37 PM > > wrote: > > > > RTLDLIST="/lib/ld-linux.so.2 /lib64/ld-linux-x86-64.so.2 > > > > /libx32/ld-linux-x32.so. > > > > > > I just looked at what the

[OE-core] [ROCKO][PATCH V3 33/34] perl: CVE-2018-12015

2018-08-22 Thread Jagadeesh Krishnanjanappa
Remove existing files before overwriting them Archive should extract only the latest same-named entry. Extracted regular file should not be written into existing block device (or any other one). https://rt.cpan.org/Ticket/Display.html?id=125523 Affects perl <= 5.26.2 Signed-off-by: Jagadeesh

[OE-core] [ROCKO][PATCH V3 34/34] libgcrypt: CVE-2018-0495

2018-08-22 Thread Jagadeesh Krishnanjanappa
ecc: Add blinding for ECDSA. * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with randomized nonce B. -- CVE-id: CVE-2018-0495 Affects libgcrypt < 1.7.10 and libgcrypt < 1.8.3 Signed-off-by: Jagadeesh Krishnanjanappa --- .../libgcrypt/files/CVE-2018-0495.patch| 76

[OE-core] [ROCKO][PATCH V3 31/34] git: CVE-2018-11235

2018-08-22 Thread Jagadeesh Krishnanjanappa
submodule-config: verify submodule names as paths Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name (among other things). Let's sanity-check

[OE-core] [ROCKO][PATCH V3 32/34] openssl: CVE-2018-0732

2018-08-22 Thread Jagadeesh Krishnanjanappa
Reject excessively large primes in DH key generation. CVE-2018-0732 Affects openssl 1.0.2 to 1.0.2o Signed-off-by: Jagadeesh Krishnanjanappa --- .../openssl/openssl-1.0.2o/CVE-2018-0732.patch | 46 ++ .../recipes-connectivity/openssl/openssl_1.0.2o.bb | 1 + 2 files

[OE-core] [ROCKO][PATCH V3 30/34] flac: CVE-2017-6888

2018-08-22 Thread Jagadeesh Krishnanjanappa
stream_decoder.c: Fix a memory leak Leak reported by Secunia Research. Affects flac = 1.3.2 Signed-off-by: Jagadeesh Krishnanjanappa --- .../flac/files/CVE-2017-6888.patch | 31 ++ meta/recipes-multimedia/flac/flac_1.3.2.bb | 3 ++- 2 files

[OE-core] [ROCKO][PATCH V3 29/34] wget: CVE-2018-0494

2018-08-22 Thread Jagadeesh Krishnanjanappa
Fix cookie injection (CVE-2018-0494) * src/http.c (resp_new): Replace \r\n by space in continuation lines Fixes #53763 "Malicious website can write arbitrary cookie entries to cookie jar" HTTP header parsing left the \r\n from continuation line intact. The Set-Cookie code didn't check and could

[OE-core] [ROCKO][PATCH V3 28/34] perl: CVE-2018-6913

2018-08-22 Thread Jagadeesh Krishnanjanappa
(perl #131844) fix various space calculation issues in pp_pack.c - for the originally reported case, if the start/cur pointer is in the top 75% of the address space the add (cur) + glen addition would overflow, resulting in the condition failing incorrectly. - the addition of the existing

[OE-core] [ROCKO][PATCH V3 27/34] perl: CVE-2018-6797

2018-08-22 Thread Jagadeesh Krishnanjanappa
(perl #132227) restart a node if we change to uni rules within the node and encounter... This could lead to a buffer overflow. (cherry picked from commit a02c70e35d1313a5f4e245e8f863c810e991172d) Affects perl >= 5.18 && perl <= 5.26 Signed-off-by: Jagadeesh Krishnanjanappa ---

[OE-core] [ROCKO][PATCH V3 26/34] shadow: CVE-2018-7169

2018-08-22 Thread Jagadeesh Krishnanjanappa
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by

[OE-core] [ROCKO][PATCH V3 25/34] qemu: CVE-2018-12617

2018-08-22 Thread Jagadeesh Krishnanjanappa
qga: check bytes count read by guest-file-read While reading file content via 'guest-file-read' command, 'qmp_guest_file_read' routine allocates buffer of count+1 bytes. It could overflow for large values of 'count'. Add check to avoid it. Affects qemu < v3.0.0 Signed-off-by: Jagadeesh

[OE-core] [ROCKO][PATCH V3 24/34] qemu: CVE-2018-7550

2018-08-22 Thread Jagadeesh Krishnanjanappa
multiboot: bss_end_addr can be zero The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/), section 3.1.3, allows for bss_end_addr to be zero. A zero bss_end_addr signifies there is no .bss section. Affects qemu < v2.12.0 Signed-off-by: Jagadeesh Krishnanjanappa ---

[OE-core] [ROCKO][PATCH V3 23/34] qemu: CVE-2017-18043

2018-08-22 Thread Jagadeesh Krishnanjanappa
osdep: Fix ROUND_UP(64-bit, 32-bit) When using bit-wise operations that exploit the power-of-two nature of the second argument of ROUND_UP(), we still need to ensure that the mask is as wide as the first argument (done by using a ternary to force proper arithmetic promotion). Unpatched,

[OE-core] [ROCKO][PATCH V3 22/34] libarchive: CVE-2017-14503

2018-08-22 Thread Jagadeesh Krishnanjanappa
Reject LHA archive entries with negative size. Affects libarchive = 3.3.2 Signed-off-by: Jagadeesh Krishnanjanappa --- .../libarchive/libarchive/CVE-2017-14503.patch | 33 ++ .../libarchive/libarchive_3.3.2.bb | 1 + 2 files changed, 34 insertions(+)

[OE-core] [ROCKO][PATCH V3 21/34] libsndfile1: CVE-2017-14634

2018-08-22 Thread Jagadeesh Krishnanjanappa
double64_init: Check psf->sf.channels against upper bound This prevents division by zero later in the code. While the trivial case to catch this (i.e. sf.channels < 1) has already been covered, a crafted file may report a number of channels that is so high (i.e. > INT_MAX/sizeof(double)) that it

[OE-core] [ROCKO][PATCH V3 20/34] git: CVE-2017-15298

2018-08-22 Thread Jagadeesh Krishnanjanappa
revision: quit pruning diff more quickly when possible When the revision traversal machinery is given a pathspec, we must compute the parent-diff for each commit to determine which ones are TREESAME. We set the QUICK diff flag to avoid looking at more entries than we need; we really just care

[OE-core] [ROCKO][PATCH V3 16/34] Qemu: CVE-2018-11806 slirp-heap-buffer-overflow

2018-08-22 Thread Jagadeesh Krishnanjanappa
From: Jeremy Puhlman slirp: correct size computation while concatenating mbuf While reassembling incoming fragmented datagrams, 'm_cat' routine extends the 'mbuf' buffer, if it has insufficient room. It computes a wrong buffer size, which leads to overwriting adjacent heap buffer area. Correct

[OE-core] [ROCKO][PATCH V3 19/34] openssh: CVE-2017-15906

2018-08-22 Thread Jagadeesh Krishnanjanappa
disallow creation (of empty files) in read-only mode; reported by Michal Zalewski, feedback & ok deraadt@ Affects openssh < 7.6 Signed-off-by: Jagadeesh Krishnanjanappa --- .../openssh/openssh/CVE-2017-15906.patch | 38 ++

[OE-core] [ROCKO][PATCH V3 15/34] curl: CVE-2018-0500

2018-08-22 Thread Jagadeesh Krishnanjanappa
smtp: use the upload buffer size for scratch buffer malloc ... not the read buffer size, as that can be set smaller and thus cause a buffer overflow! CVE-2018-0500 Reported-by: Peter Wu Bug: https://curl.haxx.se/docs/adv_2018-70a2.html Affects curl >= 7.54.1 && curl <= 7.60.0 Signed-off-by:

[OE-core] [ROCKO][PATCH V3 14/34] gnupg: CVE-2018-12020

2018-08-22 Thread Jagadeesh Krishnanjanappa
gpg: Sanitize diagnostic with the original file name. * g10/mainproc.c (proc_plaintext): Sanitize verbose output. -- This fixes a forgotten sanitation of user supplied data in a verbose mode diagnostic. The mentioned CVE is about using this to inject status-fd lines into the stderr output. Other

[OE-core] [ROCKO][PATCH V3 18/34] pcmanfm: CVE-2017-8934

2018-08-22 Thread Jagadeesh Krishnanjanappa
Fix potential access violation, use runtime user dir instead of tmp dir. pcmanfm = 1.2.5 Signed-off-by: Jagadeesh Krishnanjanappa --- .../recipes-sato/pcmanfm/files/CVE-2017-8934.patch | 60 ++ meta/recipes-sato/pcmanfm/pcmanfm_1.2.5.bb | 3 +- 2 files changed, 62

[OE-core] [ROCKO][PATCH V3 17/34] qemu: CVE-2017-15119

2018-08-22 Thread Jagadeesh Krishnanjanappa
nbd/server: CVE-2017-15119 Reject options larger than 32M The NBD spec gives us permission to abruptly disconnect on clients that send outrageously large option requests, rather than having to spend the time reading to the end of the option. No real option request requires that much data

[OE-core] [ROCKO][PATCH V3 13/34] procps: CVE-2018-1124

2018-08-22 Thread Jagadeesh Krishnanjanappa
proc/readproc.c: Fix bugs and overflows in file2strvec(). Note: this is by far the most important and complex patch of the whole series, please review it carefully; thank you very much! For this patch, we decided to keep the original function's design and skeleton, to avoid regressions and

[OE-core] [ROCKO][PATCH V3 12/34] curl: CVE-2018-1000301

2018-08-22 Thread Jagadeesh Krishnanjanappa
http: restore buffer pointer when bad response-line is parsed ... leaving the k->str could lead to buffer over-reads later on. CVE: CVE-2018-1000301 Assisted-by: Max Dymond Detected by OSS-Fuzz. Bug: https://curl.haxx.se/docs/adv_2018-b138.html Bug:

[OE-core] [ROCKO][PATCH V3 10/34] perl: CVE-2018-6798

2018-08-22 Thread Jagadeesh Krishnanjanappa
* CVE-2018-6798-1 The proximal cause is several instances in regexec.c of the code assuming that the input was valid UTF-8, whereas the input was too short for what the start byte claimed it would be. I grepped through the core for any other similar uses, and did not find any. (cherry

[OE-core] [ROCKO][PATCH V3 11/34] curl: CVE-2018-1000300

2018-08-22 Thread Jagadeesh Krishnanjanappa
pingpong: fix response cache memcpy overflow Response data for a handle with a large buffer might be cached and then used with the "closure" handle when it has a smaller buffer and then the larger cache will be copied and overflow the new smaller heap based buffer. Reported-by: Dario Weisser CVE:

[OE-core] [ROCKO][PATCH V3 08/34] util-linux: CVE-2018-7738

2018-08-22 Thread Jagadeesh Krishnanjanappa
bash-completion: (umount) use findmnt, escape a space in paths # mount /dev/sdc1 /mnt/test/foo\ bar # umount has to return "/mnt/test/foo\ bar". Changes: * don't use mount | awk output, we have findmnt * force compgen use \n as entries separator Affects util-linux < 2.32-rc1

[OE-core] [ROCKO][PATCH V3 09/34] python: CVE-2018-1000030

2018-08-22 Thread Jagadeesh Krishnanjanappa
* CVE-2018-1000030-1 [2.7] bpo-31530: Stop crashes when iterating over a file on multiple threads * CVE-2018-1000030-2 Multiple threads iterating over a file can corrupt the file's internal readahead buffer resulting in crashes. To fix this, cache buffer state thread-locally for the duration of a

[OE-core] [ROCKO][PATCH V3 06/34] coreutils: CVE-2017-18018

2018-08-22 Thread Jagadeesh Krishnanjanappa
CVE-2017-18018-1: doc: clarify chown/chgrp --dereference defaults * doc/coreutils.texi: the documentation for the --dereference flag of chown/chgrp states that it is the default mode of operation. Document that this is only the case when operating non-recursively. CVE-2017-18018-2: doc:

[OE-core] [ROCKO][PATCH V3 07/34] gdk-pixbuf: CVE-2017-1000422

2018-08-22 Thread Jagadeesh Krishnanjanappa
io-gif: Fail quickly when image dimensions are too big Fail quickly when the dimensions would create an image that's bigger than MAXINT bytes long. See https://bugzilla.gnome.org/show_bug.cgi?id=765094 https://bugzilla.gnome.org/show_bug.cgi?id=785973 Affects gdk-pixbuf <= 2.36.8

[OE-core] [ROCKO][PATCH V3 04/34] libvorbis: CVE-2017-14160

2018-08-22 Thread Jagadeesh Krishnanjanappa
CVE-2017-14160: fix bounds check on very low sample rates. Affects libvorbis = 1.3.5 Signed-off-by: Jagadeesh Krishnanjanappa --- .../libvorbis/libvorbis/CVE-2017-14160.patch | 33 ++ .../libvorbis/libvorbis_1.3.5.bb | 2 ++ 2 files changed, 35

[OE-core] [ROCKO][PATCH V3 05/34] rpm: CVE-2017-7501

2018-08-22 Thread Jagadeesh Krishnanjanappa
Open newly created files with O_EXCL to prevent symlink tricks. When reopening hardlinks for writing the actual content, use append mode instead. This is compatible with the write-only permissions but is not destructive in case we got redirected to somebody else's file, verify the target before

[OE-core] [ROCKO][PATCH V3 03/34] libsndfile1: CVE-2017-14245 CVE-2017-14246

2018-08-22 Thread Jagadeesh Krishnanjanappa
sfe_copy_data_fp: check value of "max" variable for being normal and check elements of the data[] array for being finite. Both checks use functions provided by the header as declared by the C99 standard. Fixes #317 CVE-2017-14245 CVE-2017-14246 Affects libsndfile1 = 1.0.28 Signed-off-by:

[OE-core] [ROCKO][PATCH V3 02/34] busybox: CVE-2017-16544

2018-08-22 Thread Jagadeesh Krishnanjanappa
lineedit: do not tab-complete any strings which have control characters function old new delta add_match 41 68 +27 Affects busybox <= 1.27.2 Signed-off-by: Jagadeesh Krishnanjanappa --- .../busybox/busybox/CVE-2017-16544.patch | 44 ++

[OE-core] [ROCKO][PATCH V3 01/34] sqlite3: CVE-2017-15286

2018-08-22 Thread Jagadeesh Krishnanjanappa
CVE-2017-15286: Make sure the tableColumnList() routine of the command-line shell does not cause a null-pointer dereference in an error condition. Affects sqlite3 < 3.21 Signed-off-by: Jagadeesh Krishnanjanappa --- .../sqlite/files/CVE-2017-15286.patch | 34 ++

[OE-core] [PATCH] mtd-utils: Revert "Return correct error number in ubi_get_vol_in"

2018-08-22 Thread Adriana Kobylak
> On Jul 30, 2018, at 12:56 PM, Adriana Kobylak wrote: > > Add mtd-utils upstream patch that fixes a regression on the > mtd-utils tools such as ubinfo. > > Details of the issue which affects mtd-utils 2.0.1 and 2.0.2: > http://lists.infradead.org/pipermail/linux-mtd/2018-June/081562.html >

Re: [OE-core] [PATCH] glibc: Fix ldd bug: not a dynamic executable error

2018-08-22 Thread richard . purdie
On Wed, 2018-08-22 at 15:39 +0200, Ricardo Ribalda Delgado wrote: > On Wed, Aug 22, 2018 at 3:37 PM > wrote: > > > RTLDLIST="/lib/ld-linux.so.2 /lib64/ld-linux-x86-64.so.2 > > > /libx32/ld-linux-x32.so. > > > > I just looked at what the function is doing and its broken. What is > > DEFAULTTUNE

Re: [OE-core] [PATCH] kernel: yocto: Add dependency on do_prepare_recipe_sysroot

2018-08-22 Thread Bruce Ashfield
On 08/22/2018 10:47 AM, Lukasz Majewski wrote: On Wed, 22 Aug 2018 10:44:08 -0400 Bruce Ashfield wrote: On 08/22/2018 10:20 AM, Lukasz Majewski wrote: On Wed, 22 Aug 2018 10:13:33 -0400 Bruce Ashfield wrote: On 08/22/2018 10:05 AM, Lukasz Majewski wrote: Hi Bruce, On

Re: [OE-core] [PATCH] kernel: yocto: Add dependency on do_prepare_recipe_sysroot

2018-08-22 Thread Lukasz Majewski
On Wed, 22 Aug 2018 10:44:08 -0400 Bruce Ashfield wrote: > On 08/22/2018 10:20 AM, Lukasz Majewski wrote: > > On Wed, 22 Aug 2018 10:13:33 -0400 > > Bruce Ashfield wrote: > > > >> On 08/22/2018 10:05 AM, Lukasz Majewski wrote: > >>> Hi Bruce, > >>> > On 08/22/2018 09:40 AM,

Re: [OE-core] [PATCH] kernel: yocto: Add dependency on do_prepare_recipe_sysroot

2018-08-22 Thread Bruce Ashfield
On 08/22/2018 10:20 AM, Lukasz Majewski wrote: On Wed, 22 Aug 2018 10:13:33 -0400 Bruce Ashfield wrote: On 08/22/2018 10:05 AM, Lukasz Majewski wrote: Hi Bruce, On 08/22/2018 09:40 AM, Lukasz Majewski wrote: Without this patch it happens that do_populate_recipe_sysroot is called just

Re: [OE-core] [PATCH] kernel: yocto: Add dependency on do_prepare_recipe_sysroot

2018-08-22 Thread Lukasz Majewski
On Wed, 22 Aug 2018 10:13:33 -0400 Bruce Ashfield wrote: > On 08/22/2018 10:05 AM, Lukasz Majewski wrote: > > Hi Bruce, > > > >> On 08/22/2018 09:40 AM, Lukasz Majewski wrote: > >>> Without this patch it happens that do_populate_recipe_sysroot is > >>> called just before do_compile (on

Re: [OE-core] [PATCH] kernel: yocto: Add dependency on do_prepare_recipe_sysroot

2018-08-22 Thread Bruce Ashfield
On 08/22/2018 10:05 AM, Lukasz Majewski wrote: Hi Bruce, On 08/22/2018 09:40 AM, Lukasz Majewski wrote: Without this patch it happens that do_populate_recipe_sysroot is called just before do_compile (on multi core build machines). This is way too late as the .config generated in

[OE-core] ✗ patchtest: failure for "[ROCKO,V2] sqlite3: CVE-2017-1..." and 33 more

2018-08-22 Thread Patchwork
== Series Details == Series: "[ROCKO,V2] sqlite3: CVE-2017-1..." and 33 more Revision: 1 URL : https://patchwork.openembedded.org/series/13666/ State : failure == Summary == Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several tests have

[OE-core] ✗ patchtest: failure for kernel: yocto: Add dependency on do_prepare_recipe_sysroot

2018-08-22 Thread Patchwork
== Series Details == Series: kernel: yocto: Add dependency on do_prepare_recipe_sysroot Revision: 1 URL : https://patchwork.openembedded.org/series/13667/ State : failure == Summary == Thank you for submitting this patch series to OpenEmbedded Core. This is an automated response. Several

Re: [OE-core] [PATCH] kernel: yocto: Add dependency on do_prepare_recipe_sysroot

2018-08-22 Thread Lukasz Majewski
Hi Bruce, > On 08/22/2018 09:40 AM, Lukasz Majewski wrote: > > Without this patch it happens that do_populate_recipe_sysroot is > > called just before do_compile (on multi core build machines). > > This is way too late as the .config generated in > > do_kernel_configme() is already broken. > > >

Re: [OE-core] [PATCH] kernel: yocto: Add dependency on do_prepare_recipe_sysroot

2018-08-22 Thread Lukasz Majewski
Hi Bruce, > On 08/22/2018 09:40 AM, Lukasz Majewski wrote: > > Without this patch it happens that do_populate_recipe_sysroot is > > called just before do_compile (on multi core build machines). > > This is way too late as the .config generated in > > do_kernel_configme() is already broken. > > >

Re: [OE-core] [PATCH] kernel: yocto: Add dependency on do_prepare_recipe_sysroot

2018-08-22 Thread Bruce Ashfield
On 08/22/2018 09:40 AM, Lukasz Majewski wrote: Without this patch it happens that do_populate_recipe_sysroot is called just before do_compile (on multi core build machines). This is way too late as the .config generated in do_kernel_configme() is already broken. The problem is that

Re: [OE-core] [PATCH] kernel: yocto: Add dependency on do_prepare_recipe_sysroot

2018-08-22 Thread Bruce Ashfield
On 08/22/2018 09:40 AM, Lukasz Majewski wrote: Without this patch it happens that do_populate_recipe_sysroot is called just before do_compile (on multi core build machines). This is way too late as the .config generated in do_kernel_configme() is already broken. The problem is that

[OE-core] [PATCH] kernel: yocto: Add dependency on do_prepare_recipe_sysroot

2018-08-22 Thread Lukasz Majewski
Without this patch it happens that do_populate_recipe_sysroot is called just before do_compile (on multi core build machines). This is way too late as the .config generated in do_kernel_configme() is already broken. The problem is that do_kernel_configme() calls native's merge_config.sh script

Re: [OE-core] [PATCH] glibc: Fix ldd bug: not a dynamic executable error

2018-08-22 Thread richard . purdie
On Wed, 2018-08-22 at 15:33 +0200, Ricardo Ribalda Delgado wrote: > Hello > On Wed, Aug 22, 2018 at 3:28 PM Ricardo Ribalda Delgado > wrote: > > > > On Wed, Aug 22, 2018 at 3:21 PM > > wrote: > > > > > > On Wed, 2018-08-22 at 15:13 +0200, Ricardo Ribalda Delgado wrote: > > > > > Here I see: >

[OE-core] [ROCKO][PATCH V2 33/34] perl: CVE-2018-12015

2018-08-22 Thread Jagadeesh Krishnanjanappa
Remove existing files before overwriting them Archive should extract only the latest same-named entry. Extracted regular file should not be written into existing block device (or any other one). https://rt.cpan.org/Ticket/Display.html?id=125523 Affects perl <= 5.26.2 Signed-off-by: Jagadeesh

Re: [OE-core] [PATCH] glibc: Fix ldd bug: not a dynamic executable error

2018-08-22 Thread Ricardo Ribalda Delgado
Hi On Wed, Aug 22, 2018 at 3:37 PM wrote: > > On Wed, 2018-08-22 at 15:33 +0200, Ricardo Ribalda Delgado wrote: > > Hello > > On Wed, Aug 22, 2018 at 3:28 PM Ricardo Ribalda Delgado > > wrote: > > > > > > On Wed, Aug 22, 2018 at 3:21 PM > > > wrote: > > > > > > > > On Wed, 2018-08-22 at 15:13

[OE-core] [ROCKO][PATCH V2 32/34] openssl: CVE-2018-0732

2018-08-22 Thread Jagadeesh Krishnanjanappa
Reject excessively large primes in DH key generation. CVE-2018-0732 Affects openssl 1.0.2 to 1.0.2o Signed-off-by: Jagadeesh Krishnanjanappa --- .../openssl/openssl-1.0.2o/CVE-2018-0732.patch | 46 ++ .../recipes-connectivity/openssl/openssl_1.0.2o.bb | 1 + 2 files

[OE-core] [ROCKO][PATCH V2 34/34] libgcrypt: CVE-2018-0495

2018-08-22 Thread Jagadeesh Krishnanjanappa
ecc: Add blinding for ECDSA. * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with randomized nonce B. -- CVE-id: CVE-2018-0495 Affects libgcrypt < 1.7.10 and libgcrypt < 1.8.3 Signed-off-by: Jagadeesh Krishnanjanappa --- .../libgcrypt/files/CVE-2018-0495.patch| 76

[OE-core] [ROCKO][PATCH V2 31/34] git: CVE-2018-11235

2018-08-22 Thread Jagadeesh Krishnanjanappa
submodule-config: verify submodule names as paths Submodule "names" come from the untrusted .gitmodules file, but we blindly append them to $GIT_DIR/modules to create our on-disk repo paths. This means you can do bad things by putting "../" into the name (among other things). Let's sanity-check

[OE-core] [ROCKO][PATCH V2 30/34] flac: CVE-2017-6888

2018-08-22 Thread Jagadeesh Krishnanjanappa
stream_decoder.c: Fix a memory leak Leak reported by Secunia Research. Affects flac = 1.3.2 Signed-off-by: Jagadeesh Krishnanjanappa --- .../flac/files/CVE-2017-6888.patch | 31 ++ meta/recipes-multimedia/flac/flac_1.3.2.bb | 3 ++- 2 files

[OE-core] [ROCKO][PATCH V2 29/34] wget: CVE-2018-0494

2018-08-22 Thread Jagadeesh Krishnanjanappa
Fix cookie injection (CVE-2018-0494) * src/http.c (resp_new): Replace \r\n by space in continuation lines Fixes #53763 "Malicious website can write arbitrary cookie entries to cookie jar" HTTP header parsing left the \r\n from continuation line intact. The Set-Cookie code didn't check and could

[OE-core] [ROCKO][PATCH V2 27/34] perl: CVE-2018-6797

2018-08-22 Thread Jagadeesh Krishnanjanappa
(perl #132227) restart a node if we change to uni rules within the node and encounter... This could lead to a buffer overflow. (cherry picked from commit a02c70e35d1313a5f4e245e8f863c810e991172d) Affects perl >= 5.18 && perl <= 5.26 Signed-off-by: Jagadeesh Krishnanjanappa ---

[OE-core] [ROCKO][PATCH V2 25/34] qemu: CVE-2018-12617

2018-08-22 Thread Jagadeesh Krishnanjanappa
qga: check bytes count read by guest-file-read While reading file content via 'guest-file-read' command, 'qmp_guest_file_read' routine allocates buffer of count+1 bytes. It could overflow for large values of 'count'. Add check to avoid it. Affects qemu < v3.0.0 Signed-off-by: Jagadeesh

[OE-core] [ROCKO][PATCH V2 28/34] perl: CVE-2018-6913

2018-08-22 Thread Jagadeesh Krishnanjanappa
(perl #131844) fix various space calculation issues in pp_pack.c - for the originally reported case, if the start/cur pointer is in the top 75% of the address space the add (cur) + glen addition would overflow, resulting in the condition failing incorrectly. - the addition of the existing

[OE-core] [ROCKO][PATCH V2 26/34] shadow: CVE-2018-7169

2018-08-22 Thread Jagadeesh Krishnanjanappa
newgidmap: enforce setgroups=deny if self-mapping a group This is necessary to match the kernel-side policy of "self-mapping in a user namespace is fine, but you cannot drop groups" -- a policy that was created in order to stop user namespaces from allowing trivial privilege escalation by

[OE-core] [ROCKO][PATCH V2 23/34] qemu: CVE-2017-18043

2018-08-22 Thread Jagadeesh Krishnanjanappa
osdep: Fix ROUND_UP(64-bit, 32-bit) When using bit-wise operations that exploit the power-of-two nature of the second argument of ROUND_UP(), we still need to ensure that the mask is as wide as the first argument (done by using a ternary to force proper arithmetic promotion). Unpatched,

[OE-core] [ROCKO][PATCH V2 24/34] qemu: CVE-2018-7550

2018-08-22 Thread Jagadeesh Krishnanjanappa
multiboot: bss_end_addr can be zero The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/), section 3.1.3, allows for bss_end_addr to be zero. A zero bss_end_addr signifies there is no .bss section. Affects qemu < v2.12.0 Signed-off-by: Jagadeesh Krishnanjanappa ---

[OE-core] [ROCKO][PATCH V2 22/34] libarchive: CVE-2017-14503

2018-08-22 Thread Jagadeesh Krishnanjanappa
Reject LHA archive entries with negative size. Affects libarchive = 3.3.2 Signed-off-by: Jagadeesh Krishnanjanappa --- .../libarchive/libarchive/CVE-2017-14503.patch | 33 ++ .../libarchive/libarchive_3.3.2.bb | 1 + 2 files changed, 34 insertions(+)

[OE-core] [ROCKO][PATCH V2 18/34] pcmanfm: CVE-2017-8934

2018-08-22 Thread Jagadeesh Krishnanjanappa
Fix potential access violation, use runtime user dir instead of tmp dir. pcmanfm = 1.2.5 Signed-off-by: Jagadeesh Krishnanjanappa --- .../recipes-sato/pcmanfm/files/CVE-2017-8934.patch | 60 ++ meta/recipes-sato/pcmanfm/pcmanfm_1.2.5.bb | 3 +- 2 files changed, 62

[OE-core] [ROCKO][PATCH V2 19/34] openssh: CVE-2017-15906

2018-08-22 Thread Jagadeesh Krishnanjanappa
disallow creation (of empty files) in read-only mode; reported by Michal Zalewski, feedback & ok deraadt@ Affects openssh < 7.6 Signed-off-by: Jagadeesh Krishnanjanappa --- .../openssh/openssh/CVE-2017-15906.patch | 38 ++

[OE-core] [ROCKO][PATCH V2 16/34] Qemu CVE-2018-11806 slirp-heap-buffer-overflow

2018-08-22 Thread Jagadeesh Krishnanjanappa
From: Jeremy Puhlman slirp: correct size computation while concatenating mbuf While reassembling incoming fragmented datagrams, 'm_cat' routine extends the 'mbuf' buffer, if it has insufficient room. It computes a wrong buffer size, which leads to overwriting adjacent heap buffer area. Correct

[OE-core] [ROCKO][PATCH V2 15/34] curl: CVE-2018-0500

2018-08-22 Thread Jagadeesh Krishnanjanappa
smtp: use the upload buffer size for scratch buffer malloc ... not the read buffer size, as that can be set smaller and thus cause a buffer overflow! CVE-2018-0500 Reported-by: Peter Wu Bug: https://curl.haxx.se/docs/adv_2018-70a2.html Affects curl >= 7.54.1 && curl <= 7.60.0 Signed-off-by:

[OE-core] [ROCKO][PATCH V2 21/34] libsndfile1: CVE-2017-14634

2018-08-22 Thread Jagadeesh Krishnanjanappa
double64_init: Check psf->sf.channels against upper bound This prevents division by zero later in the code. While the trivial case to catch this (i.e. sf.channels < 1) has already been covered, a crafted file may report a number of channels that is so high (i.e. > INT_MAX/sizeof(double)) that it

[OE-core] [ROCKO][PATCH V2 20/34] git: CVE-2017-15298

2018-08-22 Thread Jagadeesh Krishnanjanappa
revision: quit pruning diff more quickly when possible When the revision traversal machinery is given a pathspec, we must compute the parent-diff for each commit to determine which ones are TREESAME. We set the QUICK diff flag to avoid looking at more entries than we need; we really just care

[OE-core] [ROCKO][PATCH V2 11/34] curl: CVE-2018-1000300

2018-08-22 Thread Jagadeesh Krishnanjanappa
pingpong: fix response cache memcpy overflow Response data for a handle with a large buffer might be cached and then used with the "closure" handle when it has a smaller buffer and then the larger cache will be copied and overflow the new smaller heap based buffer. Reported-by: Dario Weisser CVE:

[OE-core] [ROCKO][PATCH V2 17/34] qemu: CVE-2017-15119

2018-08-22 Thread Jagadeesh Krishnanjanappa
nbd/server: CVE-2017-15119 Reject options larger than 32M The NBD spec gives us permission to abruptly disconnect on clients that send outrageously large option requests, rather than having to spend the time reading to the end of the option. No real option request requires that much data

[OE-core] [ROCKO][PATCH V2 12/34] curl: CVE-2018-1000301

2018-08-22 Thread Jagadeesh Krishnanjanappa
http: restore buffer pointer when bad response-line is parsed ... leaving the k->str could lead to buffer over-reads later on. CVE: CVE-2018-1000301 Assisted-by: Max Dymond Detected by OSS-Fuzz. Bug: https://curl.haxx.se/docs/adv_2018-b138.html Bug:
