This change adds a fix for an uninitialized token structure in gnulib.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...mp-Fix-uninitialized-token-structure.patch | 53 +++
meta
This change fixes a memory leak on error in grub_efi_get_filename().
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...-kern-efi-Fix-memory-leak-on-failure.patch | 30 +++
meta
This change fixes a possible NULL pointer dereference in grub's
EFI support. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...ix-possible-NULL-pointer-dereference.patch | 65
This change fixes wrong handling of argc == 0 causing a memory leak.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...n-parser-Fix-resource-leak-if-argc-0.patch | 50 +++
meta
-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...formed-device-path-arithmetic-errors.patch | 235 ++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 236 insertions(+)
create mode 100644
meta/recipes-bsp/grub/files/0005-efi-Fix-some
This fix removes a possible NULL pointer dereference in grub
networking code. It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...ible-dereference-to-of-a-NULL-pointe.patch | 39
Backport a fix for a memory leak in grub_mmap_iterate(). This patch
is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...leak-when-iterating-over-mapped-memo.patch | 39 +++
meta
This change fixes a dangling memory pointer in the grub TFTP code.
It is a part of a security series [1].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
---
...net-tftp-Fix-dangling-memory-pointer.patch | 33 +++
meta
issues, so seem worth having.
Patches included here are also in Debian's backports [2].
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
[2] https://salsa.debian.org/grub-team/grub/-/tree/debian/2.04-20/debian/patches/2021-02-security
Marta Rybczynska (46):
grub: fix
On Thu, Feb 10, 2022 at 3:36 PM Ross Burton wrote:
>
> > +from jsonmerge import Merger
>
> This isn't part of the standard Python library, you'll have to
> replicate the logic.
>
>
Do you mean copying part of the class or reimplementing it?
> One suggestion would be to move more of the
On Tue, Jan 25, 2022 at 10:59 AM Marta Rybczynska via lists.openembedded.org
wrote:
> Add an option to output the CVE check in a JSON-based format.
> This format is easier to parse in software than the original
> text-based one and allows post-processing by other tools.
>
>
Signed-off-by: Marta Rybczynska
---
.../grub/files/CVE-2020-25647.patch | 119 ++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 120 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-25647.patch
diff --git a/meta/recipes-bsp
arbitrary code to be executed or a bypass of Secure Boot protections.
This patch is a part of a bigger security collection for grub [2].
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-25632
[2] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html
Signed-off-by: Marta Rybczynska
by default.
The JSON output format gets generated in a similar way to the
text format with the exception of the manifest: appending to
JSON arrays requires parsing the file. Because of that we
first write JSON fragments and then assemble them in one pass
at the end.
Signed-off-by: Marta Rybczynska
On Mon, Jan 10, 2022 at 10:01 AM Marta Rybczynska via lists.openembedded.org
wrote:
>
> diff --git a/meta/recipes-bsp/grub/grub2.inc
>> b/meta/recipes-bsp/grub/grub2.inc
>> index bb791347dc..a72a562c5a 100644
>> --- a/meta/recipes-bsp/grub/grub2.inc
>> +++ b/m
> diff --git a/meta/recipes-bsp/grub/grub2.inc
> b/meta/recipes-bsp/grub/grub2.inc
> index bb791347dc..a72a562c5a 100644
> --- a/meta/recipes-bsp/grub/grub2.inc
> +++ b/meta/recipes-bsp/grub/grub2.inc
> @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
>
From: Marta Rybczynska
Fix issues with grub in secure boot mode where an attacker could circumvent
secure boot by using acpi and cutmem commands. Also include patches fixing
similar issues.
Most patches are backported directly from grub. One patch
(no-insmod-on-sb.patch) comes from Debian
On Wed, Dec 22, 2021 at 11:04 AM Ross Burton wrote:
> On Mon, 20 Dec 2021 at 15:04, Marta Rybczynska
> wrote:
> > An example entry:
> > LAYER: meta
> > PACKAGE NAME: libsdl2-native
> > PACKAGE VERSION: 2.0.14
> > CVES FOUND IN RECIPE: Yes
> >
, issues in the database and more.
An example entry:
LAYER: meta
PACKAGE NAME: libsdl2-native
PACKAGE VERSION: 2.0.14
CVES FOUND IN RECIPE: Yes
PRODUCT: simple_directmedia_layer (Yes)
PRODUCT: sdl (No)
Signed-off-by: Marta Rybczynska
---
meta/classes/cve-check.bbclass | 115
From: Marta Rybczynska
Improper access control in BlueZ may allow an authenticated user to
potentially enable information disclosure via adjacent access.
This issue can be fixed in the kernel, in BlueZ or both. This patch
fixes it on the BlueZ side, so that the configuration no longer
depends
On Thu, Dec 9, 2021 at 7:53 AM Tim Orling wrote:
>
> From: Richard Purdie
>
> The CVE applies to binutils 2.26 and not to gcc so ignore there.
>
Tim,
Have you requested a NVD database change on this one? Or you prefer me to do it?
Kind regards,
Marta
://eprint.iacr.org/2021/923.pdf
[2] https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13
[3] https://dev.gnupg.org/T5328#149606
Signed-off-by: Marta Rybczynska
---
.../libgcrypt/files/CVE-2021-33560.patch | 138 +++---
.../libgcrypt/files/CVE-2021-40528.patch
gelog.html#changelog
Signed-off-by: Marta Rybczynska
---
.../python/{python3_3.8.11.bb => python3_3.8.12.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-devtools/python/{python3_3.8.11.bb => python3_3.8.12.bb}
(99%)
diff --git a/meta/recipes
> Best regards,
>
> Steve
>
> On Tue, Nov 2, 2021 at 9:20 PM Marta Rybczynska
> wrote:
> >
> > NetworkManager 1.22.16 contains a fix for CVE-2020-10754.
> >
> > This version includes an additional option by default for firewalld
> zones,
> >
a20.
Signed-off-by: Marta Rybczynska
---
.../nss/nss/CVE-2020-12403.patch | 68 +
.../nss/nss/CVE-2020-12403_2.patch| 96 +++
meta-oe/recipes-support/nss/nss_3.51.1.bb | 2 +
3 files changed, 166 insertions(+)
create mode 100644 meta-oe/reci
from gatesgarth
meta-openembedded 165ad9ad4c86c9e63f3afcf3172c8e1d3629f3a5 required
for the build.
Signed-off-by: Marta Rybczynska
---
.../fix_reallocarray_check.patch | 27 +++
...r_1.22.10.bb => networkmanager_1.22.16.bb} | 7 -
2 files changed, 33 inserti
lzo was missing CVE_PRODUCT and related CVEs (at least CVE-2014-4607) were
not reported.
Signed-off-by: Marta Rybczynska
---
meta/recipes-support/lzo/lzo_2.10.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/lzo/lzo_2.10.bb
b/meta/recipes-support/lzo/lzo_2.10.bb
On Wed, Aug 11, 2021 at 4:52 PM Joshua Watt wrote:
> Moving the function will allow other classes to capture which CVEs have
> been patched, in particular SBoM generation.
>
> Also add a function to capture the CPE ID from the CVE Product and
> Version
>
>
Do you have a link to some resource on
Ross Burton wrote:
> This replaces the default value of 'lzo', it might be safer to use +=
> so both this name and just lzo are searched for.
>
> The CVE database isn't very reliable for consistent naming, so I
> prefer to cover all bases.
>
> Ross
>
> On Thu, 19 Aug 2021
lzo was missing CVE_PRODUCT and related CVEs (at least CVE-2014-4607) were
not reported.
Signed-off-by: Marta Rybczynska
---
meta/recipes-support/lzo/lzo_2.10.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/lzo/lzo_2.10.bb
b/meta/recipes-support/lzo/lzo_2.10.bb
CPEs, issues in the database and more.
An example entry:
LAYER: meta
PACKAGE NAME: libsdl2-native
PACKAGE VERSION: 2.0.14
CVES FOUND IN RECIPE: Yes
PRODUCT: simple_directmedia_layer (Yes)
PRODUCT: sdl (No)
Signed-off-by: Marta Rybczynska
---
meta/classes/cve-check.bbclass | 115