[oe-core][kirkstone][PATCH 2/2] xserver-xorg: fix CVE-2024-31083

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

FreeGlyph() function declared in render/glyphstr_priv.h, it is not present in
current recipe version and introduced in later versions, added this change to
render/glyphstr.h

Signed-off-by: Archana Polampalli 
---
 .../xserver-xorg/CVE-2024-31083-0001.patch| 117 ++
 .../xserver-xorg/CVE-2024-31083-0002.patch|  76 
 .../xorg-xserver/xserver-xorg_21.1.8.bb   |   2 +
 3 files changed, 195 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31083-0001.patch
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31083-0002.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31083-0001.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31083-0001.patch
new file mode 100644
index 00..1ef9d933ae
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31083-0001.patch
@@ -0,0 +1,117 @@
+From bdca6c3d1f5057eeb31609b1280fc93237b00c77 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer 
+Date: Tue, 30 Jan 2024 13:13:35 +1000
+Subject: [PATCH] render: fix refcounting of glyphs during ProcRenderAddGlyphs
+
+Previously, AllocateGlyph would return a new glyph with refcount=0 and a
+re-used glyph would end up not changing the refcount at all. The
+resulting glyph_new array would thus have multiple entries pointing to
+the same non-refcounted glyphs.
+
+AddGlyph may free a glyph, resulting in a UAF when the same glyph
+pointer is then later used.
+
+Fix this by returning a refcount of 1 for a new glyph and always
+incrementing the refcount for a re-used glyph, followed by dropping that
+refcount back down again when we're done with it.
+
+CVE-2024-31083, ZDI-CAN-22880
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Part-of: 
+
+CVE: CVE-2024-31083
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057ee]
+
+Signed-off-by: Archana Polampalli 
+---
+ render/glyph.c|  5 +++--
+ render/glyphstr.h |  2 ++
+ render/render.c   | 15 +++
+ 3 files changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/render/glyph.c b/render/glyph.c
+index f3ed9cf..d5fc5f3 100644
+--- a/render/glyph.c
 b/render/glyph.c
+@@ -245,10 +245,11 @@ FreeGlyphPicture(GlyphPtr glyph)
+ }
+ }
+
+-static void
++void
+ FreeGlyph(GlyphPtr glyph, int format)
+ {
+ CheckDuplicates([format], "FreeGlyph");
++BUG_RETURN(glyph->refcnt == 0);
+ if (--glyph->refcnt == 0) {
+ GlyphRefPtr gr;
+ int i;
+@@ -354,7 +355,7 @@ AllocateGlyph(xGlyphInfo * gi, int fdepth)
+ glyph = (GlyphPtr) malloc(size);
+ if (!glyph)
+ return 0;
+-glyph->refcnt = 0;
++glyph->refcnt = 1;
+ glyph->size = size + sizeof(xGlyphInfo);
+ glyph->info = *gi;
+ dixInitPrivates(glyph, (char *) glyph + head_size, PRIVATE_GLYPH);
+diff --git a/render/glyphstr.h b/render/glyphstr.h
+index 2f51bd2..68f8c9e 100644
+--- a/render/glyphstr.h
 b/render/glyphstr.h
+@@ -117,6 +117,8 @@ extern GlyphSetPtr AllocateGlyphSet(int fdepth, 
PictFormatPtr format);
+ extern int
+  FreeGlyphSet(void *value, XID gid);
+
++void FreeGlyph(GlyphPtr glyph, int format);
++
+ #define GLYPH_HAS_GLYPH_PICTURE_ACCESSOR 1 /* used for api compat */
+ extern _X_EXPORT PicturePtr
+  GetGlyphPicture(GlyphPtr glyph, ScreenPtr pScreen);
+diff --git a/render/render.c b/render/render.c
+index 456f156..5bc2a20 100644
+--- a/render/render.c
 b/render/render.c
+@@ -1076,6 +1076,7 @@ ProcRenderAddGlyphs(ClientPtr client)
+
+ if (glyph_new->glyph && glyph_new->glyph != DeletedGlyph) {
+ glyph_new->found = TRUE;
++++glyph_new->glyph->refcnt;
+ }
+ else {
+ GlyphPtr glyph;
+@@ -1168,8 +1169,10 @@ ProcRenderAddGlyphs(ClientPtr client)
+ err = BadAlloc;
+ goto bail;
+ }
+-for (i = 0; i < nglyphs; i++)
++for (i = 0; i < nglyphs; i++) {
+ AddGlyph(glyphSet, glyphs[i].glyph, glyphs[i].id);
++FreeGlyph(glyphs[i].glyph, glyphSet->fdepth);
++}
+
+ if (glyphsBase != glyphsLocal)
+ free(glyphsBase);
+@@ -1179,9 +1182,13 @@ ProcRenderAddGlyphs(ClientPtr client)
+ FreePicture((void *) pSrc, 0);
+ if (pSrcPix)
+ FreeScratchPixmapHeader(pSrcPix);
+-for (i = 0; i < nglyphs; i++)
+-if (glyphs[i].glyph && !glyphs[i].found)
+-free(glyphs[i].glyph);
++for (i = 0; i < nglyphs; i++) {
++if (glyphs[i].glyph) {
++--glyphs[i].glyph->refcnt;
++if (!glyphs[i].found)
++free(glyphs[i].glyph);
++}
++}
+ if (glyphsBase != glyphsLocal)
+ free(glyphsBase);
+ return err;
+--
+2.40.0
diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31083-0002.patch 

[oe-core][kirkstone][PATCH 1/2] xserver-xorg: fix CVE-2024-31082

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

Signed-off-by: Archana Polampalli 
---
 .../xserver-xorg/CVE-2024-31082.patch | 52 +++
 .../xorg-xserver/xserver-xorg_21.1.8.bb   |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 
meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31082.patch

diff --git 
a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31082.patch 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31082.patch
new file mode 100644
index 00..81d76977bb
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31082.patch
@@ -0,0 +1,52 @@
+From 6c684d035c06fd41c727f0ef0744517580864cef Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith 
+Date: Fri, 22 Mar 2024 19:07:34 -0700
+Subject: [PATCH] Xquartz: ProcAppleDRICreatePixmap needs to use unswapped
+ length to send reply
+
+CVE-2024-31082
+
+Fixes: 14205ade0 ("XQuartz: appledri: Fix byte swapping in replies")
+Signed-off-by: Alan Coopersmith 
+Part-of: 
+
+CVE: CVE-2024-31082
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/xserver/-/commit/6c684d035c06fd4]
+
+Signed-off-by: Archana Polampalli 
+---
+ hw/xquartz/xpr/appledri.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/xquartz/xpr/appledri.c b/hw/xquartz/xpr/appledri.c
+index 7757465..40422b6 100644
+--- a/hw/xquartz/xpr/appledri.c
 b/hw/xquartz/xpr/appledri.c
+@@ -272,6 +272,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+ xAppleDRICreatePixmapReply rep;
+ int width, height, pitch, bpp;
+ void *ptr;
++CARD32 stringLength;
+
+ REQUEST_SIZE_MATCH(xAppleDRICreatePixmapReq);
+
+@@ -307,6 +308,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+ if (sizeof(rep) != sz_xAppleDRICreatePixmapReply)
+ ErrorF("error sizeof(rep) is %zu\n", sizeof(rep));
+
++stringLength = rep.stringLength;  /* save unswapped value */
+ if (client->swapped) {
+ swaps();
+ swapl();
+@@ -319,7 +321,7 @@ ProcAppleDRICreatePixmap(ClientPtr client)
+ }
+
+ WriteToClient(client, sizeof(rep), );
+-WriteToClient(client, rep.stringLength, path);
++WriteToClient(client, stringLength, path);
+
+ return Success;
+ }
+--
+2.40.0
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index b9eed92103..0a8cb7d81a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -18,6 +18,7 @@ SRC_URI += 
"file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
file://CVE-2024-0409.patch \
file://CVE-2024-31080.patch \
file://CVE-2024-31081.patch \
+   file://CVE-2024-31082.patch \
"
 SRC_URI[sha256sum] = 
"38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199119): 
https://lists.openembedded.org/g/openembedded-core/message/199119
Mute This Topic: https://lists.openembedded.org/mt/105979549/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][master][scarthgap][PATCH 1/1] xserver-xorg: upgrade 21.1.11 -> 21.1.12

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

This release contains security fixes for

* CVE-2024-31080
* CVE-2024-31081
* CVE-2024-31082
* CVE-2024-31083

Changelog:
===
101caa1b0 (tag: xorg-server-21.1.12) xserver 21.1.12
117315640 render: fix refcounting of glyphs during ProcRenderAddGlyphs
0e34d8ebc Xquartz: ProcAppleDRICreatePixmap needs to use unswapped length to 
send reply
cea92ca78 Xi: ProcXIPassiveGrabDevice needs to use unswapped length to send 
reply
8a7cd0e3e Xi: ProcXIGetSelectedEvents needs to use unswapped length to send 
reply
5ca3a9513 Xext: SProcSyncCreateFence needs to swap drawable id too
5d7272f05 Allow disabling byte-swapped clients
8a46a463f Initialize Mode->name in xf86CVTMode()
f653d9a0a hw/xfree86: fix NULL pointer refrence to mode name
8b75ec34d dix: Fix use after free in input device shutdown

https://lists.x.org/archives/xorg-announce/2024-April/003497.html

Signed-off-by: Archana Polampalli 
---
 .../{xserver-xorg_21.1.11.bb => xserver-xorg_21.1.12.bb}| 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_21.1.11.bb => 
xserver-xorg_21.1.12.bb} (92%)

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.11.bb 
b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.12.bb
similarity index 92%
rename from meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.11.bb
rename to meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.12.bb
index 6506d775ca..570e08d5ae 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.11.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.12.bb
@@ -3,7 +3,7 @@ require xserver-xorg.inc
 SRC_URI += 
"file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.patch \
file://0001-Avoid-duplicate-definitions-of-IOPortBase.patch \
"
-SRC_URI[sha256sum] = 
"1d3dadbd57fb86b16a018e9f5f957aeeadf744f56c0553f55737628d06d326ef"
+SRC_URI[sha256sum] = 
"1e016e2be1b5ccdd65eac3ea08e54bd13ce8f4f6c3fb32ad6fdac4e71729a90f"
 
 # These extensions are now integrated into the server, so declare the migration
 # path for in-place upgrades.
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199118): 
https://lists.openembedded.org/g/openembedded-core/message/199118
Mute This Topic: https://lists.openembedded.org/mt/105979530/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH V2 1/1] gstreamer1.0-plugins-bad: fix CVE-2023-44446

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

Signed-off-by: Archana Polampalli 
---
 .../CVE-2023-6.patch  | 329 ++
 .../gstreamer1.0-plugins-bad_1.20.7.bb|   1 +
 2 files changed, 330 insertions(+)
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-6.patch

diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-6.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-6.patch
new file mode 100644
index 00..92fe82d36d
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-6.patch
@@ -0,0 +1,329 @@
+From 7dfaa57b6f9b55f17ffe824bd8988bb71ae11353 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= 
+Date: Fri, 20 Oct 2023 00:09:57 +0300
+Subject: [PATCH] mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed
+ allocation
+
+Previously they were stored inline inside a GArray, but as references to
+the tracks were stored in various other places although the array could
+still be updated (and reallocated!), this could lead to dangling
+references in various places.
+
+Instead now store them in a GPtrArray in their own allocation so each
+track's memory position stays fixed.
+
+Fixes ZDI-CAN-22299
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
+
+Part-of: 

+
+CVE: CVE-2023-6
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7dfaa57b6f9b55f1]
+
+Signed-off-by: Archana Polampalli 
+---
+ gst/mxf/mxfdemux.c | 117 -
+ gst/mxf/mxfdemux.h |   2 +-
+ 2 files changed, 52 insertions(+), 67 deletions(-)
+
+diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
+index b0ccc17..7eb990c 100644
+--- a/gst/mxf/mxfdemux.c
 b/gst/mxf/mxfdemux.c
+@@ -170,10 +170,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * 
partition)
+ }
+
+ static void
+-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
++gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
+ {
+-  guint i;
++  if (t->offsets)
++g_array_free (t->offsets, TRUE);
++
++  g_free (t->mapping_data);
++
++  if (t->tags)
++gst_tag_list_unref (t->tags);
++
++  if (t->caps)
++gst_caps_unref (t->caps);
++
++  g_free (t);
++}
+
++static void
++gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
++{
+   GST_DEBUG_OBJECT (demux, "Resetting MXF state");
+
+   g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
+@@ -183,22 +198,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+
+   demux->current_partition = NULL;
+
+-  for (i = 0; i < demux->essence_tracks->len; i++) {
+-GstMXFDemuxEssenceTrack *t =
+-_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+-
+-if (t->offsets)
+-  g_array_free (t->offsets, TRUE);
+-
+-g_free (t->mapping_data);
+-
+-if (t->tags)
+-  gst_tag_list_unref (t->tags);
+-
+-if (t->caps)
+-  gst_caps_unref (t->caps);
+-  }
+-  g_array_set_size (demux->essence_tracks, 0);
++  g_ptr_array_set_size (demux->essence_tracks, 0);
+ }
+
+ static void
+@@ -216,7 +216,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
+
+   for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *track =
+-_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++g_ptr_array_index (demux->essence_tracks, i);
+
+ track->source_package = NULL;
+ track->delta_id = -1;
+@@ -419,7 +419,7 @@ gst_mxf_demux_partition_postcheck (GstMXFDemux * demux,
+
+   for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *cand =
+-_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++g_ptr_array_index (demux->essence_tracks, i);
+
+ if (cand->body_sid != partition->partition.body_sid)
+   continue;
+@@ -866,8 +866,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+
+   for (k = 0; k < demux->essence_tracks->len; k++) {
+ GstMXFDemuxEssenceTrack *tmp =
+-_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+-k);
++  g_ptr_array_index (demux->essence_tracks, k);
+
+ if (tmp->track_number == track->parent.track_number &&
+ tmp->body_sid == edata->body_sid) {
+@@ -885,24 +884,24 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+   }
+
+   if (!etrack) {
+-GstMXFDemuxEssenceTrack tmp;
++  GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
++
++tmp->body_sid = edata->body_sid;
++tmp->index_sid = edata->index_sid;
++tmp->track_number = track->parent.track_number;
++tmp->track_id = track->parent.track_id;
++memcpy (>source_package_uid, >parent.package_uid, 32);
+
+-memset (, 0, sizeof (tmp));
+-tmp.body_sid = 

[oe-core][kirkstone][PATCH 3/4] gstreamer1.0-plugins-bad: fix CVE-2024-0444

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

Signed-off-by: Archana Polampalli 
---
 .../CVE-2024-0444.patch   | 42 +++
 .../gstreamer1.0-plugins-bad_1.20.7.bb|  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch

diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch
new file mode 100644
index 00..6265f4293e
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2024-0444.patch
@@ -0,0 +1,42 @@
+From 394d5066f8a7b728df02fe9084e955b2f7d7f6fe Mon Sep 17 00:00:00 2001
+From: Seungha Yang 
+Date: Wed, 10 Jan 2024 03:33:59 +0900
+Subject: [PATCH] av1parser: Fix potential stack overflow during tile list
+ parsing
+
+The tile_count_minus_1 must be less than or equal to 511 as specified
+in spec "6.11.1 General tile list OBU semantics"
+
+Fixes #3214 / CVE-2024-0444 / ZDI-CAN-22873
+
+Part-of: 

+
+CVE: CVE-2024-0444
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/394d5066f8a7b728]
+
+Signed-off-by: Archana Polampalli 
+---
+ gst-libs/gst/codecparsers/gstav1parser.c | 7 +++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/gst-libs/gst/codecparsers/gstav1parser.c 
b/gst-libs/gst/codecparsers/gstav1parser.c
+index 68f8a76..bab404e 100644
+--- a/gst-libs/gst/codecparsers/gstav1parser.c
 b/gst-libs/gst/codecparsers/gstav1parser.c
+@@ -4352,6 +4352,13 @@ gst_av1_parser_parse_tile_list_obu (GstAV1Parser * 
parser,
+   tile_list->output_frame_width_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
+   tile_list->output_frame_height_in_tiles_minus_1 = AV1_READ_BITS (br, 8);
+   tile_list->tile_count_minus_1 = AV1_READ_BITS (br, 16);
++  if (tile_list->tile_count_minus_1 + 1 > GST_AV1_MAX_TILE_COUNT) {
++GST_WARNING ("Invalid tile_count_minus_1 %d",
++tile_list->tile_count_minus_1);
++retval = GST_AV1_PARSER_BITSTREAM_ERROR;
++goto error;
++  }
++
+   for (tile = 0; tile <= tile_list->tile_count_minus_1; tile++) {
+ if (AV1_REMAINING_BITS (br) < 8 + 8 + 8 + 16) {
+   retval = GST_AV1_PARSER_NO_MORE_DATA;
+--
+2.40.0
diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index 504cfce1fd..219ebe4fa7 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -14,6 +14,7 @@ SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
file://CVE-2023-40475.patch \
file://CVE-2023-40476.patch \
file://CVE-2023-44429.patch \
+   file://CVE-2024-0444.patch \
"
 SRC_URI[sha256sum] = 
"87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198979): 
https://lists.openembedded.org/g/openembedded-core/message/198979
Mute This Topic: https://lists.openembedded.org/mt/105886013/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 2/4] ofono: fix CVE-2023-4233

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow 
bug
is triggered within the sms_decode_address_field() function during the SMS
PDU decoding. It is assumed that the attack scenario is accessible from a 
compromised
modem, a malicious base station, or just SMS.

Signed-off-by: Archana Polampalli 
---
 .../ofono/ofono/CVE-2023-4233.patch   | 32 +++
 meta/recipes-connectivity/ofono/ofono_1.34.bb |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch

diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch 
b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch
new file mode 100644
index 00..d047a0d87a
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4233.patch
@@ -0,0 +1,32 @@
+From 1a5fbefa59465bec80425add562bdb1d36ec8e23 Mon Sep 17 00:00:00 2001
+From: Denis Grigorev 
+Date: Fri, 29 Dec 2023 13:30:04 +0300
+Subject: [PATCH] smsutil: Validate the length of the address field
+
+This addresses CVE-2023-4233.
+
+CVE: CVE-2023-4233
+
+Upstream-Status: Backport 
[https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=1a5fbefa59465bec]
+
+Signed-off-by: Archana Polampalli 
+---
+ src/smsutil.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/smsutil.c b/src/smsutil.c
+index 5a12708..8dd2126 100644
+--- a/src/smsutil.c
 b/src/smsutil.c
+@@ -626,6 +626,9 @@ gboolean sms_decode_address_field(const unsigned char 
*pdu, int len,
+
+   if (!next_octet(pdu, len, offset, _len))
+   return FALSE;
++  /* According to 23.040 9.1.2.5 Address-Length must not exceed 20 */
++if (addr_len > 20)
++return FALSE;
+
+   if (sc && addr_len == 0) {
+   out->address[0] = '\0';
+--
+2.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb 
b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index 8aab312ff8..f4548b8a30 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -13,6 +13,7 @@ SRC_URI = "\
 file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \
 file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \
 file://CVE-2023-4234.patch \
+file://CVE-2023-4233.patch \
 "
 SRC_URI[sha256sum] = 
"c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198978): 
https://lists.openembedded.org/g/openembedded-core/message/198978
Mute This Topic: https://lists.openembedded.org/mt/105886012/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 4/4] gstreamer1.0-plugins-bad: fix CVE-2023-44446

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

Signed-off-by: Archana Polampalli 
---
 .../CVE-2023-6.patch  | 329 ++
 .../gstreamer1.0-plugins-bad_1.20.7.bb|   1 +
 2 files changed, 330 insertions(+)
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-6.patch

diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-6.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-6.patch
new file mode 100644
index 00..64a9f83d0d
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-6.patch
@@ -0,0 +1,329 @@
+From 7dfaa57b6f9b55f17ffe824bd8988bb71ae11353 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= 
+Date: Fri, 20 Oct 2023 00:09:57 +0300
+Subject: [PATCH] mxfdemux: Store GstMXFDemuxEssenceTrack in their own fixed
+ allocation
+
+Previously they were stored inline inside a GArray, but as references to
+the tracks were stored in various other places although the array could
+still be updated (and reallocated!), this could lead to dangling
+references in various places.
+
+Instead now store them in a GPtrArray in their own allocation so each
+track's memory position stays fixed.
+
+Fixes ZDI-CAN-22299
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3055
+
+Part-of: 

+
+CVE: CVE-2023-44429
+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7dfaa57b6f9b55f1]
+
+Signed-off-by: Archana Polampalli 
+---
+ gst/mxf/mxfdemux.c | 117 -
+ gst/mxf/mxfdemux.h |   2 +-
+ 2 files changed, 52 insertions(+), 67 deletions(-)
+
+diff --git a/gst/mxf/mxfdemux.c b/gst/mxf/mxfdemux.c
+index b0ccc17..7eb990c 100644
+--- a/gst/mxf/mxfdemux.c
 b/gst/mxf/mxfdemux.c
+@@ -170,10 +170,25 @@ gst_mxf_demux_partition_free (GstMXFDemuxPartition * 
partition)
+ }
+
+ static void
+-gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
++gst_mxf_demux_essence_track_free (GstMXFDemuxEssenceTrack * t)
+ {
+-  guint i;
++  if (t->offsets)
++g_array_free (t->offsets, TRUE);
++
++  g_free (t->mapping_data);
++
++  if (t->tags)
++gst_tag_list_unref (t->tags);
++
++  if (t->caps)
++gst_caps_unref (t->caps);
++
++  g_free (t);
++}
+
++static void
++gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
++{
+   GST_DEBUG_OBJECT (demux, "Resetting MXF state");
+
+   g_list_foreach (demux->partitions, (GFunc) gst_mxf_demux_partition_free,
+@@ -183,22 +198,7 @@ gst_mxf_demux_reset_mxf_state (GstMXFDemux * demux)
+
+   demux->current_partition = NULL;
+
+-  for (i = 0; i < demux->essence_tracks->len; i++) {
+-GstMXFDemuxEssenceTrack *t =
+-_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
+-
+-if (t->offsets)
+-  g_array_free (t->offsets, TRUE);
+-
+-g_free (t->mapping_data);
+-
+-if (t->tags)
+-  gst_tag_list_unref (t->tags);
+-
+-if (t->caps)
+-  gst_caps_unref (t->caps);
+-  }
+-  g_array_set_size (demux->essence_tracks, 0);
++  g_ptr_array_set_size (demux->essence_tracks, 0);
+ }
+
+ static void
+@@ -216,7 +216,7 @@ gst_mxf_demux_reset_linked_metadata (GstMXFDemux * demux)
+
+   for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *track =
+-_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++g_ptr_array_index (demux->essence_tracks, i);
+
+ track->source_package = NULL;
+ track->delta_id = -1;
+@@ -419,7 +419,7 @@ gst_mxf_demux_partition_postcheck (GstMXFDemux * demux,
+
+   for (i = 0; i < demux->essence_tracks->len; i++) {
+ GstMXFDemuxEssenceTrack *cand =
+-_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack, i);
++g_ptr_array_index (demux->essence_tracks, i);
+
+ if (cand->body_sid != partition->partition.body_sid)
+   continue;
+@@ -866,8 +866,7 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+
+   for (k = 0; k < demux->essence_tracks->len; k++) {
+ GstMXFDemuxEssenceTrack *tmp =
+-_array_index (demux->essence_tracks, GstMXFDemuxEssenceTrack,
+-k);
++  g_ptr_array_index (demux->essence_tracks, k);
+
+ if (tmp->track_number == track->parent.track_number &&
+ tmp->body_sid == edata->body_sid) {
+@@ -885,24 +884,24 @@ gst_mxf_demux_update_essence_tracks (GstMXFDemux * demux)
+   }
+
+   if (!etrack) {
+-GstMXFDemuxEssenceTrack tmp;
++  GstMXFDemuxEssenceTrack *tmp = g_new0 (GstMXFDemuxEssenceTrack, 1);
++
++tmp->body_sid = edata->body_sid;
++tmp->index_sid = edata->index_sid;
++tmp->track_number = track->parent.track_number;
++tmp->track_id = track->parent.track_id;
++memcpy (>source_package_uid, >parent.package_uid, 32);
+
+-memset (, 0, sizeof (tmp));
+-tmp.body_sid = 

[oe-core][kirkstone][PATCH 1/4] ofono: fix CVE-2023-4234

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow 
bug
is triggered within the decode_submit_report() function during the SMS decoding.
It is assumed that the attack scenario is accessible from a compromised modem,
a malicious base station, or just SMS. There is a bound check for this memcpy
length in decode_submit(), but it was forgotten in decode_submit_report().

Signed-off-by: Archana Polampalli 
---
 .../ofono/ofono/CVE-2023-4234.patch   | 39 +++
 meta/recipes-connectivity/ofono/ofono_1.34.bb |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch

diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch 
b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch
new file mode 100644
index 00..9d7b56c1ae
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2023-4234.patch
@@ -0,0 +1,39 @@
+From 8d74bc66146ea78620d140640a0a57af86fc8936 Mon Sep 17 00:00:00 2001
+From: Denis Grigorev 
+Date: Thu, 21 Dec 2023 17:16:38 +0300
+Subject: [PATCH] smsutil: Check that submit report fits in memory
+
+This addresses CVE-2023-4234.
+
+CVE: CVE-2023-4234.
+
+Upstream-Status: Backport 
[https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8d74bc66146ea786]
+
+Signed-off-by: Archana Polampalli 
+---
+ src/smsutil.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/smsutil.c b/src/smsutil.c
+index 8e57a06..5a12708 100644
+--- a/src/smsutil.c
 b/src/smsutil.c
+@@ -938,10 +938,16 @@ static gboolean decode_submit_report(const unsigned char 
*pdu, int len,
+   return FALSE;
+
+   if (out->type == SMS_TYPE_SUBMIT_REPORT_ERROR) {
++  if (expected > (int) sizeof(out->submit_err_report.ud))
++return FALSE;
++
+   out->submit_err_report.udl = udl;
+   memcpy(out->submit_err_report.ud,
+   pdu + offset, expected);
+   } else {
++  if (expected > (int) sizeof(out->submit_ack_report.ud))
++return FALSE;
++
+   out->submit_ack_report.udl = udl;
+   memcpy(out->submit_ack_report.ud,
+   pdu + offset, expected);
+--
+2.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb 
b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index 23631747a7..8aab312ff8 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -12,6 +12,7 @@ SRC_URI = "\
 file://ofono \
 file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \
 file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \
+file://CVE-2023-4234.patch \
 "
 SRC_URI[sha256sum] = 
"c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198977): 
https://lists.openembedded.org/g/openembedded-core/message/198977
Mute This Topic: https://lists.openembedded.org/mt/105886011/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 2/2] gnutls: fix CVE-2024-28835

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

A flaw has been discovered in GnuTLS where an application crash can be induced
when attempting to verify a specially crafted .pem bundle using the
"certtool --verify-chain" command.

Signed-off-by: Archana Polampalli 
---
 .../gnutls/gnutls/CVE-2024-28835.patch| 406 ++
 meta/recipes-support/gnutls/gnutls_3.7.4.bb   |   1 +
 2 files changed, 407 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch 
b/meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch
new file mode 100644
index 00..0341df8bd9
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-28835.patch
@@ -0,0 +1,406 @@
+From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno 
+Date: Mon, 29 Jan 2024 13:52:46 +0900
+Subject: [PATCH] gnutls_x509_trust_list_verify_crt2: remove length limit of
+ input
+
+Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
+chain verification logic crashed with assertion failure.  This patch
+removes the restriction while keeping the maximum number of
+retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
+
+Signed-off-by: Daiki Ueno 
+
+CVE: CVE-2024-28835
+
+Upstream-Status: Backport 
[https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d]
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gnutls_int.h   |   5 +-
+ lib/x509/common.c  |  10 +-
+ lib/x509/verify-high.c |  43 ++---
+ tests/test-chains.h| 211 -
+ 4 files changed, 252 insertions(+), 17 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index b2a3ae6..5127996 100644
+--- a/lib/gnutls_int.h
 b/lib/gnutls_int.h
+@@ -221,7 +221,10 @@ typedef enum record_send_state_t {
+
+ #define MAX_PK_PARAM_SIZE 2048
+
+-/* defaults for verification functions
++/* Defaults for verification functions.
++ *
++ * update many_icas in tests/test-chains.h when increasing
++ * DEFAULT_MAX_VERIFY_DEPTH.
+  */
+ #define DEFAULT_MAX_VERIFY_DEPTH 16
+ #define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE*8)
+diff --git a/lib/x509/common.c b/lib/x509/common.c
+index 6367b03..8f8c1f8 100644
+--- a/lib/x509/common.c
 b/lib/x509/common.c
+@@ -1749,7 +1749,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t 
*clist,
+   bool insorted[DEFAULT_MAX_VERIFY_DEPTH]; /* non zero if clist[i] used 
in sorted list */
+   gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
+
+-  assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH);
++/* Limit the number of certificates in the chain, to avoid DoS
++   * because of the O(n^2) sorting below.  FIXME: Switch to a
++   * topological sort algorithm which should be linear to the
++   * number of certificates and subject-issuer relationships.
++   */
++  if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
++  _gnutls_debug_log("too many certificates; skipping sorting\n");
++  return 1;
++  }
+
+   for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
+   issuer[i] = -1;
+diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
+index 5698d4f..a957511 100644
+--- a/lib/x509/verify-high.c
 b/lib/x509/verify-high.c
+@@ -25,7 +25,7 @@
+ #include "errors.h"
+ #include 
+ #include 
+-#include   /* MAX */
++#include   /* MIN */
+ #include 
+ #include 
+ #include 
+@@ -1418,7 +1418,8 @@ 
gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+   int ret = 0;
+   unsigned int i;
+   size_t hash;
+-  gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
++  gnutls_x509_crt_t *cert_list_copy = NULL;
++  unsigned int cert_list_max_size = 0;
+   gnutls_x509_crt_t retrieved[DEFAULT_MAX_VERIFY_DEPTH];
+   unsigned int retrieved_size = 0;
+   const char *hostname = NULL, *purpose = NULL, *email = NULL;
+@@ -1472,16 +1473,26 @@ 
gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
+   }
+   }
+
+-  memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
+-  cert_list = sorted;
++  /* Allocate extra for retrieved certificates. */
++  if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH,
++  _list_max_size))
++  return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
++
++  cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size,
++sizeof(gnutls_x509_crt_t));
++  if (!cert_list_copy)
++  return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++
++  memcpy(cert_list_copy, cert_list,
++ cert_list_size * sizeof(gnutls_x509_crt_t));
++  cert_list = cert_list_copy;
+
+   ret = cert_set_init(_set, DEFAULT_MAX_VERIFY_DEPTH);
+   if (ret < 0) {
+   return ret;
+   }
+
+-  for (i = 0; i < cert_list_size &&
+- 

[oe-core][kirkstone][PATCH 1/2] gnutls: fix CVE-2024-28834

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability
that exploits deterministic behavior in systems like GnuTLS, leading to
side-channel leaks. In specific scenarios, such as when using the
GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in
nonce size from 513 to 512 bits, exposing a potential timing side-channel.

Signed-off-by: Archana Polampalli 
---
 .../gnutls/gnutls/CVE-2024-28834.patch| 457 ++
 meta/recipes-support/gnutls/gnutls_3.7.4.bb   |   1 +
 2 files changed, 458 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-28834.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-28834.patch 
b/meta/recipes-support/gnutls/gnutls/CVE-2024-28834.patch
new file mode 100644
index 00..6c06fc2782
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-28834.patch
@@ -0,0 +1,457 @@
+From 1c4701ffc342259fc5965d5a0de90d87f780e3e5 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno 
+Date: Fri, 12 Jan 2024 17:56:58 +0900
+Subject: [PATCH] nettle: avoid normalization of mpz_t in deterministic ECDSA
+
+This removes function calls that potentially leak bit-length of a
+private key used to calculate a nonce in deterministic ECDSA.  Namely:
+
+- _gnutls_dsa_compute_k has been rewritten to work on always
+  zero-padded mp_limb_t arrays instead of mpz_t
+- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
+  by a byte array instead of an mpz_t value
+
+Signed-off-by: Daiki Ueno 
+
+CVE: CVE-2024-28834
+
+Upstream-Status: Backport 
[https://gitlab.com/gnutls/gnutls/-/commit/1c4701ffc342259fc5965d5a0de90d87f780e3e5]
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/nettle/int/dsa-compute-k.c| 86 ---
+ lib/nettle/int/dsa-compute-k.h| 32 +---
+ lib/nettle/int/ecdsa-compute-k.c  | 32 +++-
+ lib/nettle/int/ecdsa-compute-k.h  |  8 +--
+ lib/nettle/pk.c   | 78 +++-
+ tests/sign-verify-deterministic.c |  2 +-
+ 6 files changed, 141 insertions(+), 97 deletions(-)
+
+diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
+index 3f5105a..f937693 100644
+--- a/lib/nettle/int/dsa-compute-k.c
 b/lib/nettle/int/dsa-compute-k.c
+@@ -31,33 +31,39 @@
+ #include "mpn-base256.h"
+ #include 
+
+-#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
+-
+-/* The maximum size of q, chosen from the fact that we support
+- * 521-bit elliptic curve generator and 512-bit DSA subgroup at
+- * maximum. */
+-#define MAX_Q_BITS 521
+-#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
+-#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
+-
+-#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
+-#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
+-
+-int
+-_gnutls_dsa_compute_k(mpz_t k,
+-const mpz_t q,
+-const mpz_t x,
+-gnutls_mac_algorithm_t mac,
+-const uint8_t *digest,
+-size_t length)
++/* For mini-gmp */
++#ifndef GMP_LIMB_BITS
++#define GMP_LIMB_BITS GMP_NUMB_BITS
++#endif
++
++static inline int is_zero_limb(mp_limb_t x)
++{
++  x |= (x << 1);
++  return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
++}
++
++static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
++{
++  volatile mp_limb_t w;
++  mp_size_t i;
++
++  for (i = 0, w = 0; i < n; i++)
++  w |= ap[i];
++
++
++  return is_zero_limb(w);
++}
++
++int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t 
*x,
++mp_size_t qn, mp_bitcnt_t q_bits,
++gnutls_mac_algorithm_t mac,
++const uint8_t *digest,
++size_t length)
+ {
+   uint8_t V[MAX_HASH_SIZE];
+   uint8_t K[MAX_HASH_SIZE];
+   uint8_t xp[MAX_Q_SIZE];
+   uint8_t tp[MAX_Q_SIZE];
+-  mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)];
+-  mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2);
+-  mp_size_t qn = mpz_size(q);
+   mp_bitcnt_t h_bits = length * 8;
+   mp_size_t hn = BITS_TO_LIMBS(h_bits);
+   size_t nbytes = (q_bits + 7) / 8;
+@@ -66,6 +72,7 @@ _gnutls_dsa_compute_k(mpz_t k,
+   mp_limb_t cy;
+   gnutls_hmac_hd_t hd;
+   int ret = 0;
++  mp_limb_t scratch[MAX_Q_LIMBS];
+
+   if (unlikely(q_bits > MAX_Q_BITS))
+   return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+@@ -73,7 +80,7 @@ _gnutls_dsa_compute_k(mpz_t k,
+   return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+   /* int2octets(x) */
+-  mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
++  mpn_get_base256(xp, nbytes, x, qn);
+
+   /* bits2octets(h) */
+   mpn_set_base256(h, hn, digest, length);
+@@ -97,12 +104,12 @@ _gnutls_dsa_compute_k(mpz_t k,
+   mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
+   }
+
+-  cy = mpn_sub_n(h, h, 

[oe-core][kirkstone][PATCH 2/2] openssh: fix CVE-2023-51385

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or
host name has shell metacharacters, and this name is referenced by an expansion
token in certain situations. For example, an untrusted Git repository can have a
submodule with shell metacharacters in a user name or host name.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-51385

Upstream patches:
https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a

Signed-off-by: Archana Polampalli 
---
 .../openssh/openssh/CVE-2023-51385.patch  | 97 +++
 .../openssh/openssh_8.9p1.bb  |  1 +
 2 files changed, 98 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch 
b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
new file mode 100644
index 00..b8e6813857
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
@@ -0,0 +1,97 @@
+From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" 
+Date: Mon, 18 Dec 2023 14:47:44 +
+Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
+ This makes ssh(1) refuse user or host names provided on the commandline that
+ contain most shell metacharacters.
+
+Some programs that invoke ssh(1) using untrusted data do not filter
+metacharacters in arguments they supply. This could create
+interactions with user-specified ProxyCommand and other directives
+that allow shell injection attacks to occur.
+
+It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+but getting this stuff right can be tricky, so this should prevent
+most obvious ways of creating risky situations. It however is not
+and cannot be perfect: ssh(1) has no practical way of interpreting
+what shell quoting rules are in use and how they interact with the
+user's specified ProxyCommand.
+
+To allow configurations that use strange user or hostnames to
+continue to work, this strictness is applied only to names coming
+from the commandline. Names specified using User or Hostname
+directives in ssh_config(5) are not affected.
+
+feedback/ok millert@ markus@ dtucker@ deraadt@
+
+OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+
+CVE: CVE-2023-51385
+
+Upstream-Status: Backport
+[https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a]
+
+Signed-off-by: Archana Polampalli 
+---
+ ssh.c | 39 +++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/ssh.c b/ssh.c
+index 8ff9788..82ed15f 100644
+--- a/ssh.c
 b/ssh.c
+@@ -611,6 +611,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
+   free(cinfo);
+ }
+
++static int
++valid_hostname(const char *s)
++{
++  size_t i;
++
++  if (*s == '-')
++  return 0;
++  for (i = 0; s[i] != 0; i++) {
++  if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++  isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++  return 0;
++  }
++  return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++  size_t i;
++
++  if (*s == '-')
++  return 0;
++  for (i = 0; s[i] != 0; i++) {
++  if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++  return 0;
++  /* Disallow '-' after whitespace */
++  if (isspace((u_char)s[i]) && s[i + 1] == '-')
++  return 0;
++  /* Disallow \ in last position */
++  if (s[i] == '\\' && s[i + 1] == '\0')
++  return 0;
++  }
++  return 1;
++}
++
+ /*
+  * Main program for the ssh client.
+  */
+@@ -1097,6 +1132,10 @@ main(int ac, char **av)
+   if (!host)
+   usage();
+
++  if (!valid_hostname(host))
++  fatal("hostname contains invalid characters");
++  if (options.user != NULL && !valid_ruser(options.user))
++  fatal("remote username contains invalid characters");
+   host_arg = xstrdup(host);
+
+   /* Initialize the command to execute on remote host. */
+--
+2.40.0
diff --git a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb 
b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
index 3860899540..bc8e2d81b8 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.9p1.bb
@@ -35,6 +35,7 @@ SRC_URI = 
"http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://fix-authorized-principals-command.patch \
file://CVE-2023-48795.patch \
file://CVE-2023-51384.patch \
+   file://CVE-2023-51385.patch \
"
 SRC_URI[sha256sum] = 
"fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent 

[oe-core][kirkstone][PATCH 1/2] openssh: fix CVE-2023-51384

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be
incompletely applied. When destination constraints are specified during
addition of PKCS#11-hosted private keys, these constraints are only applied
to the first key, even if a PKCS#11 token returns multiple keys.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-51384

Upstream patches:
https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b

Signed-off-by: Archana Polampalli 
---
 .../openssh/openssh/CVE-2023-51384.patch  | 171 ++
 .../openssh/openssh_8.9p1.bb  |   1 +
 2 files changed, 172 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch 
b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch
new file mode 100644
index 00..ead3256915
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51384.patch
@@ -0,0 +1,171 @@
+From 881d9c6af9da4257c69c327c4e2f1508b2fa754b Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" 
+Date: Mon, 18 Dec 2023 14:46:12 +
+Subject: [PATCH] upstream: apply destination constraints to all p11 keys
+
+Previously applied only to the first key returned from each token.
+
+ok markus@
+
+OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
+
+CVE: CVE-2023-51384
+
+Upstream-Status: Backport
+https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
+
+Signed-off-by: Archana Polampalli 
+---
+ ssh-agent.c | 102 +---
+ 1 file changed, 98 insertions(+), 4 deletions(-)
+
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 19eeaae..4dbb4f3 100644
+--- a/ssh-agent.c
 b/ssh-agent.c
+@@ -249,6 +249,90 @@ free_dest_constraints(struct dest_constraint *dcs, size_t 
ndcs)
+   free(dcs);
+ }
+
++static void
++dup_dest_constraint_hop(const struct dest_constraint_hop *dch,
++struct dest_constraint_hop *out)
++{
++  u_int i;
++  int r;
++
++  out->user = dch->user == NULL ? NULL : xstrdup(dch->user);
++  out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname);
++  out->is_ca = dch->is_ca;
++  out->nkeys = dch->nkeys;
++  out->keys = out->nkeys == 0 ? NULL :
++  xcalloc(out->nkeys, sizeof(*out->keys));
++  out->key_is_ca = out->nkeys == 0 ? NULL :
++  xcalloc(out->nkeys, sizeof(*out->key_is_ca));
++  for (i = 0; i < dch->nkeys; i++) {
++  if (dch->keys[i] != NULL &&
++  (r = sshkey_from_private(dch->keys[i],
++  &(out->keys[i]))) != 0)
++  fatal_fr(r, "copy key");
++  out->key_is_ca[i] = dch->key_is_ca[i];
++  }
++}
++
++static struct dest_constraint *
++dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs)
++{
++  size_t i;
++  struct dest_constraint *ret;
++
++  if (ndcs == 0)
++  return NULL;
++  ret = xcalloc(ndcs, sizeof(*ret));
++  for (i = 0; i < ndcs; i++) {
++  dup_dest_constraint_hop([i].from, [i].from);
++  dup_dest_constraint_hop([i].to, [i].to);
++  }
++  return ret;
++}
++
++#ifdef DEBUG_CONSTRAINTS
++static void
++dump_dest_constraint_hop(const struct dest_constraint_hop *dch)
++{
++  u_int i;
++  char *fp;
++
++  debug_f("user %s hostname %s is_ca %d nkeys %u",
++  dch->user == NULL ? "(null)" : dch->user,
++  dch->hostname == NULL ? "(null)" : dch->hostname,
++  dch->is_ca, dch->nkeys);
++  for (i = 0; i < dch->nkeys; i++) {
++  fp = NULL;
++  if (dch->keys[i] != NULL &&
++  (fp = sshkey_fingerprint(dch->keys[i],
++  SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
++  fatal_f("fingerprint failed");
++  debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys,
++  dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]),
++  dch->keys[i] == NULL ? "" : " ",
++  dch->keys[i] == NULL ? "none" : fp,
++  dch->key_is_ca[i]);
++  free(fp);
++  }
++}
++#endif /* DEBUG_CONSTRAINTS */
++
++static void
++dump_dest_constraints(const char *context,
++const struct dest_constraint *dcs, size_t ndcs)
++{
++#ifdef DEBUG_CONSTRAINTS
++  size_t i;
++
++  debug_f("%s: %zu constraints", context, ndcs);
++  for (i = 0; i < ndcs; i++) {
++  debug_f("constraint %zu / %zu: from: ", i, ndcs);
++  dump_dest_constraint_hop([i].from);
++  debug_f("constraint %zu / %zu: to: ", i, ndcs);
++  dump_dest_constraint_hop([i].to);
++  }
++  debug_f("done for %s", context);
++#endif /* DEBUG_CONSTRAINTS */
++}
+ static void
+ free_identity(Identity *id)
+ {
+@@ -520,13 +604,22 @@ 

[oe-core][kirkstone][PATCH 1/1] bluez5: fix CVE-2023-45866

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role
HID Device to initiate and establish an encrypted connection, and accept HID
keyboard reports,potentially permitting injection of HID messages when no user
interaction has occurred in the Central role to authorize such access. An 
example
affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases,
a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID 
Hosts issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45866

Upstream patches:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675

Signed-off-by: Archana Polampalli 
---
 meta/recipes-connectivity/bluez5/bluez5.inc   |  1 +
 .../bluez5/bluez5/CVE-2023-45866.patch| 56 +++
 2 files changed, 57 insertions(+)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc 
b/meta/recipes-connectivity/bluez5/bluez5.inc
index a8eaba1dd6..7786b65670 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -54,6 +54,7 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '', 
'file://0001-Allow-using-obexd-without-systemd-in-the-user-sessio.patch', d)} \

file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
file://0001-test-gatt-Fix-hung-issue.patch \
+  file://CVE-2023-45866.patch \
"
 S = "${WORKDIR}/bluez-${PV}"
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch 
b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
new file mode 100644
index 00..5bb31d866a
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
@@ -0,0 +1,56 @@
+From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz 
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: [PATCH] input.conf: Change default of ClassicBondedOnly
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+  5.4.3.4.2 Security Modes
+  Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+  Bluetooth HID devices that are compliant to the Bluetooth Core
+  Specification v2.1+EDR[6].
+
+Upstream-Status: Backport
+[https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675]
+
+CVE: CVE-2023-45866
+
+Signed-off-by: Archana Polampalli 
+---
+ profiles/input/device.c   | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 4a50ea9..4310dd1 100644
+--- a/profiles/input/device.c
 b/profiles/input/device.c
+@@ -81,7 +81,7 @@ struct input_device {
+
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
++static bool classic_bonded_only = true;
+
+ void input_set_idle_timeout(int timeout)
+ {
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 4c70bc5..d8645f3 100644
+--- a/profiles/input/input.conf
 b/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+ # platforms may want to make sure that input connections only come from bonded
+ # device connections. Several older mice have been known for not supporting
+ # pairing/encryption.
+-# Defaults to false to maximize device compatibility.
++# Defaults to true for security.
+ #ClassicBondedOnly=true
+
+ # LE upgrade security
+--
+2.40.0
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#192046): 
https://lists.openembedded.org/g/openembedded-core/message/192046
Mute This Topic: https://lists.openembedded.org/mt/103053193/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][PATCH 1/1] bluez5: fix CVE-2023-45866

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role
HID Device to initiate and establish an encrypted connection, and accept HID
keyboard reports,potentially permitting injection of HID messages when no user
interaction has occurred in the Central role to authorize such access. An 
example
affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases,
a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID 
Hosts issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45866

Upstream patches:
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675

Signed-off-by: Archana Polampalli 
---
 meta/recipes-connectivity/bluez5/bluez5.inc   |  1 +
 .../bluez5/bluez5/CVE-2023-45866.patch| 56 +++
 2 files changed, 57 insertions(+)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch

diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc 
b/meta/recipes-connectivity/bluez5/bluez5.inc
index a23e4e58a6..0bb157e202 100644
--- a/meta/recipes-connectivity/bluez5/bluez5.inc
+++ b/meta/recipes-connectivity/bluez5/bluez5.inc
@@ -56,6 +56,7 @@ SRC_URI = 
"${KERNELORG_MIRROR}/linux/bluetooth/bluez-${PV}.tar.xz \
file://0001-test-gatt-Fix-hung-issue.patch \
file://0004-src-shared-util.c-include-linux-limits.h.patch \

file://0002-input-Fix-.device_probe-failing-if-SDP-record-is-not.patch \
+  file://CVE-2023-45866.patch \
"
 S = "${WORKDIR}/bluez-${PV}"
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch 
b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
new file mode 100644
index 00..5bb31d866a
--- /dev/null
+++ b/meta/recipes-connectivity/bluez5/bluez5/CVE-2023-45866.patch
@@ -0,0 +1,56 @@
+From 25a471a83e02e1effb15d5a488b3f0085eaeb675 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz 
+Date: Tue, 10 Oct 2023 13:03:12 -0700
+Subject: [PATCH] input.conf: Change default of ClassicBondedOnly
+
+This changes the default of ClassicBondedOnly since defaulting to false
+is not inline with HID specification which mandates the of Security Mode
+4:
+
+BLUETOOTH SPECIFICATION Page 84 of 123
+Human Interface Device (HID) Profile:
+
+  5.4.3.4.2 Security Modes
+  Bluetooth HID Hosts shall use Security Mode 4 when interoperating with
+  Bluetooth HID devices that are compliant to the Bluetooth Core
+  Specification v2.1+EDR[6].
+
+Upstream-Status: Backport
+[https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/profiles/input?id=25a471a83e02e1effb15d5a488b3f0085eaeb675]
+
+CVE: CVE-2023-45866
+
+Signed-off-by: Archana Polampalli 
+---
+ profiles/input/device.c   | 2 +-
+ profiles/input/input.conf | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/profiles/input/device.c b/profiles/input/device.c
+index 4a50ea9..4310dd1 100644
+--- a/profiles/input/device.c
 b/profiles/input/device.c
+@@ -81,7 +81,7 @@ struct input_device {
+
+ static int idle_timeout = 0;
+ static bool uhid_enabled = false;
+-static bool classic_bonded_only = false;
++static bool classic_bonded_only = true;
+
+ void input_set_idle_timeout(int timeout)
+ {
+diff --git a/profiles/input/input.conf b/profiles/input/input.conf
+index 4c70bc5..d8645f3 100644
+--- a/profiles/input/input.conf
 b/profiles/input/input.conf
+@@ -17,7 +17,7 @@
+ # platforms may want to make sure that input connections only come from bonded
+ # device connections. Several older mice have been known for not supporting
+ # pairing/encryption.
+-# Defaults to false to maximize device compatibility.
++# Defaults to true for security.
+ #ClassicBondedOnly=true
+
+ # LE upgrade security
+--
+2.40.0
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#192045): 
https://lists.openembedded.org/g/openembedded-core/message/192045
Mute This Topic: https://lists.openembedded.org/mt/103053192/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][master][kirkstone][PATCH 1/1] vim: Upgrade 9.0.2068 -> 9.0.2112

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

This includes CVE fix for CVE-2023-48237.
6bf131888 (tag: v9.0.2112) patch 9.0.2112: [security]: overflow in shift_line

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-48237

Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index e8942cbc2d..de350c4110 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".2068"
-SRCREV = "9198c1f2b1ddecde22af918541e0de2a32f0f45a"
+PV .= ".2112"
+SRCREV = "6bf131888a3d1de62bbfa8a7ea03c0ddccfd496e"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191141): 
https://lists.openembedded.org/g/openembedded-core/message/191141
Mute This Topic: https://lists.openembedded.org/mt/102764880/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] gstreamer1.0-plugins-bad: fix CVE-2023-44429

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

AV1 codec parser buffer overflow

Signed-off-by: Archana Polampalli 
---
 .../CVE-2023-44429.patch  | 38 +++
 .../gstreamer1.0-plugins-bad_1.20.7.bb|  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch

diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch
new file mode 100644
index 00..5070d6b865
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch
@@ -0,0 +1,38 @@
+From 1db83d3f745332cbda6adf954b2c53a10caa205e Mon Sep 17 00:00:00 2001
+From: Benjamin Gaignard 
+Date: Wed, 4 Oct 2023 11:14:38 +0200
+Subject: [PATCH] codecparsers: av1: Clip max tile rows and cols values
+
+Clip tile rows and cols to 64 as describe in AV1 specification.
+
+Fixes ZDI-CAN-6 / CVE-2023-44429
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3015
+
+Part-of: 

+
+CVE: CVE-2023-44429
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1db83d3f745332cbda6adf954b2c53a10caa205e]
+
+Signed-off-by: Archana Polampalli 
+---
+ gst-libs/gst/codecparsers/gstav1parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gst-libs/gst/codecparsers/gstav1parser.c 
b/gst-libs/gst/codecparsers/gstav1parser.c
+index 7b9378c..68f8a76 100644
+--- a/gst-libs/gst/codecparsers/gstav1parser.c
 b/gst-libs/gst/codecparsers/gstav1parser.c
+@@ -2219,6 +2219,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, 
GstBitReader * br,
+   ((parser->state.mi_cols + 31) >> 5) : ((parser->state.mi_cols + 15) >> 
4);
+   sb_rows = seq_header->use_128x128_superblock ? ((parser->state.mi_rows +
+   31) >> 5) : ((parser->state.mi_rows + 15) >> 4);
++  sb_cols = MIN (GST_AV1_MAX_TILE_COLS, sb_cols);
++  sb_rows = MIN (GST_AV1_MAX_TILE_ROWS, sb_rows);
+   sb_shift = seq_header->use_128x128_superblock ? 5 : 4;
+   sb_size = sb_shift + 2;
+   max_tile_width_sb = GST_AV1_MAX_TILE_WIDTH >> sb_size;
+--
+2.40.0
diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index fbaabda3f9..504cfce1fd 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -13,6 +13,7 @@ SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
file://CVE-2023-40474.patch \
file://CVE-2023-40475.patch \
file://CVE-2023-40476.patch \
+   file://CVE-2023-44429.patch \
"
 SRC_URI[sha256sum] = 
"87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191069): 
https://lists.openembedded.org/g/openembedded-core/message/191069
Mute This Topic: https://lists.openembedded.org/mt/102747135/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [oe-core][master][kirkstone][PATCH 1/1] vim: Upgrade 9.0.2048 -> 9.0.2068

[Polampalli, Archana via lists.openembedded.org]

Oh Sorry, Sent V2.

Regards,
Archana

From: Richard Purdie 
Sent: Thursday, November 16, 2023 19:40
To: Polampalli, Archana ; 
openembedded-core@lists.openembedded.org 

Subject: Re: [oe-core][master][kirkstone][PATCH 1/1] vim: Upgrade 9.0.2048 -> 
9.0.2068

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

On Thu, 2023-11-16 at 04:15 +0000, Polampalli, Archana via
lists.openembedded.org wrote:
> From: Archana Polampalli 
>
> This includes CVE fix for CVE-2023-46246.
> 9198c1f2b (tag: v9.0.2068) patch 9.0.2068: [security] overflow in :history
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-46246
>
> Signed-off-by: Archana Polampalli 
> ---
>  meta/recipes-support/vim/vim.inc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-support/vim/vim.inc 
> b/meta/recipes-support/vim/vim.inc
> index 38212a1fa6..2ef7fecc3f 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -19,7 +19,7 @@ SRC_URI = 
> "git://github.com/vim/vim.git;branch=master;protocol=https \
> file://no-path-adjust.patch \
> "
>
> -PV .= ".2048"
> +PV .= ".2068"
>  SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
>
>  # Do not consider .z in x.y.z, as that is updated with every commit

This doesn't change SRCREV so the update isn't correct.

Cheers,

Richard


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190829): 
https://lists.openembedded.org/g/openembedded-core/message/190829
Mute This Topic: https://lists.openembedded.org/mt/102621490/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][dunfell][PATCH V2 1/1] vim: Upgrade 9.0.2048 -> 9.0.2068

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

This includes CVE fix for CVE-2023-46246.
9198c1f2b (tag: v9.0.2068) patch 9.0.2068: [security] overflow in :history

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-46246

Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index a12e3c8d89..9a74a52b52 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".2048"
-SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
+PV .= ".2068"
+SRCREV = "9198c1f2b1ddecde22af918541e0de2a32f0f45a"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190828): 
https://lists.openembedded.org/g/openembedded-core/message/190828
Mute This Topic: https://lists.openembedded.org/mt/102641479/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][master][kirkstone][PATCH V2 1/1] vim: Upgrade 9.0.2048 -> 9.0.2068

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

This includes CVE fix for CVE-2023-46246.
9198c1f2b (tag: v9.0.2068) patch 9.0.2068: [security] overflow in :history

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-46246

Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 58025828f2..e8942cbc2d 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".2048"
-SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
+PV .= ".2068"
+SRCREV = "9198c1f2b1ddecde22af918541e0de2a32f0f45a"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190827): 
https://lists.openembedded.org/g/openembedded-core/message/190827
Mute This Topic: https://lists.openembedded.org/mt/102641476/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][dunfell][PATCH 3/3] vim: Upgrade 9.0.2048 -> 9.0.2068

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

This includes CVE fix for CVE-2023-46246.
9198c1f2b (tag: v9.0.2068) patch 9.0.2068: [security] overflow in :history

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-46246

Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index a12e3c8d89..383db8b874 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,7 +19,7 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".2048"
+PV .= ".2068"
 SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190766): 
https://lists.openembedded.org/g/openembedded-core/message/190766
Mute This Topic: https://lists.openembedded.org/mt/102623318/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][dunfell][PATCH 2/3] vim: Improve locale handling

[Polampalli, Archana via lists.openembedded.org]

From: Richard Purdie 

When making checkouts from git, the timestamps can vary and occasionally two 
files
can end up with the same stamp. This triggers make to regenerate ru.cp1251.po 
from
ru.po for example. If it isn't regenerated, the output isn't quite the same 
leading
to reproducibility issues (CP1251 vs cp1251).

Since we added all locales to buildtools tarball now, we can drop the locale
restrictions too. We need to generate a native binary for the sjis conversion
tool so also tweak that.

(From OE-Core rev: 042c1a501b1dae5ddb31307b461be02c3591c589)

Signed-off-by: Richard Purdie 
Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 14 --
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 10406d8b26..a12e3c8d89 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -40,22 +40,16 @@ do_configure () {
 cd src
 rm -f auto/*
 touch auto/config.mk
+# git timestamps aren't reliable and we want to consistently regenerate 
these generated files
+rm -f po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po 
po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po 
po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po
 aclocal
 autoconf
 cd ..
 oe_runconf
 touch src/auto/configure
 touch src/auto/config.mk src/auto/config.h
-}
-
-do_compile() {
-# We do not support fully / correctly the following locales.  Attempting
-# to use these with msgfmt in order to update the ".desktop" files exposes
-# this problem and leads to the compile failing.
-for LOCALE in cs fr ko pl sk zh_CN zh_TW;do
-echo -n > src/po/${LOCALE}.po
-done
-autotools_do_compile
+# need a native tool, not a target one
+${BUILD_CC} src/po/sjiscorr.c -o src/po/sjiscorr
 }
 
 PACKAGECONFIG ??= "\
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190765): 
https://lists.openembedded.org/g/openembedded-core/message/190765
Mute This Topic: https://lists.openembedded.org/mt/102623317/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][dunfell][PATCH 1/3] vim: update obsolete comment

[Polampalli, Archana via lists.openembedded.org]

From: Etienne Cordonnier 

vim 8.3 has been out for a long time, so this comment is obsolete.
However we still need UPSTREAM_VERSION_UNKNOWN, since we ignore
the last digit of the upstream version number.

Test result:
$ devtool check-upgrade-status vim
  ...
  INFO: vim   9.0.1592UNKNOWN Tom Rini 
 c0370529c027abc5b1698d53fcfb8c02a0c515da

(From OE-Core rev: 65f5de85c3f488136d1ec2b1f7fe8d8426d6c5b3)

(From OE-Core rev: 72af322b6b8afd64a59b30a4f0fc3f8c6dfaa06a)

Signed-off-by: Etienne Cordonnier 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
(cherry picked from commit 868a19357841470eb55fb7f1c4ab1af09dea99ed)
Signed-off-by: Steve Sakoman 
Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index d8e88af22e..10406d8b26 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -22,11 +22,10 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
 PV .= ".2048"
 SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
 
-# Remove when 8.3 is out
-UPSTREAM_VERSION_UNKNOWN = "1"
-
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
+# Ignore that the upstream version .z in x.y.z is always newer
+UPSTREAM_VERSION_UNKNOWN = "1"
 
 S = "${WORKDIR}/git"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190764): 
https://lists.openembedded.org/g/openembedded-core/message/190764
Mute This Topic: https://lists.openembedded.org/mt/102623316/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][master][kirkstone][PATCH 1/1] vim: Upgrade 9.0.2048 -> 9.0.2068

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

This includes CVE fix for CVE-2023-46246.
9198c1f2b (tag: v9.0.2068) patch 9.0.2068: [security] overflow in :history

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-46246

Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 38212a1fa6..2ef7fecc3f 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,7 +19,7 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".2048"
+PV .= ".2068"
 SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190752): 
https://lists.openembedded.org/g/openembedded-core/message/190752
Mute This Topic: https://lists.openembedded.org/mt/102621490/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH 2/2] vim: Improve locale handling

[Polampalli, Archana via lists.openembedded.org]

Thank you for the confirmation.

Regards,
Archana

From: Richard Purdie 
Sent: Wednesday, November 15, 2023 18:07
To: Polampalli, Archana ; 
openembedded-core@lists.openembedded.org 

Subject: Re: [OE-core] [PATCH 2/2] vim: Improve locale handling

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

On Wed, 2023-11-15 at 12:11 +, Polampalli, Archana wrote:
>
> Hi Richard,
>
>
> I am planning to send Vim upgrade patch for all branches.
>
>
> Could you please confirm Is it applicable to other branches as well,
> if yes please confirm are you planning to send other branches also It
> will avoid patch conflicts to further vim patches.

It is applicable to all branches and I believe our LTS maintainer has
it queued for them already.

Cheers,

Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190594): 
https://lists.openembedded.org/g/openembedded-core/message/190594
Mute This Topic: https://lists.openembedded.org/mt/102595254/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH 2/2] vim: Improve locale handling

[Polampalli, Archana via lists.openembedded.org]

Hi Richard,

I am planning to send Vim upgrade patch for all branches.

Could you please confirm Is it applicable to other branches as well, if yes 
please confirm are you planning to send other branches also It will avoid patch 
conflicts to further vim patches.

Regards,
Archana

From: openembedded-core@lists.openembedded.org 
 on behalf of Richard Purdie via 
lists.openembedded.org 

Sent: Wednesday, November 15, 2023 05:02
To: openembedded-core@lists.openembedded.org 

Subject: [OE-core] [PATCH 2/2] vim: Improve locale handling

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

When making checkouts from git, the timestamps can vary and occasionally two 
files
can end up with the same stamp. This triggers make to regenerate ru.cp1251.po 
from
ru.po for example. If it isn't regenerated, the output isn't quite the same 
leading
to reproducibility issues (CP1251 vs cp1251).

Since we added all locales to buildtools tarball now, we can drop the locale
restrictions too. We need to generate a native binary for the sjis conversion
tool so also tweak that.

Signed-off-by: Richard Purdie 
---
 meta/recipes-support/vim/vim.inc | 14 --
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 58025828f2b..38212a1fa60 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -40,22 +40,16 @@ do_configure () {
 cd src
 rm -f auto/*
 touch auto/config.mk
+# git timestamps aren't reliable and we want to consistently regenerate 
these generated files
+rm -f po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po 
po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po 
po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po
 aclocal
 autoconf
 cd ..
 oe_runconf
 touch src/auto/configure
 touch src/auto/config.mk src/auto/config.h
-}
-
-do_compile() {
-# We do not support fully / correctly the following locales.  Attempting
-# to use these with msgfmt in order to update the ".desktop" files exposes
-# this problem and leads to the compile failing.
-for LOCALE in cs fr ko pl sk zh_CN zh_TW;do
-echo -n > src/po/${LOCALE}.po
-done
-autotools_do_compile
+# need a native tool, not a target one
+${BUILD_CC} src/po/sjiscorr.c -o src/po/sjiscorr
 }

 PACKAGECONFIG ??= "\
--
2.39.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190589): 
https://lists.openembedded.org/g/openembedded-core/message/190589
Mute This Topic: https://lists.openembedded.org/mt/102595254/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][dunfell][PATCH 1/1] go: ignore CVE-2023-45283 & CVE-2023-45284

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

Only affects code running on Windows

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-45284
https://nvd.nist.gov/vuln/detail/CVE-2023-45283
https://groups.google.com/g/golang-announce/c/4tU8LZfBFkY

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/go/go-1.14.inc | 4 
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 091b778de8..b8b7fd0c46 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -115,3 +115,7 @@ CVE_CHECK_WHITELIST += "CVE-2022-41716"
 
 # Issue introduced in go1.15beta1, does not exist in 1.14
 CVE_CHECK_WHITELIST += "CVE-2022-1705"
+
+# Only affects code running on Windows
+CVE_CHECK_WHITELIST += "CVE-2023-45283"
+CVE_CHECK_WHITELIST += "CVE-2023-45284"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190491): 
https://lists.openembedded.org/g/openembedded-core/message/190491
Mute This Topic: https://lists.openembedded.org/mt/102580081/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 2/2] curl: fix CVE-2023-38546

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

A flaw was found in the Curl package. This flaw allows an attacker to insert
cookies into a running program using libcurl if the specific series of 
conditions are met.

Signed-off-by: Archana Polampalli 
---
 .../curl/curl/CVE-2023-38546.patch| 137 ++
 meta/recipes-support/curl/curl_7.82.0.bb  |   1 +
 2 files changed, 138 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-38546.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch 
b/meta/recipes-support/curl/curl/CVE-2023-38546.patch
new file mode 100644
index 00..1b2f1e7a7d
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch
@@ -0,0 +1,137 @@
+From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg 
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH] cookie: remove unnecessary struct fields
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+
+Upstream-Status: Backport 
[https://github.com/curl/curl/commit/61275672b46d9abb32857404]
+
+CVE: CVE-2023-38546
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/cookie.c | 13 +
+ lib/cookie.h | 13 -
+ lib/easy.c   |  4 +---
+ 3 files changed, 6 insertions(+), 24 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index e0470a1..38d8d6c 100644
+--- a/lib/cookie.c
 b/lib/cookie.c
+@@ -115,7 +115,6 @@ static void freecookie(struct Cookie *co)
+   free(co->name);
+   free(co->value);
+   free(co->maxage);
+-  free(co->version);
+   free(co);
+ }
+
+@@ -707,11 +706,7 @@ Curl_cookie_add(struct Curl_easy *data,
+   }
+ }
+ else if(strcasecompare("version", name)) {
+-  strstore(>version, whatptr);
+-  if(!co->version) {
+-badcookie = TRUE;
+-break;
+-  }
++  /* just ignore */
+ }
+ else if(strcasecompare("max-age", name)) {
+   /*
+@@ -1132,7 +1127,6 @@ Curl_cookie_add(struct Curl_easy *data,
+ free(clist->path);
+ free(clist->spath);
+ free(clist->expirestr);
+-free(clist->version);
+ free(clist->maxage);
+
+ *clist = *co;  /* then store all the new data */
+@@ -1210,9 +1204,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy 
*data,
+ c = calloc(1, sizeof(struct CookieInfo));
+ if(!c)
+   return NULL; /* failed to get memory */
+-c->filename = strdup(file?file:"none"); /* copy the name just in case */
+-if(!c->filename)
+-  goto fail; /* failed to get memory */
+ /*
+  * Initialize the next_expiration time to signal that we don't have enough
+  * information yet.
+@@ -1363,7 +1354,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+ CLONE(name);
+ CLONE(value);
+ CLONE(maxage);
+-CLONE(version);
+ d->expires = src->expires;
+ d->tailmatch = src->tailmatch;
+ d->secure = src->secure;
+@@ -1579,7 +1569,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+   if(c) {
+ unsigned int i;
+-free(c->filename);
+ for(i = 0; i < COOKIE_HASH_SIZE; i++)
+   Curl_cookie_freelist(c->cookies[i]);
+ free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index 7411980..645600a 100644
+--- a/lib/cookie.h
 b/lib/cookie.h
+@@ -34,11 +34,7 @@ struct Cookie {
+   char *domain;  /* domain =  */
+   curl_off_t expires;  /* expires =  */
+   char *expirestr;   /* the plain text version */
+-
+-  /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+-  char *version; /* Version =  */
+   char *maxage;  /* Max-Age =  */
+-
+   bool tailmatch;/* whether we do tail-matching of the domain name */
+   bool secure;   /* whether the 'secure' keyword was used */
+   bool livecookie;   /* updated from a server, not a stored file */
+@@ -54,18 +50,17 @@ struct Cookie {
+ #define COOKIE_PREFIX__SECURE (1<<0)
+ #define COOKIE_PREFIX__HOST (1<<1)
+
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+
+ struct CookieInfo {
+   /* linked list of cookies we know of */
+   struct Cookie *cookies[COOKIE_HASH_SIZE];
+
+-  char *filename;  /* file we read from/write to */
+-  long numcookies; /* number of cookies in the "jar" */
++  curl_off_t next_expiration; /* the next time at which expiration happens */
++  int numcookies;  /* number of cookies in the "jar" */
++  int lastct;  /* last creation-time used in the jar */
+   bool running;/* state info, for cookie adding information */
+   bool newsession; /* new session, discard session cookies on load */
+-  int lastct;  /* last creation-time used in the jar */
+-  curl_off_t next_expiration; /* the next time at which expiration happens */
+ };
+
+ /* This is the maximum line length we accept for a cookie line. RFC 2109
+diff --git 

[oe-core][kirkstone][PATCH 1/2] curl: fix CVE-2023-38545

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.

Signed-off-by: Archana Polampalli 
---
 .../curl/curl/CVE-2023-38545.patch| 133 ++
 meta/recipes-support/curl/curl_7.82.0.bb  |   1 +
 2 files changed, 134 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-38545.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-38545.patch 
b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
new file mode 100644
index 00..c198d29c04
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
@@ -0,0 +1,133 @@
+From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001
+From: Jay Satiro 
+Date: Wed, 11 Oct 2023 07:34:19 +0200
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+Upstream-Status: Backport 
[https://github.com/curl/curl/commit/fb4415d8aee6c1045be932a34fe6107c2f5ed147]
+
+CVE: CVE-2023-38545
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/socks.c |  8 +++---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test722  | 64 +
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test722
+
+diff --git a/lib/socks.c b/lib/socks.c
+index a014aa6..2215c02 100644
+--- a/lib/socks.c
 b/lib/socks.c
+@@ -536,9 +536,9 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
+
+ /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+ if(!socks5_resolve_local && hostname_len > 255) {
+-  infof(data, "SOCKS5: server resolving disabled for hostnames of "
+-"length > 255 [actual len=%zu]", hostname_len);
+-  socks5_resolve_local = TRUE;
++  failf(data, "SOCKS5: the destination hostname is too long to be "
++"resolved remotely by the proxy.");
++  return CURLPX_LONG_HOSTNAME;
+ }
+
+ if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -879,7 +879,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user,
+   }
+   else {
+ socksreq[len++] = 3;
+-socksreq[len++] = (char) hostname_len; /* one byte address length */
++  socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+ memcpy([len], hostname, hostname_len); /* address w/o NULL */
+ len += hostname_len;
+   }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 3064b39..47117b6 100644
+--- a/tests/data/Makefile.inc
 b/tests/data/Makefile.inc
+@@ -99,7 +99,7 @@ test670 test671 test672 test673 test674 test675 test676 
test677 test678 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+-test718 test719 test720 test721 \
++test718 test719 test720 test721 test722 \
+ \
+ test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
+diff --git a/tests/data/test722 b/tests/data/test722
+new file mode 100644
+index 000..05bcf28
+--- /dev/null
 b/tests/data/test722
+@@ -0,0 +1,64 @@
++
++
++
++HTTP
++HTTP GET
++SOCKS5
++SOCKS5h
++followlocation
++
++
++
++#
++# Server-side
++
++# The hostname in this redirect is 256 characters and too long (> 255) for
++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
++
++HTTP/1.1 301 Moved Permanently
++Location: 
http:///
++Content-Length: 0
++Connection: close
++
++
++
++
++#
++# Client-side
++
++
++proxy
++
++
++http
++socks5
++
++ 
++SOCKS5h with HTTP redirect to hostname too long
++ 
++ 
++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT 
http://%HOSTIP:%HTTPPORT/%TESTNUMBER
++
++
++
++#
++# Verify data after the test has been "shot"
++
++
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++
++
++97
++
++# the error message is verified because error code CURLE_PROXY (97) may be
++# returned for any number of reasons and we need to make sure it is
++# specifically for the reason below so that we know the check is working.
++
++curl: (97) SOCKS5: the destination hostname is too long to be resolved 
remotely by the proxy.
++
++
++
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb 
b/meta/recipes-support/curl/curl_7.82.0.bb
index af52ecad13..86a3a84332 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb

[oe-core]mickledore][PATCH V2 1/1] curl: fix CVE-2023-38546

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

A flaw was found in the Curl package. This flaw allows an attacker to insert
cookies into a running program using libcurl if the specific series of 
conditions are met.

Signed-off-by: Archana Polampalli 
---
 .../curl/curl/CVE-2023-38546.patch| 137 ++
 meta/recipes-support/curl/curl_8.0.1.bb   |   1 +
 2 files changed, 138 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-38546.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch 
b/meta/recipes-support/curl/curl/CVE-2023-38546.patch
new file mode 100644
index 00..2c97c4d5a5
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch
@@ -0,0 +1,137 @@
+From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg 
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH] cookie: remove unnecessary struct fields
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+
+Upstream-Status: Backport 
[https://github.com/curl/curl/commit/61275672b46d9abb32857404]
+
+CVE: CVE-2023-38546
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/cookie.c | 13 +
+ lib/cookie.h | 14 --
+ lib/easy.c   |  4 +---
+ 3 files changed, 6 insertions(+), 25 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0c6e0f7..d346203 100644
+--- a/lib/cookie.c
 b/lib/cookie.c
+@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
+   free(co->name);
+   free(co->value);
+   free(co->maxage);
+-  free(co->version);
+   free(co);
+ }
+
+@@ -726,11 +725,7 @@ Curl_cookie_add(struct Curl_easy *data,
+   }
+ }
+ else if((nlen == 7) && strncasecompare("version", namep, 7)) {
+-  strstore(>version, valuep, vlen);
+-  if(!co->version) {
+-badcookie = TRUE;
+-break;
+-  }
++  /* just ignore */
+ }
+ else if((nlen == 7) && strncasecompare("max-age", namep, 7)) {
+   /*
+@@ -1174,7 +1169,6 @@ Curl_cookie_add(struct Curl_easy *data,
+ free(clist->path);
+ free(clist->spath);
+ free(clist->expirestr);
+-free(clist->version);
+ free(clist->maxage);
+
+ *clist = *co;  /* then store all the new data */
+@@ -1238,9 +1232,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy 
*data,
+ c = calloc(1, sizeof(struct CookieInfo));
+ if(!c)
+   return NULL; /* failed to get memory */
+-c->filename = strdup(file?file:"none"); /* copy the name just in case */
+-if(!c->filename)
+-  goto fail; /* failed to get memory */
+ /*
+  * Initialize the next_expiration time to signal that we don't have enough
+  * information yet.
+@@ -1394,7 +1385,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+ CLONE(name);
+ CLONE(value);
+ CLONE(maxage);
+-CLONE(version);
+ d->expires = src->expires;
+ d->tailmatch = src->tailmatch;
+ d->secure = src->secure;
+@@ -1611,7 +1601,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+   if(c) {
+ unsigned int i;
+-free(c->filename);
+ for(i = 0; i < COOKIE_HASH_SIZE; i++)
+   Curl_cookie_freelist(c->cookies[i]);
+ free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index 39bb08b..3a43bbf 100644
+--- a/lib/cookie.h
 b/lib/cookie.h
+@@ -36,11 +36,7 @@ struct Cookie {
+   char *domain;  /* domain =  */
+   curl_off_t expires;  /* expires =  */
+   char *expirestr;   /* the plain text version */
+-
+-  /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
+-  char *version; /* Version =  */
+   char *maxage;  /* Max-Age =  */
+-
+   bool tailmatch;/* whether we do tail-matching of the domain name */
+   bool secure;   /* whether the 'secure' keyword was used */
+   bool livecookie;   /* updated from a server, not a stored file */
+@@ -56,18 +52,16 @@ struct Cookie {
+ #define COOKIE_PREFIX__SECURE (1<<0)
+ #define COOKIE_PREFIX__HOST (1<<1)
+
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+
+ struct CookieInfo {
+   /* linked list of cookies we know of */
+   struct Cookie *cookies[COOKIE_HASH_SIZE];
+-
+-  char *filename;  /* file we read from/write to */
+-  long numcookies; /* number of cookies in the "jar" */
++  curl_off_t next_expiration; /* the next time at which expiration happens */
++  int numcookies;  /* number of cookies in the "jar" */
++  int lastct;  /* last creation-time used in the jar */
+   bool running;/* state info, for cookie adding information */
+   bool newsession; /* new session, discard session cookies on load */
+-  int lastct;  /* last creation-time used in the jar */
+-  curl_off_t next_expiration; /* the next time at which expiration happens */
+ };
+
+ /* This is the maximum line length we accept for a cookie line. RFC 

[oe-core][mickledore][PATCH 2/2] curl: fix CVE-2023-38546

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

A flaw was found in the Curl package. This flaw allows an attacker to insert
cookies into a running program using libcurl if the specific series of 
conditions are met.

Signed-off-by: Archana Polampalli 
---
 .../curl/curl/CVE-2023-38546.patch| 125 ++
 meta/recipes-support/curl/curl_8.0.1.bb   |   1 +
 2 files changed, 126 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-38546.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-38546.patch 
b/meta/recipes-support/curl/curl/CVE-2023-38546.patch
new file mode 100644
index 00..c1d60fe656
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38546.patch
@@ -0,0 +1,125 @@
+From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg 
+Date: Thu, 14 Sep 2023 23:28:32 +0200
+Subject: [PATCH] cookie: remove unnecessary struct fields
+
+Plus: reduce the hash table size from 256 to 63. It seems unlikely to
+make much of a speed difference for most use cases but saves 1.5KB of
+data per instance.
+
+Closes #11862
+
+Upstream-Status: Backport 
[https://github.com/curl/curl/commit/61275672b46d9abb32857404]
+
+CVE: CVE-2023-38546
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/cookie.c | 13 +
+ lib/cookie.h |  9 -
+ lib/easy.c   |  4 +---
+ 3 files changed, 6 insertions(+), 20 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0c6e0f7..f9dfa50 100644
+--- a/lib/cookie.c
 b/lib/cookie.c
+@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
+   free(co->name);
+   free(co->value);
+   free(co->maxage);
+-  free(co->version);
+   free(co);
+ }
+
+@@ -726,11 +725,7 @@ Curl_cookie_add(struct Curl_easy *data,
+   }
+ }
+ else if((nlen == 7) && strncasecompare("version", namep, 7)) {
+-  strstore(>version, valuep, vlen);
+-  if(!co->version) {
+-badcookie = TRUE;
+-break;
+-  }
++/* just ignore */
+ }
+ else if((nlen == 7) && strncasecompare("max-age", namep, 7)) {
+   /*
+@@ -1174,7 +1169,6 @@ Curl_cookie_add(struct Curl_easy *data,
+ free(clist->path);
+ free(clist->spath);
+ free(clist->expirestr);
+-free(clist->version);
+ free(clist->maxage);
+
+ *clist = *co;  /* then store all the new data */
+@@ -1238,9 +1232,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy 
*data,
+ c = calloc(1, sizeof(struct CookieInfo));
+ if(!c)
+   return NULL; /* failed to get memory */
+-c->filename = strdup(file?file:"none"); /* copy the name just in case */
+-if(!c->filename)
+-  goto fail; /* failed to get memory */
+ /*
+  * Initialize the next_expiration time to signal that we don't have enough
+  * information yet.
+@@ -1394,7 +1385,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
+ CLONE(name);
+ CLONE(value);
+ CLONE(maxage);
+-CLONE(version);
+ d->expires = src->expires;
+ d->tailmatch = src->tailmatch;
+ d->secure = src->secure;
+@@ -1611,7 +1601,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
+ {
+   if(c) {
+ unsigned int i;
+-free(c->filename);
+ for(i = 0; i < COOKIE_HASH_SIZE; i++)
+   Curl_cookie_freelist(c->cookies[i]);
+ free(c); /* free the base struct as well */
+diff --git a/lib/cookie.h b/lib/cookie.h
+index 39bb08b..f852c68 100644
+--- a/lib/cookie.h
 b/lib/cookie.h
+@@ -56,18 +56,17 @@ struct Cookie {
+ #define COOKIE_PREFIX__SECURE (1<<0)
+ #define COOKIE_PREFIX__HOST (1<<1)
+
+-#define COOKIE_HASH_SIZE 256
++#define COOKIE_HASH_SIZE 63
+
+ struct CookieInfo {
+   /* linked list of cookies we know of */
+   struct Cookie *cookies[COOKIE_HASH_SIZE];
+
+-  char *filename;  /* file we read from/write to */
+-  long numcookies; /* number of cookies in the "jar" */
++  curl_off_t next_expiration; /* the next time at which expiration happens */
++  int numcookies;  /* number of cookies in the "jar" */
++  int lastct;  /* last creation-time used in the jar */
+   bool running;/* state info, for cookie adding information */
+   bool newsession; /* new session, discard session cookies on load */
+-  int lastct;  /* last creation-time used in the jar */
+-  curl_off_t next_expiration; /* the next time at which expiration happens */
+ };
+
+ /* This is the maximum line length we accept for a cookie line. RFC 2109
+diff --git a/lib/easy.c b/lib/easy.c
+index 27124a7..fddf047 100644
+--- a/lib/easy.c
 b/lib/easy.c
+@@ -911,9 +911,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy 
*data)
+   if(data->cookies) {
+ /* If cookies are enabled in the parent handle, we enable them
+in the clone as well! */
+-outcurl->cookies = Curl_cookie_init(data,
+-data->cookies->filename,
+-outcurl->cookies,
++outcurl->cookies = Curl_cookie_init(data, NULL, 

[oe-core][mickledore][PATCH 1/2] curl: fix CVE-2023-38545

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.

Signed-off-by: Archana Polampalli 
---
 .../curl/curl/CVE-2023-38545.patch| 133 ++
 meta/recipes-support/curl/curl_8.0.1.bb   |   1 +
 2 files changed, 134 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-38545.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-38545.patch 
b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
new file mode 100644
index 00..b90677fa5f
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-38545.patch
@@ -0,0 +1,133 @@
+From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001
+From: Jay Satiro 
+Date: Wed, 11 Oct 2023 07:34:19 +0200
+Subject: [PATCH] socks: return error if hostname too long for remote resolve
+
+Prior to this change the state machine attempted to change the remote
+resolve to a local resolve if the hostname was longer than 255
+characters. Unfortunately that did not work as intended and caused a
+security issue.
+
+Bug: https://curl.se/docs/CVE-2023-38545.html
+
+Upstream-Status: Backport 
[https://github.com/curl/curl/commit/fb4415d8aee6c1045be932a34fe6107c2f5ed147]
+CVE: CVE-2023-38545
+Signed-off-by: Archana Polampalli 
+---
+ lib/socks.c |  8 +++---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test722  | 64 +
+ 3 files changed, 69 insertions(+), 5 deletions(-)
+ create mode 100644 tests/data/test722
+
+diff --git a/lib/socks.c b/lib/socks.c
+index 95c2b00..8cf694d 100644
+--- a/lib/socks.c
 b/lib/socks.c
+@@ -588,9 +588,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+
+ /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
+ if(!socks5_resolve_local && hostname_len > 255) {
+-  infof(data, "SOCKS5: server resolving disabled for hostnames of "
+-"length > 255 [actual len=%zu]", hostname_len);
+-  socks5_resolve_local = TRUE;
++  failf(data, "SOCKS5: the destination hostname is too long to be "
++"resolved remotely by the proxy.");
++  return CURLPX_LONG_HOSTNAME;
+ }
+
+ if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
+@@ -904,7 +904,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
+   }
+   else {
+ socksreq[len++] = 3;
+-socksreq[len++] = (char) hostname_len; /* one byte address length */
++socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
+ memcpy([len], sx->hostname, hostname_len); /* w/o NULL */
+ len += hostname_len;
+   }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 7ed03a2..643c9fe 100644
+--- a/tests/data/Makefile.inc
 b/tests/data/Makefile.inc
+@@ -100,7 +100,7 @@ test679 test680 test681 test682 test683 test684 test685 
test686 \
+ \
+ test700 test701 test702 test703 test704 test705 test706 test707 test708 \
+ test709 test710 test711 test712 test713 test714 test715 test716 test717 \
+-test718 test719 test720 test721 \
++test718 test719 test720 test721 test722 \
+ \
+ test800 test801 test802 test803 test804 test805 test806 test807 test808 \
+ test809 test810 test811 test812 test813 test814 test815 test816 test817 \
+diff --git a/tests/data/test722 b/tests/data/test722
+new file mode 100644
+index 000..05bcf28
+--- /dev/null
 b/tests/data/test722
+@@ -0,0 +1,64 @@
++
++
++
++HTTP
++HTTP GET
++SOCKS5
++SOCKS5h
++followlocation
++
++
++
++#
++# Server-side
++
++# The hostname in this redirect is 256 characters and too long (> 255) for
++# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case.
++
++HTTP/1.1 301 Moved Permanently
++Location: 
http:///
++Content-Length: 0
++Connection: close
++
++
++
++
++#
++# Client-side
++
++
++proxy
++
++
++http
++socks5
++
++ 
++SOCKS5h with HTTP redirect to hostname too long
++ 
++ 
++--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT 
http://%HOSTIP:%HTTPPORT/%TESTNUMBER
++
++
++
++#
++# Verify data after the test has been "shot"
++
++
++GET /%TESTNUMBER HTTP/1.1
++Host: %HOSTIP:%HTTPPORT
++User-Agent: curl/%VERSION
++Accept: */*
++
++
++
++97
++
++# the error message is verified because error code CURLE_PROXY (97) may be
++# returned for any number of reasons and we need to make sure it is
++# specifically for the reason below so that we know the check is working.
++
++curl: (97) SOCKS5: the destination hostname is too long to be resolved 
remotely by the proxy.
++
++
++
+--
+2.40.0
diff --git a/meta/recipes-support/curl/curl_8.0.1.bb 
b/meta/recipes-support/curl/curl_8.0.1.bb
index 708f622fe1..bdffe7be34 100644
--- a/meta/recipes-support/curl/curl_8.0.1.bb

[oe-core][master][mickledore][PATCH V3 1/1] gstreamer: upgrade 1.22.5 -> 1.22.6

[Polampalli, Archana via lists.openembedded.org]

From: Archana Polampalli 

This release only contains bugfixes and security fixes.

Highlighted bugfixes in 1.22.6:

Security fixes for the MXF demuxer and H.265 video parser
Fix latency regression in H.264 hardware decoder base class
androidmedia: fix HEVC codec profile registration and fix coded_data handling
decodebin3: fix switching from a raw stream to an encoded stream
gst-inspect: prettier and more correct signal and action signals printing
rtmp2: Allow NULL flash version, omitting the field, for better RTMP server 
compatibility
rtspsrc: better compatibility with buggy RTSP servers that don't set a 
clock-rate
rtpjitterbuffer: fix integer overflow that led to more packets being declared 
lost than have been lost
v4l2: fix video encoding regression on RPi and fix support for left and top 
padding
waylandsink: Crop surfaces to their display width height
cerbero: recognise Manjaro; add Rust support for MSVC ARM64; cmake detection 
fixes
various bug fixes, build fixes, memory leak fixes, and other stability and 
reliability improvements

https://nvd.nist.gov/vuln/detail/CVE-2023-40474
https://nvd.nist.gov/vuln/detail/CVE-2023-40475
https://nvd.nist.gov/vuln/detail/CVE-2023-40476

https://gstreamer.freedesktop.org/releases/1.22/#1.22.6

Signed-off-by: Archana Polampalli 
---
 .../{gst-devtools_1.22.5.bb => gst-devtools_1.22.6.bb}  | 2 +-
 ...streamer1.0-libav_1.22.5.bb => gstreamer1.0-libav_1.22.6.bb} | 2 +-
 .../{gstreamer1.0-omx_1.22.5.bb => gstreamer1.0-omx_1.22.6.bb}  | 2 +-
 ...plugins-bad_1.22.5.bb => gstreamer1.0-plugins-bad_1.22.6.bb} | 2 +-
 ...ugins-base_1.22.5.bb => gstreamer1.0-plugins-base_1.22.6.bb} | 2 +-
 ...ugins-good_1.22.5.bb => gstreamer1.0-plugins-good_1.22.6.bb} | 2 +-
 ...ugins-ugly_1.22.5.bb => gstreamer1.0-plugins-ugly_1.22.6.bb} | 2 +-
 ...reamer1.0-python_1.22.5.bb => gstreamer1.0-python_1.22.6.bb} | 2 +-
 ...rtsp-server_1.22.5.bb => gstreamer1.0-rtsp-server_1.22.6.bb} | 2 +-
 ...streamer1.0-vaapi_1.22.5.bb => gstreamer1.0-vaapi_1.22.6.bb} | 2 +-
 .../{gstreamer1.0_1.22.5.bb => gstreamer1.0_1.22.6.bb}  | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)
 rename meta/recipes-multimedia/gstreamer/{gst-devtools_1.22.5.bb => 
gst-devtools_1.22.6.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-libav_1.22.5.bb => 
gstreamer1.0-libav_1.22.6.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-omx_1.22.5.bb => 
gstreamer1.0-omx_1.22.6.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-bad_1.22.5.bb 
=> gstreamer1.0-plugins-bad_1.22.6.bb} (98%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-base_1.22.5.bb 
=> gstreamer1.0-plugins-base_1.22.6.bb} (97%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-good_1.22.5.bb 
=> gstreamer1.0-plugins-good_1.22.6.bb} (97%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-ugly_1.22.5.bb 
=> gstreamer1.0-plugins-ugly_1.22.6.bb} (94%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-python_1.22.5.bb => 
gstreamer1.0-python_1.22.6.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-rtsp-server_1.22.5.bb 
=> gstreamer1.0-rtsp-server_1.22.6.bb} (90%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-vaapi_1.22.5.bb => 
gstreamer1.0-vaapi_1.22.6.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0_1.22.5.bb => 
gstreamer1.0_1.22.6.bb} (97%)

diff --git a/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb 
b/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.6.bb
similarity index 95%
rename from meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb
rename to meta/recipes-multimedia/gstreamer/gst-devtools_1.22.6.bb
index 3e029396a6..90bbd9c733 100644
--- a/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.6.bb
@@ -12,7 +12,7 @@ SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-${PV}
file://0001-connect-has-a-different-signature-on-musl.patch \
"
 
-SRC_URI[sha256sum] = 
"2add1519aa6eeb01d544cb94293688ee3bc2079f6bca6075bf5c23d00a0921be"
+SRC_URI[sha256sum] = 
"8928560efaf16137c30285e718708e5d0bab0777eb4ef8127e0274e120d3d86b"
 
 DEPENDS = "json-glib glib-2.0 glib-2.0-native gstreamer1.0 
gstreamer1.0-plugins-base"
 RRECOMMENDS:${PN} = "git"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.6.bb
similarity index 91%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.6.bb
index af9dc5d2d5..8906556b44 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.6.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=69333daa044cb77e486cc36129f7a770 \
 "
 
 SRC_URI = 

[oe-core][master][mickledore][PATCH V2 1/1] gstreamer: upgrade 1.22.5 -> 1.22.6

[Polampalli, Archana via lists.openembedded.org]

This release only contains bugfixes and security fixes.

Highlighted bugfixes in 1.22.6:

Security fixes for the MXF demuxer and H.265 video parser
Fix latency regression in H.264 hardware decoder base class
androidmedia: fix HEVC codec profile registration and fix coded_data handling
decodebin3: fix switching from a raw stream to an encoded stream
gst-inspect: prettier and more correct signal and action signals printing
rtmp2: Allow NULL flash version, omitting the field, for better RTMP server 
compatibility
rtspsrc: better compatibility with buggy RTSP servers that don't set a 
clock-rate
rtpjitterbuffer: fix integer overflow that led to more packets being declared 
lost than have been lost
v4l2: fix video encoding regression on RPi and fix support for left and top 
padding
waylandsink: Crop surfaces to their display width height
cerbero: recognise Manjaro; add Rust support for MSVC ARM64; cmake detection 
fixes
various bug fixes, build fixes, memory leak fixes, and other stability and 
reliability improvements

https://nvd.nist.gov/vuln/detail/CVE-2023-40474
https://nvd.nist.gov/vuln/detail/CVE-2023-40475
https://nvd.nist.gov/vuln/detail/CVE-2023-40476

https://gstreamer.freedesktop.org/releases/1.22/#1.22.6

Signed-off-by: Archana Polampalli 
---
 .../{gst-devtools_1.22.5.bb => gst-devtools_1.22.6.bb}  | 2 +-
 ...streamer1.0-libav_1.22.5.bb => gstreamer1.0-libav_1.22.6.bb} | 2 +-
 .../{gstreamer1.0-omx_1.22.5.bb => gstreamer1.0-omx_1.22.6.bb}  | 2 +-
 ...plugins-bad_1.22.5.bb => gstreamer1.0-plugins-bad_1.22.6.bb} | 2 +-
 ...ugins-base_1.22.5.bb => gstreamer1.0-plugins-base_1.22.6.bb} | 2 +-
 ...ugins-good_1.22.5.bb => gstreamer1.0-plugins-good_1.22.6.bb} | 2 +-
 ...ugins-ugly_1.22.5.bb => gstreamer1.0-plugins-ugly_1.22.6.bb} | 2 +-
 ...reamer1.0-python_1.22.5.bb => gstreamer1.0-python_1.22.6.bb} | 2 +-
 ...rtsp-server_1.22.5.bb => gstreamer1.0-rtsp-server_1.22.6.bb} | 2 +-
 ...streamer1.0-vaapi_1.22.5.bb => gstreamer1.0-vaapi_1.22.6.bb} | 2 +-
 .../{gstreamer1.0_1.22.5.bb => gstreamer1.0_1.22.6.bb}  | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)
 rename meta/recipes-multimedia/gstreamer/{gst-devtools_1.22.5.bb => 
gst-devtools_1.22.6.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-libav_1.22.5.bb => 
gstreamer1.0-libav_1.22.6.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-omx_1.22.5.bb => 
gstreamer1.0-omx_1.22.6.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-bad_1.22.5.bb 
=> gstreamer1.0-plugins-bad_1.22.6.bb} (98%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-base_1.22.5.bb 
=> gstreamer1.0-plugins-base_1.22.6.bb} (97%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-good_1.22.5.bb 
=> gstreamer1.0-plugins-good_1.22.6.bb} (97%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-ugly_1.22.5.bb 
=> gstreamer1.0-plugins-ugly_1.22.6.bb} (94%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-python_1.22.5.bb => 
gstreamer1.0-python_1.22.6.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-rtsp-server_1.22.5.bb 
=> gstreamer1.0-rtsp-server_1.22.6.bb} (90%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-vaapi_1.22.5.bb => 
gstreamer1.0-vaapi_1.22.6.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0_1.22.5.bb => 
gstreamer1.0_1.22.6.bb} (97%)

diff --git a/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb 
b/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.6.bb
similarity index 95%
rename from meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb
rename to meta/recipes-multimedia/gstreamer/gst-devtools_1.22.6.bb
index 3e029396a6..90bbd9c733 100644
--- a/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.6.bb
@@ -12,7 +12,7 @@ SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-${PV}
file://0001-connect-has-a-different-signature-on-musl.patch \
"
 
-SRC_URI[sha256sum] = 
"2add1519aa6eeb01d544cb94293688ee3bc2079f6bca6075bf5c23d00a0921be"
+SRC_URI[sha256sum] = 
"8928560efaf16137c30285e718708e5d0bab0777eb4ef8127e0274e120d3d86b"
 
 DEPENDS = "json-glib glib-2.0 glib-2.0-native gstreamer1.0 
gstreamer1.0-plugins-base"
 RRECOMMENDS:${PN} = "git"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.6.bb
similarity index 91%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.6.bb
index af9dc5d2d5..8906556b44 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.6.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=69333daa044cb77e486cc36129f7a770 \
 "
 
 SRC_URI = 

[oe-core][PATCH 1/1] gstreamer: upgrade 1.22.5 -> 1.22.6

[Polampalli, Archana via lists.openembedded.org]

This release only contains bugfixes and security fixes.

Highlighted bugfixes in 1.22.6:

Security fixes for the MXF demuxer and H.265 video parser
Fix latency regression in H.264 hardware decoder base class
androidmedia: fix HEVC codec profile registration and fix coded_data handling
decodebin3: fix switching from a raw stream to an encoded stream
gst-inspect: prettier and more correct signal and action signals printing
rtmp2: Allow NULL flash version, omitting the field, for better RTMP server 
compatibility
rtspsrc: better compatibility with buggy RTSP servers that don't set a 
clock-rate
rtpjitterbuffer: fix integer overflow that led to more packets being declared 
lost than have been lost
v4l2: fix video encoding regression on RPi and fix support for left and top 
padding
waylandsink: Crop surfaces to their display width height
cerbero: recognise Manjaro; add Rust support for MSVC ARM64; cmake detection 
fixes
various bug fixes, build fixes, memory leak fixes, and other stability and 
reliability improvements

https://nvd.nist.gov/vuln/detail/CVE-2023-40475
https://nvd.nist.gov/vuln/detail/CVE-2023-40476

https://gstreamer.freedesktop.org/releases/1.22/#1.22.6

Signed-off-by: Archana Polampalli 
---
 .../{gst-devtools_1.22.5.bb => gst-devtools_1.22.6.bb}  | 2 +-
 ...streamer1.0-libav_1.22.5.bb => gstreamer1.0-libav_1.22.6.bb} | 2 +-
 .../{gstreamer1.0-omx_1.22.5.bb => gstreamer1.0-omx_1.22.6.bb}  | 2 +-
 ...plugins-bad_1.22.5.bb => gstreamer1.0-plugins-bad_1.22.6.bb} | 2 +-
 ...ugins-base_1.22.5.bb => gstreamer1.0-plugins-base_1.22.6.bb} | 2 +-
 ...ugins-good_1.22.5.bb => gstreamer1.0-plugins-good_1.22.6.bb} | 2 +-
 ...ugins-ugly_1.22.5.bb => gstreamer1.0-plugins-ugly_1.22.6.bb} | 2 +-
 ...reamer1.0-python_1.22.5.bb => gstreamer1.0-python_1.22.6.bb} | 2 +-
 ...rtsp-server_1.22.5.bb => gstreamer1.0-rtsp-server_1.22.6.bb} | 2 +-
 ...streamer1.0-vaapi_1.22.5.bb => gstreamer1.0-vaapi_1.22.6.bb} | 2 +-
 .../{gstreamer1.0_1.22.5.bb => gstreamer1.0_1.22.6.bb}  | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)
 rename meta/recipes-multimedia/gstreamer/{gst-devtools_1.22.5.bb => 
gst-devtools_1.22.6.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-libav_1.22.5.bb => 
gstreamer1.0-libav_1.22.6.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-omx_1.22.5.bb => 
gstreamer1.0-omx_1.22.6.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-bad_1.22.5.bb 
=> gstreamer1.0-plugins-bad_1.22.6.bb} (98%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-base_1.22.5.bb 
=> gstreamer1.0-plugins-base_1.22.6.bb} (98%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-good_1.22.5.bb 
=> gstreamer1.0-plugins-good_1.22.6.bb} (97%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-ugly_1.22.5.bb 
=> gstreamer1.0-plugins-ugly_1.22.6.bb} (94%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-python_1.22.5.bb => 
gstreamer1.0-python_1.22.6.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-rtsp-server_1.22.5.bb 
=> gstreamer1.0-rtsp-server_1.22.6.bb} (90%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-vaapi_1.22.5.bb => 
gstreamer1.0-vaapi_1.22.6.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0_1.22.5.bb => 
gstreamer1.0_1.22.6.bb} (97%)

diff --git a/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb 
b/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.6.bb
similarity index 95%
rename from meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb
rename to meta/recipes-multimedia/gstreamer/gst-devtools_1.22.6.bb
index 3e029396a6..90bbd9c733 100644
--- a/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.5.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-devtools_1.22.6.bb
@@ -12,7 +12,7 @@ SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-${PV}
file://0001-connect-has-a-different-signature-on-musl.patch \
"
 
-SRC_URI[sha256sum] = 
"2add1519aa6eeb01d544cb94293688ee3bc2079f6bca6075bf5c23d00a0921be"
+SRC_URI[sha256sum] = 
"8928560efaf16137c30285e718708e5d0bab0777eb4ef8127e0274e120d3d86b"
 
 DEPENDS = "json-glib glib-2.0 glib-2.0-native gstreamer1.0 
gstreamer1.0-plugins-base"
 RRECOMMENDS:${PN} = "git"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.6.bb
similarity index 91%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.6.bb
index af9dc5d2d5..8906556b44 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.5.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.22.6.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=69333daa044cb77e486cc36129f7a770 \
 "
 
 SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-libav/gst-libav-${PV}.tar.xz;
-SRC_URI[sha256sum] = 

[oe-core][kirkstone][PATCH 3/3] gstreamer1.0-plugins-bad: fix CVE-2023-40476

[Polampalli, Archana via lists.openembedded.org]

gst-plugins-bad: h265parser: Fix possible overflow using max_sub_layers_minus1

Signed-off-by: Archana Polampalli 
---
 .../CVE-2023-40476.patch  | 44 +++
 .../gstreamer1.0-plugins-bad_1.20.7.bb|  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch

diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch
new file mode 100644
index 00..7810e98024
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40476.patch
@@ -0,0 +1,44 @@
+From 1b51467ea640bcc73c97f3186350d72cbfba5cb4 Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne 
+Date: Wed, 9 Aug 2023 12:49:19 -0400
+Subject: [PATCH] h265parser: Fix possible overflow using max_sub_layers_minus1
+
+This fixes a possible overflow that can be triggered by an invalid value of
+max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
+but the allowed range is 0 to 6 only.
+
+Fixes ZDI-CAN-21768, CVE-2023-40476
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
+
+Part-of: 

+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9]
+CVE: CVE-2023-40476
+
+Signed-off-by: Archana Polampalli 
+
+---
+ gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gst-libs/gst/codecparsers/gsth265parser.c 
b/gst-libs/gst/codecparsers/gsth265parser.c
+index a4e7549..3db1c38 100644
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
 b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1670,6 +1670,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * 
vps)
+
+   READ_UINT8 (, vps->max_layers_minus1, 6);
+   READ_UINT8 (, vps->max_sub_layers_minus1, 3);
++  CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
+   READ_UINT8 (, vps->temporal_id_nesting_flag, 1);
+
+   /* skip reserved_0x_16bits */
+@@ -1849,6 +1850,7 @@ gst_h265_parse_sps (GstH265Parser * parser, 
GstH265NalUnit * nalu,
+   sps->vps = vps;
+
+   READ_UINT8 (, sps->max_sub_layers_minus1, 3);
++  CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
+   READ_UINT8 (, sps->temporal_id_nesting_flag, 1);
+
+   if (!gst_h265_parse_profile_tier_level (>profile_tier_level, ,
diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index d5f1e794cd..fbaabda3f9 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -12,6 +12,7 @@ SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad

file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
file://CVE-2023-40474.patch \
file://CVE-2023-40475.patch \
+   file://CVE-2023-40476.patch \
"
 SRC_URI[sha256sum] = 
"87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
 
-- 
2.35.5


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188099): 
https://lists.openembedded.org/g/openembedded-core/message/188099
Mute This Topic: https://lists.openembedded.org/mt/101519780/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/3] gstreamer1.0-plugins-bad: fix CVE-2023-40474

[Polampalli, Archana via lists.openembedded.org]

gst-plugins-bad: Heap-based buffer overflow in the MXF file demuxer when 
handling
malformed files with uncompressed video in GStreamer versions before 1.22.6

Signed-off-by: Archana Polampalli 
---
 .../CVE-2023-40474.patch  | 118 ++
 .../gstreamer1.0-plugins-bad_1.20.7.bb|   1 +
 2 files changed, 119 insertions(+)
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch

diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch
new file mode 100644
index 00..dd5886863d
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40474.patch
@@ -0,0 +1,118 @@
+From ce17e968e4cf900d28ca5b46f6e095febc42b4f0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= 
+Date: Thu, 10 Aug 2023 15:45:01 +0300
+Subject: [PATCH] mxfdemux: Fix integer overflow causing out of bounds writes
+ when handling invalid uncompressed video
+
+Check ahead of time when parsing the track information whether
+width, height and bpp are valid and usable without overflows.
+
+Fixes ZDI-CAN-21660, CVE-2023-40474
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2896
+
+Part-of: 

+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ce17e968e4cf900d28ca5b46f6e095febc42b4f0]
+CVE: CVE-2023-40474
+
+Signed-off-by: Archana Polampalli 
+---
+ gst/mxf/mxfup.c | 51 +
+ 1 file changed, 43 insertions(+), 8 deletions(-)
+
+diff --git a/gst/mxf/mxfup.c b/gst/mxf/mxfup.c
+index d72ed22cb7..0c0178c1c9 100644
+--- a/gst/mxf/mxfup.c
 b/gst/mxf/mxfup.c
+@@ -118,6 +118,8 @@ mxf_up_handle_essence_element (const MXFUL * key, 
GstBuffer * buffer,
+ gpointer mapping_data, GstBuffer ** outbuf)
+ {
+   MXFUPMappingData *data = mapping_data;
++  gsize expected_in_stride = 0, out_stride = 0;
++  gsize expected_in_size = 0, out_size = 0;
+
+   /* SMPTE 384M 7.1 */
+   if (key->u[12] != 0x15 || (key->u[14] != 0x01 && key->u[14] != 0x02
+@@ -146,22 +148,25 @@ mxf_up_handle_essence_element (const MXFUL * key, 
GstBuffer * buffer,
+ }
+   }
+
+-  if (gst_buffer_get_size (buffer) != data->bpp * data->width * data->height) 
{
++  // Checked for overflows when parsing the descriptor
++  expected_in_stride = data->bpp * data->width;
++  out_stride = GST_ROUND_UP_4 (expected_in_stride);
++  expected_in_size = expected_in_stride * data->height;
++  out_size = out_stride * data->height;
++
++  if (gst_buffer_get_size (buffer) != expected_in_size) {
+ GST_ERROR ("Invalid buffer size");
+ gst_buffer_unref (buffer);
+ return GST_FLOW_ERROR;
+   }
+
+-  if (data->bpp != 4
+-  || GST_ROUND_UP_4 (data->width * data->bpp) != data->width * data->bpp) 
{
++  if (data->bpp != 4 || out_stride != expected_in_stride) {
+ guint y;
+ GstBuffer *ret;
+ GstMapInfo inmap, outmap;
+ guint8 *indata, *outdata;
+
+-ret =
+-gst_buffer_new_and_alloc (GST_ROUND_UP_4 (data->width * data->bpp) *
+-data->height);
++ret = gst_buffer_new_and_alloc (out_size);
+ gst_buffer_map (buffer, , GST_MAP_READ);
+ gst_buffer_map (ret, , GST_MAP_WRITE);
+ indata = inmap.data;
+@@ -169,8 +174,8 @@ mxf_up_handle_essence_element (const MXFUL * key, 
GstBuffer * buffer,
+
+ for (y = 0; y < data->height; y++) {
+   memcpy (outdata, indata, data->width * data->bpp);
+-  outdata += GST_ROUND_UP_4 (data->width * data->bpp);
+-  indata += data->width * data->bpp;
++  outdata += out_stride;
++  indata += expected_in_stride;
+ }
+
+ gst_buffer_unmap (buffer, );
+@@ -378,6 +383,36 @@ mxf_up_create_caps (MXFMetadataTimelineTrack * track, 
GstTagList ** tags,
+ return NULL;
+   }
+
++  if (caps) {
++MXFUPMappingData *data = *mapping_data;
++gsize expected_in_stride = 0, out_stride = 0;
++gsize expected_in_size = 0, out_size = 0;
++
++// Do some checking of the parameters to see if they're valid and
++// we can actually work with them.
++if (data->image_start_offset > data->image_end_offset) {
++  GST_WARNING ("Invalid image start/end offset");
++  g_free (data);
++  *mapping_data = NULL;
++  gst_clear_caps ();
++
++  return NULL;
++}
++
++if (!g_size_checked_mul (_in_stride, data->bpp, data->width) ||
++(out_stride = GST_ROUND_UP_4 (expected_in_stride)) < 
expected_in_stride
++|| !g_size_checked_mul (_in_size, expected_in_stride,
++data->height)
++|| !g_size_checked_mul (_size, out_stride, data->height)) {
++  GST_ERROR ("Invalid resolution or bit depth");
++  g_free (data);
++  *mapping_data = NULL;
++  gst_clear_caps ();
++
++  return NULL;
++}
++  }
++
+   return caps;
+ }
+
+--
+2.40.0
diff --git 

[oe-core][kirkstone][PATCH 2/3] gstreamer1.0-plugins-bad: fix CVE-2023-40475

[Polampalli, Archana via lists.openembedded.org]

gst-plugins-bad: Integer overflow leading to heap overwrite in MXF file 
handling with AES3 audio

Signed-off-by: Archana Polampalli 
---
 .../CVE-2023-40475.patch  | 49 +++
 .../gstreamer1.0-plugins-bad_1.20.7.bb|  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 
meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch

diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch
 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch
new file mode 100644
index 00..ab9ac7afaa
--- /dev/null
+++ 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-40475.patch
@@ -0,0 +1,49 @@
+From 72742dee30cce7bf909639f82de119871566ce39 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= 
+Date: Thu, 10 Aug 2023 15:47:03 +0300
+Subject: [PATCH] mxfdemux: Check number of channels for AES3 audio
+
+Only up to 8 channels are allowed and using a higher number would cause
+integer overflows when copying the data, and lead to out of bound
+writes.
+
+Also check that each buffer is at least 4 bytes long to avoid another
+overflow.
+
+Fixes ZDI-CAN-21661, CVE-2023-40475
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2897
+
+Part-of: 

+
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/72742dee30cce7bf909639f82de119871566ce39]
+CVE: CVE-2023-40475
+
+Signed-off-by: Archana Polampalli 
+---
+ gst/mxf/mxfd10.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gst/mxf/mxfd10.c b/gst/mxf/mxfd10.c
+index 03854d9303..0ad0d2d283 100644
+--- a/gst/mxf/mxfd10.c
 b/gst/mxf/mxfd10.c
+@@ -101,7 +101,7 @@ mxf_d10_sound_handle_essence_element (const MXFUL * key, 
GstBuffer * buffer,
+   gst_buffer_map (buffer, , GST_MAP_READ);
+
+   /* Now transform raw AES3 into raw audio, see SMPTE 331M */
+-  if ((map.size - 4) % 32 != 0) {
++  if (map.size < 4 || (map.size - 4) % 32 != 0) {
+ gst_buffer_unmap (buffer, );
+ GST_ERROR ("Invalid D10 sound essence buffer size");
+ return GST_FLOW_ERROR;
+@@ -201,6 +201,7 @@ mxf_d10_create_caps (MXFMetadataTimelineTrack * track, 
GstTagList ** tags,
+ GstAudioFormat audio_format;
+
+ if (s->channel_count == 0 ||
++s->channel_count > 8 ||
+ s->quantization_bits == 0 ||
+ s->audio_sampling_rate.n == 0 || s->audio_sampling_rate.d == 0) {
+   GST_ERROR ("Invalid descriptor");
+--
+2.40.0
diff --git 
a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index 52acb30d74..d5f1e794cd 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -11,6 +11,7 @@ SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
file://0003-ensure-valid-sentinals-for-gst_structure_get-etc.patch \

file://0004-opencv-resolve-missing-opencv-data-dir-in-yocto-buil.patch \
file://CVE-2023-40474.patch \
+   file://CVE-2023-40475.patch \
"
 SRC_URI[sha256sum] = 
"87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
 
-- 
2.35.5


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188098): 
https://lists.openembedded.org/g/openembedded-core/message/188098
Mute This Topic: https://lists.openembedded.org/mt/101519779/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] ghostscript: fix CVE-2023-43115

[Polampalli, Archana via lists.openembedded.org]

In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote
code execution via crafted PostScript documents because they can switch to the
IJS device, or change the IjsServer parameter, after SAFER has been activated.
NOTE: it is a documented risk that the IJS server can be specified on a gs
command line (the IJS device inherently must execute a command to start the IJS 
server).

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-43115

Upstream patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe

Signed-off-by: Archana Polampalli 
---
 .../ghostscript/CVE-2023-43115.patch  | 62 +++
 .../ghostscript/ghostscript_9.55.0.bb |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
new file mode 100644
index 00..979f354ed5
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-43115.patch
@@ -0,0 +1,62 @@
+From 8b0f20002536867bd73ff4552408a72597190cbe Mon Sep 17 00:00:00 2001
+From: Ken Sharp 
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: [PATCH] IJS device - try and secure the IJS server startup
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+
+ * WARNING: The ijs server can be selected on the gs command line
+ * which is a security risk, since any program can be run.
+
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+
+This commit prevents PostScript programs switching to the IJS device
+after SAFER has been activated, and prevents changes to the IjsServer
+parameter after SAFER has been activated.
+
+SAFER is activated, unless explicitly disabled, before any user
+PostScript is executed which means that the device and the server
+invocation can only be configured on the command line. This does at
+least provide minimal security against malicious PostScript programs.
+
+Upstream-Status: Backport 
[https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe]
+
+CVE: CVE-2023-43115
+
+Signed-off-by: Archana Polampalli 
+---
+ devices/gdevijs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/devices/gdevijs.c b/devices/gdevijs.c
+index 8cbd84b97..16f5a1752 100644
+--- a/devices/gdevijs.c
 b/devices/gdevijs.c
+@@ -888,6 +888,8 @@ gsijs_initialize_device(gx_device *dev)
+ static const char rgb[] = "DeviceRGB";
+ gx_device_ijs *ijsdev = (gx_device_ijs *)dev;
+
++if (ijsdev->memory->gs_lib_ctx->core->path_control_active)
++return_error(gs_error_invalidaccess);
+ if (!ijsdev->ColorSpace) {
+ ijsdev->ColorSpace = gs_malloc(ijsdev->memory, sizeof(rgb), 1,
+"gsijs_initialize");
+@@ -1326,7 +1328,7 @@ gsijs_put_params(gx_device *dev, gs_param_list *plist)
+ if (code >= 0)
+ code = gsijs_read_string(plist, "IjsServer",
+ ijsdev->IjsServer, sizeof(ijsdev->IjsServer),
+-dev->LockSafetyParams, is_open);
++ijsdev->memory->gs_lib_ctx->core->path_control_active, is_open);
+
+ if (code >= 0)
+ code = gsijs_read_string_malloc(plist, "DeviceManufacturer",
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index ad0b008cab..4c4c22cf39 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -38,6 +38,7 @@ SRC_URI_BASE = 
"https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 file://CVE-2023-36664-0001.patch \
 file://CVE-2023-36664-0002.patch \
 file://CVE-2023-38559.patch \
+file://CVE-2023-43115.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188086): 
https://lists.openembedded.org/g/openembedded-core/message/188086
Mute This Topic: https://lists.openembedded.org/mt/101517377/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] vim: Upgrade 9.0.1664 -> 9.0.1894

[Polampalli, Archana via lists.openembedded.org]

From: Richard Purdie 

This includes multiple CVE fixes.

The license change is due to changes in maintainership, the license
itself is unchanged.

(From OE-Core rev: 91e66b93a0c0928f0c2cfe78e22898a6c9800f34)

Signed-off-by: Richard Purdie 
Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 8a399cd802..5f55f590e6 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -10,7 +10,7 @@ DEPENDS = "ncurses gettext-native"
 RSUGGESTS:${PN} = "diffutils"
 
 LICENSE = "Vim"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=6b30ea4fa660c483b619924bc709ef99"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d1a651ab770b45d41c0f8cb5a8ca930e"
 
 SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://disable_acl_header_check.patch \
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".1664"
-SRCREV = "8154e642aa476e1a5d3de66c34e8289845b2b797"
+PV .= ".1894"
+SRCREV = "e5f7cd0a60d0eeab84f7aeb35c13d3af7e50072e"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#187627): 
https://lists.openembedded.org/g/openembedded-core/message/187627
Mute This Topic: https://lists.openembedded.org/mt/101354768/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH V2 1/1] vim: upgrade 9.0.1592 -> 9.0.1664

[Polampalli, Archana via lists.openembedded.org]

Fixes:
https://nvd.nist.gov/vuln/detail/CVE-2023-3896
8154e642a (tag: v9.0.1664) patch 9.0.1664: divide by zero when scrolling with 
'smoothscroll' set

(From OE-Core rev: 4a1ab744142c9229f03a359b45e5e89a1fbae0d3)

Signed-off-by: Archana Polampalli 
Signed-off-by: Richard Purdie 
Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 83ab9ea5de..8a399cd802 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".1592"
-SRCREV = "29b4c513b11deb37f0e0538df53d195f602fa42c"
+PV .= ".1664"
+SRCREV = "8154e642aa476e1a5d3de66c34e8289845b2b797"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#187626): 
https://lists.openembedded.org/g/openembedded-core/message/187626
Mute This Topic: https://lists.openembedded.org/mt/101354765/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] vim: update obsolete comment

[Polampalli, Archana via lists.openembedded.org]

From: Etienne Cordonnier 

vim 8.3 has been out for a long time, so this comment is obsolete.
However we still need UPSTREAM_VERSION_UNKNOWN, since we ignore
the last digit of the upstream version number.

Test result:
$ devtool check-upgrade-status vim
  ...
  INFO: vim   9.0.1592UNKNOWN Tom Rini 
 c0370529c027abc5b1698d53fcfb8c02a0c515da

(From OE-Core rev: 65f5de85c3f488136d1ec2b1f7fe8d8426d6c5b3)

(From OE-Core rev: 868a19357841470eb55fb7f1c4ab1af09dea99ed)

Signed-off-by: Etienne Cordonnier 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 33ae0d8079..83ab9ea5de 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -22,11 +22,10 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
 PV .= ".1592"
 SRCREV = "29b4c513b11deb37f0e0538df53d195f602fa42c"
 
-# Remove when 8.3 is out
-UPSTREAM_VERSION_UNKNOWN = "1"
-
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
+# Ignore that the upstream version .z in x.y.z is always newer
+UPSTREAM_VERSION_UNKNOWN = "1"
 
 S = "${WORKDIR}/git"
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#187625): 
https://lists.openembedded.org/g/openembedded-core/message/187625
Mute This Topic: https://lists.openembedded.org/mt/101354758/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][mickledore][PATCH 1/1] vim: Upgrade 9.0.1664 -> 9.0.1894

[Polampalli, Archana via lists.openembedded.org]

From: Richard Purdie 

This includes multiple CVE fixes.

The license change is due to changes in maintainership, the license
itself is unchanged.

(From OE-Core rev: 91e66b93a0c0928f0c2cfe78e22898a6c9800f34)

Signed-off-by: Richard Purdie 
Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 8a399cd802..5f55f590e6 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -10,7 +10,7 @@ DEPENDS = "ncurses gettext-native"
 RSUGGESTS:${PN} = "diffutils"
 
 LICENSE = "Vim"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=6b30ea4fa660c483b619924bc709ef99"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d1a651ab770b45d41c0f8cb5a8ca930e"
 
 SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://disable_acl_header_check.patch \
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".1664"
-SRCREV = "8154e642aa476e1a5d3de66c34e8289845b2b797"
+PV .= ".1894"
+SRCREV = "e5f7cd0a60d0eeab84f7aeb35c13d3af7e50072e"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+\.\d+)\.0"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#187624): 
https://lists.openembedded.org/g/openembedded-core/message/187624
Mute This Topic: https://lists.openembedded.org/mt/101354501/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [oe-core][master][mickledore][PATCH 1/1] vim: upgrade 9.0.1592 -> 9.0.1664

[Polampalli, Archana via lists.openembedded.org]

Thank you Richard,

It is failed due to "844dd42d1f vim: update obsolete comment".

But I have sent this patch before "vim: update obsolete comment".

Regards,
Archana

From: Richard Purdie 
Sent: 07 September 2023 19:39
To: Polampalli, Archana ; 
openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari 
Subject: Re: [oe-core][master][mickledore][PATCH 1/1] vim: upgrade 9.0.1592 -> 
9.0.1664

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

On Thu, 2023-09-07 at 09:23 +0000, Polampalli, Archana via
lists.openembedded.org wrote:
>
> Reminder,
>

FWIW the reason this patch was delayed is that doesn't apply properly
with fuzz warnings on master. I've forced it to apply in this case.

Cheers,

Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#187400): 
https://lists.openembedded.org/g/openembedded-core/message/187400
Mute This Topic: https://lists.openembedded.org/mt/100816446/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [oe-core][master][mickledore][PATCH 1/1] vim: upgrade 9.0.1592 -> 9.0.1664

[Polampalli, Archana via lists.openembedded.org]

Reminder,

Regards,
Archana

From: openembedded-core@lists.openembedded.org 
 on behalf of Polampalli, Archana via 
lists.openembedded.org 
Sent: 18 August 2023 13:19
To: openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari 
Subject: [oe-core][master][mickledore][PATCH 1/1] vim: upgrade 9.0.1592 -> 
9.0.1664

Fixes:
https://nvd.nist.gov/vuln/detail/CVE-2023-3896
8154e642a (tag: v9.0.1664) patch 9.0.1664: divide by zero when scrolling with 
'smoothscroll' set

Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 33ae0d8079..9a7b7650a7 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"

-PV .= ".1592"
-SRCREV = "29b4c513b11deb37f0e0538df53d195f602fa42c"
+PV .= ".1664"
+SRCREV = "8154e642aa476e1a5d3de66c34e8289845b2b797"

 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
--
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#187368): 
https://lists.openembedded.org/g/openembedded-core/message/187368
Mute This Topic: https://lists.openembedded.org/mt/100816446/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] nasm: fix CVE-2020-21528

[Polampalli, Archana via lists.openembedded.org]

A Segmentation Fault issue discovered in in ieee_segment function in outieee.c
in nasm 2.14.03 and 2.15 allows remote attackers to cause a denial of service
via crafted assembly file.

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-21528

Upstream patches:
https://github.com/netwide-assembler/nasm/commit/93c774d482694643cafbc82578ac8b729fb5bc8b

Signed-off-by: Archana Polampalli 
---
 .../nasm/nasm/CVE-2020-21528.patch| 47 +++
 meta/recipes-devtools/nasm/nasm_2.15.05.bb|  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2020-21528.patch

diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2020-21528.patch 
b/meta/recipes-devtools/nasm/nasm/CVE-2020-21528.patch
new file mode 100644
index 00..2303744540
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2020-21528.patch
@@ -0,0 +1,47 @@
+From 93c774d482694643cafbc82578ac8b729fb5bc8b Mon Sep 17 00:00:00 2001
+From: Cyrill Gorcunov 
+Date: Wed, 4 Nov 2020 13:08:06 +0300
+Subject: [PATCH] BR3392637: output/outieee: Fix nil dereference
+
+The handling been broken in commit 98578071.
+
+Upstream-Status: Backport 
[https://github.com/netwide-assembler/nasm/commit/93c774d482694643cafbc82578ac8b729fb5bc8b]
+
+CVE: CVE-2020-21528
+
+Signed-off-by: Cyrill Gorcunov 
+Signed-off-by: Archana Polampalli 
+---
+ output/outieee.c | 17 +
+ 1 file changed, 17 insertions(+)
+
+diff --git a/output/outieee.c b/output/outieee.c
+index bff2f085..b3ccc5f6 100644
+--- a/output/outieee.c
 b/output/outieee.c
+@@ -795,6 +795,23 @@ static int32_t ieee_segment(char *name, int *bits)
+ define_label(name, seg->index + 1, 0L, false);
+ ieee_seg_needs_update = NULL;
+
++/*
++ * In commit 98578071b9d71ecaa2344dd9c185237c1765041e
++ * we reworked labels significantly which in turn lead
++ * to the case where seg->name = NULL here and we get
++ * nil dereference in next segments definitions.
++ *
++ * Lets placate this case with explicit name setting
++ * if labels engine didn't set it yet.
++ *
++ * FIXME: Need to revisit this moment if such fix doesn't
++ * break anything but since IEEE 695 format is veeery
++ * old I don't expect there are many users left. In worst
++ * case this should only lead to a memory leak.
++ */
++if (!seg->name)
++seg->name = nasm_strdup(name);
++
+ if (seg->use32)
+ *bits = 32;
+ else
+--
+2.40.0
diff --git a/meta/recipes-devtools/nasm/nasm_2.15.05.bb 
b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
index bcb7e071d6..aba061f56f 100644
--- a/meta/recipes-devtools/nasm/nasm_2.15.05.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
@@ -10,6 +10,7 @@ SRC_URI = 
"http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
file://0002-Add-debug-prefix-map-option.patch \
file://CVE-2022-44370.patch \
file://CVE-2022-46457.patch \
+   file://CVE-2020-21528.patch \
"
 
 SRC_URI[sha256sum] = 
"3c4b8339e5ab54b1bcb2316101f8985a5da50a3f9e504d43fa6f35668bee2fd0"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#187203): 
https://lists.openembedded.org/g/openembedded-core/message/187203
Mute This Topic: https://lists.openembedded.org/mt/101166618/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] gstreamer1.0: upgrade 1.20.6 -> 1.20.7

[Polampalli, Archana via lists.openembedded.org]

This release only contains bugfixes.

Highlighted bugfixes in 1.20.7:

Security fixes for flacparse, dvdspu, and subparse, and the RealMedia demuxer
h265parse: Fix framerate handling
filesink: Fix buffered mode writing of buffer lists and buffers with multiple 
memories
asfmux, rtpbin_buffer_list test: fix possible unaligned write/read on 32-bit ARM
ptp clock: Work around bug in ptpd in default configuration
qtdemux: fix reverse playback regression with edit lists
rtspsrc: various control path handling server compatibility improvements
avviddec: fix potential deadlock on seeking with FFmpeg 6.x
cerbero: Fix pango crash on 32bit Windows; move libass into non-GPL codecs
Miscellaneous bug fixes, memory leak fixes, and other stability and reliability 
improvements

https://nvd.nist.gov/vuln/detail/CVE-2023-37327
https://nvd.nist.gov/vuln/detail/CVE-2023-37328
https://nvd.nist.gov/vuln/detail/CVE-2023-37329

https://gstreamer.freedesktop.org/releases/1.20/#1.20.7

Signed-off-by: Archana Polampalli 
---
 .../{gst-devtools_1.20.6.bb => gst-devtools_1.20.7.bb}  | 2 +-
 ...streamer1.0-libav_1.20.6.bb => gstreamer1.0-libav_1.20.7.bb} | 2 +-
 .../{gstreamer1.0-omx_1.20.6.bb => gstreamer1.0-omx_1.20.7.bb}  | 2 +-
 ...plugins-bad_1.20.6.bb => gstreamer1.0-plugins-bad_1.20.7.bb} | 2 +-
 ...ugins-base_1.20.6.bb => gstreamer1.0-plugins-base_1.20.7.bb} | 2 +-
 ...ugins-good_1.20.6.bb => gstreamer1.0-plugins-good_1.20.7.bb} | 2 +-
 ...ugins-ugly_1.20.6.bb => gstreamer1.0-plugins-ugly_1.20.7.bb} | 2 +-
 ...reamer1.0-python_1.20.6.bb => gstreamer1.0-python_1.20.7.bb} | 2 +-
 ...rtsp-server_1.20.6.bb => gstreamer1.0-rtsp-server_1.20.7.bb} | 2 +-
 ...streamer1.0-vaapi_1.20.6.bb => gstreamer1.0-vaapi_1.20.7.bb} | 2 +-
 .../{gstreamer1.0_1.20.6.bb => gstreamer1.0_1.20.7.bb}  | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)
 rename meta/recipes-multimedia/gstreamer/{gst-devtools_1.20.6.bb => 
gst-devtools_1.20.7.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-libav_1.20.6.bb => 
gstreamer1.0-libav_1.20.7.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-omx_1.20.6.bb => 
gstreamer1.0-omx_1.20.7.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-bad_1.20.6.bb 
=> gstreamer1.0-plugins-bad_1.20.7.bb} (98%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-base_1.20.6.bb 
=> gstreamer1.0-plugins-base_1.20.7.bb} (97%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-good_1.20.6.bb 
=> gstreamer1.0-plugins-good_1.20.7.bb} (97%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-ugly_1.20.6.bb 
=> gstreamer1.0-plugins-ugly_1.20.7.bb} (94%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-python_1.20.6.bb => 
gstreamer1.0-python_1.20.7.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-rtsp-server_1.20.6.bb 
=> gstreamer1.0-rtsp-server_1.20.7.bb} (90%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-vaapi_1.20.6.bb => 
gstreamer1.0-vaapi_1.20.7.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0_1.20.6.bb => 
gstreamer1.0_1.20.7.bb} (97%)

diff --git a/meta/recipes-multimedia/gstreamer/gst-devtools_1.20.6.bb 
b/meta/recipes-multimedia/gstreamer/gst-devtools_1.20.7.bb
similarity index 95%
rename from meta/recipes-multimedia/gstreamer/gst-devtools_1.20.6.bb
rename to meta/recipes-multimedia/gstreamer/gst-devtools_1.20.7.bb
index 2eee50e6d8..2409ea25e1 100644
--- a/meta/recipes-multimedia/gstreamer/gst-devtools_1.20.6.bb
+++ b/meta/recipes-multimedia/gstreamer/gst-devtools_1.20.7.bb
@@ -12,7 +12,7 @@ SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-devtools/gst-devtools-${PV}
file://0001-connect-has-a-different-signature-on-musl.patch \
"
 
-SRC_URI[sha256sum] = 
"2c64037c823fb88751a47dacf3d4752a52b7951190d6e05fc44855e912e81d71"
+SRC_URI[sha256sum] = 
"2df2ddfee05f6ce978207de9086ca22f00fc36e04f74a11869074da178585e35"
 
 DEPENDS = "json-glib glib-2.0 glib-2.0-native gstreamer1.0 
gstreamer1.0-plugins-base"
 RRECOMMENDS:${PN} = "git"
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.20.6.bb 
b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.20.7.bb
similarity index 91%
rename from meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.20.6.bb
rename to meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.20.7.bb
index c54913e8a1..f3f53893b6 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.20.6.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-libav_1.20.7.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=69333daa044cb77e486cc36129f7a770 \
 "
 
 SRC_URI = 
"https://gstreamer.freedesktop.org/src/gst-libav/gst-libav-${PV}.tar.xz;
-SRC_URI[sha256sum] = 
"7d619a030542a4a5a11e0302742a3d9b05f8e5cfc453025683a0379bc50aa013"
+SRC_URI[sha256sum] = 
"65e776e366f7f3549a9a829418817f464dcc5dc9845220c64a886683d8841b56"
 
 S = "${WORKDIR}/gst-libav-${PV}"
 
diff --git 

[oe-core][master][mickledore][PATCH 1/1] vim: upgrade 9.0.1592 -> 9.0.1664

[Polampalli, Archana via lists.openembedded.org]

Fixes:
https://nvd.nist.gov/vuln/detail/CVE-2023-3896
8154e642a (tag: v9.0.1664) patch 9.0.1664: divide by zero when scrolling with 
'smoothscroll' set

Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 33ae0d8079..9a7b7650a7 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".1592"
-SRCREV = "29b4c513b11deb37f0e0538df53d195f602fa42c"
+PV .= ".1664"
+SRCREV = "8154e642aa476e1a5d3de66c34e8289845b2b797"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#186351): 
https://lists.openembedded.org/g/openembedded-core/message/186351
Mute This Topic: https://lists.openembedded.org/mt/100816446/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [oe-core][kirkstone][PATCH 1/1] vim: upgrade 9.0.1592 -> 9.0.1664

[Polampalli, Archana via lists.openembedded.org]

Thank you, Will do it for master

Regards,
Archana

From: Steve Sakoman 
Sent: 17 August 2023 22:56
To: Polampalli, Archana 
Cc: openembedded-core@lists.openembedded.org 
; G Pillai, Hari 

Subject: Re: [oe-core][kirkstone][PATCH 1/1] vim: upgrade 9.0.1592 -> 9.0.1664

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

Hi Archana,

This version upgrade will need to be submitted for master first before
I can take it for the stable branches.

Thanks,

Steve

On Thu, Aug 17, 2023 at 12:18 AM Polampalli, Archana via
lists.openembedded.org
 wrote:
>
> Fixes:
> https://nvd.nist.gov/vuln/detail/CVE-2023-3896
> 8154e642a (tag: v9.0.1664) patch 9.0.1664: divide by zero when scrolling with 
> 'smoothscroll' set
>
> Signed-off-by: Archana Polampalli 
> ---
>  meta/recipes-support/vim/vim.inc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/meta/recipes-support/vim/vim.inc 
> b/meta/recipes-support/vim/vim.inc
> index 33ae0d8079..9a7b7650a7 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -19,8 +19,8 @@ SRC_URI = 
> "git://github.com/vim/vim.git;branch=master;protocol=https \
> file://no-path-adjust.patch \
> "
>
> -PV .= ".1592"
> -SRCREV = "29b4c513b11deb37f0e0538df53d195f602fa42c"
> +PV .= ".1664"
> +SRCREV = "8154e642aa476e1a5d3de66c34e8289845b2b797"
>
>  # Remove when 8.3 is out
>  UPSTREAM_VERSION_UNKNOWN = "1"
> --
> 2.40.0
>
>
> 
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#186346): 
https://lists.openembedded.org/g/openembedded-core/message/186346
Mute This Topic: https://lists.openembedded.org/mt/100797549/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] vim: upgrade 9.0.1592 -> 9.0.1664

[Polampalli, Archana via lists.openembedded.org]

Fixes:
https://nvd.nist.gov/vuln/detail/CVE-2023-3896
8154e642a (tag: v9.0.1664) patch 9.0.1664: divide by zero when scrolling with 
'smoothscroll' set

Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 33ae0d8079..9a7b7650a7 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".1592"
-SRCREV = "29b4c513b11deb37f0e0538df53d195f602fa42c"
+PV .= ".1664"
+SRCREV = "8154e642aa476e1a5d3de66c34e8289845b2b797"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#186304): 
https://lists.openembedded.org/g/openembedded-core/message/186304
Mute This Topic: https://lists.openembedded.org/mt/100797549/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] qemu: fix CVE-2023-3180

[Polampalli, Archana via lists.openembedded.org]

A flaw was found in the QEMU virtual crypto device while handling data
encryption/decryption requests in virtio_crypto_handle_sym_req.
There is no check for the value of `src_len` and `dst_len` in
virtio_crypto_sym_op_helper, potentially leading to a heap buffer
overflow when the two values differ.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3180

Upstream patches:
https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-3180.patch | 49 +++
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 3347a99e19..d77c376bb6 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -99,6 +99,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2023-2861.patch \
   file://CVE-2020-14394.patch \
   file://CVE-2023-3354.patch \
+  file://CVE-2023-3180.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
new file mode 100644
index 00..5ec7dd0aa0
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch
@@ -0,0 +1,49 @@
+From 49f1e02bac166821c712534aaa775f50e1afe17f Mon Sep 17 00:00:00 2001
+From: zhenwei pi 
+Date: Thu, 3 Aug 2023 10:43:13 +0800
+Subject: [PATCH] virtio-crypto: verify src buffer length for sym request
+
+For symmetric algorithms, the length of ciphertext must be as same
+as the plaintext.
+The missing verification of the src_len and the dst_len in
+virtio_crypto_sym_op_helper() may lead buffer overflow/divulged.
+
+This patch is originally written by Yiming Tao for QEMU-SECURITY,
+resend it(a few changes of error message) in qemu-devel.
+
+Fixes: CVE-2023-3180
+Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler")
+Cc: Gonglei 
+Cc: Mauro Matteo Cascella 
+Cc: Yiming Tao 
+Signed-off-by: zhenwei pi 
+Message-Id: <20230803024314.29962-2-pizhen...@bytedance.com>
+Reviewed-by: Michael S. Tsirkin 
+Signed-off-by: Michael S. Tsirkin 
+(cherry picked from commit 9d38a8434721a6479fe03fb5afb150ca793d3980)
+Signed-off-by: Michael Tokarev 
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f]
+CVE: CVE-2023-3180
+---
+ hw/virtio/virtio-crypto.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index a1d122b9aa..ccaa704530 100644
+--- a/hw/virtio/virtio-crypto.c
 b/hw/virtio/virtio-crypto.c
+@@ -635,6 +635,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+ return NULL;
+ }
+
++if (unlikely(src_len != dst_len)) {
++virtio_error(vdev, "sym request src len is different from dst len");
++return NULL;
++}
++
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + 
hash_result_len;
+ if (unlikely(max_len > vcrypto->conf.max_size)) {
+ virtio_error(vdev, "virtio-crypto too big length");
+--
+2.40.0
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#185924): 
https://lists.openembedded.org/g/openembedded-core/message/185924
Mute This Topic: https://lists.openembedded.org/mt/100732602/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] ghostscript: fix CVE-2023-38559

[Polampalli, Archana via lists.openembedded.org]

A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_write_rle()
in ghostscript. This issue may allow a local attacker to cause a denial of 
service
via outputting a crafted PDF file for a DEVN device with gs.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-38559

Upstream patch:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f

Signed-off-by: Archana Polampalli 
---
 .../ghostscript/CVE-2023-38559.patch  | 32 +++
 .../ghostscript/ghostscript_9.55.0.bb |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch
new file mode 100644
index 00..60e2fa7ee3
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-38559.patch
@@ -0,0 +1,32 @@
+From 34b0eec257c3a597e0515946f17fb973a33a7b5b Mon Sep 17 00:00:00 2001
+From: Chris Liddell 
+Date: Mon, 17 Jul 2023 14:06:37 +0100
+Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
+ devices/gdevpcx.c
+
+Bounds check the buffer, before dereferencing the pointer.
+
+Upstream-Status: Backport 
[https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f]
+
+CVE: CVE-2023-38559
+
+Signed-off-by: Archana Polampalli 
+---
+ base/gdevdevn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/gdevdevn.c b/base/gdevdevn.c
+index f679127..66c771b 100644
+--- a/base/gdevdevn.c
 b/base/gdevdevn.c
+@@ -1950,7 +1950,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, 
int step, gp_file * file
+ byte data = *from;
+
+ from += step;
+-if (data != *from || from == end) {
++if (from >= end || data != *from) {
+ if (data >= 0xc0)
+ gp_fputc(0xc1, file);
+ } else {
+--
+2.40.0
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb 
b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 48508fd6a2..ad0b008cab 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -37,6 +37,7 @@ SRC_URI_BASE = 
"https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
 file://cve-2023-28879.patch \
 file://CVE-2023-36664-0001.patch \
 file://CVE-2023-36664-0002.patch \
+file://CVE-2023-38559.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#185733): 
https://lists.openembedded.org/g/openembedded-core/message/185733
Mute This Topic: https://lists.openembedded.org/mt/100660824/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core]mickledore][PATCH 1/1] bind: upgrade 9.18.15 -> 9.18.16

[Polampalli, Archana via lists.openembedded.org]

Remove enable-epoll & disable-devpoll configure options no longer supported in 
bind-9.18.16
6b6076c882: Remove obsolete epoll/kqueue/devpoll configure options

Security fixes:
https://nvd.nist.gov/vuln/detail/CVE-2023-2828
https://nvd.nist.gov/vuln/detail/CVE-2023-2911

Changelog:
https://github.com/isc-projects/bind9/blob/v9.18.16/CHANGES
https://bind9.readthedocs.io/en/v9.18.16/notes.html#notes-for-bind-9-18-16

Signed-off-by: Archana Polampalli 
---
 .../0001-avoid-start-failure-with-bind-user.patch | 0
 ...0001-named-lwresd-V-and-start-log-hide-build-options.patch | 0
 ...bind-ensure-searching-for-json-headers-searches-sysr.patch | 0
 .../bind/{bind-9.18.15 => bind-9.18.16}/bind9 | 0
 .../bind/{bind-9.18.15 => bind-9.18.16}/conf.patch| 0
 .../bind/{bind-9.18.15 => bind-9.18.16}/generate-rndc-key.sh  | 0
 .../init.d-add-support-for-read-only-rootfs.patch | 0
 .../make-etc-initd-bind-stop-work.patch   | 0
 .../bind/{bind-9.18.15 => bind-9.18.16}/named.service | 0
 .../bind/{bind_9.18.15.bb => bind_9.18.16.bb} | 4 ++--
 10 files changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/0001-avoid-start-failure-with-bind-user.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => bind-9.18.16}/bind9 
(100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/conf.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/generate-rndc-key.sh (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/init.d-add-support-for-read-only-rootfs.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/make-etc-initd-bind-stop-work.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/named.service (100%)
 rename meta/recipes-connectivity/bind/{bind_9.18.15.bb => bind_9.18.16.bb} 
(96%)

diff --git 
a/meta/recipes-connectivity/bind/bind-9.18.15/0001-avoid-start-failure-with-bind-user.patch
 
b/meta/recipes-connectivity/bind/bind-9.18.16/0001-avoid-start-failure-with-bind-user.patch
similarity index 100%
rename from 
meta/recipes-connectivity/bind/bind-9.18.15/0001-avoid-start-failure-with-bind-user.patch
rename to 
meta/recipes-connectivity/bind/bind-9.18.16/0001-avoid-start-failure-with-bind-user.patch
diff --git 
a/meta/recipes-connectivity/bind/bind-9.18.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch
 
b/meta/recipes-connectivity/bind/bind-9.18.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
similarity index 100%
rename from 
meta/recipes-connectivity/bind/bind-9.18.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch
rename to 
meta/recipes-connectivity/bind/bind-9.18.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
diff --git 
a/meta/recipes-connectivity/bind/bind-9.18.15/bind-ensure-searching-for-json-headers-searches-sysr.patch
 
b/meta/recipes-connectivity/bind/bind-9.18.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
similarity index 100%
rename from 
meta/recipes-connectivity/bind/bind-9.18.15/bind-ensure-searching-for-json-headers-searches-sysr.patch
rename to 
meta/recipes-connectivity/bind/bind-9.18.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.18.15/bind9 
b/meta/recipes-connectivity/bind/bind-9.18.16/bind9
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.18.15/bind9
rename to meta/recipes-connectivity/bind/bind-9.18.16/bind9
diff --git a/meta/recipes-connectivity/bind/bind-9.18.15/conf.patch 
b/meta/recipes-connectivity/bind/bind-9.18.16/conf.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.18.15/conf.patch
rename to meta/recipes-connectivity/bind/bind-9.18.16/conf.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.18.15/generate-rndc-key.sh 
b/meta/recipes-connectivity/bind/bind-9.18.16/generate-rndc-key.sh
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.18.15/generate-rndc-key.sh
rename to meta/recipes-connectivity/bind/bind-9.18.16/generate-rndc-key.sh
diff --git 
a/meta/recipes-connectivity/bind/bind-9.18.15/init.d-add-support-for-read-only-rootfs.patch
 
b/meta/recipes-connectivity/bind/bind-9.18.16/init.d-add-support-for-read-only-rootfs.patch
similarity index 100%
rename from 
meta/recipes-connectivity/bind/bind-9.18.15/init.d-add-support-for-read-only-rootfs.patch
rename to 
meta/recipes-connectivity/bind/bind-9.18.16/init.d-add-support-for-read-only-rootfs.patch
diff --git 

Re: [oe-core]mickledore][PATCH 1/1] bind: upgrade 9.18.5 -> 9.18.16

[Polampalli, Archana via lists.openembedded.org]

Thank you for catching this,

Will send V2

Regards,
Archana

From: Lee, Chee Yang 
Sent: 08 August 2023 07:21
To: Polampalli, Archana ; 
openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari 
Subject: RE: [oe-core]mickledore][PATCH 1/1] bind: upgrade 9.18.5 -> 9.18.16

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

> -Original Message-
> From: openembedded-core@lists.openembedded.org  c...@lists.openembedded.org> On Behalf Of Polampalli, Archana via
> lists.openembedded.org
> Sent: Tuesday, August 8, 2023 1:24 AM
> To: openembedded-core@lists.openembedded.org
> Cc: hari.gpil...@windriver.com
> Subject: [oe-core]mickledore][PATCH 1/1] bind: upgrade 9.18.5 -> 9.18.16

Typo in commit short message/title " 9.18.15 ".
There is similar patch in master.
https://git.openembedded.org/openembedded-core/commit/?id=77d2fa5ac1f394fba2b8e24f2b6ded6ea6b691b4


>
> Remove --enable-epoll  and  --disable-devpoll configuration option as these 
> are
> removed in bind-9.18.16
> 6b6076c882: Remove obsolete epoll/kqueue/devpoll configure options
> Ref:
> https://github.com/isc-
> projects/bind9/commit/6b6076c882a00028197b04a827f6cf8e7a5369de
>
> Security fixes:
> https://nvd.nist.gov/vuln/detail/CVE-2023-2828
> https://nvd.nist.gov/vuln/detail/CVE-2023-2911
>
> Changelog:
> https://github.com/isc-projects/bind9/blob/v9.18.16/CHANGES
> https://bind9.readthedocs.io/en/v9.18.16/notes.html#notes-for-bind-9-18-16
>
> Signed-off-by: Archana Polampalli 


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#185647): 
https://lists.openembedded.org/g/openembedded-core/message/185647
Mute This Topic: https://lists.openembedded.org/mt/100604849/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core]mickledore][PATCH 1/1] ncurses: fix CVE-2023-29491

[Polampalli, Archana via lists.openembedded.org]

From: Chen Qi 

Backport patch to fix CVE-2023-29491.

(From OE-Core rev: f1c95ae70f7aac574daf5b935a02bbba0d6f8a16)

Signed-off-by: Chen Qi 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
Signed-off-by: Archana Polampalli 
---
 .../files/0001-Fix-CVE-2023-29491.patch   | 462 ++
 meta/recipes-core/ncurses/ncurses_6.4.bb  |   1 +
 2 files changed, 463 insertions(+)
 create mode 100644 
meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch

diff --git a/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch 
b/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch
new file mode 100644
index 00..1232c8c2a8
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch
@@ -0,0 +1,462 @@
+From 3d54a41f12e9aa059f06e66e72d872f2283395b6 Mon Sep 17 00:00:00 2001
+From: Chen Qi 
+Date: Sun, 30 Jul 2023 21:14:00 -0700
+Subject: [PATCH] Fix CVE-2023-29491
+
+CVE: CVE-2023-29491
+
+Upstream-Status: Backport 
[http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56]
+
+Signed-off-by: Chen Qi 
+---
+ ncurses/tinfo/lib_tgoto.c  |  10 +++-
+ ncurses/tinfo/lib_tparm.c  | 116 -
+ ncurses/tinfo/read_entry.c |   3 +
+ progs/tic.c|   6 ++
+ progs/tparm_type.c |   9 +++
+ progs/tparm_type.h |   2 +
+ progs/tput.c   |  61 ---
+ 7 files changed, 185 insertions(+), 22 deletions(-)
+
+diff --git a/ncurses/tinfo/lib_tgoto.c b/ncurses/tinfo/lib_tgoto.c
+index 9cf5e100..c50ed4df 100644
+--- a/ncurses/tinfo/lib_tgoto.c
 b/ncurses/tinfo/lib_tgoto.c
+@@ -207,6 +207,14 @@ tgoto(const char *string, int x, int y)
+   result = tgoto_internal(string, x, y);
+ else
+ #endif
+-  result = TIPARM_2(string, y, x);
++if ((result = TIPARM_2(string, y, x)) == NULL) {
++  /*
++   * Because termcap did not provide a more general solution such as
++   * tparm(), it was necessary to handle single-parameter capabilities
++   * using tgoto().  The internal _nc_tiparm() function returns a NULL
++   * for that case; retry for the single-parameter case.
++   */
++  result = TIPARM_1(string, y);
++}
+ returnPtr(result);
+ }
+diff --git a/ncurses/tinfo/lib_tparm.c b/ncurses/tinfo/lib_tparm.c
+index d9bdfd8f..a10a3877 100644
+--- a/ncurses/tinfo/lib_tparm.c
 b/ncurses/tinfo/lib_tparm.c
+@@ -1086,6 +1086,64 @@ tparam_internal(TPARM_STATE *tps, const char *string, 
TPARM_DATA *data)
+ return (TPS(out_buff));
+ }
+ 
++#ifdef CUR
++/*
++ * Only a few standard capabilities accept string parameters.  The others that
++ * are parameterized accept only numeric parameters.
++ */
++static bool
++check_string_caps(TPARM_DATA *data, const char *string)
++{
++bool result = FALSE;
++
++#define CHECK_CAP(name) (VALID_STRING(name) && !strcmp(name, string))
++
++/*
++ * Disallow string parameters unless we can check them against a terminal
++ * description.
++ */
++if (cur_term != NULL) {
++  int want_type = 0;
++
++  if (CHECK_CAP(pkey_key))
++  want_type = 2;  /* function key #1, type string #2 */
++  else if (CHECK_CAP(pkey_local))
++  want_type = 2;  /* function key #1, execute string #2 */
++  else if (CHECK_CAP(pkey_xmit))
++  want_type = 2;  /* function key #1, transmit string #2 */
++  else if (CHECK_CAP(plab_norm))
++  want_type = 2;  /* label #1, show string #2 */
++  else if (CHECK_CAP(pkey_plab))
++  want_type = 6;  /* function key #1, type string #2, show string 
#3 */
++#if NCURSES_XNAMES
++  else {
++  char *check;
++
++  check = tigetstr("Cs");
++  if (CHECK_CAP(check))
++  want_type = 1;  /* style #1 */
++
++  check = tigetstr("Ms");
++  if (CHECK_CAP(check))
++  want_type = 3;  /* storage unit #1, content #2 */
++  }
++#endif
++
++  if (want_type == data->tparm_type) {
++  result = TRUE;
++  } else {
++  T(("unexpected string-parameter"));
++  }
++}
++return result;
++}
++
++#define ValidCap() (myData.tparm_type == 0 || \
++  check_string_caps(, string))
++#else
++#define ValidCap() 1
++#endif
++
+ #if NCURSES_TPARM_VARARGS
+ 
+ NCURSES_EXPORT(char *)
+@@ -1100,7 +1158,7 @@ tparm(const char *string, ...)
+ tps->tname = "tparm";
+ #endif /* TRACE */
+ 
+-if (tparm_setup(cur_term, string, ) == OK) {
++if (tparm_setup(cur_term, string, ) == OK && ValidCap()) {
+   va_list ap;
+ 
+   va_start(ap, string);
+@@ -1135,7 +1193,7 @@ tparm(const char *string,
+ tps->tname = "tparm";
+ #endif /* TRACE */
+ 
+-if (tparm_setup(cur_term, string, ) == OK) {
++if (tparm_setup(cur_term, string, ) == OK && ValidCap()) {
+ 
+   myData.param[0] = a1;
+   myData.param[1] = a2;
+@@ -1166,7 +1224,7 @@ tiparm(const char 

[oe-core]mickledore][PATCH 1/1] openssh: upgrade 9.3p1 -> 9.3p2

[Polampalli, Archana via lists.openembedded.org]

Signed-off-by: Archana Polampalli 
---
 .../openssh/{openssh_9.3p1.bb => openssh_9.3p2.bb}  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssh/{openssh_9.3p1.bb => 
openssh_9.3p2.bb} (98%)

diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb 
b/meta/recipes-connectivity/openssh/openssh_9.3p2.bb
similarity index 98%
rename from meta/recipes-connectivity/openssh/openssh_9.3p1.bb
rename to meta/recipes-connectivity/openssh/openssh_9.3p2.bb
index 42ce814523..558e027f5d 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p2.bb
@@ -26,7 +26,7 @@ SRC_URI = 
"http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://add-test-support-for-busybox.patch \
file://7280401bdd77ca54be6867a154cc01e0d72612e0.patch \
"
-SRC_URI[sha256sum] = 
"e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
+SRC_URI[sha256sum] = 
"200ebe147f6cb3f101fd0cdf9e02442af7ddca298dffd9f456878e7ccac676e8"
 
 # This CVE is specific to OpenSSH with the pam opie which we don't build/use 
here
 CVE_CHECK_IGNORE += "CVE-2007-2768"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#185616): 
https://lists.openembedded.org/g/openembedded-core/message/185616
Mute This Topic: https://lists.openembedded.org/mt/100605094/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core]mickledore][PATCH 1/1] bind: upgrade 9.18.5 -> 9.18.16

[Polampalli, Archana via lists.openembedded.org]

Remove --enable-epoll  and  --disable-devpoll configuration option as these are 
removed in bind-9.18.16
6b6076c882: Remove obsolete epoll/kqueue/devpoll configure options
Ref:
https://github.com/isc-projects/bind9/commit/6b6076c882a00028197b04a827f6cf8e7a5369de

Security fixes:
https://nvd.nist.gov/vuln/detail/CVE-2023-2828
https://nvd.nist.gov/vuln/detail/CVE-2023-2911

Changelog:
https://github.com/isc-projects/bind9/blob/v9.18.16/CHANGES
https://bind9.readthedocs.io/en/v9.18.16/notes.html#notes-for-bind-9-18-16

Signed-off-by: Archana Polampalli 
---
 .../0001-avoid-start-failure-with-bind-user.patch | 0
 ...0001-named-lwresd-V-and-start-log-hide-build-options.patch | 0
 ...bind-ensure-searching-for-json-headers-searches-sysr.patch | 0
 .../bind/{bind-9.18.15 => bind-9.18.16}/bind9 | 0
 .../bind/{bind-9.18.15 => bind-9.18.16}/conf.patch| 0
 .../bind/{bind-9.18.15 => bind-9.18.16}/generate-rndc-key.sh  | 0
 .../init.d-add-support-for-read-only-rootfs.patch | 0
 .../make-etc-initd-bind-stop-work.patch   | 0
 .../bind/{bind-9.18.15 => bind-9.18.16}/named.service | 0
 .../bind/{bind_9.18.15.bb => bind_9.18.16.bb} | 4 ++--
 10 files changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/0001-avoid-start-failure-with-bind-user.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => bind-9.18.16}/bind9 
(100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/conf.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/generate-rndc-key.sh (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/init.d-add-support-for-read-only-rootfs.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/make-etc-initd-bind-stop-work.patch (100%)
 rename meta/recipes-connectivity/bind/{bind-9.18.15 => 
bind-9.18.16}/named.service (100%)
 rename meta/recipes-connectivity/bind/{bind_9.18.15.bb => bind_9.18.16.bb} 
(96%)

diff --git 
a/meta/recipes-connectivity/bind/bind-9.18.15/0001-avoid-start-failure-with-bind-user.patch
 
b/meta/recipes-connectivity/bind/bind-9.18.16/0001-avoid-start-failure-with-bind-user.patch
similarity index 100%
rename from 
meta/recipes-connectivity/bind/bind-9.18.15/0001-avoid-start-failure-with-bind-user.patch
rename to 
meta/recipes-connectivity/bind/bind-9.18.16/0001-avoid-start-failure-with-bind-user.patch
diff --git 
a/meta/recipes-connectivity/bind/bind-9.18.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch
 
b/meta/recipes-connectivity/bind/bind-9.18.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
similarity index 100%
rename from 
meta/recipes-connectivity/bind/bind-9.18.15/0001-named-lwresd-V-and-start-log-hide-build-options.patch
rename to 
meta/recipes-connectivity/bind/bind-9.18.16/0001-named-lwresd-V-and-start-log-hide-build-options.patch
diff --git 
a/meta/recipes-connectivity/bind/bind-9.18.15/bind-ensure-searching-for-json-headers-searches-sysr.patch
 
b/meta/recipes-connectivity/bind/bind-9.18.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
similarity index 100%
rename from 
meta/recipes-connectivity/bind/bind-9.18.15/bind-ensure-searching-for-json-headers-searches-sysr.patch
rename to 
meta/recipes-connectivity/bind/bind-9.18.16/bind-ensure-searching-for-json-headers-searches-sysr.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.18.15/bind9 
b/meta/recipes-connectivity/bind/bind-9.18.16/bind9
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.18.15/bind9
rename to meta/recipes-connectivity/bind/bind-9.18.16/bind9
diff --git a/meta/recipes-connectivity/bind/bind-9.18.15/conf.patch 
b/meta/recipes-connectivity/bind/bind-9.18.16/conf.patch
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.18.15/conf.patch
rename to meta/recipes-connectivity/bind/bind-9.18.16/conf.patch
diff --git a/meta/recipes-connectivity/bind/bind-9.18.15/generate-rndc-key.sh 
b/meta/recipes-connectivity/bind/bind-9.18.16/generate-rndc-key.sh
similarity index 100%
rename from meta/recipes-connectivity/bind/bind-9.18.15/generate-rndc-key.sh
rename to meta/recipes-connectivity/bind/bind-9.18.16/generate-rndc-key.sh
diff --git 
a/meta/recipes-connectivity/bind/bind-9.18.15/init.d-add-support-for-read-only-rootfs.patch
 
b/meta/recipes-connectivity/bind/bind-9.18.16/init.d-add-support-for-read-only-rootfs.patch
similarity index 100%
rename from 
meta/recipes-connectivity/bind/bind-9.18.15/init.d-add-support-for-read-only-rootfs.patch
rename to 

[oe-core][kirkstone][PATCH 1/1] libpcre2: fix CVE-2022-41409

[Polampalli, Archana via lists.openembedded.org]

Integer overflow vulnerability in pcre2test before 10.41 allows attackers
to cause a denial of service or other unspecified impacts via negative input.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-41409

Upstream patches:
https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35

Signed-off-by: Archana Polampalli 
---
 .../libpcre/libpcre2/CVE-2022-41409.patch | 63 +++
 .../recipes-support/libpcre/libpcre2_10.40.bb |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch

diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch 
b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch
new file mode 100644
index 00..45b6492fcb
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch
@@ -0,0 +1,63 @@
+From: 94e1c001761373b7d9450768aa15d04c25547a3
+From: Philip Hazel 
+Date: Tue Aug 16 17:00:45 2022 +0100
+Subject: [PATCH] Diagnose negative repeat value in pcre2test subject line
+
+drop change in ChangeLog
+
+Upstream-Status: Backport 
[https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35]
+
+CVE: CVE-2022-41916
+
+Signed-off-by: Archana Polampalli 
+---
+ src/pcre2test.c  | 4 ++--
+ testdata/testinput2  | 3 +++
+ testdata/testoutput2 | 4 
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/pcre2test.c b/src/pcre2test.c
+index ea52a20..378529a 100644
+--- a/src/pcre2test.c
 b/src/pcre2test.c
+@@ -6781,9 +6781,9 @@ while ((c = *p++) != 0)
+   }
+
+ i = (int32_t)li;
+-if (i-- == 0)
++if (i-- <= 0)
+   {
+-  fprintf(outfile, "** Zero repeat not allowed\n");
++  fprintf(outfile, "** Zero or negative repeat not allowed\n");
+   return PR_OK;
+   }
+
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index d37d8f3..717ba2a 100644
+--- a/testdata/testinput2
 b/testdata/testinput2
+@@ -5932,4 +5932,7 @@ a)"xI
+ /[Aa]{2,3}/BI
+ aabcd
+
++--
++\[X]{-10}
++
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index ce090f8..d2188d3 100644
+--- a/testdata/testoutput2
 b/testdata/testoutput2
+@@ -17746,6 +17746,10 @@ Subject length lower bound = 2
+ aabcd
+  0: aa
+
++--
++\[X]{-10}
++** Zero or negative repeat not allowed
++
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
+--
+2.40.0
diff --git a/meta/recipes-support/libpcre/libpcre2_10.40.bb 
b/meta/recipes-support/libpcre/libpcre2_10.40.bb
index 3843d43b69..e88b9196a0 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.40.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.40.bb
@@ -11,6 +11,7 @@ LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=41bfb977e4933c506588724ce69bf5d2"
 
 SRC_URI = 
"https://github.com/PhilipHazel/pcre2/releases/download/pcre2-${PV}/pcre2-${PV}.tar.bz2
 \
+   file://CVE-2022-41409.patch \
 "
 UPSTREAM_CHECK_URI = "https://github.com/PhilipHazel/pcre2/releases;
 
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#185466): 
https://lists.openembedded.org/g/openembedded-core/message/185466
Mute This Topic: https://lists.openembedded.org/mt/100522389/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] qemu: fix CVE-2023-2861

[Polampalli, Archana via lists.openembedded.org]

9pfs: prevent opening special files

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-2861

Upstream patches:
https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/qemu/qemu.inc   |   1 +
 .../qemu/qemu/CVE-2023-2861.patch | 172 ++
 2 files changed, 173 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 83959f3c68..96a1cc93a5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -96,6 +96,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2023-0330.patch \
file://CVE-2023-3301.patch \
file://CVE-2023-3255.patch \
+   file://CVE-2023-2861.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
new file mode 100644
index 00..48f51f5d03
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
@@ -0,0 +1,172 @@
+From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001
+From: Christian Schoenebeck 
+Date: Wed Jun 7 18:29:33 2023 +0200
+Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p
+ protocol does not specifically define how server shall behave when client
+ tries to open a special file, however from security POV it does make sense
+ for 9p server to prohibit opening any special file on host side in general. A
+ sane Linux 9p client for instance would never attempt to open a special file
+ on host side, it would always handle those exclusively on its guest side. A
+ malicious client however could potentially escape from the exported 9p tree
+ by creating and opening a device file on host side.
+
+With QEMU this could only be exploited in the following unsafe setups:
+
+  - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
+security model.
+
+or
+
+  - Using 9p 'proxy' fs driver (which is running its helper daemon as
+root).
+
+These setups were already discouraged for safety reasons before,
+however for obvious reasons we are now tightening behaviour on this.
+
+Fixes: CVE-2023-2861
+Reported-by: Yanwu Shen 
+Reported-by: Jietao Xiao 
+Reported-by: Jinku Li 
+Reported-by: Wenbo Shen 
+Signed-off-by: Christian Schoenebeck 
+Reviewed-by: Greg Kurz 
+Reviewed-by: Michael Tokarev 
+Message-Id: 
+(cherry picked from commit f6b0de5)
+Signed-off-by: Michael Tokarev 
+(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
+
+Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
+
+CVE: CVE-2023-2861
+
+Signed-off-by: Archana Polampalli 
+---
+ fsdev/virtfs-proxy-helper.c | 27 --
+ hw/9pfs/9p-util.h   | 38 +
+ 2 files changed, 63 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
+index 15c0e79b0..f9e4669a5 100644
+--- a/fsdev/virtfs-proxy-helper.c
 b/fsdev/virtfs-proxy-helper.c
+@@ -26,6 +26,7 @@
+ #include "qemu/xattr.h"
+ #include "9p-iov-marshal.h"
+ #include "hw/9pfs/9p-proxy.h"
++#include "hw/9pfs/9p-util.h"
+ #include "fsdev/9p-iov-marshal.h"
+
+ #define PROGNAME "virtfs-proxy-helper"
+@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
+ }
+ }
+
++/*
++ * Open regular file or directory. Attempts to open any special file are
++ * rejected.
++ *
++ * returns file descriptor or -1 on error
++ */
++static int open_regular(const char *pathname, int flags, mode_t mode)
++{
++int fd;
++
++fd = open(pathname, flags, mode);
++if (fd < 0) {
++return fd;
++}
++
++if (close_if_special_file(fd) < 0) {
++return -1;
++}
++
++return fd;
++}
++
+ /*
+  * send response in two parts
+  * 1) ProxyHeader
+@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
+ if (ret < 0) {
+ goto unmarshal_err_out;
+ }
+-ret = open(path.data, flags, mode);
++ret = open_regular(path.data, flags, mode);
+ if (ret < 0) {
+ ret = -errno;
+ }
+@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
+ if (ret < 0) {
+ goto err_out;
+ }
+-ret = open(path.data, flags);
++ret = open_regular(path.data, flags, 0);
+ if (ret < 0) {
+ ret = -errno;
+ }
+diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
+index 546f46dc7..54e270ac6 100644
+--- a/hw/9pfs/9p-util.h
 b/hw/9pfs/9p-util.h
+@@ -13,6 +13,8 @@
+ #ifndef QEMU_9P_UTIL_H
+ #define QEMU_9P_UTIL_H
+
++#include "qemu/error-report.h"
++
+ #ifdef O_PATH
+ #define O_PATH_9P_UTIL O_PATH
+ #else
+@@ -26,6 +28,38 @@ static inline void close_preserve_errno(int fd)
+ errno = 

[oe-core][kirkstone][PATCH 1/1] qemu: fix CVE-2023-3255

[Polampalli, Archana via lists.openembedded.org]

VNC: infinite loop in inflate_buffer() leads to denial of service

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3255

Upstream patches:
https://gitlab.com/qemu-project/qemu/-/commit/d921fea338c1059a27ce7b75309d7a2e485f710b

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-3255.patch | 64 +++
 2 files changed, 65 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index d5d210194b..83959f3c68 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -95,6 +95,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \

file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
file://CVE-2023-0330.patch \
file://CVE-2023-3301.patch \
+   file://CVE-2023-3255.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch
new file mode 100644
index 00..f030df111f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch
@@ -0,0 +1,64 @@
+From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella 
+Date: Tue, 4 Jul 2023 10:41:22 +0200
+Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer
+ (CVE-2023-3255)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A wrong exit condition may lead to an infinite loop when inflating a
+valid zlib buffer containing some extra bytes in the `inflate_buffer`
+function. The bug only occurs post-authentication. Return the buffer
+immediately if the end of the compressed data has been reached
+(Z_STREAM_END).
+
+Fixes: CVE-2023-3255
+Fixes: 0bf41cab ("ui/vnc: clipboard support")
+Reported-by: Kevin Denis 
+Signed-off-by: Mauro Matteo Cascella 
+Reviewed-by: Marc-André Lureau 
+Tested-by: Marc-André Lureau 
+Message-ID: <20230704084210.101822-1-mcasc...@redhat.com>
+
+Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/d921fea338c1059a27ce7b75309d7a2e485f710b]
+
+CVE: CVE-2023-3255
+
+Signed-off-by: Archana Polampalli 
+
+---
+ ui/vnc-clipboard.c | 10 --
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
+index 8aeadfaa21..c759be3438 100644
+--- a/ui/vnc-clipboard.c
 b/ui/vnc-clipboard.c
+@@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t 
in_len, uint32_t *size)
+ ret = inflate(, Z_FINISH);
+ switch (ret) {
+ case Z_OK:
+-case Z_STREAM_END:
+ break;
++case Z_STREAM_END:
++*size = stream.total_out;
++inflateEnd();
++return out;
+ case Z_BUF_ERROR:
+ out_len <<= 1;
+ if (out_len > (1 << 20)) {
+@@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t 
in_len, uint32_t *size)
+ }
+ }
+
+-*size = stream.total_out;
+-inflateEnd();
+-
+-return out;
+-
+ err_end:
+ inflateEnd();
+ err:
+--
+2.40.0
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#185189): 
https://lists.openembedded.org/g/openembedded-core/message/185189
Mute This Topic: https://lists.openembedded.org/mt/100477151/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] qemu: fix CVE-2023-3301

[Polampalli, Archana via lists.openembedded.org]

qemu: hotplug/hotunplug mlx vdpa device to the occupied addr port,
then qemu core dump occurs after shutdown guest

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-3301

Upstream patches:
https://gitlab.com/qemu-project/qemu/-/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-3301.patch | 60 +++
 2 files changed, 61 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index c6c6e49ebf..d5d210194b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -94,6 +94,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \

file://0001-hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch \

file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
file://CVE-2023-0330.patch \
+   file://CVE-2023-3301.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch
new file mode 100644
index 00..ffb5cd3861
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch
@@ -0,0 +1,60 @@
+From a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 Mon Sep 17 00:00:00 2001
+From: Ani Sinha 
+Date: Mon, 19 Jun 2023 12:22:09 +0530
+Subject: [PATCH] vhost-vdpa: do not cleanup the vdpa/vhost-net structures if
+ peer nic is present
+
+When a peer nic is still attached to the vdpa backend, it is too early to free
+up the vhost-net and vdpa structures. If these structures are freed here, then
+QEMU crashes when the guest is being shut down. The following call chain
+would result in an assertion failure since the pointer returned from
+vhost_vdpa_get_vhost_net() would be NULL:
+
+do_vm_stop() -> vm_state_notify() -> virtio_set_status() ->
+virtio_net_vhost_status() -> get_vhost_net().
+
+Therefore, we defer freeing up the structures until at guest shutdown
+time when qemu_cleanup() calls net_cleanup() which then calls
+qemu_del_net_client() which would eventually call vhost_vdpa_cleanup()
+again to free up the structures. This time, the loop in net_cleanup()
+ensures that vhost_vdpa_cleanup() will be called one last time when
+all the peer nics are detached and freed.
+
+All unit tests pass with this change.
+
+CC: imamm...@redhat.com
+CC: jus...@redhat.com
+CC: m...@redhat.com
+Fixes: CVE-2023-3301
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2128929
+Signed-off-by: Ani Sinha 
+Message-Id: <20230619065209.442185-1-anisi...@redhat.com>
+Reviewed-by: Michael S. Tsirkin 
+Signed-off-by: Michael S. Tsirkin 
+
+Upstream-Status: Backport 
[https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8]
+CVE: CVE-2023-3301
+
+
+Signed-off-by: Archana Polampalli 
+---
+ net/vhost-vdpa.c |8 
+ 1 file changed, 8 insertions(+)
+
+--- a/net/vhost-vdpa.c
 b/net/vhost-vdpa.c
+@@ -140,6 +140,14 @@ static void vhost_vdpa_cleanup(NetClient
+ {
+ VhostVDPAState *s = DO_UPCAST(VhostVDPAState, nc, nc);
+
++/*
++ * If a peer NIC is attached, do not cleanup anything.
++ * Cleanup will happen as a part of qemu_cleanup() -> net_cleanup()
++ * when the guest is shutting down.
++ */
++if (nc->peer && nc->peer->info->type == NET_CLIENT_DRIVER_NIC) {
++return;
++}
+ if (s->vhost_net) {
+ vhost_net_cleanup(s->vhost_net);
+ g_free(s->vhost_net);
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#185188): 
https://lists.openembedded.org/g/openembedded-core/message/185188
Mute This Topic: https://lists.openembedded.org/mt/100477143/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] openssh: fix CVE-2023-38408

[Polampalli, Archana via lists.openembedded.org]

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an
insufficiently trustworthy search path, leading to remote code
execution if an agent is forwarded to an attacker-controlled system.
(Code in /usr/lib is not necessarily safe for loading into ssh-agent.)
NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-38408

Upstream patches:
https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc
https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a
https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77
https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755

Signed-off-by: Archana Polampalli 
---
 .../openssh/openssh/CVE-2023-38408-0001.patch | 585 ++
 .../openssh/openssh/CVE-2023-38408-0002.patch | 173 ++
 .../openssh/openssh/CVE-2023-38408-0003.patch |  36 ++
 .../openssh/openssh/CVE-2023-38408-0004.patch | 114 
 .../openssh/openssh_8.9p1.bb  |   4 +
 5 files changed, 912 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0001.patch
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0002.patch
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0003.patch
 create mode 100644 
meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0004.patch

diff --git 
a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0001.patch 
b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0001.patch
new file mode 100644
index 00..2ee344cb27
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-0001.patch
@@ -0,0 +1,585 @@
+From 099cdf59ce1e72f55d421c8445bf6321b3004755 Mon Sep 17 00:00:00 2001
+From: "d...@openbsd.org" 
+Date: Wed, 19 Jul 2023 14:03:45 +
+Subject: [PATCH 1/4] upstream: Separate ssh-pkcs11-helpers for each p11 module
+
+Make ssh-pkcs11-client start an independent helper for each provider,
+providing better isolation between modules and reliability if a single
+module misbehaves.
+
+This also implements reference counting of PKCS#11-hosted keys,
+allowing ssh-pkcs11-helper subprocesses to be automatically reaped
+when no remaining keys reference them. This fixes some bugs we have
+that make PKCS11 keys unusable after they have been deleted, e.g.
+https://bugzilla.mindrot.org/show_bug.cgi?id=3125
+
+ok markus@
+
+OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e
+
+Upstream-Status: Backport 
[https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755]
+
+CVE: CVE-2023-38408
+
+Signed-off-by: Archana Polampalli 
+---
+ ssh-pkcs11-client.c | 378 +---
+ 1 file changed, 285 insertions(+), 93 deletions(-)
+
+diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
+index cfd833d..7db6c6c 100644
+--- a/ssh-pkcs11-client.c
 b/ssh-pkcs11-client.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-pkcs11-client.c,v 1.17 2020/10/18 11:32:02 djm Exp $ */
++/* $OpenBSD: ssh-pkcs11-client.c,v 1.18 2023/07/19 14:03:45 djm Exp $ */
+ /*
+  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
+  * Copyright (c) 2014 Pedro Martelletto. All rights reserved.
+@@ -30,12 +30,11 @@
+ #include 
+ #include 
+ #include 
++#include 
+
+ #include 
+ #include 
+
+-#include "openbsd-compat/openssl-compat.h"
+-
+ #include "pathnames.h"
+ #include "xmalloc.h"
+ #include "sshbuf.h"
+@@ -47,18 +46,140 @@
+ #include "ssh-pkcs11.h"
+ #include "ssherr.h"
+
++#include "openbsd-compat/openssl-compat.h"
++
+ /* borrows code from sftp-server and ssh-agent */
+
+-static int fd = -1;
+-static pid_t pid = -1;
++/*
++ * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up
++ * by provider path or their unique EC/RSA METHOD pointers.
++ */
++struct helper {
++  char *path;
++  pid_t pid;
++  int fd;
++  RSA_METHOD *rsa_meth;
++  EC_KEY_METHOD *ec_meth;
++  int (*rsa_finish)(RSA *rsa);
++  void (*ec_finish)(EC_KEY *key);
++  size_t nrsa, nec; /* number of active keys of each type */
++};
++static struct helper **helpers;
++static size_t nhelpers;
++
++static struct helper *
++helper_by_provider(const char *path)
++{
++  size_t i;
++
++  for (i = 0; i < nhelpers; i++) {
++  if (helpers[i] == NULL || helpers[i]->path == NULL ||
++  helpers[i]->fd == -1)
++  continue;
++  if (strcmp(helpers[i]->path, path) == 0)
++  return helpers[i];
++  }
++  return NULL;
++}
++
++static struct helper *
++helper_by_rsa(const RSA *rsa)
++{
++  size_t i;
++  const RSA_METHOD *meth;
++
++  if ((meth = RSA_get_method(rsa)) == NULL)
++  return NULL;
++  for (i = 0; i < nhelpers; i++) {
++  if (helpers[i] != NULL && 

[oe-core][mickledore][PATCH 1/1] vim: upgrade 9.0.1527 -> 9.0.1592

[Polampalli, Archana via lists.openembedded.org]

From: Trevor Gamblin 

Fixes:

https://nvd.nist.gov/vuln/detail/CVE-2023-2609
d1ae836 patch 9.0.1531: crash when register contents ends up being invalid
https://nvd.nist.gov/vuln/detail/CVE-2023-2610
ab9a2d8 patch 9.0.1532: crash when expanding "~" in substitute causes very long 
text

Signed-off-by: Trevor Gamblin 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index e1d2563316..33ae0d8079 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".1527"
-SRCREV = "c28e7a2b2f23dbd246a1ad7ad7aaa6f7ab2e5887"
+PV .= ".1592"
+SRCREV = "29b4c513b11deb37f0e0538df53d195f602fa42c"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184626): 
https://lists.openembedded.org/g/openembedded-core/message/184626
Mute This Topic: https://lists.openembedded.org/mt/100252286/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][mickledore][PATCH 1/1] qemu: fix CVE-2023-0330

[Polampalli, Archana via lists.openembedded.org]

A vulnerability in the lsi53c895a device affects the latest version
of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption
bugs like stack overflow or use-after-free.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-0330

Upstream patches:
https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-0330.patch | 75 +++
 2 files changed, 76 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 4c9be91cb0..15eba6163f 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -36,6 +36,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://qemu-guest-agent.init \
file://qemu-guest-agent.udev \
file://ppc.patch \
+  file://CVE-2023-0330.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
new file mode 100644
index 00..f609ea29b4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,75 @@
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth 
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+ controller (CVE-2023-0330)
+
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-th...@redhat.com>
+Reviewed-by: Stefan Hajnoczi 
+Reviewed-by: Alexander Bulekov 
+Signed-off-by: Thomas Huth 
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+
+Signed-off-by: Archana Polampalli 
+---
+ hw/scsi/lsi53c895a.c   | 23 +++--
+ tests/qtest/fuzz-lsi53c895a-test.c | 33 ++
+ 2 files changed, 50 insertions(+), 6 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 048436352b7a..f7d45b0b20fb 100644
+--- a/hw/scsi/lsi53c895a.c
 b/hw/scsi/lsi53c895a.c
+@@ -1134,15 +1134,24 @@ static void lsi_execute_script(LSIState *s)
+ uint32_t addr, addr_high;
+ int opcode;
+ int insn_processed = 0;
++static int reentrancy_level;
++
++reentrancy_level++;
+
+ s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+-if (++insn_processed > LSI_MAX_INSN) {
+-/* Some windows drivers make the device spin waiting for a memory
+-   location to change.  If we have been executed a lot of code then
+-   assume this is the case and force an unexpected device disconnect.
+-   This is apparently sufficient to beat the drivers into submission.
+- */
++/*
++ * Some windows drivers make the device spin waiting for a memory location
++ * to change. If we have executed more than LSI_MAX_INSN instructions then
++ * assume this is the case and force an unexpected device disconnect. This
++ * is apparently sufficient to beat the drivers into submission.
++ *
++ * Another issue (CVE-2023-0330) can occur if the script is programmed to
++ * trigger itself again and again. Avoid this problem by stopping after
++ * being called multiple times in a reentrant way (8 is an arbitrary value
++ * which should be enough for all valid use cases).
++ */
++if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+ if (!(s->sien0 & LSI_SIST0_UDC)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+   "lsi_scsi: inf. loop with UDC masked");
+@@ -1596,6 +1605,8 @@ static void lsi_execute_script(LSIState *s)
+ }
+ }
+ trace_lsi_execute_script_stop();
++
++reentrancy_level--;
+ }
+
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184534): 
https://lists.openembedded.org/g/openembedded-core/message/184534
Mute This Topic: https://lists.openembedded.org/mt/100217890/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]

[oe-core][kirkstone][PATCH 1/1] ghostscript: fix CVE-2023-36664

[Polampalli, Archana via lists.openembedded.org]

Artifex Ghostscript through 10.01.2 mishandles permission validation for
pipe devices (with the %pipe% prefix or the | pipe character prefix).

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-36664

Upstream patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099

Signed-off-by: Archana Polampalli 
---
 .../ghostscript/CVE-2023-36664-0001.patch | 146 ++
 .../ghostscript/CVE-2023-36664-0002.patch |  60 +++
 .../ghostscript/ghostscript_9.55.0.bb |   2 +
 3 files changed, 208 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch

diff --git 
a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
new file mode 100644
index 00..99fcc61b9b
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
@@ -0,0 +1,146 @@
+From ed607fedbcd41f4a0e71df6af4ba5b07dd630209 Mon Sep 17 00:00:00 2001
+From: Chris Liddell 
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH 1/2] Bug 706761: Don't "reduce" %pipe% file names for
+ permission validation
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+
+Upstream-Status: Backport 
[https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea]
+CVE: CVE-2023-36664
+
+Signed-off-by: Archana Polampalli 
+---
+ base/gpmisc.c   | 31 +++
+ base/gslibctx.c | 56 -
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 8b6458a..c61ab3f 100644
+--- a/base/gpmisc.c
 b/base/gpmisc.c
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+  && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+   prefix_len = 0;
+ }
+-rlen = len+1;
+-bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + 
prefix_len, "gp_validate_path");
+-if (bufferfull == NULL)
+-return gs_error_VMerror;
+-
+-buffer = bufferfull + prefix_len;
+-if (gp_file_name_reduce(path, (uint)len, buffer, ) != 
gp_combine_success)
+-return gs_error_invalidfileaccess;
+-buffer[rlen] = 0;
+
++/* "%pipe%" do not follow the normal rules for path definitions, so we
++   don't "reduce" them to avoid unexpected results
++ */
++if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, 
len + 1, "gp_validate_path");
++if (buffer == NULL)
++return gs_error_VMerror;
++memcpy(buffer, path, len);
++buffer[len] = 0;
++rlen = len;
++}
++else {
++rlen = len+1;
++bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + 
prefix_len, "gp_validate_path");
++if (bufferfull == NULL)
++return gs_error_VMerror;
++
++buffer = bufferfull + prefix_len;
++if (gp_file_name_reduce(path, (uint)len, buffer, ) != 
gp_combine_success)
++return gs_error_invalidfileaccess;
++buffer[rlen] = 0;
++}
+ while (1) {
+ switch (mode[0])
+ {
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 5bf497b..5fdfe25 100644
+--- a/base/gslibctx.c
 b/base/gslibctx.c
+@@ -734,14 +734,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, 
gs_path_control_t type, co
+ return gs_error_rangecheck;
+ }
+
+-rlen = len+1;
+-buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-if (buffer == NULL)
+-return gs_error_VMerror;
++/* "%pipe%" do not follow the normal rules for path definitions, so we
++   don't "reduce" them to avoid unexpected results
++ */
++if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++buffer = (char *)gs_alloc_bytes(core->memory, len + 1, 
"gs_add_control_path_len");
++if (buffer == NULL)
++return gs_error_VMerror;
++memcpy(buffer, path, len);
++buffer[len] = 0;
++rlen = len;
++}
++else {
++rlen = len + 1;
+
+-if (gp_file_name_reduce(path, (uint)len, buffer, ) != 
gp_combine_success)
+-return gs_error_invalidfileaccess;
+-buffer[rlen] = 0;

[oe-core][kirkstone][PATCH 1/1] vim: upgrade 9.0.1527 -> 9.0.1592

[Polampalli, Archana via lists.openembedded.org]

From: Trevor Gamblin 

Fixes:

https://nvd.nist.gov/vuln/detail/CVE-2023-2609
d1ae836 patch 9.0.1531: crash when register contents ends up being invalid
https://nvd.nist.gov/vuln/detail/CVE-2023-2610
ab9a2d8 patch 9.0.1532: crash when expanding "~" in substitute causes very long 
text

Signed-off-by: Trevor Gamblin 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
Signed-off-by: Archana Polampalli 
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index e1d2563316..33ae0d8079 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".1527"
-SRCREV = "c28e7a2b2f23dbd246a1ad7ad7aaa6f7ab2e5887"
+PV .= ".1592"
+SRCREV = "29b4c513b11deb37f0e0538df53d195f602fa42c"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184462): 
https://lists.openembedded.org/g/openembedded-core/message/184462
Mute This Topic: https://lists.openembedded.org/mt/100193536/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH V2 1/1] go: fix CVE-2023-29402

[Polampalli, Archana via lists.openembedded.org]

The go command may generate unexpected code at build time when using cgo.
This may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories
with newline characters in their names. Modules which are retrieved using the go
command, i.e. via "go get", are not affected (modules retrieved using 
GOPATH-mode,
i.e. GO111MODULE=off, may be affected).

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29402

Upstream patches:
https://github.com/golang/go/commit/4dae3bbe0e6a5700037bb996ae84d6f457c4f58a

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |   1 +
 .../go/go-1.19/CVE-2023-29402.patch   | 194 ++
 2 files changed, 195 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-29402.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 9af9eb2752..3365075fe5 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -34,6 +34,7 @@ SRC_URI += "\
 file://CVE-2023-24539.patch \
 file://CVE-2023-29404.patch \
 file://CVE-2023-29405.patch \
+file://CVE-2023-29402.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29402.patch 
b/meta/recipes-devtools/go/go-1.19/CVE-2023-29402.patch
new file mode 100644
index 00..bf1fbbe0d6
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29402.patch
@@ -0,0 +1,194 @@
+From  4dae3bbe0e6a5700037bb996ae84d6f457c4f58a Mon Sep 17 00:00:00 2001
+From: Bryan C. Mills 
+Date: Fri, 12 May 2023 14:15:16 -0400
+Subject: [PATCH] cmd/go: disallow package directories containing newlines
+
+Directory or file paths containing newlines may cause tools (such as
+cmd/cgo) that emit "//line" or "#line" -directives to write part of
+the path into non-comment lines in generated source code. If those
+lines contain valid Go code, it may be injected into the resulting
+binary.
+
+(Note that Go import paths and file paths within module zip files
+already could not contain newlines.)
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #60167.
+Fixes CVE-2023-29402.
+
+Change-Id: I64572e9f454bce7b685d00e2e6a1c96cd33d53df
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1882606
+Reviewed-by: Roland Shoemaker 
+Run-TryBot: Roland Shoemaker 
+Reviewed-by: Russ Cox 
+Reviewed-by: Damien Neil 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501226
+Run-TryBot: David Chase 
+TryBot-Result: Gopher Robot 
+Reviewed-by: Michael Knyszek 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/4dae3bbe0e6a5700037bb996ae84d6f457c4f58a]
+CVE: CVE-2023-29402
+
+Signed-off-by: Archana Polampalli 
+---
+ src/cmd/go/internal/load/pkg.go   |   4 +
+ src/cmd/go/internal/work/exec.go  |   6 ++
+ src/cmd/go/script_test.go |   1 +
+ .../go/testdata/script/build_cwd_newline.txt  | 100 ++
+ 4 files changed, 111 insertions(+)
+ create mode 100644 src/cmd/go/testdata/script/build_cwd_newline.txt
+
+diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
+index a83cc9a..d4da86d 100644
+--- a/src/cmd/go/internal/load/pkg.go
 b/src/cmd/go/internal/load/pkg.go
+@@ -1897,6 +1897,10 @@ func (p *Package) load(ctx context.Context, opts 
PackageOpts, path string, stk *
+   setError(fmt.Errorf("invalid input directory name %q", name))
+   return
+   }
++  if strings.ContainsAny(p.Dir, "\r\n") {
++  setError(fmt.Errorf("invalid package directory %q", p.Dir))
++  return
++  }
+
+   // Build list of imported packages and full dependency list.
+   imports := make([]*Package, 0, len(p.Imports))
+diff --git a/src/cmd/go/internal/work/exec.go 
b/src/cmd/go/internal/work/exec.go
+index b35caa4..b1bf347 100644
+--- a/src/cmd/go/internal/work/exec.go
 b/src/cmd/go/internal/work/exec.go
+@@ -505,6 +505,12 @@ func (b *Builder) build(ctx context.Context, a *Action) 
(err error) {
+   b.Print(a.Package.ImportPath + "\n")
+   }
+
++  if p.Error != nil {
++  // Don't try to build anything for packages with errors. There 
may be a
++  // problem with the inputs that makes the package unsafe to 
build.
++  return p.Error
++  }
++
+   if a.Package.BinaryOnly {
+   p.Stale = true
+   p.StaleReason = "binary-only packages are no longer supported"
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index c0156d0..ce4ff37 100644
+--- a/src/cmd/go/script_test.go
 b/src/cmd/go/script_test.go
+@@ -182,6 +182,7 @@ func (ts *testScript) setup() {
+   "devnull=" + os.DevNull,
+   "goversion=" + 

[oe-core][kirkstone][PATCH 1/1] go: fix CVE-2023-29402

[Polampalli, Archana via lists.openembedded.org]

The go command may generate unexpected code at build time when using cgo.
This may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories
with newline characters in their names. Modules which are retrieved using the go
command, i.e. via "go get", are not affected (modules retrieved using 
GOPATH-mode,
i.e. GO111MODULE=off, may be affected).

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29402

Upstream patches:
https://github.com/golang/go/commit/4dae3bbe0e6a5700037bb996ae84d6f457c4f58a

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |   1 +
 .../go/go-1.19/CVE-2023-29402.patch   | 194 ++
 2 files changed, 195 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-29402.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 9af9eb2752..3365075fe5 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -34,6 +34,7 @@ SRC_URI += "\
 file://CVE-2023-24539.patch \
 file://CVE-2023-29404.patch \
 file://CVE-2023-29405.patch \
+file://CVE-2023-29402.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29402.patch 
b/meta/recipes-devtools/go/go-1.19/CVE-2023-29402.patch
new file mode 100644
index 00..c3efeeffd0
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29402.patch
@@ -0,0 +1,194 @@
+From 749bd10e0be0968b666d15ec0b255fdfe298228e Mon Sep 17 00:00:00 2001
+From: Archana Polampalli 
+Date: Fri, 23 Jun 2023 08:34:42 +
+Subject: [PATCH] cmd/go: disallow package directories containing newlines
+
+Directory or file paths containing newlines may cause tools (such as
+cmd/cgo) that emit "//line" or "#line" -directives to write part of
+the path into non-comment lines in generated source code. If those
+lines contain valid Go code, it may be injected into the resulting
+binary.
+
+(Note that Go import paths and file paths within module zip files
+already could not contain newlines.)
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #60167.
+Fixes CVE-2023-29402.
+
+Change-Id: I64572e9f454bce7b685d00e2e6a1c96cd33d53df
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1882606
+Reviewed-by: Roland Shoemaker 
+Run-TryBot: Roland Shoemaker 
+Reviewed-by: Russ Cox 
+Reviewed-by: Damien Neil 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501226
+Run-TryBot: David Chase 
+TryBot-Result: Gopher Robot 
+Reviewed-by: Michael Knyszek 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f]
+CVE: CVE-2023-29402
+
+Signed-off-by: Archana Polampalli 
+---
+ src/cmd/go/internal/load/pkg.go   |   4 +
+ src/cmd/go/internal/work/exec.go  |   6 ++
+ src/cmd/go/script_test.go |   1 +
+ .../go/testdata/script/build_cwd_newline.txt  | 100 ++
+ 4 files changed, 111 insertions(+)
+ create mode 100644 src/cmd/go/testdata/script/build_cwd_newline.txt
+
+diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
+index a83cc9a..d4da86d 100644
+--- a/src/cmd/go/internal/load/pkg.go
 b/src/cmd/go/internal/load/pkg.go
+@@ -1897,6 +1897,10 @@ func (p *Package) load(ctx context.Context, opts 
PackageOpts, path string, stk *
+   setError(fmt.Errorf("invalid input directory name %q", name))
+   return
+   }
++  if strings.ContainsAny(p.Dir, "\r\n") {
++  setError(fmt.Errorf("invalid package directory %q", p.Dir))
++  return
++  }
+
+   // Build list of imported packages and full dependency list.
+   imports := make([]*Package, 0, len(p.Imports))
+diff --git a/src/cmd/go/internal/work/exec.go 
b/src/cmd/go/internal/work/exec.go
+index b35caa4..b1bf347 100644
+--- a/src/cmd/go/internal/work/exec.go
 b/src/cmd/go/internal/work/exec.go
+@@ -505,6 +505,12 @@ func (b *Builder) build(ctx context.Context, a *Action) 
(err error) {
+   b.Print(a.Package.ImportPath + "\n")
+   }
+
++  if p.Error != nil {
++  // Don't try to build anything for packages with errors. There 
may be a
++  // problem with the inputs that makes the package unsafe to 
build.
++  return p.Error
++  }
++
+   if a.Package.BinaryOnly {
+   p.Stale = true
+   p.StaleReason = "binary-only packages are no longer supported"
+diff --git a/src/cmd/go/script_test.go b/src/cmd/go/script_test.go
+index c0156d0..ce4ff37 100644
+--- a/src/cmd/go/script_test.go
 b/src/cmd/go/script_test.go
+@@ -182,6 +182,7 @@ func (ts *testScript) setup() {
+   "devnull=" + os.DevNull,
+   "goversion=" + 

[oe-core][kirkstone][PATCH 1/1] go: fix CVE-2023-29405

[Polampalli, Archana via lists.openembedded.org]

The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when running
any other command which builds untrusted code. This is can by triggered by
linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing
embedded spaces are mishandled, allowing disallowed flags to be smuggled
through the LDFLAGS sanitization by including them in the argument of
another flag. This only affects usage of the gccgo compiler.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29405

Upstream patches:
https://github.com/golang/go/commit/6d8af00a630aa51134e54f0f321658621c6410f0

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |   1 +
 .../go/go-1.19/CVE-2023-29405.patch   | 109 ++
 2 files changed, 110 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 2c1febfe9c..9af9eb2752 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -33,6 +33,7 @@ SRC_URI += "\
 file://CVE-2023-24540.patch \
 file://CVE-2023-24539.patch \
 file://CVE-2023-29404.patch \
+file://CVE-2023-29405.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch 
b/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch
new file mode 100644
index 00..d806e1e67d
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29405.patch
@@ -0,0 +1,109 @@
+From 6d8af00a630aa51134e54f0f321658621c6410f0 Mon Sep 17 00:00:00 2001
+From: Ian Lance Taylor 
+Date: Thu, 4 May 2023 14:06:39 -0700
+Subject: [PATCH] cmd/go,cmd/cgo: in _cgo_flags use one line per flag
+
+The flags that we recorded in _cgo_flags did not use any quoting,
+so a flag containing embedded spaces was mishandled.
+Change the _cgo_flags format to put each flag on a separate line.
+That is a simple format that does not require any quoting.
+
+As far as I can tell only cmd/go uses _cgo_flags, and it is only
+used for gccgo. If this patch doesn't cause any trouble, then
+in the next release we can change to only using _cgo_flags for gccgo.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #60306
+Fixes CVE-2023-29405
+
+Change-Id: I81fb5337db8a22e1f4daca22ceff4b79b96d0b4f
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1875094
+Reviewed-by: Damien Neil 
+Reviewed-by: Roland Shoemaker 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501224
+Reviewed-by: Ian Lance Taylor 
+Run-TryBot: David Chase 
+Reviewed-by: Michael Knyszek 
+Reviewed-by: Roland Shoemaker 
+TryBot-Result: Gopher Robot 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/6d8af00a630aa51134e54f0f321658621c6410f0]
+CVE: CVE-2023-29405
+
+Signed-off-by: Archana Polampalli 
+---
+ src/cmd/cgo/out.go|  4 +++-
+ src/cmd/go/internal/work/gccgo.go | 14 ++---
+ .../go/testdata/script/gccgo_link_ldflags.txt | 20 +++
+ 3 files changed, 29 insertions(+), 9 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/gccgo_link_ldflags.txt
+
+diff --git a/src/cmd/cgo/out.go b/src/cmd/cgo/out.go
+index 94152f4..62e6528 100644
+--- a/src/cmd/cgo/out.go
 b/src/cmd/cgo/out.go
+@@ -47,7 +47,9 @@ func (p *Package) writeDefs() {
+
+   fflg := creat(*objDir + "_cgo_flags")
+   for k, v := range p.CgoFlags {
+-  fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, strings.Join(v, " "))
++  for _, arg := range v {
++  fmt.Fprintf(fflg, "_CGO_%s=%s\n", k, arg)
++  }
+   if k == "LDFLAGS" && !*gccgo {
+   for _, arg := range v {
+   fmt.Fprintf(fgo2, "//go:cgo_ldflag %q\n", arg)
+diff --git a/src/cmd/go/internal/work/gccgo.go 
b/src/cmd/go/internal/work/gccgo.go
+index 1499536..bb4be2f 100644
+--- a/src/cmd/go/internal/work/gccgo.go
 b/src/cmd/go/internal/work/gccgo.go
+@@ -283,14 +283,12 @@ func (tools gccgoToolchain) link(b *Builder, root 
*Action, out, importcfg string
+   const ldflagsPrefix = "_CGO_LDFLAGS="
+   for _, line := range strings.Split(string(flags), "\n") {
+   if strings.HasPrefix(line, ldflagsPrefix) {
+-  newFlags := 
strings.Fields(line[len(ldflagsPrefix):])
+-  for _, flag := range newFlags {
+-  // Every _cgo_flags file has -g and -O2 
in _CGO_LDFLAGS
+-  // but they don't mean anything to the 
linker so filter
+-  // them out.
+-  if flag != "-g" && 
!strings.HasPrefix(flag, 

[oe-core][kirkstone][PATCH 1/1] go: fix CVE-2023-29404

[Polampalli, Archana via lists.openembedded.org]

The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when running
any other command which builds untrusted code. This is can by triggered by
linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a
number of flags which are non-optional are incorrectly considered optional,
allowing disallowed flags to be smuggled through the LDFLAGS sanitization.
This affects usage of both the gc and gccgo compilers.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29404

Upstream patches:
https://github.com/golang/go/commit/bbeb55f5faf93659e1cfd6ab073ab3c9d126d195

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |  1 +
 .../go/go-1.19/CVE-2023-29404.patch   | 78 +++
 2 files changed, 79 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-29404.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index d430e0669d..2c1febfe9c 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -32,6 +32,7 @@ SRC_URI += "\
 file://CVE-2023-24538.patch \
 file://CVE-2023-24540.patch \
 file://CVE-2023-24539.patch \
+file://CVE-2023-29404.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.19/CVE-2023-29404.patch 
b/meta/recipes-devtools/go/go-1.19/CVE-2023-29404.patch
new file mode 100644
index 00..c6beced884
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.19/CVE-2023-29404.patch
@@ -0,0 +1,78 @@
+From bbeb55f5faf93659e1cfd6ab073ab3c9d126d195 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker 
+Date: Fri, 5 May 2023 13:10:34 -0700
+Subject: [PATCH] cmd/go: enforce flags with non-optional arguments
+
+Enforce that linker flags which expect arguments get them, otherwise it
+may be possible to smuggle unexpected flags through as the linker can
+consume what looks like a flag as an argument to a preceding flag (i.e.
+"-Wl,-O -Wl,-R,-bad-flag" is interpreted as "-O=-R -bad-flag"). Also be
+somewhat more restrictive in the general format of some flags.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #60305
+Fixes CVE-2023-29404
+
+Change-Id: I913df78a692cee390deefc3cd7d8f5b031524fc9
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1876275
+Reviewed-by: Ian Lance Taylor 
+Reviewed-by: Damien Neil 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/501225
+Run-TryBot: David Chase 
+Reviewed-by: Michael Knyszek 
+TryBot-Result: Gopher Robot 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/bbeb55f5faf93659e1cfd6ab073ab3c9d126d195]
+CVE: CVE-2023-29404
+
+Signed-off-by: Archana Polampalli 
+---
+ src/cmd/go/internal/work/security.go  | 6 +++---
+ src/cmd/go/internal/work/security_test.go | 5 +
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/cmd/go/internal/work/security.go 
b/src/cmd/go/internal/work/security.go
+index e9b9f6c..91e6e4c 100644
+--- a/src/cmd/go/internal/work/security.go
 b/src/cmd/go/internal/work/security.go
+@@ -179,10 +179,10 @@ var validLinkerFlags = []*lazyregexp.Regexp{
+   re(`-Wl,-berok`),
+   re(`-Wl,-Bstatic`),
+   re(`-Wl,-Bsymbolic-functions`),
+-  re(`-Wl,-O([^@,\-][^,]*)?`),
++  re(`-Wl,-O[0-9]+`),
+   re(`-Wl,-d[ny]`),
+   re(`-Wl,--disable-new-dtags`),
+-  re(`-Wl,-e[=,][a-zA-Z0-9]*`),
++  re(`-Wl,-e[=,][a-zA-Z0-9]+`),
+   re(`-Wl,--enable-new-dtags`),
+   re(`-Wl,--end-group`),
+   re(`-Wl,--(no-)?export-dynamic`),
+@@ -191,7 +191,7 @@ var validLinkerFlags = []*lazyregexp.Regexp{
+   re(`-Wl,--hash-style=(sysv|gnu|both)`),
+   re(`-Wl,-headerpad_max_install_names`),
+   re(`-Wl,--no-undefined`),
+-  re(`-Wl,-R([^@\-][^,@]*$)`),
++  re(`-Wl,-R,?([^@\-,][^,@]*$)`),
+   re(`-Wl,--just-symbols[=,]([^,@\-][^,@]+)`),
+   re(`-Wl,-rpath(-link)?[=,]([^,@\-][^,]+)`),
+   re(`-Wl,-s`),
+diff --git a/src/cmd/go/internal/work/security_test.go 
b/src/cmd/go/internal/work/security_test.go
+index 8d4be0a..3616548 100644
+--- a/src/cmd/go/internal/work/security_test.go
 b/src/cmd/go/internal/work/security_test.go
+@@ -227,6 +227,11 @@ var badLinkerFlags = [][]string{
+   {"-Wl,-R,@foo"},
+   {"-Wl,--just-symbols,@foo"},
+   {"../x.o"},
++  {"-Wl,-R,"},
++  {"-Wl,-O"},
++  {"-Wl,-e="},
++  {"-Wl,-e,"},
++  {"-Wl,-R,-flag"},
+ }
+
+ func TestCheckLinkerFlags(t *testing.T) {
+--
+2.40.0
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183179): 
https://lists.openembedded.org/g/openembedded-core/message/183179
Mute This Topic: https://lists.openembedded.org/mt/99673729/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: 

[oe-core][kirkstone][PATCH 1/1] nasm: fix CVE-2022-46457

[Polampalli, Archana via lists.openembedded.org]

NASM v2.16 was discovered to contain a segmentation violation
in the component ieee_write_file at /output/outieee.c.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-46457

Upstream patches:
https://github.com/netwide-assembler/nasm/commit/c8af73112027fad0ecbb277e9cba257678c405af

Signed-off-by: Archana Polampalli 
---
 .../nasm/nasm/CVE-2022-46457.patch| 50 +++
 meta/recipes-devtools/nasm/nasm_2.15.05.bb|  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-46457.patch

diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2022-46457.patch 
b/meta/recipes-devtools/nasm/nasm/CVE-2022-46457.patch
new file mode 100644
index 00..3502d572cd
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2022-46457.patch
@@ -0,0 +1,50 @@
+From c8af73112027fad0ecbb277e9cba257678c405af Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" 
+Date: Wed, 7 Dec 2022 10:23:46 -0800
+Subject: [PATCH] outieee: fix segfault on empty input
+
+Fix the IEEE backend crashing if the input file is empty.
+
+Signed-off-by: H. Peter Anvin 
+
+Upstream-Status: Backport 
[https://github.com/netwide-assembler/nasm/commit/c8af73112027fad0ecbb277e9cba257678c405af]
+CVE: CVE-2022-46457
+
+Signed-off-by: Archana Polampalli 
+---
+ output/outieee.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/output/outieee.c b/output/outieee.c
+index cdb8333..8bc5eaa 100644
+--- a/output/outieee.c
 b/output/outieee.c
+@@ -919,7 +919,7 @@ static void ieee_write_file(void)
+  * Write the section headers
+  */
+ seg = seghead;
+-if (!debuginfo && !strcmp(seg->name, "??LINE"))
++if (!debuginfo && seg && !strcmp(seg->name, "??LINE"))
+ seg = seg->next;
+ while (seg) {
+ char buf[256];
+@@ -954,7 +954,7 @@ static void ieee_write_file(void)
+ /*
+  * write the start address if there is one
+  */
+-if (ieee_entry_seg) {
++if (ieee_entry_seg && seghead) {
+ for (seg = seghead; seg; seg = seg->next)
+ if (seg->index == ieee_entry_seg)
+ break;
+@@ -1067,7 +1067,7 @@ static void ieee_write_file(void)
+  *  put out section data;
+  */
+ seg = seghead;
+-if (!debuginfo && !strcmp(seg->name, "??LINE"))
++if (!debuginfo && seg && !strcmp(seg->name, "??LINE"))
+ seg = seg->next;
+ while (seg) {
+ if (seg->currentpos) {
+--
+2.40.0
diff --git a/meta/recipes-devtools/nasm/nasm_2.15.05.bb 
b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
index 59b1121bd4..bcb7e071d6 100644
--- a/meta/recipes-devtools/nasm/nasm_2.15.05.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
@@ -9,6 +9,7 @@ SRC_URI = 
"http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
file://0001-stdlib-Add-strlcat.patch \
file://0002-Add-debug-prefix-map-option.patch \
file://CVE-2022-44370.patch \
+   file://CVE-2022-46457.patch \
"
 
 SRC_URI[sha256sum] = 
"3c4b8339e5ab54b1bcb2316101f8985a5da50a3f9e504d43fa6f35668bee2fd0"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183096): 
https://lists.openembedded.org/g/openembedded-core/message/183096
Mute This Topic: https://lists.openembedded.org/mt/99620606/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] samba: fix CVE-2022-45142

[Polampalli, Archana via lists.openembedded.org]

Please ignore this patch

Regards,
Archana

From: openembedded-core@lists.openembedded.org 
 on behalf of Polampalli, Archana via 
lists.openembedded.org 
Sent: Friday, June 16, 2023 5:34 PM
To: openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari 
Subject: [OE-core] [PATCH] samba: fix CVE-2022-45142

The fix for CVE-2022-3437 included changing memcmp to be constant
time and a workaround for a compiler bug by adding "!= 0"
comparisons to the result of memcmp. When these patches were
backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and
possibly other branches) a logic inversion sneaked in causing the
validation of message integrity codes in gssapi/arcfour to be inverted.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-45142

Upstream patches:
https://www.openwall.com/lists/oss-security/2023/02/08/1
https://github.com/heimdal/heimdal/commit/5f63215d0d82678233fdfb1c07f4b421f57c528b

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-45142.patch  | 51 +++
 .../samba/samba_4.14.14.bb|  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
new file mode 100644
index 0..d6b9826e4
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
@@ -0,0 +1,51 @@
+From: Helmut Grohne 
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne 
+
+Upstream-Status: Backport 
[https://www.openwall.com/lists/oss-security/2023/02/08/1]
+CVE: CVE-2022-45142
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+   _gsskrb5_release_buffer(minor_status, output_message_buffer);
+   *minor_status = 0;
+--
+2.38.1
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb 
b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index 39ba85194..cc07d51dc 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -30,6 +30,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
+   file://CVE-2022-45142.patch;patchdir=source4/heimdal \
"

 SRC_URI:append:libc-musl = " \
--
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183018): 
https://lists.openembedded.org/g/openembedded-core/message/183018
Mute This Topic: https://lists.openembedded.org/mt/99568906/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] samba: fix CVE-2022-3437

[Polampalli, Archana via lists.openembedded.org]

Please Ignore this patch

Regards,
Archana

From: openembedded-core@lists.openembedded.org 
 on behalf of Polampalli, Archana via 
lists.openembedded.org 
Sent: Friday, June 16, 2023 5:34 PM
To: openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari 
Subject: [OE-core] [PATCH] samba: fix CVE-2022-3437

A heap-based buffer overflow vulnerability was found in Samba within
the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The
DES and Triple-DES decryption routines in the Heimdal GSSAPI library
allow a length-limited write buffer overflow on malloc() allocated
memory when presented with a maliciously small packet. This flaw
allows a remote user to send specially crafted malicious data to the
application, possibly resulting in a denial of service (DoS) attack.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3437

Upstream patches:
https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3
https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49
https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd
https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d
https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d
https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696
https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2
https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-3437-0001.patch  | 77 +++
 .../samba/samba/CVE-2022-3437-0002.patch  | 35 +
 .../samba/samba/CVE-2022-3437-0003.patch  | 50 
 .../samba/samba/CVE-2022-3437-0004.patch  | 57 ++
 .../samba/samba/CVE-2022-3437-0005.patch  | 37 +
 .../samba/samba/CVE-2022-3437-0006.patch  | 65 
 .../samba/samba/CVE-2022-3437-0007.patch  | 39 ++
 .../samba/samba/CVE-2022-3437-0008.patch  | 48 
 .../samba/samba_4.14.14.bb|  8 ++
 9 files changed, 416 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
new file mode 100644
index 0..abc778b73
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
@@ -0,0 +1,77 @@
+From f6edaafcfefd843ca1b1a041f942a853d85ee7c3 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton 
+Date: Wed, 12 Oct 2022 13:57:13 +1300
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour
+ unwrap
+
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton 
+Reviewed-by: Andrew Bartlett 
+
+Upstream-Status: Backport 
[https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3]
+CVE: CVE-2022-3437
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 16 
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index a61f768..4fc46ce 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = ct_memcmp(cksum_data, p + 8, 8);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
+@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, _number);
+
+ if (context_handle->more_flags & LOCAL)
+-  cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
+ else
+-  cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
+
+ memset(SND_SEQ, 0, sizeof(SND_SEQ));
+ if (cmp != 0) {
+@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_sta

Re: [OE-core] [PATCH] samba: fix CVE-2022-41916

[Polampalli, Archana via lists.openembedded.org]

Please ignore this patch

Regards,
Archana

From: openembedded-core@lists.openembedded.org 
 on behalf of Polampalli, Archana via 
lists.openembedded.org 
Sent: Friday, June 16, 2023 5:35 PM
To: openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari 
Subject: [OE-core] [PATCH] samba: fix CVE-2022-41916

Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos.
Versions prior to 7.7.1 are vulnerable to a denial of service
vulnerability in Heimdal's PKI certificate validation library,
affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as
any third-party applications using Heimdal's libhx509. Users
should upgrade to Heimdal 7.7.1 or 7.8. There are no known
workarounds for this issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-41916

Upstream patches:
https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-41916.patch  | 38 +++
 .../samba/samba_4.14.14.bb|  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch
new file mode 100644
index 0..07f4a18a2
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch
@@ -0,0 +1,38 @@
+From eb87af0c2d189c25294c7daf483a47b03af80c2c Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman 
+Date: Wed, 17 Nov 2021 20:00:29 -0500
+Subject: [PATCH] lib/wind: find_normalize read past end of array
+
+find_normalize() can under some circumstances read one element
+beyond the input array.  The contents are discarded immediately
+without further use.
+
+This change prevents the unintended read.
+
+(cherry picked from commit 357a38fc7fb582ae73f4b7f4a90a4b0b871b149e)
+
+Change-Id: Ia2759a5632d64f7fa6553f879b5bbbf43ba3513e
+
+Upstream-Status: Backport 
[https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c]
+CVE: CVE-2022-41916
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/wind/normalize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/wind/normalize.c b/lib/wind/normalize.c
+index 20e8a4a04b..8f3991d10e 100644
+--- a/lib/wind/normalize.c
 b/lib/wind/normalize.c
+@@ -227,9 +227,9 @@ find_composition(const uint32_t *in, unsigned in_len)
+   unsigned i;
+
+   if (n % 5 == 0) {
+-  cur = *in++;
+   if (in_len-- == 0)
+   return c->val;
++  cur = *in++;
+   }
+
+   i = cur >> 16;
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb 
b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index cc07d51dc..fcec63752 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -31,6 +31,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
file://CVE-2022-45142.patch;patchdir=source4/heimdal \
+   file://CVE-2022-41916.patch;patchdir=source4/heimdal \
"

 SRC_URI:append:libc-musl = " \
--
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183016): 
https://lists.openembedded.org/g/openembedded-core/message/183016
Mute This Topic: https://lists.openembedded.org/mt/99568915/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix CVE-2022-3437

[Polampalli, Archana via lists.openembedded.org]

Please ignore this patch

Regards,
Archana

From: openembedded-core@lists.openembedded.org 
 on behalf of Polampalli, Archana via 
lists.openembedded.org 
Sent: Friday, June 16, 2023 5:40 PM
To: openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari 
Subject: [OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix 
CVE-2022-3437

A heap-based buffer overflow vulnerability was found in Samba within
the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The
DES and Triple-DES decryption routines in the Heimdal GSSAPI library
allow a length-limited write buffer overflow on malloc() allocated
memory when presented with a maliciously small packet. This flaw
allows a remote user to send specially crafted malicious data to the
application, possibly resulting in a denial of service (DoS) attack.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3437

Upstream patches:
https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3
https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49
https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd
https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d
https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d
https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696
https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2
https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-3437-0001.patch  | 77 +++
 .../samba/samba/CVE-2022-3437-0002.patch  | 35 +
 .../samba/samba/CVE-2022-3437-0003.patch  | 50 
 .../samba/samba/CVE-2022-3437-0004.patch  | 57 ++
 .../samba/samba/CVE-2022-3437-0005.patch  | 37 +
 .../samba/samba/CVE-2022-3437-0006.patch  | 65 
 .../samba/samba/CVE-2022-3437-0007.patch  | 39 ++
 .../samba/samba/CVE-2022-3437-0008.patch  | 48 
 .../samba/samba_4.14.14.bb|  8 ++
 9 files changed, 416 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
new file mode 100644
index 0..abc778b73
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
@@ -0,0 +1,77 @@
+From f6edaafcfefd843ca1b1a041f942a853d85ee7c3 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton 
+Date: Wed, 12 Oct 2022 13:57:13 +1300
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour
+ unwrap
+
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton 
+Reviewed-by: Andrew Bartlett 
+
+Upstream-Status: Backport 
[https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3]
+CVE: CVE-2022-3437
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 16 
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index a61f768..4fc46ce 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = ct_memcmp(cksum_data, p + 8, 8);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
+@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, _number);
+
+ if (context_handle->more_flags & LOCAL)
+-  cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
+ else
+-  cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
+
+ memset(SND_SEQ, 0, sizeof(SND_SEQ));
+ if (cmp != 0) {
+@@ -656,9 +656,9 @@ OM_uint32

Re: [OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix CVE-2022-45142

[Polampalli, Archana via lists.openembedded.org]

Please ignore this patch

Regards,
Archana

From: openembedded-core@lists.openembedded.org 
 on behalf of Polampalli, Archana via 
lists.openembedded.org 
Sent: Friday, June 16, 2023 5:42 PM
To: openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari 
Subject: [OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix 
CVE-2022-45142

The fix for CVE-2022-3437 included changing memcmp to be constant
time and a workaround for a compiler bug by adding "!= 0"
comparisons to the result of memcmp. When these patches were
backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and
possibly other branches) a logic inversion sneaked in causing the
validation of message integrity codes in gssapi/arcfour to be inverted.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-45142

Upstream patches:
https://www.openwall.com/lists/oss-security/2023/02/08/1
https://github.com/heimdal/heimdal/commit/5f63215d0d82678233fdfb1c07f4b421f57c528b

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-45142.patch  | 51 +++
 .../samba/samba_4.14.14.bb|  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
new file mode 100644
index 0..d6b9826e4
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
@@ -0,0 +1,51 @@
+From: Helmut Grohne 
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne 
+
+Upstream-Status: Backport 
[https://www.openwall.com/lists/oss-security/2023/02/08/1]
+CVE: CVE-2022-45142
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+   _gsskrb5_release_buffer(minor_status, output_message_buffer);
+   *minor_status = 0;
+--
+2.38.1
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb 
b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index 39ba85194..cc07d51dc 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -30,6 +30,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
+   file://CVE-2022-45142.patch;patchdir=source4/heimdal \
"

 SRC_URI:append:libc-musl = " \
--
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183014): 
https://lists.openembedded.org/g/openembedded-core/message/183014
Mute This Topic: https://lists.openembedded.org/mt/99569013/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix CVE-2022-45142

[Polampalli, Archana via lists.openembedded.org]

The fix for CVE-2022-3437 included changing memcmp to be constant
time and a workaround for a compiler bug by adding "!= 0"
comparisons to the result of memcmp. When these patches were
backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and
possibly other branches) a logic inversion sneaked in causing the
validation of message integrity codes in gssapi/arcfour to be inverted.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-45142

Upstream patches:
https://www.openwall.com/lists/oss-security/2023/02/08/1
https://github.com/heimdal/heimdal/commit/5f63215d0d82678233fdfb1c07f4b421f57c528b

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-45142.patch  | 51 +++
 .../samba/samba_4.14.14.bb|  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
new file mode 100644
index 0..d6b9826e4
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
@@ -0,0 +1,51 @@
+From: Helmut Grohne 
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne 
+
+Upstream-Status: Backport 
[https://www.openwall.com/lists/oss-security/2023/02/08/1]
+CVE: CVE-2022-45142
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+   _gsskrb5_release_buffer(minor_status, output_message_buffer);
+   *minor_status = 0;
+--
+2.38.1
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb 
b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index 39ba85194..cc07d51dc 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -30,6 +30,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
+   file://CVE-2022-45142.patch;patchdir=source4/heimdal \
"
 
 SRC_URI:append:libc-musl = " \
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183013): 
https://lists.openembedded.org/g/openembedded-core/message/183013
Mute This Topic: https://lists.openembedded.org/mt/99569013/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [oe][meta-networking][kirkstone][PATCH V2 1/1] samba: fix CVE-2022-3437

[Polampalli, Archana via lists.openembedded.org]

A heap-based buffer overflow vulnerability was found in Samba within
the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The
DES and Triple-DES decryption routines in the Heimdal GSSAPI library
allow a length-limited write buffer overflow on malloc() allocated
memory when presented with a maliciously small packet. This flaw
allows a remote user to send specially crafted malicious data to the
application, possibly resulting in a denial of service (DoS) attack.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3437

Upstream patches:
https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3
https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49
https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd
https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d
https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d
https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696
https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2
https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-3437-0001.patch  | 77 +++
 .../samba/samba/CVE-2022-3437-0002.patch  | 35 +
 .../samba/samba/CVE-2022-3437-0003.patch  | 50 
 .../samba/samba/CVE-2022-3437-0004.patch  | 57 ++
 .../samba/samba/CVE-2022-3437-0005.patch  | 37 +
 .../samba/samba/CVE-2022-3437-0006.patch  | 65 
 .../samba/samba/CVE-2022-3437-0007.patch  | 39 ++
 .../samba/samba/CVE-2022-3437-0008.patch  | 48 
 .../samba/samba_4.14.14.bb|  8 ++
 9 files changed, 416 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
new file mode 100644
index 0..abc778b73
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
@@ -0,0 +1,77 @@
+From f6edaafcfefd843ca1b1a041f942a853d85ee7c3 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton 
+Date: Wed, 12 Oct 2022 13:57:13 +1300
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour
+ unwrap
+
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton 
+Reviewed-by: Andrew Bartlett 
+
+Upstream-Status: Backport 
[https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3]
+CVE: CVE-2022-3437
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 16 
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index a61f768..4fc46ce 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = ct_memcmp(cksum_data, p + 8, 8);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
+@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, _number);
+
+ if (context_handle->more_flags & LOCAL)
+-  cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
+ else
+-  cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
+
+ memset(SND_SEQ, 0, sizeof(SND_SEQ));
+ if (cmp != 0) {
+@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, _number);
+
+ if (context_handle->more_flags & LOCAL)
+-  cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
+ else
+-  cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
+
+ if (cmp != 0) {
+   

[OE-core] [PATCH] samba: fix CVE-2022-41916

[Polampalli, Archana via lists.openembedded.org]

Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos.
Versions prior to 7.7.1 are vulnerable to a denial of service
vulnerability in Heimdal's PKI certificate validation library,
affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as
any third-party applications using Heimdal's libhx509. Users
should upgrade to Heimdal 7.7.1 or 7.8. There are no known
workarounds for this issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-41916

Upstream patches:
https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-41916.patch  | 38 +++
 .../samba/samba_4.14.14.bb|  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch
new file mode 100644
index 0..07f4a18a2
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch
@@ -0,0 +1,38 @@
+From eb87af0c2d189c25294c7daf483a47b03af80c2c Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman 
+Date: Wed, 17 Nov 2021 20:00:29 -0500
+Subject: [PATCH] lib/wind: find_normalize read past end of array
+
+find_normalize() can under some circumstances read one element
+beyond the input array.  The contents are discarded immediately
+without further use.
+
+This change prevents the unintended read.
+
+(cherry picked from commit 357a38fc7fb582ae73f4b7f4a90a4b0b871b149e)
+
+Change-Id: Ia2759a5632d64f7fa6553f879b5bbbf43ba3513e
+
+Upstream-Status: Backport 
[https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c]
+CVE: CVE-2022-41916
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/wind/normalize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/wind/normalize.c b/lib/wind/normalize.c
+index 20e8a4a04b..8f3991d10e 100644
+--- a/lib/wind/normalize.c
 b/lib/wind/normalize.c
+@@ -227,9 +227,9 @@ find_composition(const uint32_t *in, unsigned in_len)
+   unsigned i;
+
+   if (n % 5 == 0) {
+-  cur = *in++;
+   if (in_len-- == 0)
+   return c->val;
++  cur = *in++;
+   }
+
+   i = cur >> 16;
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb 
b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index cc07d51dc..fcec63752 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -31,6 +31,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
file://CVE-2022-45142.patch;patchdir=source4/heimdal \
+   file://CVE-2022-41916.patch;patchdir=source4/heimdal \
"
 
 SRC_URI:append:libc-musl = " \
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183011): 
https://lists.openembedded.org/g/openembedded-core/message/183011
Mute This Topic: https://lists.openembedded.org/mt/99568915/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH] samba: fix CVE-2022-45142

[Polampalli, Archana via lists.openembedded.org]

The fix for CVE-2022-3437 included changing memcmp to be constant
time and a workaround for a compiler bug by adding "!= 0"
comparisons to the result of memcmp. When these patches were
backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and
possibly other branches) a logic inversion sneaked in causing the
validation of message integrity codes in gssapi/arcfour to be inverted.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-45142

Upstream patches:
https://www.openwall.com/lists/oss-security/2023/02/08/1
https://github.com/heimdal/heimdal/commit/5f63215d0d82678233fdfb1c07f4b421f57c528b

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-45142.patch  | 51 +++
 .../samba/samba_4.14.14.bb|  1 +
 2 files changed, 52 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
new file mode 100644
index 0..d6b9826e4
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch
@@ -0,0 +1,51 @@
+From: Helmut Grohne 
+Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions
+
+The referenced commit attempted to fix miscompilations with gcc-9 and
+gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately,
+it also inverted the result of the comparison in two occasions. This
+inversion happened during backporting the patch to 7.7.1 and 7.8.0.
+
+Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp()
+ for arcfour unwrap")
+Signed-off-by: Helmut Grohne 
+
+Upstream-Status: Backport 
[https://www.openwall.com/lists/oss-security/2023/02/08/1]
+CVE: CVE-2022-45142
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Changes since v1:
+ * Fix typo in commit message.
+ * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman.
+
+Changes since v2:
+ * Add CVE identifier.
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index e838d007a..eee6ad72f 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
++cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
+ if (cmp) {
+   _gsskrb5_release_buffer(minor_status, output_message_buffer);
+   *minor_status = 0;
+--
+2.38.1
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb 
b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index 39ba85194..cc07d51dc 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -30,6 +30,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
+   file://CVE-2022-45142.patch;patchdir=source4/heimdal \
"
 
 SRC_URI:append:libc-musl = " \
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#183010): 
https://lists.openembedded.org/g/openembedded-core/message/183010
Mute This Topic: https://lists.openembedded.org/mt/99568906/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] [PATCH] samba: fix CVE-2022-3437

[Polampalli, Archana via lists.openembedded.org]

A heap-based buffer overflow vulnerability was found in Samba within
the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The
DES and Triple-DES decryption routines in the Heimdal GSSAPI library
allow a length-limited write buffer overflow on malloc() allocated
memory when presented with a maliciously small packet. This flaw
allows a remote user to send specially crafted malicious data to the
application, possibly resulting in a denial of service (DoS) attack.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-3437

Upstream patches:
https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3
https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49
https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd
https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d
https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d
https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696
https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2
https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef

Signed-off-by: Archana Polampalli 
---
 .../samba/samba/CVE-2022-3437-0001.patch  | 77 +++
 .../samba/samba/CVE-2022-3437-0002.patch  | 35 +
 .../samba/samba/CVE-2022-3437-0003.patch  | 50 
 .../samba/samba/CVE-2022-3437-0004.patch  | 57 ++
 .../samba/samba/CVE-2022-3437-0005.patch  | 37 +
 .../samba/samba/CVE-2022-3437-0006.patch  | 65 
 .../samba/samba/CVE-2022-3437-0007.patch  | 39 ++
 .../samba/samba/CVE-2022-3437-0008.patch  | 48 
 .../samba/samba_4.14.14.bb|  8 ++
 9 files changed, 416 insertions(+)
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch
 create mode 100644 
meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch

diff --git 
a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch 
b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
new file mode 100644
index 0..abc778b73
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
@@ -0,0 +1,77 @@
+From f6edaafcfefd843ca1b1a041f942a853d85ee7c3 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton 
+Date: Wed, 12 Oct 2022 13:57:13 +1300
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour
+ unwrap
+
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton 
+Reviewed-by: Andrew Bartlett 
+
+Upstream-Status: Backport 
[https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3]
+CVE: CVE-2022-3437
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/gssapi/krb5/arcfour.c | 16 
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index a61f768..4fc46ce 100644
+--- a/lib/gssapi/krb5/arcfour.c
 b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+   return GSS_S_FAILURE;
+ }
+
+-cmp = ct_memcmp(cksum_data, p + 8, 8);
++cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
+ if (cmp) {
+   *minor_status = 0;
+   return GSS_S_BAD_MIC;
+@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, _number);
+
+ if (context_handle->more_flags & LOCAL)
+-  cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
+ else
+-  cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
+
+ memset(SND_SEQ, 0, sizeof(SND_SEQ));
+ if (cmp != 0) {
+@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, _number);
+
+ if (context_handle->more_flags & LOCAL)
+-  cmp = memcmp(_SEQ[4], "\xff\xff\xff\xff", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
+ else
+-  cmp = memcmp(_SEQ[4], "\x00\x00\x00\x00", 4);
++  cmp = (ct_memcmp(_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
+
+ if (cmp != 0) {
+   

Re: [oe-core][mickledore][PATCH 1/1] git: fix CVE-2023-29007

[Polampalli, Archana via lists.openembedded.org]

Reminder,

Regards,
archana

From: openembedded-core@lists.openembedded.org 
 on behalf of Polampalli, Archana via 
lists.openembedded.org 
Sent: Tuesday, May 9, 2023 6:44 PM
To: openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari ; Polampalli, Archana 

Subject: [oe-core][mickledore][PATCH 1/1] git: fix CVE-2023-29007

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 
2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can 
used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. 
This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` 
when
attempting to remove the configuration section associated with that submodule. 
When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote 
code
execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 
2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid 
running
`git submodule deinit` on untrusted repositories or without prior inspection of 
any
submodule sections in `$GIT_DIR/config`.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Upstream patches:
https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a

Signed-off-by: Archana Polampalli 
---
 .../git/git/CVE-2023-29007.patch  | 158 ++
 meta/recipes-devtools/git/git_2.39.2.bb   |   1 +
 2 files changed, 159 insertions(+)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2023-29007.patch

diff --git a/meta/recipes-devtools/git/git/CVE-2023-29007.patch 
b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
new file mode 100644
index 00..14b6933e96
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
@@ -0,0 +1,158 @@
+From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
+From: Taylor Blau 
+Date: Fri, 14 Apr 2023 11:46:59 -0400
+Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
+
+Avoids issues with renaming or deleting sections with long lines, where
+configuration values may be interpreted as sections, leading to
+configuration injection. Addresses CVE-2023-29007.
+
+* tb/config-copy-or-rename-in-file-injection:
+  config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+  config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+  config: avoid fixed-sized buffer when renaming/deleting a section
+  t1300: demonstrate failure when renaming sections with long lines
+
+Signed-off-by: Taylor Blau 
+
+CVE: CVE-2023-29007
+Upstream-Status: Backport 
[https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4]
+
+Signed-off-by: Archana Polampalli 
+---
+ config.c  | 34 +++---
+ t/t1300-config.sh | 31 +++
+ 2 files changed, 54 insertions(+), 11 deletions(-)
+
+diff --git a/config.c b/config.c
+index 27f3828..3c674a6 100644
+--- a/config.c
 b/config.c
+@@ -3487,9 +3487,10 @@ void git_config_set_multivar(const char *key, const 
char *value,
+   flags);
+ }
+
+-static int section_name_match (const char *buf, const char *name)
++static size_t section_name_match (const char *buf, const char *name)
+ {
+-  int i = 0, j = 0, dot = 0;
++  size_t i = 0, j = 0;
++  int dot = 0;
+   if (buf[i] != '[')
+   return 0;
+   for (i = 1; buf[i] && buf[i] != ']'; i++) {
+@@ -3542,6 +3543,7 @@ static int section_name_is_ok(const char *name)
+   return 1;
+ }
+
++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
+ /* if new_name == NULL, the section is removed instead */
+ static int git_config_copy_or_rename_section_in_file(const char 
*config_filename,
+ const char *old_name,
+@@ -3551,11 +3553,12 @@ static int 
git_config_copy_or_rename_section_in_file(const char *config_filename
+   char *filename_buf = NULL;
+   struct lock_file lock = LOCK_INIT;
+   int out_fd;
+-  char buf[1024];
++  struct strbuf buf = STRBUF_INIT;
+   FILE *config_file = NULL;
+   struct stat st;
+   struct strbuf copystr = STRBUF_INIT;
+   struct config_store_data store;
++  uint32_t line_nr = 0;
+
+   memset(, 0, sizeof(store));
+
+@@ -3592,16 +3595,24 @@ static int 
git_config_copy_or_rename_section_in_file(const char *config_filename
+   

Re: [oe-core][mickledore][PATCH 1/1] git: fix CVE-2023-25652

[Polampalli, Archana via lists.openembedded.org]

Reminder,

Regards,
Archana

From: openembedded-core@lists.openembedded.org 
 on behalf of Polampalli, Archana via 
lists.openembedded.org 
Sent: Tuesday, May 9, 2023 6:33 PM
To: openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari ; Polampalli, Archana 

Subject: [oe-core][mickledore][PATCH 1/1] git: fix CVE-2023-25652

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when 
applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch 
before
applying; avoid applying one that create a conflict where a link corresponding 
to
the `*.rej` file exists.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652

Upstream patches:
https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b

Signed-off-by: Archana Polampalli 
---
 .../git/git/CVE-2023-25652.patch  | 94 +++
 meta/recipes-devtools/git/git_2.39.2.bb   |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2023-25652.patch

diff --git a/meta/recipes-devtools/git/git/CVE-2023-25652.patch 
b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
new file mode 100644
index 00..e8cedfcf27
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
+From 9db05711c98efc14f414d4c87135a34c13586e0b  Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin 
+Date: Thu Mar 9 16:02:54 2023 +0100
+Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
+ exists
+
+The `git apply --reject` is expected to write out `.rej` files in case
+one or more hunks fail to apply cleanly. Historically, the command
+overwrites any existing `.rej` files. The idea being that
+apply/reject/edit cycles are relatively common, and the generated `.rej`
+files are not considered precious.
+
+But the command does not overwrite existing `.rej` symbolic links, and
+instead follows them. This is unsafe because the same patch could
+potentially create such a symbolic link and point at arbitrary paths
+outside the current worktree, and `git apply` would write the contents
+of the `.rej` file into that location.
+
+Therefore, let's make sure that any existing `.rej` file or symbolic
+link is removed before writing it.
+
+Reported-by: RyotaK 
+Helped-by: Taylor Blau 
+Helped-by: Junio C Hamano 
+Helped-by: Linus Torvalds 
+Signed-off-by: Johannes Schindelin 
+
+CVE: CVE-2023-25652
+Upstream-Status: Backport 
[https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
+
+Signed-off-by: Archana Polampalli 
+---
+ apply.c  | 14 --
+ t/t4115-apply-symlink.sh | 15 +++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/apply.c b/apply.c
+index eec2da2..442cf28 100644
+--- a/apply.c
 b/apply.c
+@@ -4576,7 +4576,7 @@ static int write_out_one_reject(struct apply_state 
*state, struct patch *patch)
+   FILE *rej;
+   char namebuf[PATH_MAX];
+   struct fragment *frag;
+-  int cnt = 0;
++  int fd, cnt = 0;
+   struct strbuf sb = STRBUF_INIT;
+
+   for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4616,7 +4616,17 @@ static int write_out_one_reject(struct apply_state 
*state, struct patch *patch)
+   memcpy(namebuf, patch->new_name, cnt);
+   memcpy(namebuf + cnt, ".rej", 5);
+
+-  rej = fopen(namebuf, "w");
++  fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++  if (fd < 0) {
++  if (errno != EEXIST)
++  return error_errno(_("cannot open %s"), namebuf);
++  if (unlink(namebuf))
++  return error_errno(_("cannot unlink '%s'"), namebuf);
++  fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++  if (fd < 0)
++  return error_errno(_("cannot open %s"), namebuf);
++  }
++  rej = fdopen(fd, "w");
+   if (!rej)
+   return error_errno(_("cannot open %s"), namebuf);
+
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 65ac7df..e95e6d4 100755
+--- a/t/t4115-apply-symlink.sh
 b/t/t4115-apply-symlink.sh
+@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when 
deleting file' '
+   test_path_is_file .git/delete-me
+ '
+
++test_expect_success SYMLINKS '--reject removes .

Re: [oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-46691

[Polampalli, Archana via lists.openembedded.org]

Hi Steve,

As you suggested Yogita will send V2 for all seven patches

Regards,
Archana

From: openembedded-core@lists.openembedded.org 
 on behalf of Steve Sakoman via 
lists.openembedded.org 
Sent: Tuesday, June 6, 2023 7:52 PM
To: st...@sakoman.com 
Cc: Urade, Yogita ; 
openembedded-core@lists.openembedded.org 
; MacLeod, Randy 

Subject: Re: [oe-core][kirkstone][PATCH 1/1] webkitgtk: fix CVE-2022-46691

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know 
the content is safe.

On Tue, Jun 6, 2023 at 4:18 AM Steve Sakoman via
lists.openembedded.org 
wrote:
>
> Hi Yogita,
>
> Thanks for helping to fix CVEs!
>
> Unfortunately I can't take this set of five patches in their current

Seven, not five!  I can't count :-)

> state.  You have crafted each as an individual patch to the current
> kirkstone head.  As a result, after I take the first patch the rest
> will not apply.
>
> In a case like this you should send a patch series, with each patch
> taking into account the previous patch.
>
> Regards,
>
> Steve
>
> On Tue, Jun 6, 2023 at 2:07 AM Urade, Yogita via
> lists.openembedded.org
>  wrote:
> >
> > A memory consumption issue was addressed with improved memory handling. 
> > This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 
> > 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing 
> > maliciously crafted web content may lead to arbitrary code execution.
> >
> > References:
> > https://nvd.nist.gov/vuln/detail/CVE-2022-46691
> > https://support.apple.com/en-us/HT213531
> >
> > Signed-off-by: Yogita Urade 
> > ---
> >  .../webkit/webkitgtk/CVE-2022-46691.patch | 43 +++
> >  meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |  1 +
> >  2 files changed, 44 insertions(+)
> >  create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
> >
> > diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch 
> > b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
> > new file mode 100644
> > index 00..ff9df40433
> > --- /dev/null
> > +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
> > @@ -0,0 +1,43 @@
> > +From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
> > +From: Yijia Huang 
> > +Date: Mon, 10 Oct 2022 15:42:34 -0700
> > +Subject: [PATCH] [JSC] Should model BigInt with side effects
> > + https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
> > +
> > +Reviewed by Yusuke Suzuki.
> > +
> > +Operations with two BigInt operands have side effects,
> > +which should not be hoisted from loops.
> > +
> > +* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
> > +(JSC::DFG::doesWrites):
> > +* Source/JavaScriptCore/dfg/DFGClobberize.h:
> > +(JSC::DFG::clobberize):
> > +
> > +Canonical link: https://commits.webkit.org/255368@main
> > +
> > +CVE: CVE-2022-46691
> > +
> > +Upstream-Status: Backport
> > +[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
> > +
> > +Signed-off-by: Yogita Urade 
> > +---
> > + Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++
> > + 1 file changed, 2 insertions(+)
> > +
> > +diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h 
> > b/Source/JavaScriptCore/dfg/DFGClobberize.h
> > +index 0363ab20dcd8..4b1bcfea1fd7 100644
> > +--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
> >  b/Source/JavaScriptCore/dfg/DFGClobberize.h
> > +@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const 
> > ReadFunctor& read, const WriteFu
> > + case ValueBitRShift:
> > + // FIXME: this use of single-argument isBinaryUseKind would 
> > prevent us from specializing (for example) for a HeapBigInt left-operand 
> > and a BigInt32 right-operand.
> > + if (node->isBinaryUseKind(AnyBigIntUse) || 
> > node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) 
> > {
> > ++read(World);
> > ++write(SideState);
> > + def(PureValue(node));
> > + return;
> > + }
> > +--
> > +2.40.0
> > diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb 
> > b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > index 1dac4f5677..02258f84e4 100644
> > --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
> > @@ -17,6 +17,7 @@ SRC_URI = 
> > "https://www.webkitgtk.org/releases/${BP}.tar.xz \
> > 
> > file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
> > file://CVE-2022-32888.patch \
> > file://CVE-2022-32923.patch \
> > +   file://CVE-2022-46691.patch \
> > "
> >  SRC_URI[sha256sum] = 
> > "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
> >
> > --
> > 2.40.0
> >
> >
> >
> >
>
>
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#182442): 

[oe-core][mickledore][PATCH 1/1] git: ignore CVE-2023-25815

[Polampalli, Archana via lists.openembedded.org]

This is specific to Git-for-Windows.

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/git/git_2.39.2.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/git/git_2.39.2.bb 
b/meta/recipes-devtools/git/git_2.39.2.bb
index 222e545f60..9fac9d13f8 100644
--- a/meta/recipes-devtools/git/git_2.39.2.bb
+++ b/meta/recipes-devtools/git/git_2.39.2.bb
@@ -33,6 +33,8 @@ CVE_PRODUCT = "git-scm:git"
 CVE_CHECK_IGNORE += "CVE-2022-24975"
 # This is specific to Git-for-Windows
 CVE_CHECK_IGNORE += "CVE-2022-41953"
+# This is specific to Git-for-Windows
+CVE_CHECK_IGNORE += "CVE-2023-25815"
 
 PACKAGECONFIG ??= "expat curl"
 PACKAGECONFIG[cvsserver] = ""
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#182007): 
https://lists.openembedded.org/g/openembedded-core/message/182007
Mute This Topic: https://lists.openembedded.org/mt/99238241/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [oe-core][kirkstone][PATCH 1/1] git: ignore CVE-2023-25815

[Polampalli, Archana via lists.openembedded.org]

Hi,

NVD site  https://nvd.nist.gov/vuln/detail/CVE-2023-25815 is stating that CVE 
affects the Git for Windows and Debain security tracker - 
https://security-tracker.debian.org/tracker/CVE-2023-25815
has provided the CVE  fix commit 
https://github.com/git/git/commit/c4137be0f5a6edf9a9044e6e43ecf4468c7a4046 and 
stated that CVE fixed in Debain unstable version(sid)


Kindly review the CVE, If it affects only Windows please approve the patch else 
please respond I will try to send patch for CVE fix.

CVE description:
In Git for Windows, the Windows port of Git, no localized messages are shipped 
with the installer. As a consequence, Git is expected not to localize messages 
at all, and skips the gettext initialization. However, due to a change in 
MINGW-packages, the `gettext()` function's implicit initialization no longer 
uses the runtime prefix but uses the hard-coded path `C:\mingw64\share\locale` 
to look for localized messages. And since any authenticated user has the 
permission to create folders in `C:\` (and since `C:\mingw64` does not 
typically exist), it is possible for low-privilege users to place fake messages 
in that location where `git.exe` will pick them up in version 2.40.1. This 
vulnerability is relatively hard to exploit and requires social engineering. 
For example, a legitimate message at the end of a clone could be maliciously 
modified to ask the user to direct their web browser to a malicious website, 
and the user might think that the message comes from Git and is legitimate. It 
does require local write access by the attacker, though, which makes this 
attack vector less likely. Version 2.40.1 contains a patch for this issue. Some 
workarounds are available. Do not work on a Windows machine with shared 
accounts, or alternatively create a `C:\mingw64` folder and leave it empty. 
Users who have administrative rights may remove the permission to create 
folders in `C:\`.


References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25815
https://github.com/git-for-windows/git/security/advisories/GHSA-9w66-8mq8-5vm8
https://security-tracker.debian.org/tracker/CVE-2023-25815
https://github.com/git/git/commit/c4137be0f5a6edf9a9044e6e43ecf4468c7a4046
[https://opengraph.githubassets.com/378f0913a5e21a34e25674de17d23163b810deb2ea3446cc80bff6a0804522c7/git/git/commit/c4137be0f5a6edf9a9044e6e43ecf4468c7a4046]<https://github.com/git/git/commit/c4137be0f5a6edf9a9044e6e43ecf4468c7a4046>
gettext: avoid using gettext if the locale dir is not present · 
git/git@c4137be<https://github.com/git/git/commit/c4137be0f5a6edf9a9044e6e43ecf4468c7a4046>
In cc5e1bf99247 (gettext: avoid initialization if the locale dir is not 
present, 2018-04-21) Git was taught to avoid a costly gettext start-up when 
there are not even any localized messages to work...
github.com


From: openembedded-core@lists.openembedded.org 
 on behalf of Polampalli, Archana via 
lists.openembedded.org 
Sent: Monday, May 22, 2023 1:06 PM
To: openembedded-core@lists.openembedded.org 

Cc: G Pillai, Hari 
Subject: [oe-core][kirkstone][PATCH 1/1] git: ignore CVE-2023-25815

This is specific to Git-for-Windows.

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/git/git_2.39.2.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/git/git_2.39.2.bb 
b/meta/recipes-devtools/git/git_2.39.2.bb
index 222e545f60..9fac9d13f8 100644
--- a/meta/recipes-devtools/git/git_2.39.2.bb
+++ b/meta/recipes-devtools/git/git_2.39.2.bb
@@ -33,6 +33,8 @@ CVE_PRODUCT = "git-scm:git"
 CVE_CHECK_IGNORE += "CVE-2022-24975"
 # This is specific to Git-for-Windows
 CVE_CHECK_IGNORE += "CVE-2022-41953"
+# This is specific to Git-for-Windows
+CVE_CHECK_IGNORE += "CVE-2023-25815"

 PACKAGECONFIG ??= "expat curl"
 PACKAGECONFIG[cvsserver] = ""
--
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#181583): 
https://lists.openembedded.org/g/openembedded-core/message/181583
Mute This Topic: https://lists.openembedded.org/mt/99060237/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][kirkstone][PATCH 1/1] git: ignore CVE-2023-25815

[Polampalli, Archana via lists.openembedded.org]

This is specific to Git-for-Windows.

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/git/git_2.39.2.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/git/git_2.39.2.bb 
b/meta/recipes-devtools/git/git_2.39.2.bb
index 222e545f60..9fac9d13f8 100644
--- a/meta/recipes-devtools/git/git_2.39.2.bb
+++ b/meta/recipes-devtools/git/git_2.39.2.bb
@@ -33,6 +33,8 @@ CVE_PRODUCT = "git-scm:git"
 CVE_CHECK_IGNORE += "CVE-2022-24975"
 # This is specific to Git-for-Windows
 CVE_CHECK_IGNORE += "CVE-2022-41953"
+# This is specific to Git-for-Windows
+CVE_CHECK_IGNORE += "CVE-2023-25815"
 
 PACKAGECONFIG ??= "expat curl"
 PACKAGECONFIG[cvsserver] = ""
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#181582): 
https://lists.openembedded.org/g/openembedded-core/message/181582
Mute This Topic: https://lists.openembedded.org/mt/99060237/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[oe-core][mickledore][PATCH 1/1] git: fix CVE-2023-29007

[Polampalli, Archana via lists.openembedded.org]

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 
2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can 
used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. 
This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` 
when
attempting to remove the configuration section associated with that submodule. 
When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote 
code
execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 
2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid 
running
`git submodule deinit` on untrusted repositories or without prior inspection of 
any
submodule sections in `$GIT_DIR/config`.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Upstream patches:
https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a

Signed-off-by: Archana Polampalli 
---
 .../git/git/CVE-2023-29007.patch  | 158 ++
 meta/recipes-devtools/git/git_2.39.2.bb   |   1 +
 2 files changed, 159 insertions(+)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2023-29007.patch

diff --git a/meta/recipes-devtools/git/git/CVE-2023-29007.patch 
b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
new file mode 100644
index 00..14b6933e96
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
@@ -0,0 +1,158 @@
+From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
+From: Taylor Blau 
+Date: Fri, 14 Apr 2023 11:46:59 -0400
+Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
+
+Avoids issues with renaming or deleting sections with long lines, where
+configuration values may be interpreted as sections, leading to
+configuration injection. Addresses CVE-2023-29007.
+
+* tb/config-copy-or-rename-in-file-injection:
+  config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+  config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+  config: avoid fixed-sized buffer when renaming/deleting a section
+  t1300: demonstrate failure when renaming sections with long lines
+
+Signed-off-by: Taylor Blau 
+
+CVE: CVE-2023-29007
+Upstream-Status: Backport 
[https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4]
+
+Signed-off-by: Archana Polampalli 
+---
+ config.c  | 34 +++---
+ t/t1300-config.sh | 31 +++
+ 2 files changed, 54 insertions(+), 11 deletions(-)
+
+diff --git a/config.c b/config.c
+index 27f3828..3c674a6 100644
+--- a/config.c
 b/config.c
+@@ -3487,9 +3487,10 @@ void git_config_set_multivar(const char *key, const 
char *value,
+   flags);
+ }
+
+-static int section_name_match (const char *buf, const char *name)
++static size_t section_name_match (const char *buf, const char *name)
+ {
+-  int i = 0, j = 0, dot = 0;
++  size_t i = 0, j = 0;
++  int dot = 0;
+   if (buf[i] != '[')
+   return 0;
+   for (i = 1; buf[i] && buf[i] != ']'; i++) {
+@@ -3542,6 +3543,7 @@ static int section_name_is_ok(const char *name)
+   return 1;
+ }
+
++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
+ /* if new_name == NULL, the section is removed instead */
+ static int git_config_copy_or_rename_section_in_file(const char 
*config_filename,
+ const char *old_name,
+@@ -3551,11 +3553,12 @@ static int 
git_config_copy_or_rename_section_in_file(const char *config_filename
+   char *filename_buf = NULL;
+   struct lock_file lock = LOCK_INIT;
+   int out_fd;
+-  char buf[1024];
++  struct strbuf buf = STRBUF_INIT;
+   FILE *config_file = NULL;
+   struct stat st;
+   struct strbuf copystr = STRBUF_INIT;
+   struct config_store_data store;
++  uint32_t line_nr = 0;
+
+   memset(, 0, sizeof(store));
+
+@@ -3592,16 +3595,24 @@ static int 
git_config_copy_or_rename_section_in_file(const char *config_filename
+   goto out;
+   }
+
+-  while (fgets(buf, sizeof(buf), config_file)) {
+-  unsigned i;
+-  int length;
++  while (!strbuf_getwholeline(, config_file, '\n')) {
++  size_t i, length;
+   int is_section = 0;
+-  char *output = buf;
+-  for (i = 0; buf[i] && isspace(buf[i]); i++)
++  char *output = 

[oe-core][mickledore][PATCH 1/1] git: fix CVE-2023-25652

[Polampalli, Archana via lists.openembedded.org]

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when 
applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch 
before
applying; avoid applying one that create a conflict where a link corresponding 
to
the `*.rej` file exists.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652

Upstream patches:
https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b

Signed-off-by: Archana Polampalli 
---
 .../git/git/CVE-2023-25652.patch  | 94 +++
 meta/recipes-devtools/git/git_2.39.2.bb   |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2023-25652.patch

diff --git a/meta/recipes-devtools/git/git/CVE-2023-25652.patch 
b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
new file mode 100644
index 00..e8cedfcf27
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
+From 9db05711c98efc14f414d4c87135a34c13586e0b  Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin 
+Date: Thu Mar 9 16:02:54 2023 +0100
+Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
+ exists
+
+The `git apply --reject` is expected to write out `.rej` files in case
+one or more hunks fail to apply cleanly. Historically, the command
+overwrites any existing `.rej` files. The idea being that
+apply/reject/edit cycles are relatively common, and the generated `.rej`
+files are not considered precious.
+
+But the command does not overwrite existing `.rej` symbolic links, and
+instead follows them. This is unsafe because the same patch could
+potentially create such a symbolic link and point at arbitrary paths
+outside the current worktree, and `git apply` would write the contents
+of the `.rej` file into that location.
+
+Therefore, let's make sure that any existing `.rej` file or symbolic
+link is removed before writing it.
+
+Reported-by: RyotaK 
+Helped-by: Taylor Blau 
+Helped-by: Junio C Hamano 
+Helped-by: Linus Torvalds 
+Signed-off-by: Johannes Schindelin 
+
+CVE: CVE-2023-25652
+Upstream-Status: Backport 
[https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
+
+Signed-off-by: Archana Polampalli 
+---
+ apply.c  | 14 --
+ t/t4115-apply-symlink.sh | 15 +++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/apply.c b/apply.c
+index eec2da2..442cf28 100644
+--- a/apply.c
 b/apply.c
+@@ -4576,7 +4576,7 @@ static int write_out_one_reject(struct apply_state 
*state, struct patch *patch)
+   FILE *rej;
+   char namebuf[PATH_MAX];
+   struct fragment *frag;
+-  int cnt = 0;
++  int fd, cnt = 0;
+   struct strbuf sb = STRBUF_INIT;
+
+   for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4616,7 +4616,17 @@ static int write_out_one_reject(struct apply_state 
*state, struct patch *patch)
+   memcpy(namebuf, patch->new_name, cnt);
+   memcpy(namebuf + cnt, ".rej", 5);
+
+-  rej = fopen(namebuf, "w");
++  fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++  if (fd < 0) {
++  if (errno != EEXIST)
++  return error_errno(_("cannot open %s"), namebuf);
++  if (unlink(namebuf))
++  return error_errno(_("cannot unlink '%s'"), namebuf);
++  fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++  if (fd < 0)
++  return error_errno(_("cannot open %s"), namebuf);
++  }
++  rej = fdopen(fd, "w");
+   if (!rej)
+   return error_errno(_("cannot open %s"), namebuf);
+
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 65ac7df..e95e6d4 100755
+--- a/t/t4115-apply-symlink.sh
 b/t/t4115-apply-symlink.sh
+@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when 
deleting file' '
+   test_path_is_file .git/delete-me
+ '
+
++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
++  test_when_finished "git reset --hard && git clean -dfx" &&
++
++  test_commit file &&
++  echo modified >file.t &&
++  git diff -- file.t >patch &&
++  echo modified-again >file.t &&
++
++  ln -s foo file.t.rej &&
++  test_must_fail git apply patch --reject 2>err &&
++  test_i18ngrep "Rejected hunk" err &&
++  test_path_is_missing foo &&
++  test_path_is_file file.t.rej
++'
++

[oe-core][kirkstone][PATCH 1/1] git: fix CVE-2023-25652

[Polampalli, Archana via lists.openembedded.org]

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when 
applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch 
before
applying; avoid applying one that create a conflict where a link corresponding 
to
the `*.rej` file exists.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652

Upstream patches:
https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b

Signed-off-by: Archana Polampalli 
---
 .../git/git/CVE-2023-25652.patch  | 94 +++
 meta/recipes-devtools/git/git_2.35.7.bb   |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2023-25652.patch

diff --git a/meta/recipes-devtools/git/git/CVE-2023-25652.patch 
b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
new file mode 100644
index 00..825701eaff
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-25652.patch
@@ -0,0 +1,94 @@
+From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin 
+Date: Thu Mar 9 16:02:54 2023 +0100
+Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it
+ exists
+
+   The `git apply --reject` is expected to write out `.rej` files in case
+   one or more hunks fail to apply cleanly. Historically, the command
+   overwrites any existing `.rej` files. The idea being that
+   apply/reject/edit cycles are relatively common, and the generated `.rej`
+   files are not considered precious.
+
+But the command does not overwrite existing `.rej` symbolic links, and
+instead follows them. This is unsafe because the same patch could
+potentially create such a symbolic link and point at arbitrary paths
+outside the current worktree, and `git apply` would write the contents
+of the `.rej` file into that location.
+
+Therefore, let's make sure that any existing `.rej` file or symbolic
+link is removed before writing it.
+
+Reported-by: RyotaK 
+Helped-by: Taylor Blau 
+Helped-by: Junio C Hamano 
+Helped-by: Linus Torvalds 
+Signed-off-by: Johannes Schindelin 
+
+CVE: CVE-2023-25652
+Upstream-Status: Backport 
[https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b]
+
+Signed-off-by: Archana Polampalli 
+---
+ apply.c  | 14 --
+ t/t4115-apply-symlink.sh | 15 +++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/apply.c b/apply.c
+index fc6f484..47f2686 100644
+--- a/apply.c
 b/apply.c
+@@ -4584,7 +4584,7 @@ static int write_out_one_reject(struct apply_state 
*state, struct patch *patch)
+   FILE *rej;
+   char namebuf[PATH_MAX];
+   struct fragment *frag;
+-  int cnt = 0;
++  int fd, cnt = 0;
+   struct strbuf sb = STRBUF_INIT;
+
+   for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) {
+@@ -4624,7 +4624,17 @@ static int write_out_one_reject(struct apply_state 
*state, struct patch *patch)
+   memcpy(namebuf, patch->new_name, cnt);
+   memcpy(namebuf + cnt, ".rej", 5);
+
+-  rej = fopen(namebuf, "w");
++  fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++  if (fd < 0) {
++  if (errno != EEXIST)
++  return error_errno(_("cannot open %s"), namebuf);
++  if (unlink(namebuf))
++  return error_errno(_("cannot unlink '%s'"), namebuf);
++  fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666);
++  if (fd < 0)
++  return error_errno(_("cannot open %s"), namebuf);
++  }
++  rej = fdopen(fd, "w");
+   if (!rej)
+   return error_errno(_("cannot open %s"), namebuf);
+
+diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh
+index 65ac7df..e95e6d4 100755
+--- a/t/t4115-apply-symlink.sh
 b/t/t4115-apply-symlink.sh
+@@ -126,4 +126,19 @@ test_expect_success SYMLINKS 'symlink escape when 
deleting file' '
+   test_path_is_file .git/delete-me
+ '
+
++test_expect_success SYMLINKS '--reject removes .rej symlink if it exists' '
++  test_when_finished "git reset --hard && git clean -dfx" &&
++
++  test_commit file &&
++  echo modified >file.t &&
++  git diff -- file.t >patch &&
++  echo modified-again >file.t &&
++
++  ln -s foo file.t.rej &&
++  test_must_fail git apply patch --reject 2>err &&
++  test_i18ngrep "Rejected hunk" err &&
++  test_path_is_missing foo &&
++  test_path_is_file file.t.rej
++'
++
+ 

[oe-core][kirkstone][PATCH 1/1] git: fix CVE-2023-29007

[Polampalli, Archana via lists.openembedded.org]

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 
2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can 
used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. 
This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` 
when
attempting to remove the configuration section associated with that submodule. 
When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote 
code
execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 
2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid 
running
`git submodule deinit` on untrusted repositories or without prior inspection of 
any
submodule sections in `$GIT_DIR/config`.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007

Upstream patches:
https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8
https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a
https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d
https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a

Signed-off-by: Archana Polampalli 
---
 .../git/git/CVE-2023-29007.patch  | 162 ++
 meta/recipes-devtools/git/git_2.35.7.bb   |   1 +
 2 files changed, 163 insertions(+)
 create mode 100644 meta/recipes-devtools/git/git/CVE-2023-29007.patch

diff --git a/meta/recipes-devtools/git/git/CVE-2023-29007.patch 
b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
new file mode 100644
index 00..472f4022b2
--- /dev/null
+++ b/meta/recipes-devtools/git/git/CVE-2023-29007.patch
@@ -0,0 +1,162 @@
+From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001
+From: Taylor Blau 
+Date: Fri, 14 Apr 2023 11:46:59 -0400
+Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection'
+
+Avoids issues with renaming or deleting sections with long lines, where
+configuration values may be interpreted as sections, leading to
+configuration injection. Addresses CVE-2023-29007.
+
+* tb/config-copy-or-rename-in-file-injection:
+  config.c: disallow overly-long lines in `copy_or_rename_section_in_file()`
+  config.c: avoid integer truncation in `copy_or_rename_section_in_file()`
+  config: avoid fixed-sized buffer when renaming/deleting a section
+  t1300: demonstrate failure when renaming sections with long lines
+
+Signed-off-by: Taylor Blau 
+
+Upstream-Status: Backport
+CVE: CVE-2023-29007
+
+Reference to upstream patch:
+https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
+
+Signed-off-by: Archana Polampalli 
+---
+ config.c  | 36 +---
+ t/t1300-config.sh | 30 ++
+ 2 files changed, 55 insertions(+), 11 deletions(-)
+
+diff --git a/config.c b/config.c
+index 2bffa8d..6a01938 100644
+--- a/config.c
 b/config.c
+@@ -3192,9 +3192,10 @@ void git_config_set_multivar(const char *key, const 
char *value,
+   flags);
+ }
+
+-static int section_name_match (const char *buf, const char *name)
++static size_t section_name_match (const char *buf, const char *name)
+ {
+-  int i = 0, j = 0, dot = 0;
++  size_t i = 0, j = 0;
++  int dot = 0;
+   if (buf[i] != '[')
+   return 0;
+   for (i = 1; buf[i] && buf[i] != ']'; i++) {
+@@ -3247,6 +3248,8 @@ static int section_name_is_ok(const char *name)
+   return 1;
+ }
+
++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024)
++
+ /* if new_name == NULL, the section is removed instead */
+ static int git_config_copy_or_rename_section_in_file(const char 
*config_filename,
+ const char *old_name,
+@@ -3256,11 +3259,12 @@ static int 
git_config_copy_or_rename_section_in_file(const char *config_filename
+   char *filename_buf = NULL;
+   struct lock_file lock = LOCK_INIT;
+   int out_fd;
+-  char buf[1024];
++  struct strbuf buf = STRBUF_INIT;
+   FILE *config_file = NULL;
+   struct stat st;
+   struct strbuf copystr = STRBUF_INIT;
+   struct config_store_data store;
++  uint32_t line_nr = 0;
+
+   memset(, 0, sizeof(store));
+
+@@ -3297,16 +3301,25 @@ static int 
git_config_copy_or_rename_section_in_file(const char *config_filename
+   goto out;
+   }
+
+-  while (fgets(buf, sizeof(buf), config_file)) {
+-  unsigned i;
+-  int length;
++  while (!strbuf_getwholeline(, config_file, '\n')) {
++  size_t i, length;
+   int is_section = 0;
+-  char *output = buf;
+-  for (i = 0; buf[i] && isspace(buf[i]); i++)

Re: [oe-core][kirkstone][PATCH 1/1] nasm: fix CVE-2022-44370

[Polampalli, Archana via lists.openembedded.org]

Reminder!


Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows

From: Polampalli, Archana via 
lists.openembedded.org<mailto:archana.polampalli=windriver@lists.openembedded.org>
Sent: 26 April 2023 12:17
To: 
openembedded-core@lists.openembedded.org<mailto:openembedded-core@lists.openembedded.org>
Cc: G Pillai, Hari<mailto:hari.gpil...@windriver.com>; Polampalli, 
Archana<mailto:archana.polampa...@windriver.com>
Subject: [oe-core][kirkstone][PATCH 1/1] nasm: fix CVE-2022-44370

NASM v2.16 was discovered to contain a heap buffer overflow in the
component quote_for_pmake() asm/nasm.c:856

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-44370

Upstream patches:
https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d

Signed-off-by: Archana Polampalli 
---
 .../nasm/nasm/CVE-2022-44370.patch| 104 ++
 meta/recipes-devtools/nasm/nasm_2.15.05.bb|   1 +
 2 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch

diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch 
b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
new file mode 100644
index 00..b131460a69
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
@@ -0,0 +1,104 @@
+From b37677f7e40276bd8f504584bcba2c092f1146a8 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" 
+Date: Mon, 7 Nov 2022 10:26:03 -0800
+Subject: [PATCH] quote_for_pmake: fix counter underrun resulting in segfault
+
+while (nbs--) { ... } ends with nbs == -1. Rather than a minimal fix,
+introduce mempset() to make these kinds of errors less likely in the
+future.
+
+Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392815
+Reported-by: <13579and24...@gmail.com>
+Signed-off-by: H. Peter Anvin 
+
+Upstream-Status: Backport
+CVE: CVE-2022-4437
+
+Reference to upstream patch:
+[https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d]
+
+Signed-off-by: Archana Polampalli 
+---
+ asm/nasm.c | 12 +---
+ configure.ac   |  1 +
+ include/compiler.h |  7 +++
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/asm/nasm.c b/asm/nasm.c
+index 7a7f8b4..675cff4 100644
+--- a/asm/nasm.c
 b/asm/nasm.c
+@@ -1,6 +1,6 @@
+ /* --- *
+  *
+- *   Copyright 1996-2020 The NASM Authors - All Rights Reserved
++ *   Copyright 1996-2022 The NASM Authors - All Rights Reserved
+  *   See the file AUTHORS included with the NASM distribution for
+  *   the specific copyright holders.
+  *
+@@ -814,8 +814,7 @@ static char *quote_for_pmake(const char *str)
+ }
+
+ /* Convert N backslashes at the end of filename to 2N backslashes */
+-if (nbs)
+-n += nbs;
++n += nbs;
+
+ os = q = nasm_malloc(n);
+
+@@ -824,10 +823,10 @@ static char *quote_for_pmake(const char *str)
+ switch (*p) {
+ case ' ':
+ case '\t':
+-while (nbs--)
+-*q++ = '\\';
++q = mempset(q, '\\', nbs);
+ *q++ = '\\';
+ *q++ = *p;
++nbs = 0;
+ break;
+ case '$':
+ *q++ = *p;
+@@ -849,9 +848,8 @@ static char *quote_for_pmake(const char *str)
+ break;
+ }
+ }
+-while (nbs--)
+-*q++ = '\\';
+
++q = mempset(q, '\\', nbs);
+ *q = '\0';
+
+ return os;
+diff --git a/configure.ac b/configure.ac
+index 39680b1..940ebe2 100644
+--- a/configure.ac
 b/configure.ac
+@@ -199,6 +199,7 @@ AC_CHECK_FUNCS(strrchrnul)
+ AC_CHECK_FUNCS(iscntrl)
+ AC_CHECK_FUNCS(isascii)
+ AC_CHECK_FUNCS(mempcpy)
++AC_CHECK_FUNCS(mempset)
+
+ AC_CHECK_FUNCS(getuid)
+ AC_CHECK_FUNCS(getgid)
+diff --git a/include/compiler.h b/include/compiler.h
+index db3d6d6..b64da6a 100644
+--- a/include/compiler.h
 b/include/compiler.h
+@@ -256,6 +256,13 @@ static inline void *mempcpy(void *dst, const void *src, 
size_t n)
+ }
+ #endif
+
++#ifndef HAVE_MEMPSET
++static inline void *mempset(void *dst, int c, size_t n)
++{
++return (char *)memset(dst, c, n) + n;
++}
++#endif
++
+ /*
+  * Hack to support external-linkage inline functions
+  */
+--
+2.40.0
diff --git a/meta/recipes-devtools/nasm/nasm_2.15.05.bb 
b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
index edc17aeebf..59b1121bd4 100644
--- a/meta/recipes-devtools/nasm/nasm_2.15.05.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe"
 SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
file://0001-stdlib-Add-strlcat.patch \
file://0002-Add-debug-prefix-map-option.patch \
+   file://CVE-2022-44370.patch \
"

 SRC_URI[sha256sum] = 
"3c4b8339e5ab54b1bcb2316101f8985a5da50a3f9e504d43fa6f35668bee2f

[oe-core][kirkstone][PATCH 1/1] nasm: fix CVE-2022-44370

[Polampalli, Archana via lists.openembedded.org]

NASM v2.16 was discovered to contain a heap buffer overflow in the
component quote_for_pmake() asm/nasm.c:856

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-44370

Upstream patches:
https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d

Signed-off-by: Archana Polampalli 
---
 .../nasm/nasm/CVE-2022-44370.patch| 104 ++
 meta/recipes-devtools/nasm/nasm_2.15.05.bb|   1 +
 2 files changed, 105 insertions(+)
 create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch

diff --git a/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch 
b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
new file mode 100644
index 00..b131460a69
--- /dev/null
+++ b/meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
@@ -0,0 +1,104 @@
+From b37677f7e40276bd8f504584bcba2c092f1146a8 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" 
+Date: Mon, 7 Nov 2022 10:26:03 -0800
+Subject: [PATCH] quote_for_pmake: fix counter underrun resulting in segfault
+
+while (nbs--) { ... } ends with nbs == -1. Rather than a minimal fix,
+introduce mempset() to make these kinds of errors less likely in the
+future.
+
+Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392815
+Reported-by: <13579and24...@gmail.com>
+Signed-off-by: H. Peter Anvin 
+
+Upstream-Status: Backport
+CVE: CVE-2022-4437
+
+Reference to upstream patch:
+[https://github.com/netwide-assembler/nasm/commit/2d4e6952417ec6f08b6f135d2b5d0e19b7dae30d]
+
+Signed-off-by: Archana Polampalli 
+---
+ asm/nasm.c | 12 +---
+ configure.ac   |  1 +
+ include/compiler.h |  7 +++
+ 3 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/asm/nasm.c b/asm/nasm.c
+index 7a7f8b4..675cff4 100644
+--- a/asm/nasm.c
 b/asm/nasm.c
+@@ -1,6 +1,6 @@
+ /* --- *
+  *
+- *   Copyright 1996-2020 The NASM Authors - All Rights Reserved
++ *   Copyright 1996-2022 The NASM Authors - All Rights Reserved
+  *   See the file AUTHORS included with the NASM distribution for
+  *   the specific copyright holders.
+  *
+@@ -814,8 +814,7 @@ static char *quote_for_pmake(const char *str)
+ }
+
+ /* Convert N backslashes at the end of filename to 2N backslashes */
+-if (nbs)
+-n += nbs;
++n += nbs;
+
+ os = q = nasm_malloc(n);
+
+@@ -824,10 +823,10 @@ static char *quote_for_pmake(const char *str)
+ switch (*p) {
+ case ' ':
+ case '\t':
+-while (nbs--)
+-*q++ = '\\';
++q = mempset(q, '\\', nbs);
+ *q++ = '\\';
+ *q++ = *p;
++nbs = 0;
+ break;
+ case '$':
+ *q++ = *p;
+@@ -849,9 +848,8 @@ static char *quote_for_pmake(const char *str)
+ break;
+ }
+ }
+-while (nbs--)
+-*q++ = '\\';
+
++q = mempset(q, '\\', nbs);
+ *q = '\0';
+
+ return os;
+diff --git a/configure.ac b/configure.ac
+index 39680b1..940ebe2 100644
+--- a/configure.ac
 b/configure.ac
+@@ -199,6 +199,7 @@ AC_CHECK_FUNCS(strrchrnul)
+ AC_CHECK_FUNCS(iscntrl)
+ AC_CHECK_FUNCS(isascii)
+ AC_CHECK_FUNCS(mempcpy)
++AC_CHECK_FUNCS(mempset)
+
+ AC_CHECK_FUNCS(getuid)
+ AC_CHECK_FUNCS(getgid)
+diff --git a/include/compiler.h b/include/compiler.h
+index db3d6d6..b64da6a 100644
+--- a/include/compiler.h
 b/include/compiler.h
+@@ -256,6 +256,13 @@ static inline void *mempcpy(void *dst, const void *src, 
size_t n)
+ }
+ #endif
+
++#ifndef HAVE_MEMPSET
++static inline void *mempset(void *dst, int c, size_t n)
++{
++return (char *)memset(dst, c, n) + n;
++}
++#endif
++
+ /*
+  * Hack to support external-linkage inline functions
+  */
+--
+2.40.0
diff --git a/meta/recipes-devtools/nasm/nasm_2.15.05.bb 
b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
index edc17aeebf..59b1121bd4 100644
--- a/meta/recipes-devtools/nasm/nasm_2.15.05.bb
+++ b/meta/recipes-devtools/nasm/nasm_2.15.05.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=90904486f8fbf1861cf42752e1a39efe"
 SRC_URI = "http://www.nasm.us/pub/nasm/releasebuilds/${PV}/nasm-${PV}.tar.bz2 \
file://0001-stdlib-Add-strlcat.patch \
file://0002-Add-debug-prefix-map-option.patch \
+   file://CVE-2022-44370.patch \
"
 
 SRC_URI[sha256sum] = 
"3c4b8339e5ab54b1bcb2316101f8985a5da50a3f9e504d43fa6f35668bee2fd0"
-- 
2.40.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180406): 
https://lists.openembedded.org/g/openembedded-core/message/180406
Mute This Topic: https://lists.openembedded.org/mt/98509771/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-