* [Thud][ 01/24] buildhistory: call a dependency parser only on actual dependency lists
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
@ 2019-09-24 3:12 ` Armin Kuster
2019-09-24 3:12 ` [Thud][ 02/24] patch: fix CVE-2019-13636 Armin Kuster
` (22 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:12 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex.kanavin@gmail.com>
Previously it was also called on filelists and possibly other items which
broke the parser.
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/lib/oe/buildhistory_analysis.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/lib/oe/buildhistory_analysis.py b/meta/lib/oe/buildhistory_analysis.py
index ad7fceb..d3cde4f 100644
--- a/meta/lib/oe/buildhistory_analysis.py
+++ b/meta/lib/oe/buildhistory_analysis.py
@@ -127,7 +127,7 @@ class ChangeRecord:
removed = list(set(aitems) - set(bitems))
added = list(set(bitems) - set(aitems))
- if not removed and not added:
+ if not removed and not added and self.fieldname in ['RPROVIDES', 'RDEPENDS', 'RRECOMMENDS', 'RSUGGESTS', 'RREPLACES', 'RCONFLICTS']:
depvera = bb.utils.explode_dep_versions2(self.oldvalue, sort=False)
depverb = bb.utils.explode_dep_versions2(self.newvalue, sort=False)
for i, j in zip(depvera.items(), depverb.items()):
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 02/24] patch: fix CVE-2019-13636
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
2019-09-24 3:12 ` [Thud][ 01/24] buildhistory: call a dependency parser only on actual dependency lists Armin Kuster
@ 2019-09-24 3:12 ` Armin Kuster
2019-09-24 3:12 ` [Thud][ 03/24] python3: fix CVE-2019-9740 Armin Kuster
` (21 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:12 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../patch/patch/CVE-2019-13636.patch | 113 +++++++++++++++++++++
meta/recipes-devtools/patch/patch_2.7.6.bb | 1 +
2 files changed, 114 insertions(+)
create mode 100644 meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
diff --git a/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch b/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
new file mode 100644
index 0000000..9f8b6db
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/CVE-2019-13636.patch
@@ -0,0 +1,113 @@
+From dce4683cbbe107a95f1f0d45fabc304acfb5d71a Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Mon, 15 Jul 2019 16:21:48 +0200
+Subject: Don't follow symlinks unless --follow-symlinks is given
+
+* src/inp.c (plan_a, plan_b), src/util.c (copy_to_fd, copy_file,
+append_to_file): Unless the --follow-symlinks option is given, open files with
+the O_NOFOLLOW flag to avoid following symlinks. So far, we were only doing
+that consistently for input files.
+* src/util.c (create_backup): When creating empty backup files, (re)create them
+with O_CREAT | O_EXCL to avoid following symlinks in that case as well.
+
+CVE: CVE-2019-13636
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ src/inp.c | 12 ++++++++++--
+ src/util.c | 14 +++++++++++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/inp.c b/src/inp.c
+index 32d0919..22d7473 100644
+--- a/src/inp.c
++++ b/src/inp.c
+@@ -238,8 +238,13 @@ plan_a (char const *filename)
+ {
+ if (S_ISREG (instat.st_mode))
+ {
+- int ifd = safe_open (filename, O_RDONLY|binary_transput, 0);
++ int flags = O_RDONLY | binary_transput;
+ size_t buffered = 0, n;
++ int ifd;
++
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ ifd = safe_open (filename, flags, 0);
+ if (ifd < 0)
+ pfatal ("can't open file %s", quotearg (filename));
+
+@@ -340,6 +345,7 @@ plan_a (char const *filename)
+ static void
+ plan_b (char const *filename)
+ {
++ int flags = O_RDONLY | binary_transput;
+ int ifd;
+ FILE *ifp;
+ int c;
+@@ -353,7 +359,9 @@ plan_b (char const *filename)
+
+ if (instat.st_size == 0)
+ filename = NULL_DEVICE;
+- if ((ifd = safe_open (filename, O_RDONLY | binary_transput, 0)) < 0
++ if (! follow_symlinks)
++ flags |= O_NOFOLLOW;
++ if ((ifd = safe_open (filename, flags, 0)) < 0
+ || ! (ifp = fdopen (ifd, binary_transput ? "rb" : "r")))
+ pfatal ("Can't open file %s", quotearg (filename));
+ if (TMPINNAME_needs_removal)
+diff --git a/src/util.c b/src/util.c
+index 1cc08ba..fb38307 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -388,7 +388,7 @@ create_backup (char const *to, const struct stat *to_st, bool leave_original)
+
+ try_makedirs_errno = ENOENT;
+ safe_unlink (bakname);
+- while ((fd = safe_open (bakname, O_CREAT | O_WRONLY | O_TRUNC, 0666)) < 0)
++ while ((fd = safe_open (bakname, O_CREAT | O_EXCL | O_WRONLY | O_TRUNC, 0666)) < 0)
+ {
+ if (errno != try_makedirs_errno)
+ pfatal ("Can't create file %s", quotearg (bakname));
+@@ -579,10 +579,13 @@ create_file (char const *file, int open_flags, mode_t mode,
+ static void
+ copy_to_fd (const char *from, int tofd)
+ {
++ int from_flags = O_RDONLY | O_BINARY;
+ int fromfd;
+ ssize_t i;
+
+- if ((fromfd = safe_open (from, O_RDONLY | O_BINARY, 0)) < 0)
++ if (! follow_symlinks)
++ from_flags |= O_NOFOLLOW;
++ if ((fromfd = safe_open (from, from_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (from));
+ while ((i = read (fromfd, buf, bufsize)) != 0)
+ {
+@@ -625,6 +628,8 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ else
+ {
+ assert (S_ISREG (mode));
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
+ tofd = create_file (to, O_WRONLY | O_BINARY | to_flags, mode,
+ to_dir_known_to_exist);
+ copy_to_fd (from, tofd);
+@@ -640,9 +645,12 @@ copy_file (char const *from, char const *to, struct stat *tost,
+ void
+ append_to_file (char const *from, char const *to)
+ {
++ int to_flags = O_WRONLY | O_APPEND | O_BINARY;
+ int tofd;
+
+- if ((tofd = safe_open (to, O_WRONLY | O_BINARY | O_APPEND, 0)) < 0)
++ if (! follow_symlinks)
++ to_flags |= O_NOFOLLOW;
++ if ((tofd = safe_open (to, to_flags, 0)) < 0)
+ pfatal ("Can't reopen file %s", quotearg (to));
+ copy_to_fd (from, tofd);
+ if (close (tofd) != 0)
+--
+cgit v1.0-41-gc330
+
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 85b0db7..8cf20a3 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0003-Allow-input-files-to-be-missing-for-ed-style-patches.patch \
file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
+ file://CVE-2019-13636.patch \
"
SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 03/24] python3: fix CVE-2019-9740
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
2019-09-24 3:12 ` [Thud][ 01/24] buildhistory: call a dependency parser only on actual dependency lists Armin Kuster
2019-09-24 3:12 ` [Thud][ 02/24] patch: fix CVE-2019-13636 Armin Kuster
@ 2019-09-24 3:12 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 04/24] curl: fix CVE-2018-16890 CVE-2019-3822 CVE-2019-3823 Armin Kuster
` (20 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:12 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
CVE-2019-9947 is same as CVE-2019-9740 and mark it as such. See:
https://bugs.python.org/issue30458
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../python/python3/CVE-2019-9740.patch | 155 +++++++++++++++++++++
meta/recipes-devtools/python/python3_3.5.6.bb | 1 +
2 files changed, 156 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2019-9740.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2019-9740.patch b/meta/recipes-devtools/python/python3/CVE-2019-9740.patch
new file mode 100644
index 0000000..8370901
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2019-9740.patch
@@ -0,0 +1,155 @@
+From afe3a4975cf93c97e5d6eb8800e48f368011d37a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Sun, 14 Jul 2019 11:07:11 +0200
+Subject: [PATCH] bpo-30458: Disallow control chars in http URLs. (GH-12755)
+ (#13207)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Disallow control chars in http URLs in urllib.urlopen. This addresses a potential security problem for applications that do not sanity check their URLs where http request headers could be injected.
+
+Disable https related urllib tests on a build without ssl (GH-13032)
+These tests require an SSL enabled build. Skip these tests when python is built without SSL to fix test failures.
+
+Use http.client.InvalidURL instead of ValueError as the new error case's exception. (GH-13044)
+
+Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
+Upstream-Status: Backport[https://github.com/python/cpython/commit/afe3a4975cf93c97e5d6eb8800e48f368011d37a]
+CVE: CVE-2019-9740
+CVE: CVE-2019-9947
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/http/client.py | 16 ++++++
+ Lib/test/test_urllib.py | 55 +++++++++++++++++++
+ Lib/test/test_xmlrpc.py | 8 ++-
+ .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst | 1 +
+ 4 files changed, 79 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+index 352c1017adce..76b9be69a374 100644
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -141,6 +141,16 @@
+ _is_legal_header_name = re.compile(rb'[^:\s][^:\r\n]*').fullmatch
+ _is_illegal_header_value = re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search
+
++# These characters are not allowed within HTTP URL paths.
++# See https://tools.ietf.org/html/rfc3986#section-3.3 and the
++# https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
++# Prevents CVE-2019-9740. Includes control characters such as \r\n.
++# We don't restrict chars above \x7f as putrequest() limits us to ASCII.
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f]')
++# Arguably only these _should_ allowed:
++# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
++# We are more lenient for assumed real world compatibility purposes.
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -978,6 +988,12 @@ def putrequest(self, method, url, skip_host=False,
+ self._method = method
+ if not url:
+ url = '/'
++ # Prevent CVE-2019-9740.
++ match = _contains_disallowed_url_pchar_re.search(url)
++ if match:
++ raise InvalidURL("URL can't contain control characters. {!r} "
++ "(found at least {!r})".format(url,
++ match.group()))
+ request = '%s %s %s' % (method, url, self._http_vsn_str)
+
+ # Non-ASCII characters should have been eliminated earlier
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 3afb1312de32..1e2c622e29fd 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -330,6 +330,61 @@ def test_willclose(self):
+ finally:
+ self.unfakehttp()
+
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_control_char_rejected(self):
++ for char_no in list(range(0, 0x21)) + [0x7f]:
++ char = chr(char_no)
++ schemeless_url = "//localhost:7777/test{}/".format(char)
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ try:
++ # We explicitly test urllib.request.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ escaped_char_repr = repr(char).replace('\\', r'\\')
++ InvalidURL = http.client.InvalidURL
++ with self.assertRaisesRegex(
++ InvalidURL,
++ "contain control.*{}".format(escaped_char_repr)):
++ urllib.request.urlopen("http:{}".format(schemeless_url))
++ with self.assertRaisesRegex(
++ InvalidURL,
++ "contain control.*{}".format(escaped_char_repr)):
++ urllib.request.urlopen("https:{}".format(schemeless_url))
++ # This code path quotes the URL so there is no injection.
++ resp = urlopen("http:{}".format(schemeless_url))
++ self.assertNotIn(char, resp.geturl())
++ finally:
++ self.unfakehttp()
++
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_newline_header_injection_rejected(self):
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++ schemeless_url = "//" + host + ":8080/test/?test=a"
++ try:
++ # We explicitly test urllib.request.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ InvalidURL = http.client.InvalidURL
++ with self.assertRaisesRegex(
++ InvalidURL, r"contain control.*\\r.*(found at least . .)"):
++ urllib.request.urlopen("http:{}".format(schemeless_url))
++ with self.assertRaisesRegex(InvalidURL, r"contain control.*\\n"):
++ urllib.request.urlopen("https:{}".format(schemeless_url))
++ # This code path quotes the URL so there is no injection.
++ resp = urlopen("http:{}".format(schemeless_url))
++ self.assertNotIn(' ', resp.geturl())
++ self.assertNotIn('\r', resp.geturl())
++ self.assertNotIn('\n', resp.geturl())
++ finally:
++ self.unfakehttp()
++
+ def test_read_0_9(self):
+ # "0.9" response accepted (but not "simple responses" without
+ # a status line)
+diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
+index c2de057ecbfa..99e510fcee86 100644
+--- a/Lib/test/test_xmlrpc.py
++++ b/Lib/test/test_xmlrpc.py
+@@ -896,7 +896,13 @@ def test_unicode_host(self):
+ def test_partial_post(self):
+ # Check that a partial POST doesn't make the server loop: issue #14001.
+ conn = http.client.HTTPConnection(ADDR, PORT)
+- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
++ conn.send('POST /RPC2 HTTP/1.0\r\n'
++ 'Content-Length: 100\r\n\r\n'
++ 'bye HTTP/1.1\r\n'
++ 'Host: {}:{}\r\n'
++ 'Accept-Encoding: identity\r\n'
++ 'Content-Length: 0\r\n\r\n'
++ .format(ADDR, PORT).encode('ascii'))
+ conn.close()
+
+ def test_context_manager(self):
+diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+new file mode 100644
+index 000000000000..ed8027fb4d64
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+@@ -0,0 +1 @@
++Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an http.client.InvalidURL exception to be raised.
diff --git a/meta/recipes-devtools/python/python3_3.5.6.bb b/meta/recipes-devtools/python/python3_3.5.6.bb
index 6aa6df6..7e74c55 100644
--- a/meta/recipes-devtools/python/python3_3.5.6.bb
+++ b/meta/recipes-devtools/python/python3_3.5.6.bb
@@ -43,6 +43,7 @@ SRC_URI += "\
file://0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch \
file://0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch \
file://run-ptest \
+ file://CVE-2019-9740.patch \
"
inherit multilib_header python3native update-alternatives qemu ptest
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 04/24] curl: fix CVE-2018-16890 CVE-2019-3822 CVE-2019-3823
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (2 preceding siblings ...)
2019-09-24 3:12 ` [Thud][ 03/24] python3: fix CVE-2019-9740 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 05/24] dbus: fix CVE-2019-12749 Armin Kuster
` (19 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Andrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org>
Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../recipes-support/curl/curl/CVE-2018-16890.patch | 50 ++++++++++++++++++++
meta/recipes-support/curl/curl/CVE-2019-3822.patch | 47 ++++++++++++++++++
meta/recipes-support/curl/curl/CVE-2019-3823.patch | 55 ++++++++++++++++++++++
meta/recipes-support/curl/curl_7.61.0.bb | 3 ++
4 files changed, 155 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2018-16890.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2019-3822.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2019-3823.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2018-16890.patch b/meta/recipes-support/curl/curl/CVE-2018-16890.patch
new file mode 100644
index 0000000..3776f36
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-16890.patch
@@ -0,0 +1,50 @@
+From 53d3c2f92b4a7561b1006494badf8cf2ef9110c0 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Jan 2019 20:33:08 +0100
+Subject: [PATCH 1/3] NTLM: fix size check condition for type2 received data
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
+Reported-by: Wenxiang Qian
+CVE-2018-16890
+
+Upstream-Status: Backport
+[https://github.com/curl/curl/commit
+/b780b30d1377adb10bbe774835f49e9b237fb9bb]
+
+CVE: CVE-2018-16890
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ lib/vauth/ntlm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index cdb8d8f0d..0212756ab 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
+ target_info_len = Curl_read16_le(&buffer[40]);
+ target_info_offset = Curl_read32_le(&buffer[44]);
+ if(target_info_len > 0) {
+- if(((target_info_offset + target_info_len) > size) ||
++ if((target_info_offset >= size) ||
++ ((target_info_offset + target_info_len) > size) ||
+ (target_info_offset < 48)) {
+ infof(data, "NTLM handshake failure (bad type-2 message). "
+- "Target Info Offset Len is set incorrect by the peer\n");
++ "Target Info Offset Len is set incorrect by the peer\n");
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+
+--
+2.22.0
+
diff --git a/meta/recipes-support/curl/curl/CVE-2019-3822.patch b/meta/recipes-support/curl/curl/CVE-2019-3822.patch
new file mode 100644
index 0000000..4f612dd
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-3822.patch
@@ -0,0 +1,47 @@
+From 761b51f66c7b1cd2cd6c71b807bfdb6a27c49b30 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 3 Jan 2019 12:59:28 +0100
+Subject: [PATCH 2/3] ntlm: fix *_type3_message size check to avoid buffer
+ overflow
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
+Reported-by: Wenxiang Qian
+CVE-2019-3822
+
+Upstream-Status: Backport
+[https://github.com/curl/curl/commit
+/50c9484278c63b958655a717844f0721263939cc]
+
+CVE: CVE-2019-3822
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ lib/vauth/ntlm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index 0212756ab..3be0403d9 100644
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -777,11 +777,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
+ });
+
+ #ifdef USE_NTRESPONSES
+- if(size < (NTLM_BUFSIZE - ntresplen)) {
+- DEBUGASSERT(size == (size_t)ntrespoff);
+- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+- size += ntresplen;
++ /* ntresplen + size should not be risking an integer overflow here */
++ if(ntresplen + size > sizeof(ntlmbuf)) {
++ failf(data, "incoming NTLM message too big");
++ return CURLE_OUT_OF_MEMORY;
+ }
++ DEBUGASSERT(size == (size_t)ntrespoff);
++ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
++ size += ntresplen;
+
+ DEBUG_OUT({
+ fprintf(stderr, "\n ntresp=");
+--
+2.22.0
+
diff --git a/meta/recipes-support/curl/curl/CVE-2019-3823.patch b/meta/recipes-support/curl/curl/CVE-2019-3823.patch
new file mode 100644
index 0000000..194e6e6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-3823.patch
@@ -0,0 +1,55 @@
+From 40f6c913f63cdbfa81daa7ac7f1c7415bb99edeb Mon Sep 17 00:00:00 2001
+From: Daniel Gustafsson <daniel@yesql.se>
+Date: Sat, 19 Jan 2019 00:42:47 +0100
+Subject: [PATCH 3/3] smtp: avoid risk of buffer overflow in strtol
+
+If the incoming len 5, but the buffer does not have a termination
+after 5 bytes, the strtol() call may keep reading through the line
+buffer until is exceeds its boundary. Fix by ensuring that we are
+using a bounded read with a temporary buffer on the stack.
+
+Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
+Reported-by: Brian Carpenter (Geeknik Labs)
+CVE-2019-3823
+
+Upstream-Status: Backport
+[https://github.com/curl/curl/commit
+/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484]
+
+CVE: CVE-2019-3823
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ lib/smtp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/smtp.c b/lib/smtp.c
+index ecf10a41a..1b9f92d30 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -207,8 +207,12 @@ static bool smtp_endofresp(struct connectdata *conn, char *line, size_t len,
+ Section 4. Examples of RFC-4954 but some e-mail servers ignore this and
+ only send the response code instead as per Section 4.2. */
+ if(line[3] == ' ' || len == 5) {
++ char tmpline[6];
++
+ result = TRUE;
+- *resp = curlx_sltosi(strtol(line, NULL, 10));
++ memset(tmpline, '\0', sizeof(tmpline));
++ memcpy(tmpline, line, (len == 5 ? 5 : 3));
++ *resp = curlx_sltosi(strtol(tmpline, NULL, 10));
+
+ /* Make sure real server never sends internal value */
+ if(*resp == 1)
+--
+2.22.0
+
diff --git a/meta/recipes-support/curl/curl_7.61.0.bb b/meta/recipes-support/curl/curl_7.61.0.bb
index 1027f75..c1e4342 100644
--- a/meta/recipes-support/curl/curl_7.61.0.bb
+++ b/meta/recipes-support/curl/curl_7.61.0.bb
@@ -13,6 +13,9 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2018-16842.patch \
file://CVE-2019-5435.patch \
file://CVE-2019-5436.patch \
+ file://CVE-2018-16890.patch \
+ file://CVE-2019-3822.patch \
+ file://CVE-2019-3823.patch \
"
SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 05/24] dbus: fix CVE-2019-12749
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (3 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 04/24] curl: fix CVE-2018-16890 CVE-2019-3822 CVE-2019-3823 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 06/24] glib-2.0: fix CVE-2019-13012 Armin Kuster
` (18 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Andrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org>
Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/dbus/dbus/CVE-2019-12749.patch | 127 +++++++++++++++++++++++
meta/recipes-core/dbus/dbus_1.12.10.bb | 1 +
2 files changed, 128 insertions(+)
create mode 100644 meta/recipes-core/dbus/dbus/CVE-2019-12749.patch
diff --git a/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch b/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch
new file mode 100644
index 0000000..393c70c
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2019-12749.patch
@@ -0,0 +1,127 @@
+From f0120c5d97a4cc1b659e86d38f2b1f646ca20ea3 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Thu, 30 May 2019 12:53:03 +0100
+Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
+ owner
+
+The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
+of a shared home directory by having the server write a secret "cookie"
+into a .dbus-keyrings subdirectory of the desired identity's home
+directory with 0700 permissions, and having the client prove that it can
+read the cookie. This never actually worked for non-malicious clients in
+the case where server uid != client uid (unless the server and client
+both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
+Unix uid 0) because an unprivileged server would fail to write out the
+cookie, and an unprivileged client would be unable to read the resulting
+file owned by the server.
+
+Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
+is owned by the uid of the server (a side-effect of a check added to
+harden our use of XDG_RUNTIME_DIR), further ruling out successful use
+by a non-malicious client with a uid differing from the server's.
+
+Joe Vennix of Apple Information Security discovered that the
+implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
+attack: a malicious client with write access to its own home directory
+could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
+read and write in unintended locations. In the worst case this could
+result in the DBusServer reusing a cookie that is known to the
+malicious client, and treating that cookie as evidence that a subsequent
+client connection came from an attacker-chosen uid, allowing
+authentication bypass.
+
+This is mitigated by the fact that by default, the well-known system
+dbus-daemon (since 2003) and the well-known session dbus-daemon (in
+stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
+authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
+at an early stage, before manipulating cookies. As a result, this
+vulnerability only applies to:
+
+* system or session dbus-daemons with non-standard configuration
+* third-party dbus-daemon invocations such as at-spi2-core (although
+ in practice at-spi2-core also only accepts EXTERNAL by default)
+* third-party uses of DBusServer such as the one in Upstart
+
+Avoiding symlink attacks in a portable way is difficult, because APIs
+like openat() and Linux /proc/self/fd are not universally available.
+However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
+a non-matching uid, we can solve this vulnerability in an easier way
+without regressions, by rejecting it early (before looking at
+~/.dbus-keyrings) whenever the requested identity doesn't match the
+identity of the process hosting the DBusServer.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
+Closes: CVE-2019-12749
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/dbus/dbus/commit
+/47b1a4c41004bf494b87370987b222c934b19016]
+
+CVE: CVE-2019-12749
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
+index 37d8d4c9..7390a9d5 100644
+--- a/dbus/dbus-auth.c
++++ b/dbus/dbus-auth.c
+@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth,
+ DBusString tmp2;
+ dbus_bool_t retval = FALSE;
+ DBusError error = DBUS_ERROR_INIT;
++ DBusCredentials *myself = NULL;
+
+ _dbus_string_set_length (&auth->challenge, 0);
+
+@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth *auth,
+ return FALSE;
+ }
+
++ myself = _dbus_credentials_new_from_current_process ();
++
++ if (myself == NULL)
++ goto out;
++
++ if (!_dbus_credentials_same_user (myself, auth->desired_identity))
++ {
++ /*
++ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
++ * client is anyone other than the user owning the process
++ * containing the DBusServer: we probably aren't allowed to write
++ * to other users' home directories. Even if we can (for example
++ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
++ * must not, because the other user controls their home directory,
++ * and could carry out symlink attacks to make us read from or
++ * write to unintended locations. It's difficult to avoid symlink
++ * attacks in a portable way, so we just don't try. This isn't a
++ * regression, because DBUS_COOKIE_SHA1 never worked for other
++ * users anyway.
++ */
++ _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
++ "but that doesn't match this process",
++ DBUS_AUTH_NAME (auth),
++ _dbus_string_get_const_data (data));
++ retval = send_rejected (auth);
++ goto out;
++ }
++
+ /* we cache the keyring for speed, so here we drop it if it's the
+ * wrong one. FIXME caching the keyring here is useless since we use
+ * a different DBusAuth for every connection.
+@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth *auth,
+ _dbus_string_zero (&tmp2);
+ _dbus_string_free (&tmp2);
+
++ if (myself != NULL)
++ _dbus_credentials_unref (myself);
++
+ return retval;
+ }
+
+--
+2.22.0
+
diff --git a/meta/recipes-core/dbus/dbus_1.12.10.bb b/meta/recipes-core/dbus/dbus_1.12.10.bb
index d71f7f7..d7ad1d8 100644
--- a/meta/recipes-core/dbus/dbus_1.12.10.bb
+++ b/meta/recipes-core/dbus/dbus_1.12.10.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://tmpdir.patch \
file://dbus-1.init \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+ file://CVE-2019-12749.patch \
"
SRC_URI[md5sum] = "c3e12b4206e2a7da39d7cc42567790ef"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 06/24] glib-2.0: fix CVE-2019-13012
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (4 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 05/24] dbus: fix CVE-2019-12749 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 07/24] libcomps: fix CVE-2019-3817 Armin Kuster
` (17 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Andrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org>
Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../glib-2.0/glib-2.0/CVE-2019-13012.patch | 47 ++++++++++++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
new file mode 100644
index 0000000..29c5d98
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-13012.patch
@@ -0,0 +1,47 @@
+From c7f7fd53780f8caebccc903d61ffc21632b46a6c Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Tue, 22 Jan 2019 13:26:31 -0500
+Subject: [PATCH] keyfile settings: Use tighter permissions
+
+When creating directories, create them with 700 permissions,
+instead of 777.
+
+Closes: #1658
+
+Upstream-Status: Backport
+[https://gitlab.gnome.org/GNOME/glib/commit
+/5e4da714f00f6bfb2ccd6d73d61329c6f3a08429]
+
+CVE: CVE-2019-13012
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ gio/gkeyfilesettingsbackend.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
+index a37978e83..580a0b0a1 100644
+--- a/gio/gkeyfilesettingsbackend.c
++++ b/gio/gkeyfilesettingsbackend.c
+@@ -89,7 +89,8 @@ g_keyfile_settings_backend_keyfile_write (GKeyfileSettingsBackend *kfsb)
+
+ contents = g_key_file_to_data (kfsb->keyfile, &length, NULL);
+ g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ NULL, NULL, NULL);
+
+ compute_checksum (kfsb->digest, contents, length);
+@@ -640,7 +641,7 @@ g_keyfile_settings_backend_new (const gchar *filename,
+
+ kfsb->file = g_file_new_for_path (filename);
+ kfsb->dir = g_file_get_parent (kfsb->file);
+- g_file_make_directory_with_parents (kfsb->dir, NULL, NULL);
++ g_mkdir_with_parents (g_file_peek_path (kfsb->dir), 0700);
+
+ kfsb->file_monitor = g_file_monitor (kfsb->file, 0, NULL, NULL);
+ kfsb->dir_monitor = g_file_monitor (kfsb->dir, 0, NULL, NULL);
+--
+2.22.0
+
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb
index f007596..611abd8 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb
@@ -17,6 +17,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://CVE-2019-12450.patch \
file://CVE-2019-9633_p1.patch \
file://CVE-2019-9633_p2.patch \
+ file://CVE-2019-13012.patch \
"
SRC_URI_append_class-native = " file://relocate-modules.patch"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 07/24] libcomps: fix CVE-2019-3817
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (5 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 06/24] glib-2.0: fix CVE-2019-13012 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 08/24] qemu: add a patch fixing the native build on newer kernels Armin Kuster
` (16 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Andrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org>
Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../libcomps/libcomps/CVE-2019-3817.patch | 97 ++++++++++++++++++++++
meta/recipes-devtools/libcomps/libcomps_git.bb | 1 +
2 files changed, 98 insertions(+)
create mode 100644 meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch
diff --git a/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch b/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch
new file mode 100644
index 0000000..b8cfb3c
--- /dev/null
+++ b/meta/recipes-devtools/libcomps/libcomps/CVE-2019-3817.patch
@@ -0,0 +1,97 @@
+From cea10cd1f2ef6bb4edaac0c1d46d47bf237c42b8 Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone <rschiron@redhat.com>
+Date: Mon, 21 Jan 2019 18:11:42 +0100
+Subject: [PATCH] Fix UAF in comps_objmrtree_unite function
+
+The added field is not used at all in many places and it is probably the
+left-over of some copy-paste.
+
+Upstream-Status: Backport
+[https://github.com/rpm-software-management/libcomps/commit
+/e3a5d056633677959ad924a51758876d415e7046]
+
+CVE: CVE-2019-3817
+
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ libcomps/src/comps_mradix.c | 2 --
+ libcomps/src/comps_objmradix.c | 2 --
+ libcomps/src/comps_objradix.c | 2 --
+ libcomps/src/comps_radix.c | 1 -
+ 4 files changed, 7 deletions(-)
+
+diff --git a/libcomps/src/comps_mradix.c b/libcomps/src/comps_mradix.c
+index 338cb07..6ceb7c9 100644
+--- a/libcomps/src/comps_mradix.c
++++ b/libcomps/src/comps_mradix.c
+@@ -177,7 +177,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -195,7 +194,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+ parent_pair = (struct Pair*) it->data;
+ free(it);
+
+- pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_MRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objmradix.c b/libcomps/src/comps_objmradix.c
+index 9be6648..8771c89 100644
+--- a/libcomps/src/comps_objmradix.c
++++ b/libcomps/src/comps_objmradix.c
+@@ -285,7 +285,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -303,7 +302,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+ parent_pair = (struct Pair*) it->data;
+ free(it);
+
+- pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_ObjMRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objradix.c b/libcomps/src/comps_objradix.c
+index a790270..0ebaf22 100644
+--- a/libcomps/src/comps_objradix.c
++++ b/libcomps/src/comps_objradix.c
+@@ -692,7 +692,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -711,7 +710,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+ //printf("key-part:%s\n", parent_pair->key);
+ free(it);
+
+- //pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_ObjRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_radix.c b/libcomps/src/comps_radix.c
+index ada4fda..05dcaf2 100644
+--- a/libcomps/src/comps_radix.c
++++ b/libcomps/src/comps_radix.c
+@@ -529,7 +529,6 @@ void comps_rtree_unite(COMPS_RTree *rt1, COMPS_RTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+--
+2.22.0
+
diff --git a/meta/recipes-devtools/libcomps/libcomps_git.bb b/meta/recipes-devtools/libcomps/libcomps_git.bb
index e69bf67..b657f33 100644
--- a/meta/recipes-devtools/libcomps/libcomps_git.bb
+++ b/meta/recipes-devtools/libcomps/libcomps_git.bb
@@ -6,6 +6,7 @@ SRC_URI = "git://github.com/rpm-software-management/libcomps.git \
file://0001-Do-not-set-PYTHON_INSTALL_DIR-by-running-python.patch \
file://0002-Set-library-installation-path-correctly.patch \
file://0001-Make-__comps_objmrtree_all-static-inline.patch \
+ file://CVE-2019-3817.patch \
"
PV = "0.1.8+git${SRCPV}"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 08/24] qemu: add a patch fixing the native build on newer kernels
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (6 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 07/24] libcomps: fix CVE-2019-3817 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 09/24] gcc: Security fix for CVE-2019-14250 Armin Kuster
` (15 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Bartosz Golaszewski <bgolaszewski@baylibre.com>
The build fails on qemu-native if we're using kernels after commit
0768e17073dc527ccd18ed5f96ce85f9985e9115. This adds an upstream
patch that fixes the issue.
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Refactoried for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...error-messages-when-qemi_cpu_kick_thread-.patch | 19 +-
...fix-to-handle-variably-sized-SIOCGSTAMP-w.patch | 336 +++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_3.0.0.bb | 1 +
3 files changed, 346 insertions(+), 10 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch
diff --git a/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch b/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
index 8a9141a..03ec2c9 100644
--- a/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
+++ b/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
@@ -18,11 +18,11 @@ Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
2 files changed, 29 insertions(+)
create mode 100644 custom_debug.h
-diff --git a/cpus.c b/cpus.c
-index 38eba8bff3..b84a60a4f3 100644
---- a/cpus.c
-+++ b/cpus.c
-@@ -1690,6 +1690,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
+Index: qemu-3.0.0/cpus.c
+===================================================================
+--- qemu-3.0.0.orig/cpus.c
++++ qemu-3.0.0/cpus.c
+@@ -1693,6 +1693,8 @@ static void *qemu_tcg_cpu_thread_fn(void
return NULL;
}
@@ -31,7 +31,7 @@ index 38eba8bff3..b84a60a4f3 100644
static void qemu_cpu_kick_thread(CPUState *cpu)
{
#ifndef _WIN32
-@@ -1702,6 +1704,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
+@@ -1705,6 +1707,9 @@ static void qemu_cpu_kick_thread(CPUStat
err = pthread_kill(cpu->thread->thread, SIG_IPI);
if (err) {
fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
@@ -41,11 +41,10 @@ index 38eba8bff3..b84a60a4f3 100644
exit(1);
}
#else /* _WIN32 */
-diff --git a/custom_debug.h b/custom_debug.h
-new file mode 100644
-index 0000000000..f029e45547
+Index: qemu-3.0.0/custom_debug.h
+===================================================================
--- /dev/null
-+++ b/custom_debug.h
++++ qemu-3.0.0/custom_debug.h
@@ -0,0 +1,24 @@
+#include <execinfo.h>
+#include <stdio.h>
diff --git a/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch b/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch
new file mode 100644
index 0000000..31a7c94
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch
@@ -0,0 +1,336 @@
+From 8104018ba4c66e568d2583a3a0ee940851ee7471 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrangé <berrange@redhat.com>
+Date: Tue, 23 Jul 2019 17:50:00 +0200
+Subject: [PATCH] linux-user: fix to handle variably sized SIOCGSTAMP with new
+ kernels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The SIOCGSTAMP symbol was previously defined in the
+asm-generic/sockios.h header file. QEMU sees that header
+indirectly via sys/socket.h
+
+In linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115
+the asm-generic/sockios.h header no longer defines SIOCGSTAMP.
+Instead it provides only SIOCGSTAMP_OLD, which only uses a
+32-bit time_t on 32-bit architectures.
+
+The linux/sockios.h header then defines SIOCGSTAMP using
+either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. If
+SIOCGSTAMP_NEW is used, then the tv_sec field is 64-bit even
+on 32-bit architectures
+
+To cope with this we must now convert the old and new type from
+the target to the host one.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Message-Id: <20190718130641.15294-1-laurent@vivier.eu>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
+---
+Uptream-status: Backport (upstream commit: 6d5d5dde9adb5acb32e6b8e3dfbf47fff0f308d2)
+
+ linux-user/ioctls.h | 21 +++++-
+ linux-user/syscall.c | 140 +++++++++++++++++++++++++++++--------
+ linux-user/syscall_defs.h | 30 +++++++-
+ linux-user/syscall_types.h | 6 --
+ 4 files changed, 159 insertions(+), 38 deletions(-)
+
+Index: qemu-3.0.0/linux-user/ioctls.h
+===================================================================
+--- qemu-3.0.0.orig/linux-user/ioctls.h
++++ qemu-3.0.0/linux-user/ioctls.h
+@@ -173,8 +173,25 @@
+ IOCTL(SIOCGRARP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_arpreq)))
+ IOCTL(SIOCGIWNAME, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_char_ifreq)))
+ IOCTL(SIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) /* pid_t */
+- IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval)))
+- IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec)))
++
++ /*
++ * We can't use IOCTL_SPECIAL() because it will set
++ * host_cmd to XXX_OLD and XXX_NEW and these macros
++ * are not defined with kernel prior to 5.2.
++ * We must set host_cmd to the same value as in target_cmd
++ * otherwise the consistency check in syscall_init()
++ * will trigger an error.
++ * host_cmd is ignored by the do_ioctl_XXX() helpers.
++ * FIXME: create a macro to define this kind of entry
++ */
++ { TARGET_SIOCGSTAMP_OLD, TARGET_SIOCGSTAMP_OLD,
++ "SIOCGSTAMP_OLD", IOC_R, do_ioctl_SIOCGSTAMP },
++ { TARGET_SIOCGSTAMPNS_OLD, TARGET_SIOCGSTAMPNS_OLD,
++ "SIOCGSTAMPNS_OLD", IOC_R, do_ioctl_SIOCGSTAMPNS },
++ { TARGET_SIOCGSTAMP_NEW, TARGET_SIOCGSTAMP_NEW,
++ "SIOCGSTAMP_NEW", IOC_R, do_ioctl_SIOCGSTAMP },
++ { TARGET_SIOCGSTAMPNS_NEW, TARGET_SIOCGSTAMPNS_NEW,
++ "SIOCGSTAMPNS_NEW", IOC_R, do_ioctl_SIOCGSTAMPNS },
+
+ IOCTL(RNDGETENTCNT, IOC_R, MK_PTR(TYPE_INT))
+ IOCTL(RNDADDTOENTCNT, IOC_W, MK_PTR(TYPE_INT))
+Index: qemu-3.0.0/linux-user/syscall.c
+===================================================================
+--- qemu-3.0.0.orig/linux-user/syscall.c
++++ qemu-3.0.0/linux-user/syscall.c
+@@ -37,6 +37,7 @@
+ #include <sched.h>
+ #include <sys/timex.h>
+ #include <sys/socket.h>
++#include <linux/sockios.h>
+ #include <sys/un.h>
+ #include <sys/uio.h>
+ #include <poll.h>
+@@ -1391,8 +1392,9 @@ static inline abi_long copy_from_user_ti
+ {
+ struct target_timeval *target_tv;
+
+- if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1))
++ if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) {
+ return -TARGET_EFAULT;
++ }
+
+ __get_user(tv->tv_sec, &target_tv->tv_sec);
+ __get_user(tv->tv_usec, &target_tv->tv_usec);
+@@ -1407,8 +1409,26 @@ static inline abi_long copy_to_user_time
+ {
+ struct target_timeval *target_tv;
+
+- if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0))
++ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
++ return -TARGET_EFAULT;
++ }
++
++ __put_user(tv->tv_sec, &target_tv->tv_sec);
++ __put_user(tv->tv_usec, &target_tv->tv_usec);
++
++ unlock_user_struct(target_tv, target_tv_addr, 1);
++
++ return 0;
++}
++
++static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr,
++ const struct timeval *tv)
++{
++ struct target__kernel_sock_timeval *target_tv;
++
++ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
+ return -TARGET_EFAULT;
++ }
+
+ __put_user(tv->tv_sec, &target_tv->tv_sec);
+ __put_user(tv->tv_usec, &target_tv->tv_usec);
+@@ -1418,6 +1438,48 @@ static inline abi_long copy_to_user_time
+ return 0;
+ }
+
++static inline abi_long target_to_host_timespec(struct timespec *host_ts,
++ abi_ulong target_addr)
++{
++ struct target_timespec *target_ts;
++
++ if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) {
++ return -TARGET_EFAULT;
++ }
++ __get_user(host_ts->tv_sec, &target_ts->tv_sec);
++ __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++ unlock_user_struct(target_ts, target_addr, 0);
++ return 0;
++}
++
++static inline abi_long host_to_target_timespec(abi_ulong target_addr,
++ struct timespec *host_ts)
++{
++ struct target_timespec *target_ts;
++
++ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
++ return -TARGET_EFAULT;
++ }
++ __put_user(host_ts->tv_sec, &target_ts->tv_sec);
++ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++ unlock_user_struct(target_ts, target_addr, 1);
++ return 0;
++}
++
++static inline abi_long host_to_target_timespec64(abi_ulong target_addr,
++ struct timespec *host_ts)
++{
++ struct target__kernel_timespec *target_ts;
++
++ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
++ return -TARGET_EFAULT;
++ }
++ __put_user(host_ts->tv_sec, &target_ts->tv_sec);
++ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++ unlock_user_struct(target_ts, target_addr, 1);
++ return 0;
++}
++
+ static inline abi_long copy_from_user_timezone(struct timezone *tz,
+ abi_ulong target_tz_addr)
+ {
+@@ -5733,6 +5795,54 @@ static abi_long do_ioctl_kdsigaccept(con
+ return get_errno(safe_ioctl(fd, ie->host_cmd, sig));
+ }
+
++static abi_long do_ioctl_SIOCGSTAMP(const IOCTLEntry *ie, uint8_t *buf_temp,
++ int fd, int cmd, abi_long arg)
++{
++ struct timeval tv;
++ abi_long ret;
++
++ ret = get_errno(safe_ioctl(fd, SIOCGSTAMP, &tv));
++ if (is_error(ret)) {
++ return ret;
++ }
++
++ if (cmd == (int)TARGET_SIOCGSTAMP_OLD) {
++ if (copy_to_user_timeval(arg, &tv)) {
++ return -TARGET_EFAULT;
++ }
++ } else {
++ if (copy_to_user_timeval64(arg, &tv)) {
++ return -TARGET_EFAULT;
++ }
++ }
++
++ return ret;
++}
++
++static abi_long do_ioctl_SIOCGSTAMPNS(const IOCTLEntry *ie, uint8_t *buf_temp,
++ int fd, int cmd, abi_long arg)
++{
++ struct timespec ts;
++ abi_long ret;
++
++ ret = get_errno(safe_ioctl(fd, SIOCGSTAMPNS, &ts));
++ if (is_error(ret)) {
++ return ret;
++ }
++
++ if (cmd == (int)TARGET_SIOCGSTAMPNS_OLD) {
++ if (host_to_target_timespec(arg, &ts)) {
++ return -TARGET_EFAULT;
++ }
++ } else{
++ if (host_to_target_timespec64(arg, &ts)) {
++ return -TARGET_EFAULT;
++ }
++ }
++
++ return ret;
++}
++
+ #ifdef TIOCGPTPEER
+ static abi_long do_ioctl_tiocgptpeer(const IOCTLEntry *ie, uint8_t *buf_temp,
+ int fd, int cmd, abi_long arg)
+@@ -7106,32 +7216,6 @@ static inline abi_long target_ftruncate6
+ }
+ #endif
+
+-static inline abi_long target_to_host_timespec(struct timespec *host_ts,
+- abi_ulong target_addr)
+-{
+- struct target_timespec *target_ts;
+-
+- if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1))
+- return -TARGET_EFAULT;
+- __get_user(host_ts->tv_sec, &target_ts->tv_sec);
+- __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
+- unlock_user_struct(target_ts, target_addr, 0);
+- return 0;
+-}
+-
+-static inline abi_long host_to_target_timespec(abi_ulong target_addr,
+- struct timespec *host_ts)
+-{
+- struct target_timespec *target_ts;
+-
+- if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0))
+- return -TARGET_EFAULT;
+- __put_user(host_ts->tv_sec, &target_ts->tv_sec);
+- __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
+- unlock_user_struct(target_ts, target_addr, 1);
+- return 0;
+-}
+-
+ static inline abi_long target_to_host_itimerspec(struct itimerspec *host_itspec,
+ abi_ulong target_addr)
+ {
+Index: qemu-3.0.0/linux-user/syscall_defs.h
+===================================================================
+--- qemu-3.0.0.orig/linux-user/syscall_defs.h
++++ qemu-3.0.0/linux-user/syscall_defs.h
+@@ -203,16 +203,34 @@ struct target_ip_mreq_source {
+ uint32_t imr_sourceaddr;
+ };
+
++#if defined(TARGET_SPARC64) && !defined(TARGET_ABI32)
++struct target_timeval {
++ abi_long tv_sec;
++ abi_int tv_usec;
++};
++#define target__kernel_sock_timeval target_timeval
++#else
+ struct target_timeval {
+ abi_long tv_sec;
+ abi_long tv_usec;
+ };
+
++struct target__kernel_sock_timeval {
++ abi_llong tv_sec;
++ abi_llong tv_usec;
++};
++#endif
++
+ struct target_timespec {
+ abi_long tv_sec;
+ abi_long tv_nsec;
+ };
+
++struct target__kernel_timespec {
++ abi_llong tv_sec;
++ abi_llong tv_nsec;
++};
++
+ struct target_timezone {
+ abi_int tz_minuteswest;
+ abi_int tz_dsttime;
+@@ -738,8 +756,16 @@ struct target_pollfd {
+ #define TARGET_SIOCATMARK 0x8905
+ #define TARGET_SIOCGPGRP 0x8904
+ #endif
+-#define TARGET_SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
+-#define TARGET_SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
++#if defined(TARGET_SH4)
++#define TARGET_SIOCGSTAMP_OLD TARGET_IOR('s', 100, struct target_timeval)
++#define TARGET_SIOCGSTAMPNS_OLD TARGET_IOR('s', 101, struct target_timespec)
++#else
++#define TARGET_SIOCGSTAMP_OLD 0x8906
++#define TARGET_SIOCGSTAMPNS_OLD 0x8907
++#endif
++
++#define TARGET_SIOCGSTAMP_NEW TARGET_IOR(0x89, 0x06, abi_llong[2])
++#define TARGET_SIOCGSTAMPNS_NEW TARGET_IOR(0x89, 0x07, abi_llong[2])
+
+ /* Networking ioctls */
+ #define TARGET_SIOCADDRT 0x890B /* add routing table entry */
+Index: qemu-3.0.0/linux-user/syscall_types.h
+===================================================================
+--- qemu-3.0.0.orig/linux-user/syscall_types.h
++++ qemu-3.0.0/linux-user/syscall_types.h
+@@ -14,12 +14,6 @@ STRUCT(serial_icounter_struct,
+ STRUCT(sockaddr,
+ TYPE_SHORT, MK_ARRAY(TYPE_CHAR, 14))
+
+-STRUCT(timeval,
+- MK_ARRAY(TYPE_LONG, 2))
+-
+-STRUCT(timespec,
+- MK_ARRAY(TYPE_LONG, 2))
+-
+ STRUCT(rtentry,
+ TYPE_ULONG, MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr),
+ TYPE_SHORT, TYPE_SHORT, TYPE_ULONG, TYPE_PTRVOID, TYPE_SHORT, TYPE_PTRVOID,
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index b591cc24..f02e312 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -35,6 +35,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2018-20815_p1.patch \
file://CVE-2018-20815_p2.patch \
file://CVE-2019-9824.patch \
+ file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 09/24] gcc: Security fix for CVE-2019-14250
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (7 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 08/24] qemu: add a patch fixing the native build on newer kernels Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 10/24] binutils: Security fix for CVE-2019-14444 Armin Kuster
` (14 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: gcc.org
MR: 99120
Type: Security Fix
Disposition: Backport from https://gcc.gnu.org/viewcvs?rev=273794&root=gcc&view=rev
ChangeID: 28ab763c18f1543607181cd9657f45f7752b6fcb
Description:
Affects < 9.2
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/gcc/gcc-8.2.inc | 1 +
.../gcc/gcc-8.2/CVE-2019-14250.patch | 44 ++++++++++++++++++++++
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch
diff --git a/meta/recipes-devtools/gcc/gcc-8.2.inc b/meta/recipes-devtools/gcc/gcc-8.2.inc
index 866a775..bd95ccd 100644
--- a/meta/recipes-devtools/gcc/gcc-8.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.2.inc
@@ -73,6 +73,7 @@ SRC_URI = "\
${BACKPORTS} \
"
BACKPORTS = "\
+ file://CVE-2019-14250.patch \
"
SRC_URI[md5sum] = "4ab282f414676496483b3e1793d07862"
SRC_URI[sha256sum] = "196c3c04ba2613f893283977e6011b2345d1cd1af9abeac58e916b1aab3e0080"
diff --git a/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch
new file mode 100644
index 0000000..e327684
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.2/CVE-2019-14250.patch
@@ -0,0 +1,44 @@
+From a4f1b58eb48b349a5f353bc69c30be553506d33b Mon Sep 17 00:00:00 2001
+From: rguenth <rguenth@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Thu, 25 Jul 2019 10:48:26 +0000
+Subject: [PATCH] 2019-07-25 Richard Biener <rguenther@suse.de>
+
+ PR lto/90924
+ Backport from mainline
+ 2019-07-12 Ren Kimura <rkx1209dev@gmail.com>
+
+ * simple-object-elf.c (simple_object_elf_match): Check zero value
+ shstrndx.
+
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-8-branch@273794 138bc75d-0d04-0410-961f-82ee72b054a4
+
+Upstream-Status: Backport
+Affectes: < 9.2
+CVE: CVE-2019-14250
+Dropped changelog
+Signed-off-by: Armin Kuster <Akustre@mvista.com>
+
+---
+ libiberty/simple-object-elf.c | 8 ++++++++
+ 2 files changed, 17 insertions(+)
+
+Index: gcc-8.2.0/libiberty/simple-object-elf.c
+===================================================================
+--- gcc-8.2.0.orig/libiberty/simple-object-elf.c
++++ gcc-8.2.0/libiberty/simple-object-elf.c
+@@ -549,6 +549,14 @@ simple_object_elf_match (unsigned char h
+ return NULL;
+ }
+
++ if (eor->shstrndx == 0)
++ {
++ *errmsg = "invalid ELF shstrndx == 0";
++ *err = 0;
++ XDELETE (eor);
++ return NULL;
++ }
++
+ return (void *) eor;
+ }
+
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 10/24] binutils: Security fix for CVE-2019-14444
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (8 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 09/24] gcc: Security fix for CVE-2019-14250 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 11/24] binutils: Security fix for CVE-2019-12972 Armin Kuster
` (13 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
Source: git://sourceware.org / binutils-gdb.git
MR: 99255
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7
ChangeID: 67ad4ab1ec34b941bdcfbb4f55d16176bbbd3d72
Description:
Affects: <= 2.32.0
Fixes CVE-2019-14444
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/binutils/binutils-2.31.inc | 1 +
.../binutils/binutils/CVE-2019-14444.patch | 33 ++++++++++++++++++++++
2 files changed, 34 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc
index 62acec5..247f779 100644
--- a/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -46,6 +46,7 @@ SRC_URI = "\
file://CVE-2018-18605.patch \
file://CVE-2018-18606.patch \
file://CVE-2018-18607.patch \
+ file://CVE-2019-14444.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
new file mode 100644
index 0000000..499cf0e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-14444.patch
@@ -0,0 +1,33 @@
+From e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Mon, 5 Aug 2019 10:40:35 +0100
+Subject: [PATCH] Catch potential integer overflow in readelf when processing
+ corrupt binaries.
+
+ PR 24829
+ * readelf.c (apply_relocations): Catch potential integer overflow
+ whilst checking reloc location against section size.
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7
+CVE: CVE-2019-14444
+Dropped changelog
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ binutils/readelf.c | 2 +-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/binutils/readelf.c
+===================================================================
+--- git.orig/binutils/readelf.c
++++ git/binutils/readelf.c
+@@ -13113,7 +13113,7 @@ apply_relocations (Filedata *
+ }
+
+ rloc = start + rp->r_offset;
+- if ((rloc + reloc_size) > end || (rloc < start))
++ if (rloc >= end || (rloc + reloc_size) > end || (rloc < start))
+ {
+ warn (_("skipping invalid relocation offset 0x%lx in section %s\n"),
+ (unsigned long) rp->r_offset,
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 11/24] binutils: Security fix for CVE-2019-12972
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (9 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 10/24] binutils: Security fix for CVE-2019-14444 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 12/24] bind: update to latest LTS 9.11.5 Armin Kuster
` (12 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: git://sourceware.org / binutils-gdb.git
MR: 98770
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031
ChangeID: 7ced6bffbe01cbeadf50177eb332eef514baa19c
Description:
Fixes CVE-2019-12972
Signed-off-by: Armin Kuster <akuster@mvista.com>
[v2]
forgot to refresh inc file before sending
---
meta/recipes-devtools/binutils/binutils-2.31.inc | 1 +
.../binutils/binutils/CVE-2019-12972.patch | 39 ++++++++++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc
index 247f779..e1a6673 100644
--- a/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -47,6 +47,7 @@ SRC_URI = "\
file://CVE-2018-18606.patch \
file://CVE-2018-18607.patch \
file://CVE-2019-14444.patch \
+ file://CVE-2019-12972.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
new file mode 100644
index 0000000..3e95b92
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-12972.patch
@@ -0,0 +1,39 @@
+From 890f750a3b053532a4b839a2dd6243076de12031 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Fri, 21 Jun 2019 11:51:38 +0930
+Subject: [PATCH] PR24689, string table corruption
+
+The testcase in the PR had a e_shstrndx section of type SHT_GROUP.
+hdr->contents were initialized by setup_group rather than being read
+from the file, thus last byte was not zero and string dereference ran
+off the end of the buffer.
+
+ PR 24689
+ * elfcode.h (elf_object_p): Check type of e_shstrndx section.
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=890f750a3b053532a4b839a2dd6243076de12031
+
+CVE: CVE-2019-12972
+Affects: <= 2.23.0
+Dropped Changelog
+Signed-off-by Armin Kuster <akuster@mvista.com>
+---
+ bfd/ChangeLog | 5 +++++
+ bfd/elfcode.h | 3 ++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+Index: git/bfd/elfcode.h
+===================================================================
+--- git.orig/bfd/elfcode.h
++++ git/bfd/elfcode.h
+@@ -747,7 +747,8 @@ elf_object_p (bfd *abfd)
+ /* A further sanity check. */
+ if (i_ehdrp->e_shnum != 0)
+ {
+- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd))
++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)
++ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB)
+ {
+ /* PR 2257:
+ We used to just goto got_wrong_format_error here
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 12/24] bind: update to latest LTS 9.11.5
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (10 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 11/24] binutils: Security fix for CVE-2019-12972 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 13/24] bind: upgrade 9.11.5 -> 9.11.5-P4 Armin Kuster
` (11 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: bind.org
MR: 99750
Type: Security Fix
Disposition: Backport from bind.org
ChangeID: bca5c436229f1b8c7e8eb3e45fc6188ffdb5e224
Description:
includes:
CVE-2018-5738
drop patch for CVE-2018-5740 now included in update
see: https://ftp.isc.org/isc/bind9/9.11.5/RELEASE-NOTES-bind-9.11.5.html
Add RECIPE_NO_UPDATE_REASON for lts
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Also includes CVE-2018-5740]
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../bind/bind/CVE-2018-5740.patch | 72 ----------------------
.../bind/{bind_9.11.4.bb => bind_9.11.5.bb} | 6 +-
2 files changed, 3 insertions(+), 75 deletions(-)
delete mode 100644 meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
rename meta/recipes-connectivity/bind/{bind_9.11.4.bb => bind_9.11.5.bb} (96%)
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch b/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
deleted file mode 100644
index 7a2ba7e..0000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2018-5740.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-Upstream-Status: Backport [https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740]
-
-CVE: CVE-2018-5740
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
-
-diff --git a/CHANGES b/CHANGES
-index 750b600..3d8d655 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -1,3 +1,9 @@
-+ --- 9.11.4-P1 released ---
-+
-+4997. [security] named could crash during recursive processing
-+ of DNAME records when "deny-answer-aliases" was
-+ in use. (CVE-2018-5740) [GL #387]
-+
- --- 9.11.4 released ---
-
- --- 9.11.4rc2 released ---
-diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
-index 8f674a2..41d1385 100644
---- a/lib/dns/resolver.c
-+++ b/lib/dns/resolver.c
-@@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
- unsigned int nlabels;
- dns_fixedname_t fixed;
- dns_name_t prefix;
-+ int order;
-
- REQUIRE(rdataset != NULL);
- REQUIRE(rdataset->type == dns_rdatatype_cname ||
-@@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
- tname = &cname.cname;
- break;
- case dns_rdatatype_dname:
-+ if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
-+ dns_namereln_subdomain)
-+ {
-+ return (ISC_TRUE);
-+ }
- result = dns_rdata_tostruct(&rdata, &dname, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_name_init(&prefix, NULL);
- tname = dns_fixedname_initname(&fixed);
-- nlabels = dns_name_countlabels(qname) -
-- dns_name_countlabels(rname);
-+ nlabels = dns_name_countlabels(rname);
- dns_name_split(qname, nlabels, &prefix, NULL);
- result = dns_name_concatenate(&prefix, &dname.dname, tname,
- NULL);
-- if (result == DNS_R_NAMETOOLONG)
-+ if (result == DNS_R_NAMETOOLONG) {
-+ if (chainingp != NULL) {
-+ *chainingp = ISC_TRUE;
-+ }
- return (ISC_TRUE);
-+ }
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- break;
- default:
-@@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) {
- }
- if ((ardataset->type == dns_rdatatype_cname ||
- ardataset->type == dns_rdatatype_dname) &&
-- !is_answertarget_allowed(fctx, qname, aname, ardataset,
-+ type != ardataset->type &&
-+ type != dns_rdatatype_any &&
-+ !is_answertarget_allowed(fctx, qname, aname, ardataset,
- NULL))
- {
- return (DNS_R_SERVFAIL);
diff --git a/meta/recipes-connectivity/bind/bind_9.11.4.bb b/meta/recipes-connectivity/bind/bind_9.11.5.bb
similarity index 96%
rename from meta/recipes-connectivity/bind/bind_9.11.4.bb
rename to meta/recipes-connectivity/bind/bind_9.11.5.bb
index cb4a21a..21e979f 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.5.bb
@@ -20,14 +20,14 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
file://0001-avoid-start-failure-with-bind-user.patch \
- file://CVE-2018-5740.patch \
"
-SRC_URI[md5sum] = "9b4834d78f30cdb796ce437262272a36"
-SRC_URI[sha256sum] = "595070b031f869f8939656b5a5d11b121211967f15f6afeafa895df745279617"
+SRC_URI[md5sum] = "17a0d02102117c9a221e857cf2cc8157"
+SRC_URI[sha256sum] = "a4cae11dad954bdd4eb592178f875bfec09fcc7e29fe0f6b7a4e5b5c6bc61322"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/"
+RECIPE_NO_UPDATE_REASON = "9.11 is LTS 2021"
inherit autotools update-rc.d systemd useradd pkgconfig multilib_script
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 13/24] bind: upgrade 9.11.5 -> 9.11.5-P4
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (11 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 12/24] bind: update to latest LTS 9.11.5 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 14/24] go: update to 1.11.13, minor updates Armin Kuster
` (10 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Adrian Bunk <bunk@stusta.de>
Source: OE.org
MR: 99751, 99752, 99753
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-connectivity/bind?h=warrior&id=5d286da0fbe1a7ded2f84eec990e49d221bdeab4
ChangeID: ce3719ea11bd03af3baeca51a22115badf84be01
Description:
Bugfix-only compared to 9.11.5, mostly CVE fixes.
COPYRIGHT checksum changed due to 2018 -> 2019.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Included cves:
CVE-2018-5744
CVE-2018-5745
CVE-2019-6465
]
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../recipes-connectivity/bind/{bind_9.11.5.bb => bind_9.11.5-P4.bb} | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
rename meta/recipes-connectivity/bind/{bind_9.11.5.bb => bind_9.11.5-P4.bb} (96%)
diff --git a/meta/recipes-connectivity/bind/bind_9.11.5.bb b/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
similarity index 96%
rename from meta/recipes-connectivity/bind/bind_9.11.5.bb
rename to meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
index 21e979f..432bad0 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.5.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.5-P4.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.isc.org/sw/bind/"
SECTION = "console/network"
LICENSE = "ISC & BSD"
-LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=6ba7c9fe0c888a943c79c93e6de744fb"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=8f17f64e47e83b60cd920a1e4b54419e"
DEPENDS = "openssl libcap zlib"
@@ -22,8 +22,8 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://0001-avoid-start-failure-with-bind-user.patch \
"
-SRC_URI[md5sum] = "17a0d02102117c9a221e857cf2cc8157"
-SRC_URI[sha256sum] = "a4cae11dad954bdd4eb592178f875bfec09fcc7e29fe0f6b7a4e5b5c6bc61322"
+SRC_URI[md5sum] = "8ddab4b61fa4516fe404679c74e37960"
+SRC_URI[sha256sum] = "7e8c08192bcbaeb6e9f2391a70e67583b027b90e8c4bc1605da6eb126edde434"
UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 14/24] go: update to 1.11.13, minor updates
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (12 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 13/24] bind: upgrade 9.11.5 -> 9.11.5-P4 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 15/24] dhcp: fix issue with new bind changes Armin Kuster
` (9 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: golang.org
MR: 99376
Type: Security Fix
Disposition: Backport from golang.org
ChangeID: 41576ab4a0abdebbc44f1a35a83bf04e5f2fde06
Description:
https://golang.org/doc/devel/release.html
go1.11.11 (released 2019/06/11) includes a fix to the crypto/x509 package. See the Go 1.11.11 milestone on our issue tracker for details.
go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker. See the Go 1.11.12 milestone on our issue tracker for details.
go1.11.13 (released 2019/08/13) includes security fixes to the net/http and net/url packages. See the Go 1.11.13 milestone on our issue tracker for details.
Includes CVE: CVE-2019-14809
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-devtools/go/go-1.11.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-devtools/go/go-1.11.inc b/meta/recipes-devtools/go/go-1.11.inc
index 401e71f..90d4037 100644
--- a/meta/recipes-devtools/go/go-1.11.inc
+++ b/meta/recipes-devtools/go/go-1.11.inc
@@ -1,7 +1,7 @@
require go-common.inc
GO_BASEVERSION = "1.11"
-GO_MINOR = ".10"
+GO_MINOR = ".13"
PV .= "${GO_MINOR}"
FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
@@ -19,5 +19,5 @@ SRC_URI += "\
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
-SRC_URI[main.md5sum] = "f2d2e44b9954b827daa8ad4d936a7a82"
-SRC_URI[main.sha256sum] = "df27e96a9d1d362c46ecd975f1faa56b8c300f5c529074e9ea79bdd885493c1b"
+SRC_URI[main.md5sum] = "32e71746981695517387a2149eb541ef"
+SRC_URI[main.sha256sum] = "5032095fd3f641cafcce164f551e5ae873785ce7b07ca7c143aecd18f7ba4076"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 15/24] dhcp: fix issue with new bind changes
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (13 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 14/24] go: update to 1.11.13, minor updates Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 7:02 ` Adrian Bunk
2019-09-24 3:13 ` [Thud][ 16/24] binutils: Fix 4 CVEs Armin Kuster
` (8 subsequent siblings)
23 siblings, 1 reply; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...eplace-custom-isc_boolean_t-with-C-standa.patch | 2882 ++++++++++++++++++++
meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb | 1 +
2 files changed, 2883 insertions(+)
create mode 100644 meta/recipes-connectivity/dhcp/dhcp/0001-dhcpd-fix-Replace-custom-isc_boolean_t-with-C-standa.patch
diff --git a/meta/recipes-connectivity/dhcp/dhcp/0001-dhcpd-fix-Replace-custom-isc_boolean_t-with-C-standa.patch b/meta/recipes-connectivity/dhcp/dhcp/0001-dhcpd-fix-Replace-custom-isc_boolean_t-with-C-standa.patch
new file mode 100644
index 0000000..d2e5771
--- /dev/null
+++ b/meta/recipes-connectivity/dhcp/dhcp/0001-dhcpd-fix-Replace-custom-isc_boolean_t-with-C-standa.patch
@@ -0,0 +1,2882 @@
+From ffb1d1325bd6503df9a324befac5f5039ac77432 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Tue, 23 Oct 2018 10:36:56 +0000
+Subject: [PATCH] dhcpd: fix Replace custom isc_boolean_t with C standard bool
+ type
+
+
+Upstream-Status: Pending
+
+Fixes issues introduced by bind when they changed their headers.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ includes/dhcpd.h | 34 +++++++++++++++++-----------------
+ includes/heap.h | 2 +-
+ includes/omapip/omapip.h | 2 +-
+ includes/omapip/omapip_p.h | 6 +++---
+ includes/tree.h | 2 +-
+ 5 files changed, 23 insertions(+), 23 deletions(-)
+
+Index: dhcp-4.4.1/includes/dhcpd.h
+===================================================================
+--- dhcp-4.4.1.orig/includes/dhcpd.h
++++ dhcp-4.4.1/includes/dhcpd.h
+@@ -461,20 +461,20 @@ struct packet {
+ * options we got in a previous exchange were still there, we need
+ * to signal this in a reliable way.
+ */
+- isc_boolean_t agent_options_stashed;
++ bool agent_options_stashed;
+
+ /*
+ * ISC_TRUE if packet received unicast (as opposed to multicast).
+ * Only used in DHCPv6.
+ */
+- isc_boolean_t unicast;
++ bool unicast;
+
+ /* Propagates server value SV_ECHO_CLIENT_ID so it is available
+ * in cons_options() */
+ int sv_echo_client_id;
+
+ /* Relay port check */
+- isc_boolean_t relay_source_port;
++ bool relay_source_port;
+ };
+
+ /*
+@@ -1174,7 +1174,7 @@ struct dhc6_lease {
+ struct dhc6_lease *next;
+ struct data_string server_id;
+
+- isc_boolean_t released;
++ bool released;
+ int score;
+ u_int8_t pref;
+
+@@ -1695,8 +1695,8 @@ struct ipv6_pool {
+ int bits; /* number of bits, CIDR style */
+ int units; /* allocation unit in bits */
+ iasubopt_hash_t *leases; /* non-free leases */
+- isc_uint64_t num_active; /* count of active leases */
+- isc_uint64_t num_abandoned; /* count of abandoned leases */
++ uint64_t num_active; /* count of active leases */
++ uint64_t num_abandoned; /* count of abandoned leases */
+ isc_heap_t *active_timeouts; /* timeouts for active leases */
+ int num_inactive; /* count of inactive leases */
+ isc_heap_t *inactive_timeouts; /* timeouts for expired or
+@@ -1732,11 +1732,11 @@ struct ipv6_pond {
+ struct ipv6_pool **ipv6_pools; /* NULL-terminated array */
+ int last_ipv6_pool; /* offset of last IPv6 pool
+ used to issue a lease */
+- isc_uint64_t num_total; /* Total number of elements in the pond */
+- isc_uint64_t num_active; /* Number of elements in the pond in use */
+- isc_uint64_t num_abandoned; /* count of abandoned leases */
++ uint64_t num_total; /* Total number of elements in the pond */
++ uint64_t num_active; /* Number of elements in the pond in use */
++ uint64_t num_abandoned; /* count of abandoned leases */
+ int logged; /* already logged a message */
+- isc_uint64_t low_threshold; /* low threshold to restart logging */
++ uint64_t low_threshold; /* low threshold to restart logging */
+ int jumbo_range;
+ #ifdef EUI_64
+ int use_eui_64; /* use EUI-64 address assignment when true */
+@@ -1745,9 +1745,9 @@ struct ipv6_pond {
+
+ /*
+ * Max addresses in a pond that can be supported by log threshold
+- * Currently based on max value supported by isc_uint64_t.
++ * Currently based on max value supported by uint64_t.
+ */
+-#define POND_TRACK_MAX ISC_UINT64_MAX
++#define POND_TRACK_MAX UINT64_MAX
+
+ /* Flags for dhcp_ddns_cb_t */
+ #define DDNS_UPDATE_ADDR 0x0001
+@@ -1868,7 +1868,7 @@ lookup_fqdn6_option(struct universe *uni
+ unsigned code);
+ void
+ save_fqdn6_option(struct universe *universe, struct option_state *options,
+- struct option_cache *oc, isc_boolean_t appendp);
++ struct option_cache *oc, bool appendp);
+ void
+ delete_fqdn6_option(struct universe *universe, struct option_state *options,
+ int code);
+@@ -1953,7 +1953,7 @@ void save_option(struct universe *, stru
+ void also_save_option(struct universe *, struct option_state *,
+ struct option_cache *);
+ void save_hashed_option(struct universe *, struct option_state *,
+- struct option_cache *, isc_boolean_t appendp);
++ struct option_cache *, bool appendp);
+ void delete_option (struct universe *, struct option_state *, int);
+ void delete_hashed_option (struct universe *,
+ struct option_state *, int);
+@@ -2041,7 +2041,7 @@ int linked_option_state_dereference (str
+ struct option_state *,
+ const char *, int);
+ void save_linked_option(struct universe *, struct option_state *,
+- struct option_cache *, isc_boolean_t appendp);
++ struct option_cache *, bool appendp);
+ void linked_option_space_foreach (struct packet *, struct lease *,
+ struct client_state *,
+ struct option_state *,
+@@ -2069,7 +2069,7 @@ void do_packet (struct interface_info *,
+ struct dhcp_packet *, unsigned,
+ unsigned int, struct iaddr, struct hardware *);
+ void do_packet6(struct interface_info *, const char *,
+- int, int, const struct iaddr *, isc_boolean_t);
++ int, int, const struct iaddr *, bool);
+ int packet6_len_okay(const char *, int);
+
+ int validate_packet(struct packet *);
+@@ -2224,7 +2224,7 @@ uint32_t parse_byte_order_uint32(const v
+ int ddns_updates(struct packet *, struct lease *, struct lease *,
+ struct iasubopt *, struct iasubopt *, struct option_state *);
+ isc_result_t ddns_removals(struct lease *, struct iasubopt *,
+- struct dhcp_ddns_cb *, isc_boolean_t);
++ struct dhcp_ddns_cb *, bool);
+ u_int16_t get_conflict_mask(struct option_state *input_options);
+ #if defined (TRACING)
+ void trace_ddns_init(void);
+@@ -2450,7 +2450,7 @@ void dhcpleasequery (struct packet *, in
+ void dhcpv6_leasequery (struct data_string *, struct packet *);
+
+ /* dhcpv6.c */
+-isc_boolean_t server_duid_isset(void);
++bool server_duid_isset(void);
+ void copy_server_duid(struct data_string *ds, const char *file, int line);
+ void set_server_duid(struct data_string *new_duid);
+ isc_result_t set_server_duid_from_option(void);
+@@ -2852,7 +2852,7 @@ extern void (*bootp_packet_handler) (str
+ struct iaddr, struct hardware *);
+ extern void (*dhcpv6_packet_handler)(struct interface_info *,
+ const char *, int,
+- int, const struct iaddr *, isc_boolean_t);
++ int, const struct iaddr *, bool);
+ extern struct timeout *timeouts;
+ extern omapi_object_type_t *dhcp_type_interface;
+ #if defined (TRACING)
+@@ -2943,7 +2943,7 @@ int addr_or(struct iaddr *result,
+ const struct iaddr *a1, const struct iaddr *a2);
+ int addr_and(struct iaddr *result,
+ const struct iaddr *a1, const struct iaddr *a2);
+-isc_boolean_t is_cidr_mask_valid(const struct iaddr *addr, int bits);
++bool is_cidr_mask_valid(const struct iaddr *addr, int bits);
+ isc_result_t range2cidr(struct iaddrcidrnetlist **result,
+ const struct iaddr *lo, const struct iaddr *hi);
+ isc_result_t free_iaddrcidrnetlist(struct iaddrcidrnetlist **result);
+@@ -3787,7 +3787,7 @@ isc_result_t ia_add_iasubopt(struct ia_x
+ const char *file, int line);
+ void ia_remove_iasubopt(struct ia_xx *ia, struct iasubopt *iasubopt,
+ const char *file, int line);
+-isc_boolean_t ia_equal(const struct ia_xx *a, const struct ia_xx *b);
++bool ia_equal(const struct ia_xx *a, const struct ia_xx *b);
+
+ isc_result_t ipv6_pool_allocate(struct ipv6_pool **pool, u_int16_t type,
+ const struct in6_addr *start_addr,
+@@ -3820,9 +3820,9 @@ isc_result_t expire_lease6(struct iasubo
+ struct ipv6_pool *pool, time_t now);
+ isc_result_t release_lease6(struct ipv6_pool *pool, struct iasubopt *lease);
+ isc_result_t decline_lease6(struct ipv6_pool *pool, struct iasubopt *lease);
+-isc_boolean_t lease6_exists(const struct ipv6_pool *pool,
++bool lease6_exists(const struct ipv6_pool *pool,
+ const struct in6_addr *addr);
+-isc_boolean_t lease6_usable(struct iasubopt *lease);
++bool lease6_usable(struct iasubopt *lease);
+ isc_result_t cleanup_lease6(ia_hash_t *ia_table,
+ struct ipv6_pool *pool,
+ struct iasubopt *lease,
+@@ -3834,13 +3834,13 @@ isc_result_t create_prefix6(struct ipv6_
+ unsigned int *attempts,
+ const struct data_string *uid,
+ time_t soft_lifetime_end_time);
+-isc_boolean_t prefix6_exists(const struct ipv6_pool *pool,
++bool prefix6_exists(const struct ipv6_pool *pool,
+ const struct in6_addr *pref, u_int8_t plen);
+
+ isc_result_t add_ipv6_pool(struct ipv6_pool *pool);
+ isc_result_t find_ipv6_pool(struct ipv6_pool **pool, u_int16_t type,
+ const struct in6_addr *addr);
+-isc_boolean_t ipv6_in_pool(const struct in6_addr *addr,
++bool ipv6_in_pool(const struct in6_addr *addr,
+ const struct ipv6_pool *pool);
+ isc_result_t ipv6_pond_allocate(struct ipv6_pond **pond,
+ const char *file, int line);
+Index: dhcp-4.4.1/includes/heap.h
+===================================================================
+--- dhcp-4.4.1.orig/includes/heap.h
++++ dhcp-4.4.1/includes/heap.h
+@@ -26,7 +26,7 @@
+ * The comparision function returns ISC_TRUE if the first argument has
+ * higher priority than the second argument, and ISC_FALSE otherwise.
+ */
+-typedef isc_boolean_t (*isc_heapcompare_t)(void *, void *);
++typedef bool (*isc_heapcompare_t)(void *, void *);
+
+ /*%
+ * The index function allows the client of the heap to receive a callback
+Index: dhcp-4.4.1/includes/omapip/omapip.h
+===================================================================
+--- dhcp-4.4.1.orig/includes/omapip/omapip.h
++++ dhcp-4.4.1/includes/omapip/omapip.h
+@@ -264,7 +264,7 @@ isc_result_t omapi_protocol_connect (oma
+ isc_result_t omapi_connect_list (omapi_object_t *, omapi_addr_list_t *,
+ omapi_addr_t *);
+ isc_result_t omapi_protocol_listen (omapi_object_t *, unsigned, int);
+-isc_boolean_t omapi_protocol_authenticated (omapi_object_t *);
++bool omapi_protocol_authenticated (omapi_object_t *);
+ isc_result_t omapi_protocol_configure_security (omapi_object_t *,
+ isc_result_t (*)
+ (omapi_object_t *,
+Index: dhcp-4.4.1/includes/omapip/omapip_p.h
+===================================================================
+--- dhcp-4.4.1.orig/includes/omapip/omapip_p.h
++++ dhcp-4.4.1/includes/omapip/omapip_p.h
+@@ -149,7 +149,7 @@ typedef struct __omapi_protocol_object {
+ omapi_remote_auth_t *remote_auth_list; /* Authenticators active on
+ this connection. */
+
+- isc_boolean_t insecure; /* Set to allow unauthenticated
++ bool insecure; /* Set to allow unauthenticated
+ messages. */
+
+ isc_result_t (*verify_auth) (omapi_object_t *, omapi_auth_key_t *);
+@@ -158,7 +158,7 @@ typedef struct __omapi_protocol_object {
+ typedef struct {
+ OMAPI_OBJECT_PREAMBLE;
+
+- isc_boolean_t insecure; /* Set to allow unauthenticated
++ bool insecure; /* Set to allow unauthenticated
+ messages. */
+
+ isc_result_t (*verify_auth) (omapi_object_t *, omapi_auth_key_t *);
+@@ -208,7 +208,7 @@ typedef struct __omapi_io_object {
+ isc_result_t (*writer) (omapi_object_t *);
+ isc_result_t (*reaper) (omapi_object_t *);
+ isc_socket_t *fd;
+- isc_boolean_t closed; /* ISC_TRUE = closed, do not use */
++ bool closed; /* ISC_TRUE = closed, do not use */
+ } omapi_io_object_t;
+
+ typedef struct __omapi_generic_object {
+Index: dhcp-4.4.1/includes/tree.h
+===================================================================
+--- dhcp-4.4.1.orig/includes/tree.h
++++ dhcp-4.4.1/includes/tree.h
+@@ -304,7 +304,7 @@ struct universe {
+ struct option_state *,
+ unsigned);
+ void (*save_func) (struct universe *, struct option_state *,
+- struct option_cache *, isc_boolean_t);
++ struct option_cache *, bool );
+ void (*foreach) (struct packet *,
+ struct lease *, struct client_state *,
+ struct option_state *, struct option_state *,
+Index: dhcp-4.4.1/common/conflex.c
+===================================================================
+--- dhcp-4.4.1.orig/common/conflex.c
++++ dhcp-4.4.1/common/conflex.c
+@@ -322,7 +322,7 @@ get_raw_token(struct parse *cfile) {
+
+ static enum dhcp_token
+ get_next_token(const char **rval, unsigned *rlen,
+- struct parse *cfile, isc_boolean_t raw) {
++ struct parse *cfile, bool raw) {
+ int rv;
+
+ if (cfile -> token) {
+@@ -367,7 +367,7 @@ get_next_token(const char **rval, unsign
+
+ enum dhcp_token
+ next_token(const char **rval, unsigned *rlen, struct parse *cfile) {
+- return get_next_token(rval, rlen, cfile, ISC_FALSE);
++ return get_next_token(rval, rlen, cfile, false);
+ }
+
+
+@@ -378,7 +378,7 @@ next_token(const char **rval, unsigned *
+
+ enum dhcp_token
+ next_raw_token(const char **rval, unsigned *rlen, struct parse *cfile) {
+- return get_next_token(rval, rlen, cfile, ISC_TRUE);
++ return get_next_token(rval, rlen, cfile, true);
+ }
+
+
+@@ -393,7 +393,7 @@ next_raw_token(const char **rval, unsign
+
+ enum dhcp_token
+ do_peek_token(const char **rval, unsigned int *rlen,
+- struct parse *cfile, isc_boolean_t raw) {
++ struct parse *cfile, bool raw) {
+ int x;
+
+ if (!cfile->token || (!raw && (cfile->token == WHITESPACE))) {
+@@ -441,7 +441,7 @@ do_peek_token(const char **rval, unsigne
+
+ enum dhcp_token
+ peek_token(const char **rval, unsigned *rlen, struct parse *cfile) {
+- return do_peek_token(rval, rlen, cfile, ISC_FALSE);
++ return do_peek_token(rval, rlen, cfile, false);
+ }
+
+
+@@ -452,7 +452,7 @@ peek_token(const char **rval, unsigned *
+
+ enum dhcp_token
+ peek_raw_token(const char **rval, unsigned *rlen, struct parse *cfile) {
+- return do_peek_token(rval, rlen, cfile, ISC_TRUE);
++ return do_peek_token(rval, rlen, cfile, true);
+ }
+
+ static void skip_to_eol (cfile)
+Index: dhcp-4.4.1/common/discover.c
+===================================================================
+--- dhcp-4.4.1.orig/common/discover.c
++++ dhcp-4.4.1/common/discover.c
+@@ -73,7 +73,7 @@ void (*bootp_packet_handler) (struct int
+ void (*dhcpv6_packet_handler)(struct interface_info *,
+ const char *, int,
+ int, const struct iaddr *,
+- isc_boolean_t);
++ bool);
+ #endif /* DHCPv6 */
+
+
+@@ -236,7 +236,7 @@ struct iface_conf_list {
+ struct iface_info {
+ char name[IF_NAMESIZE+1]; /* name of the interface, e.g. "bge0" */
+ struct sockaddr_storage addr; /* address information */
+- isc_uint64_t flags; /* interface flags, e.g. IFF_LOOPBACK */
++ uint64_t flags; /* interface flags, e.g. IFF_LOOPBACK */
+ };
+
+ /*
+@@ -312,14 +312,14 @@ int
+ next_iface(struct iface_info *info, int *err, struct iface_conf_list *ifaces) {
+ struct LIFREQ *p;
+ struct LIFREQ tmp;
+- isc_boolean_t foundif;
++ bool foundif;
+ #if defined(sun) || defined(__linux)
+ /* Pointer used to remove interface aliases. */
+ char *s;
+ #endif
+
+ do {
+- foundif = ISC_FALSE;
++ foundif = false;
+
+ if (ifaces->next >= ifaces->num) {
+ *err = 0;
+@@ -353,8 +353,8 @@ next_iface(struct iface_info *info, int
+ }
+ #endif /* defined(sun) || defined(__linux) */
+
+- foundif = ISC_TRUE;
+- } while ((foundif == ISC_FALSE) ||
++ foundif = true;
++ } while ((foundif == false) ||
+ (strncmp(info->name, "dummy", 5) == 0));
+
+ memset(&tmp, 0, sizeof(tmp));
+@@ -410,7 +410,7 @@ struct iface_conf_list {
+ struct iface_info {
+ char name[IFNAMSIZ]; /* name of the interface, e.g. "bge0" */
+ struct sockaddr_storage addr; /* address information */
+- isc_uint64_t flags; /* interface flags, e.g. IFF_LOOPBACK */
++ uint64_t flags; /* interface flags, e.g. IFF_LOOPBACK */
+ };
+
+ /*
+@@ -1190,9 +1190,9 @@ got_one_v6(omapi_object_t *h) {
+ * If a packet is not multicast, we assume it is unicast.
+ */
+ if (IN6_IS_ADDR_MULTICAST(&to)) {
+- is_unicast = ISC_FALSE;
++ is_unicast = false;
+ } else {
+- is_unicast = ISC_TRUE;
++ is_unicast = true;
+ }
+
+ ifrom.len = 16;
+Index: dhcp-4.4.1/omapip/iscprint.c
+===================================================================
+--- dhcp-4.4.1.orig/omapip/iscprint.c
++++ dhcp-4.4.1/omapip/iscprint.c
+@@ -59,8 +59,8 @@ isc_print_vsnprintf(char *str, size_t si
+ int plus;
+ int space;
+ int neg;
+- isc_int64_t tmpi;
+- isc_uint64_t tmpui;
++ int64_t tmpi;
++ uint64_t tmpui;
+ unsigned long width;
+ unsigned long precision;
+ unsigned int length;
+@@ -234,7 +234,7 @@ isc_print_vsnprintf(char *str, size_t si
+ goto printint;
+ case 'o':
+ if (q)
+- tmpui = va_arg(ap, isc_uint64_t);
++ tmpui = va_arg(ap, uint64_t);
+ else if (l)
+ tmpui = va_arg(ap, long int);
+ else
+@@ -244,7 +244,7 @@ isc_print_vsnprintf(char *str, size_t si
+ goto printint;
+ case 'u':
+ if (q)
+- tmpui = va_arg(ap, isc_uint64_t);
++ tmpui = va_arg(ap, uint64_t);
+ else if (l)
+ tmpui = va_arg(ap, unsigned long int);
+ else
+@@ -253,7 +253,7 @@ isc_print_vsnprintf(char *str, size_t si
+ goto printint;
+ case 'x':
+ if (q)
+- tmpui = va_arg(ap, isc_uint64_t);
++ tmpui = va_arg(ap, uint64_t);
+ else if (l)
+ tmpui = va_arg(ap, unsigned long int);
+ else
+@@ -267,7 +267,7 @@ isc_print_vsnprintf(char *str, size_t si
+ goto printint;
+ case 'X':
+ if (q)
+- tmpui = va_arg(ap, isc_uint64_t);
++ tmpui = va_arg(ap, uint64_t);
+ else if (l)
+ tmpui = va_arg(ap, unsigned long int);
+ else
+Index: dhcp-4.4.1/server/confpars.c
+===================================================================
+--- dhcp-4.4.1.orig/server/confpars.c
++++ dhcp-4.4.1/server/confpars.c
+@@ -4005,15 +4005,15 @@ add_ipv6_pool_to_subnet(struct subnet *s
+
+ /* Only bother if we aren't already flagged as jumbo */
+ if (pond->jumbo_range == 0) {
+- if ((units - bits) > (sizeof(isc_uint64_t) * 8)) {
++ if ((units - bits) > (sizeof(uint64_t) * 8)) {
+ pond->jumbo_range = 1;
+ pond->num_total = POND_TRACK_MAX;
+ }
+ else {
+- isc_uint64_t space_left
++ uint64_t space_left
+ = POND_TRACK_MAX - pond->num_total;
+- isc_uint64_t addon
+- = (isc_uint64_t)(1) << (units - bits);
++ uint64_t addon
++ = (uint64_t)(1) << (units - bits);
+
+ if (addon > space_left) {
+ pond->jumbo_range = 1;
+@@ -4739,7 +4739,7 @@ parse_ia_na_declaration(struct parse *cf
+ struct iasubopt *iaaddr;
+ struct ipv6_pool *pool;
+ char addr_buf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
+- isc_boolean_t newbinding;
++ bool newbinding;
+ struct binding_scope *scope = NULL;
+ struct binding *bnd;
+ struct binding_value *nv = NULL;
+@@ -4959,9 +4959,9 @@ parse_ia_na_declaration(struct parse *cf
+ }
+ strcpy(bnd->name, val);
+
+- newbinding = ISC_TRUE;
++ newbinding = true;
+ } else {
+- newbinding = ISC_FALSE;
++ newbinding = false;
+ }
+
+ if (!binding_value_allocate(&nv, MDL)) {
+@@ -5186,7 +5186,7 @@ parse_ia_ta_declaration(struct parse *cf
+ struct iasubopt *iaaddr;
+ struct ipv6_pool *pool;
+ char addr_buf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
+- isc_boolean_t newbinding;
++ bool newbinding;
+ struct binding_scope *scope = NULL;
+ struct binding *bnd;
+ struct binding_value *nv = NULL;
+@@ -5406,9 +5406,9 @@ parse_ia_ta_declaration(struct parse *cf
+ }
+ strcpy(bnd->name, val);
+
+- newbinding = ISC_TRUE;
++ newbinding = true;
+ } else {
+- newbinding = ISC_FALSE;
++ newbinding = false;
+ }
+
+ if (!binding_value_allocate(&nv, MDL)) {
+@@ -5623,7 +5623,7 @@ parse_ia_pd_declaration(struct parse *cf
+ struct iasubopt *iapref;
+ struct ipv6_pool *pool;
+ char addr_buf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
+- isc_boolean_t newbinding;
++ bool newbinding;
+ struct binding_scope *scope = NULL;
+ struct binding *bnd;
+ struct binding_value *nv = NULL;
+@@ -5843,9 +5843,9 @@ parse_ia_pd_declaration(struct parse *cf
+ }
+ strcpy(bnd->name, val);
+
+- newbinding = ISC_TRUE;
++ newbinding = true;
+ } else {
+- newbinding = ISC_FALSE;
++ newbinding = false;
+ }
+
+ if (!binding_value_allocate(&nv, MDL)) {
+Index: dhcp-4.4.1/server/dhcpv6.c
+===================================================================
+--- dhcp-4.4.1.orig/server/dhcpv6.c
++++ dhcp-4.4.1/server/dhcpv6.c
+@@ -71,8 +71,8 @@ struct reply_state {
+ unsigned ia_count;
+ unsigned pd_count;
+ unsigned client_resources;
+- isc_boolean_t resources_included;
+- isc_boolean_t static_lease;
++ bool resources_included;
++ bool static_lease;
+ unsigned static_prefixes;
+ struct ia_xx *ia;
+ struct ia_xx *old_ia;
+@@ -123,7 +123,7 @@ static isc_result_t shared_network_from_
+ struct packet *packet);
+ static void seek_shared_host(struct host_decl **hp,
+ struct shared_network *shared);
+-static isc_boolean_t fixed_matches_shared(struct host_decl *host,
++static bool fixed_matches_shared(struct host_decl *host,
+ struct shared_network *shared);
+ static isc_result_t reply_process_ia_na(struct reply_state *reply,
+ struct option_cache *ia);
+@@ -131,9 +131,9 @@ static isc_result_t reply_process_ia_ta(
+ struct option_cache *ia);
+ static isc_result_t reply_process_addr(struct reply_state *reply,
+ struct option_cache *addr);
+-static isc_boolean_t address_is_owned(struct reply_state *reply,
++static bool address_is_owned(struct reply_state *reply,
+ struct iaddr *addr);
+-static isc_boolean_t temporary_is_available(struct reply_state *reply,
++static bool temporary_is_available(struct reply_state *reply,
+ struct iaddr *addr);
+ static isc_result_t find_client_temporaries(struct reply_state *reply);
+ static isc_result_t reply_process_try_addr(struct reply_state *reply,
+@@ -151,7 +151,7 @@ static isc_result_t reply_process_ia_pd(
+ static struct group *find_group_by_prefix(struct reply_state *reply);
+ static isc_result_t reply_process_prefix(struct reply_state *reply,
+ struct option_cache *pref);
+-static isc_boolean_t prefix_is_owned(struct reply_state *reply,
++static bool prefix_is_owned(struct reply_state *reply,
+ struct iaddrcidrnet *pref);
+ static isc_result_t find_client_prefix(struct reply_state *reply);
+ static isc_result_t reply_process_try_prefix(struct reply_state *reply,
+@@ -174,7 +174,7 @@ static void unicast_reject(struct data_s
+ const struct data_string *client_id,
+ const struct data_string *server_id);
+
+-static isc_boolean_t is_unicast_option_defined(struct packet *packet);
++static bool is_unicast_option_defined(struct packet *packet);
+ static isc_result_t shared_network_from_requested_addr (struct shared_network
+ **shared,
+ struct packet* packet);
+@@ -363,7 +363,7 @@ static struct data_string server_duid;
+ /*
+ * Check if the server_duid has been set.
+ */
+-isc_boolean_t
++bool
+ server_duid_isset(void) {
+ return (server_duid.data != NULL);
+ }
+@@ -992,7 +992,7 @@ void check_pool6_threshold(struct reply_
+ struct iasubopt *lease)
+ {
+ struct ipv6_pond *pond;
+- isc_uint64_t used, count, high_threshold;
++ uint64_t used, count, high_threshold;
+ int poolhigh = 0, poollow = 0;
+ char *shared_name = "no name";
+ char tmp_addr[INET6_ADDRSTRLEN];
+@@ -1310,9 +1310,9 @@ pick_v6_address(struct reply_state *repl
+ unsigned int attempts;
+ char tmp_buf[INET6_ADDRSTRLEN];
+ struct iasubopt **addr = &reply->lease;
+- isc_uint64_t total = 0;
+- isc_uint64_t active = 0;
+- isc_uint64_t abandoned = 0;
++ uint64_t total = 0;
++ uint64_t active = 0;
++ uint64_t abandoned = 0;
+ int jumbo_range = 0;
+ char *shared_name = (reply->shared->name ?
+ reply->shared->name : "(no name)");
+@@ -1825,7 +1825,7 @@ lease_to_client(struct data_string *repl
+
+ /* Start counting resources (addresses) offered. */
+ reply.client_resources = 0;
+- reply.resources_included = ISC_FALSE;
++ reply.resources_included = false;
+
+ status = reply_process_ia_na(&reply, oc);
+
+@@ -1843,7 +1843,7 @@ lease_to_client(struct data_string *repl
+
+ /* Start counting resources (addresses) offered. */
+ reply.client_resources = 0;
+- reply.resources_included = ISC_FALSE;
++ reply.resources_included = false;
+
+ status = reply_process_ia_ta(&reply, oc);
+
+@@ -1864,7 +1864,7 @@ lease_to_client(struct data_string *repl
+
+ /* Start counting resources (prefixes) offered. */
+ reply.client_resources = 0;
+- reply.resources_included = ISC_FALSE;
++ reply.resources_included = false;
+
+ status = reply_process_ia_pd(&reply, oc);
+
+@@ -2077,9 +2077,9 @@ reply_process_ia_na(struct reply_state *
+ tmp_addr, MDL) == 0)
+ log_fatal("Impossible condition at %s:%d.", MDL);
+
+- reply->static_lease = ISC_TRUE;
++ reply->static_lease = true;
+ } else
+- reply->static_lease = ISC_FALSE;
++ reply->static_lease = false;
+
+ /*
+ * Save the cursor position at the start of the IA, so we can
+@@ -2778,7 +2778,7 @@ reply_process_addr(struct reply_state *r
+ * (fault out all else). Otherwise it's a dynamic address, so lookup
+ * that address and make sure it belongs to this DUID:IAID pair.
+ */
+-static isc_boolean_t
++static bool
+ address_is_owned(struct reply_state *reply, struct iaddr *addr) {
+ int i;
+ struct ipv6_pond *pond;
+@@ -2791,13 +2791,13 @@ address_is_owned(struct reply_state *rep
+ log_fatal("Impossible condition at %s:%d.", MDL);
+
+ if (memcmp(addr->iabuf, reply->fixed.data, 16) == 0)
+- return (ISC_TRUE);
++ return (true);
+
+- return (ISC_FALSE);
++ return (false);
+ }
+
+ if ((reply->old_ia == NULL) || (reply->old_ia->num_iasubopt == 0))
+- return (ISC_FALSE);
++ return (false);
+
+ for (i = 0 ; i < reply->old_ia->num_iasubopt ; i++) {
+ struct iasubopt *tmp;
+@@ -2805,8 +2805,8 @@ address_is_owned(struct reply_state *rep
+ tmp = reply->old_ia->iasubopt[i];
+
+ if (memcmp(addr->iabuf, &tmp->addr, 16) == 0) {
+- if (lease6_usable(tmp) == ISC_FALSE) {
+- return (ISC_FALSE);
++ if (lease6_usable(tmp) == false) {
++ return (false);
+ }
+
+ pond = tmp->ipv6_pool->ipv6_pond;
+@@ -2814,15 +2814,15 @@ address_is_owned(struct reply_state *rep
+ (permitted(reply->packet, pond->prohibit_list))) ||
+ ((pond->permit_list != NULL) &&
+ (!permitted(reply->packet, pond->permit_list))))
+- return (ISC_FALSE);
++ return (false);
+
+ iasubopt_reference(&reply->lease, tmp, MDL);
+
+- return (ISC_TRUE);
++ return (true);
+ }
+ }
+
+- return (ISC_FALSE);
++ return (false);
+ }
+
+ /* Process a client-supplied IA_TA. This may append options to the tail of
+@@ -2890,7 +2890,7 @@ reply_process_ia_ta(struct reply_state *
+ /*
+ * Temporary leases are dynamic by definition.
+ */
+- reply->static_lease = ISC_FALSE;
++ reply->static_lease = false;
+
+ /*
+ * Save the cursor position at the start of the IA, so we can
+@@ -2972,7 +2972,7 @@ reply_process_ia_ta(struct reply_state *
+ }
+ status = ISC_R_CANCELED;
+ reply->client_resources = 0;
+- reply->resources_included = ISC_FALSE;
++ reply->resources_included = false;
+ if (reply->lease != NULL)
+ iasubopt_dereference(&reply->lease, MDL);
+ }
+@@ -3364,7 +3364,7 @@ void shorten_lifetimes(struct reply_stat
+ /*
+ * Verify the temporary address is available.
+ */
+-static isc_boolean_t
++static bool
+ temporary_is_available(struct reply_state *reply, struct iaddr *addr) {
+ struct in6_addr tmp_addr;
+ struct subnet *subnet;
+@@ -3379,7 +3379,7 @@ temporary_is_available(struct reply_stat
+ * So this is not a request for this address.
+ */
+ if (IN6_IS_ADDR_UNSPECIFIED(&tmp_addr))
+- return ISC_FALSE;
++ return false;
+
+ /*
+ * Verify that this address is on the client's network.
+@@ -3393,13 +3393,13 @@ temporary_is_available(struct reply_stat
+
+ /* Address not found on shared network. */
+ if (subnet == NULL)
+- return ISC_FALSE;
++ return false;
+
+ /*
+ * Check if this address is owned (must be before next step).
+ */
+ if (address_is_owned(reply, addr))
+- return ISC_TRUE;
++ return true;
+
+ /*
+ * Verify that this address is in a temporary pool and try to get it.
+@@ -3424,18 +3424,18 @@ temporary_is_available(struct reply_stat
+ }
+
+ if (pool == NULL)
+- return ISC_FALSE;
++ return false;
+ if (lease6_exists(pool, &tmp_addr))
+- return ISC_FALSE;
++ return false;
+ if (iasubopt_allocate(&reply->lease, MDL) != ISC_R_SUCCESS)
+- return ISC_FALSE;
++ return false;
+ reply->lease->addr = tmp_addr;
+ reply->lease->plen = 0;
+ /* Default is soft binding for 2 minutes. */
+ if (add_lease6(pool, reply->lease, cur_time + 120) != ISC_R_SUCCESS)
+- return ISC_FALSE;
++ return false;
+
+- return ISC_TRUE;
++ return true;
+ }
+
+ /*
+@@ -3652,7 +3652,7 @@ find_client_address(struct reply_state *
+ */
+
+ if ((candidate_shared != reply->shared) ||
+- (lease6_usable(lease) != ISC_TRUE))
++ (lease6_usable(lease) != true))
+ continue;
+
+ if (((pond->prohibit_list != NULL) &&
+@@ -3971,7 +3971,7 @@ reply_process_send_addr(struct reply_sta
+ goto cleanup;
+ }
+
+- reply->resources_included = ISC_TRUE;
++ reply->resources_included = true;
+
+ cleanup:
+ if (data.data != NULL)
+@@ -4722,7 +4722,7 @@ reply_process_prefix(struct reply_state
+ * (fault out all else). Otherwise it's a dynamic prefix, so lookup
+ * that prefix and make sure it belongs to this DUID:IAID pair.
+ */
+-static isc_boolean_t
++static bool
+ prefix_is_owned(struct reply_state *reply, struct iaddrcidrnet *pref) {
+ struct iaddrcidrnetlist *l;
+ int i;
+@@ -4736,14 +4736,14 @@ prefix_is_owned(struct reply_state *repl
+ if ((pref->bits == l->cidrnet.bits) &&
+ (memcmp(pref->lo_addr.iabuf,
+ l->cidrnet.lo_addr.iabuf, 16) == 0))
+- return (ISC_TRUE);
++ return (true);
+ }
+- return (ISC_FALSE);
++ return (false);
+ }
+
+ if ((reply->old_ia == NULL) ||
+ (reply->old_ia->num_iasubopt == 0))
+- return (ISC_FALSE);
++ return (false);
+
+ for (i = 0 ; i < reply->old_ia->num_iasubopt ; i++) {
+ struct iasubopt *tmp;
+@@ -4752,8 +4752,8 @@ prefix_is_owned(struct reply_state *repl
+
+ if ((pref->bits == (int) tmp->plen) &&
+ (memcmp(pref->lo_addr.iabuf, &tmp->addr, 16) == 0)) {
+- if (lease6_usable(tmp) == ISC_FALSE) {
+- return (ISC_FALSE);
++ if (lease6_usable(tmp) == false) {
++ return (false);
+ }
+
+ pond = tmp->ipv6_pool->ipv6_pond;
+@@ -4761,14 +4761,14 @@ prefix_is_owned(struct reply_state *repl
+ (permitted(reply->packet, pond->prohibit_list))) ||
+ ((pond->permit_list != NULL) &&
+ (!permitted(reply->packet, pond->permit_list))))
+- return (ISC_FALSE);
++ return (false);
+
+ iasubopt_reference(&reply->lease, tmp, MDL);
+- return (ISC_TRUE);
++ return (true);
+ }
+ }
+
+- return (ISC_FALSE);
++ return (false);
+ }
+
+ /*
+@@ -4914,7 +4914,7 @@ find_client_prefix(struct reply_state *r
+ */
+ if (((candidate_shared != NULL) &&
+ (candidate_shared != reply->shared)) ||
+- (lease6_usable(prefix) != ISC_TRUE))
++ (lease6_usable(prefix) != true))
+ continue;
+
+ /*
+@@ -5233,7 +5233,7 @@ reply_process_send_prefix(struct reply_s
+ goto cleanup;
+ }
+
+- reply->resources_included = ISC_TRUE;
++ reply->resources_included = true;
+
+ cleanup:
+ if (data.data != NULL)
+@@ -5383,8 +5383,8 @@ dhcpv6_request(struct data_string *reply
+
+ /* If the REQUEST arrived via unicast and unicast option isn't set,
+ * reject it per RFC 3315, Sec 18.2.1 */
+- if (packet->unicast == ISC_TRUE &&
+- is_unicast_option_defined(packet) == ISC_FALSE) {
++ if (packet->unicast == true &&
++ is_unicast_option_defined(packet) == false) {
+ unicast_reject(reply_ret, packet, &client_id, &server_id);
+ } else {
+ /*
+@@ -5505,7 +5505,7 @@ dhcpv6_confirm(struct data_string *reply
+ struct option_state *cli_enc_opt_state, *opt_state;
+ struct iaddr cli_addr;
+ int pass;
+- isc_boolean_t inappropriate, has_addrs;
++ bool inappropriate, has_addrs;
+ char reply_data[65536];
+ struct dhcpv6_packet *reply = (struct dhcpv6_packet *)reply_data;
+ int reply_ofs = (int)(offsetof(struct dhcpv6_packet, options));
+@@ -5556,7 +5556,7 @@ dhcpv6_confirm(struct data_string *reply
+ goto exit;
+
+ /* Are the addresses in all the IA's appropriate for that link? */
+- has_addrs = inappropriate = ISC_FALSE;
++ has_addrs = inappropriate = false;
+ pass = D6O_IA_NA;
+ while(!inappropriate) {
+ /* If we've reached the end of the IA_NA pass, move to the
+@@ -5602,7 +5602,7 @@ dhcpv6_confirm(struct data_string *reply
+ data_string_forget(&iaaddr, MDL);
+
+ /* Record that we've processed at least one address. */
+- has_addrs = ISC_TRUE;
++ has_addrs = true;
+
+ /* Find out if any subnets cover this address. */
+ for (subnet = shared->subnets ; subnet != NULL ;
+@@ -5621,7 +5621,7 @@ dhcpv6_confirm(struct data_string *reply
+ * continue searching.
+ */
+ if (subnet == NULL) {
+- inappropriate = ISC_TRUE;
++ inappropriate = true;
+ break;
+ }
+ }
+@@ -5719,8 +5719,8 @@ dhcpv6_renew(struct data_string *reply,
+
+ /* If the RENEW arrived via unicast and unicast option isn't set,
+ * reject it per RFC 3315, Sec 18.2.3 */
+- if (packet->unicast == ISC_TRUE &&
+- is_unicast_option_defined(packet) == ISC_FALSE) {
++ if (packet->unicast == true &&
++ is_unicast_option_defined(packet) == false) {
+ unicast_reject(reply, packet, &client_id, &server_id);
+ } else {
+ /*
+@@ -6142,8 +6142,8 @@ dhcpv6_decline(struct data_string *reply
+
+ /* If the DECLINE arrived via unicast and unicast option isn't set,
+ * reject it per RFC 3315, Sec 18.2.7 */
+- if (packet->unicast == ISC_TRUE &&
+- is_unicast_option_defined(packet) == ISC_FALSE) {
++ if (packet->unicast == true &&
++ is_unicast_option_defined(packet) == false) {
+ unicast_reject(reply, packet, &client_id, &server_id);
+ } else {
+ /*
+@@ -6597,8 +6597,8 @@ dhcpv6_release(struct data_string *reply
+
+ /* If the RELEASE arrived via unicast and unicast option isn't set,
+ * reject it per RFC 3315, Sec 18.2.6 */
+- if (packet->unicast == ISC_TRUE &&
+- is_unicast_option_defined(packet) == ISC_FALSE) {
++ if (packet->unicast == true &&
++ is_unicast_option_defined(packet) == false) {
+ unicast_reject(reply, packet, &client_id, &server_id);
+ } else {
+ /*
+@@ -6897,7 +6897,7 @@ dhcpv6_relay_forw(struct data_string *re
+ }
+ data_string_forget(&a_opt, MDL);
+
+- packet->relay_source_port = ISC_TRUE;
++ packet->relay_source_port = true;
+ }
+ #endif
+
+@@ -7219,7 +7219,7 @@ dhcp4o6_relay_forw(struct data_string *r
+ }
+ data_string_forget(&a_opt, MDL);
+
+- packet->relay_source_port = ISC_TRUE;
++ packet->relay_source_port = true;
+ }
+ #endif
+
+@@ -8036,35 +8036,35 @@ seek_shared_host(struct host_decl **hp,
+ host_reference(hp, seek, MDL);
+ }
+
+-static isc_boolean_t
++static bool
+ fixed_matches_shared(struct host_decl *host, struct shared_network *shared) {
+ struct subnet *subnet;
+ struct data_string addr;
+- isc_boolean_t matched;
++ bool matched;
+ struct iaddr fixed;
+
+ if (host->fixed_addr == NULL)
+- return ISC_FALSE;
++ return false;
+
+ memset(&addr, 0, sizeof(addr));
+ if (!evaluate_option_cache(&addr, NULL, NULL, NULL, NULL, NULL,
+ &global_scope, host->fixed_addr, MDL))
+- return ISC_FALSE;
++ return false;
+
+ if (addr.len < 16) {
+ data_string_forget(&addr, MDL);
+- return ISC_FALSE;
++ return false;
+ }
+
+ fixed.len = 16;
+ memcpy(fixed.iabuf, addr.data, 16);
+
+- matched = ISC_FALSE;
++ matched = false;
+ for (subnet = shared->subnets ; subnet != NULL ;
+ subnet = subnet->next_sibling) {
+ if (addr_eq(subnet_number(fixed, subnet->netmask),
+ subnet->net)) {
+- matched = ISC_TRUE;
++ matched = true;
+ break;
+ }
+ }
+@@ -8167,15 +8167,15 @@ unicast_reject(struct data_string *reply
+ * statements from the network's group outward into a local option cache.
+ * The option cache is then scanned for the presence of unicast option. If
+ * the packet cannot be mapped to a shared network, the function returns
+- * ISC_FALSE.
++ * false.
+ * \param packet inbound packet from the client
+ *
+- * \return ISC_TRUE if the dhcp6.unicast option is defined, false otherwise.
++ * \return true if the dhcp6.unicast option is defined, false otherwise.
+ *
+ */
+-isc_boolean_t
++bool
+ is_unicast_option_defined(struct packet *packet) {
+- isc_boolean_t is_defined = ISC_FALSE;
++ bool is_defined = false;
+ struct option_state *opt_state = NULL;
+ struct option_cache *oc = NULL;
+ struct shared_network *shared = NULL;
+@@ -8195,7 +8195,7 @@ is_unicast_option_defined(struct packet
+ * logic will catch it */
+ log_error("is_unicast_option_defined:"
+ "cannot attribute packet to a network.");
+- return (ISC_FALSE);
++ return (false);
+ }
+
+ /* Now that we've mapped it to a network, execute statments to that
+@@ -8205,7 +8205,7 @@ is_unicast_option_defined(struct packet
+ &global_scope, shared->group, NULL, NULL);
+
+ oc = lookup_option(&dhcpv6_universe, opt_state, D6O_UNICAST);
+- is_defined = (oc != NULL ? ISC_TRUE : ISC_FALSE);
++ is_defined = (oc != NULL ? true : false);
+ log_debug("is_unicast_option_defined: option found : %d", is_defined);
+
+ if (shared != NULL) {
+Index: dhcp-4.4.1/client/clparse.c
+===================================================================
+--- dhcp-4.4.1.orig/client/clparse.c
++++ dhcp-4.4.1/client/clparse.c
+@@ -1527,7 +1527,7 @@ parse_client6_lease_statement(struct par
+
+ case TOKEN_RELEASED:
+ case TOKEN_ABANDONED:
+- lease->released = ISC_TRUE;
++ lease->released = true;
+ break;
+
+ default:
+Index: dhcp-4.4.1/client/dhc6.c
+===================================================================
+--- dhcp-4.4.1.orig/client/dhc6.c
++++ dhcp-4.4.1/client/dhc6.c
+@@ -109,7 +109,7 @@ static isc_result_t dhc6_add_ia_pd(struc
+ u_int8_t message,
+ int wanted,
+ int *added);
+-static isc_boolean_t stopping_finished(void);
++static bool stopping_finished(void);
+ static void dhc6_merge_lease(struct dhc6_lease *src, struct dhc6_lease *dst);
+ void do_select6(void *input);
+ void do_refresh6(void *input);
+@@ -131,7 +131,7 @@ static void script_write_params6(struct
+ const char *prefix,
+ struct option_state *options);
+ static void script_write_requested6(struct client_state *client);
+-static isc_boolean_t active_prefix(struct client_state *client);
++static bool active_prefix(struct client_state *client);
+
+ static int check_timing6(struct client_state *client, u_int8_t msg_type,
+ char *msg_str, struct dhc6_lease *lease,
+@@ -149,7 +149,7 @@ static isc_result_t dhc6_add_ia_na_decli
+ struct data_string *packet,
+ struct dhc6_lease *lease);
+ static int drop_declined_addrs(struct dhc6_lease *lease);
+-static isc_boolean_t unexpired_address_in_lease(struct dhc6_lease *lease);
++static bool unexpired_address_in_lease(struct dhc6_lease *lease);
+
+ extern int onetry;
+ extern int stateless;
+@@ -418,14 +418,14 @@ valid_reply(struct packet *packet, struc
+ {
+ struct data_string sid, cid;
+ struct option_cache *oc;
+- int rval = ISC_TRUE;
++ int rval = true;
+
+ memset(&sid, 0, sizeof(sid));
+ memset(&cid, 0, sizeof(cid));
+
+ if (!lookup_option(&dhcpv6_universe, packet->options, D6O_SERVERID)) {
+ log_error("Response without a server identifier received.");
+- rval = ISC_FALSE;
++ rval = false;
+ }
+
+ oc = lookup_option(&dhcpv6_universe, packet->options, D6O_CLIENTID);
+@@ -434,7 +434,7 @@ valid_reply(struct packet *packet, struc
+ client->sent_options, &global_scope, oc,
+ MDL)) {
+ log_error("Response without a client identifier.");
+- rval = ISC_FALSE;
++ rval = false;
+ }
+
+ oc = lookup_option(&dhcpv6_universe, client->sent_options,
+@@ -444,7 +444,7 @@ valid_reply(struct packet *packet, struc
+ client->sent_options, NULL, &global_scope,
+ oc, MDL)) {
+ log_error("Local client identifier is missing!");
+- rval = ISC_FALSE;
++ rval = false;
+ }
+
+ if (sid.len == 0 ||
+@@ -452,7 +452,7 @@ valid_reply(struct packet *packet, struc
+ memcmp(sid.data, cid.data, sid.len)) {
+ log_error("Advertise with matching transaction ID, but "
+ "mismatching client id.");
+- rval = ISC_FALSE;
++ rval = false;
+ }
+
+ /* clean up pointers to the strings */
+@@ -2375,7 +2375,7 @@ start_release6(struct client_state *clie
+ /* Note this in the lease file. */
+ if (client->active_lease == NULL)
+ return;
+- client->active_lease->released = ISC_TRUE;
++ client->active_lease->released = true;
+ write_client6_lease(client, client->active_lease, 0, 1);
+
+ /* Set timers per RFC3315 section 18.1.6. */
+@@ -2612,7 +2612,7 @@ dhc6_check_advertise(struct dhc6_lease *
+ {
+ struct dhc6_ia *ia;
+ isc_result_t rval = ISC_R_SUCCESS;
+- int have_addrs = ISC_FALSE;
++ int have_addrs = false;
+ unsigned code;
+ const char *scope;
+ int got_na = 0, got_ta = 0, got_pd = 0;
+@@ -2650,14 +2650,14 @@ dhc6_check_advertise(struct dhc6_lease *
+ * Should we check the addr itself for usability?
+ */
+ if (ia->addrs != NULL) {
+- have_addrs = ISC_TRUE;
++ have_addrs = true;
+ }
+ }
+
+ /* If we didn't get some addrs or the user required us to
+ * get all of the requested IAs and we didn't return an error
+ */
+- if ((have_addrs != ISC_TRUE) ||
++ if ((have_addrs != true) ||
+ ((require_all_ias != 0) &&
+ ((got_na < wanted_ia_na) ||
+ (got_ta < wanted_ia_ta) ||
+@@ -2670,7 +2670,7 @@ dhc6_check_advertise(struct dhc6_lease *
+ /* status code <-> action matrix for the client in INIT state
+ * (rapid/commit). Returns always false as no action is defined.
+ */
+-static isc_boolean_t
++static bool
+ dhc6_init_action(struct client_state *client, isc_result_t *rvalp,
+ unsigned code)
+ {
+@@ -2679,21 +2679,21 @@ dhc6_init_action(struct client_state *cl
+
+ if (client == NULL) {
+ *rvalp = DHCP_R_INVALIDARG;
+- return ISC_FALSE;
++ return false;
+ }
+
+ if (*rvalp == ISC_R_SUCCESS)
+- return ISC_FALSE;
++ return false;
+
+ /* No possible action in any case... */
+- return ISC_FALSE;
++ return false;
+ }
+
+ /* status code <-> action matrix for the client in SELECT state
+ * (request/reply). Returns true if action was taken (and the
+ * packet should be ignored), or false if no action was taken.
+ */
+-static isc_boolean_t
++static bool
+ dhc6_select_action(struct client_state *client, isc_result_t *rvalp,
+ unsigned code)
+ {
+@@ -2705,12 +2705,12 @@ dhc6_select_action(struct client_state *
+
+ if (client == NULL) {
+ *rvalp = DHCP_R_INVALIDARG;
+- return ISC_FALSE;
++ return false;
+ }
+ rval = *rvalp;
+
+ if (rval == ISC_R_SUCCESS)
+- return ISC_FALSE;
++ return false;
+
+ switch (code) {
+ /* We may have an earlier failure status code (so no
+@@ -2723,7 +2723,7 @@ dhc6_select_action(struct client_state *
+ case STATUS_NoBinding:
+ case STATUS_UseMulticast:
+ /* Take no action. */
+- return ISC_FALSE;
++ return false;
+
+ /* If the server can't deal with us, either try the
+ * next advertised server, or continue retrying if there
+@@ -2739,7 +2739,7 @@ dhc6_select_action(struct client_state *
+
+ break;
+ } else /* Take no action - continue to retry. */
+- return ISC_FALSE;
++ return false;
+
+ /* If the server has no addresses, try other servers if
+ * we got some, otherwise go to INIT to hope for more
+@@ -2748,7 +2748,7 @@ dhc6_select_action(struct client_state *
+ case STATUS_NoAddrsAvail:
+ case STATUS_NoPrefixAvail:
+ if (client->state == S_REBOOTING)
+- return ISC_FALSE;
++ return false;
+
+ if (client->selected_lease == NULL)
+ log_fatal("Impossible case at %s:%d.", MDL);
+@@ -2794,7 +2794,7 @@ dhc6_select_action(struct client_state *
+ break;
+ }
+
+- return ISC_TRUE;
++ return true;
+ }
+
+ static void
+@@ -2821,7 +2821,7 @@ dhc6_withdraw_lease(struct client_state
+ * (request/reply). Returns true if action was taken (and the
+ * packet should be ignored), or false if no action was taken.
+ */
+-static isc_boolean_t
++static bool
+ dhc6_reply_action(struct client_state *client, isc_result_t *rvalp,
+ unsigned code)
+ {
+@@ -2832,12 +2832,12 @@ dhc6_reply_action(struct client_state *c
+
+ if (client == NULL) {
+ *rvalp = DHCP_R_INVALIDARG;
+- return ISC_FALSE;
++ return false;
+ }
+ rval = *rvalp;
+
+ if (rval == ISC_R_SUCCESS)
+- return ISC_FALSE;
++ return false;
+
+ switch (code) {
+ /* It's possible an earlier status code set rval to a failure
+@@ -2852,7 +2852,7 @@ dhc6_reply_action(struct client_state *c
+ case STATUS_UnspecFail:
+ /* For unknown codes...it's a soft (retryable) error. */
+ default:
+- return ISC_FALSE;
++ return false;
+
+ /* The server is telling us to use a multicast address, so
+ * we have to delete the unicast option from the active
+@@ -2865,7 +2865,7 @@ dhc6_reply_action(struct client_state *c
+ delete_option(&dhcp_universe,
+ client->active_lease->options,
+ D6O_UNICAST);
+- return ISC_FALSE;
++ return false;
+
+ /* "When the client receives a NotOnLink status from the
+ * server in response to a Request, the client can either
+@@ -2914,7 +2914,7 @@ dhc6_reply_action(struct client_state *c
+ break;
+ }
+
+- return ISC_TRUE;
++ return true;
+ }
+
+ /* status code <-> action matrix for the client in STOPPED state
+@@ -2922,7 +2922,7 @@ dhc6_reply_action(struct client_state *c
+ * packet should be ignored), or false if no action was taken.
+ * NoBinding is translated into Success.
+ */
+-static isc_boolean_t
++static bool
+ dhc6_stop_action(struct client_state *client, isc_result_t *rvalp,
+ unsigned code)
+ {
+@@ -2933,12 +2933,12 @@ dhc6_stop_action(struct client_state *cl
+
+ if (client == NULL) {
+ *rvalp = DHCP_R_INVALIDARG;
+- return ISC_FALSE;
++ return false;
+ }
+ rval = *rvalp;
+
+ if (rval == ISC_R_SUCCESS)
+- return ISC_FALSE;
++ return false;
+
+ switch (code) {
+ /* It's possible an earlier status code set rval to a failure
+@@ -2948,13 +2948,13 @@ dhc6_stop_action(struct client_state *cl
+ /* For unknown codes...it's a soft (retryable) error. */
+ case STATUS_UnspecFail:
+ default:
+- return ISC_FALSE;
++ return false;
+
+ /* NoBinding is not an error */
+ case STATUS_NoBinding:
+ if (rval == ISC_R_FAILURE)
+ *rvalp = ISC_R_SUCCESS;
+- return ISC_FALSE;
++ return false;
+
+ /* Should not happen */
+ case STATUS_NoAddrsAvail:
+@@ -2976,13 +2976,13 @@ dhc6_stop_action(struct client_state *cl
+ delete_option(&dhcp_universe,
+ client->active_lease->options,
+ D6O_UNICAST);
+- return ISC_FALSE;
++ return false;
+ }
+
+- return ISC_TRUE;
++ return true;
+ }
+
+-static isc_boolean_t
++static bool
+ dhc6_decline_action(struct client_state *client, isc_result_t *rvalp,
+ unsigned code)
+ {
+@@ -2993,12 +2993,12 @@ dhc6_decline_action(struct client_state
+
+ if (client == NULL) {
+ *rvalp = DHCP_R_INVALIDARG;
+- return ISC_FALSE;
++ return false;
+ }
+ rval = *rvalp;
+
+ if (rval == ISC_R_SUCCESS) {
+- return ISC_FALSE;
++ return false;
+ }
+
+ switch (code) {
+@@ -3013,13 +3013,13 @@ dhc6_decline_action(struct client_state
+ delete_option(&dhcp_universe,
+ client->active_lease->options,
+ D6O_UNICAST);
+- return ISC_FALSE;
++ return false;
+ default:
+ /* Anything else is basically meaningless */
+ break;
+ }
+
+- return ISC_TRUE;
++ return true;
+ }
+
+
+@@ -3029,14 +3029,14 @@ dhc6_decline_action(struct client_state
+ static isc_result_t
+ dhc6_check_reply(struct client_state *client, struct dhc6_lease *new)
+ {
+- isc_boolean_t (*action)(struct client_state *,
++ bool (*action)(struct client_state *,
+ isc_result_t *, unsigned);
+ struct dhc6_ia *ia;
+ isc_result_t rval = ISC_R_SUCCESS;
+ unsigned code;
+ const char *scope;
+ int nscore, sscore;
+- int have_addrs = ISC_FALSE;
++ int have_addrs = false;
+ int got_na = 0, got_ta = 0, got_pd = 0;
+
+ if ((client == NULL) || (new == NULL))
+@@ -3102,7 +3102,7 @@ dhc6_check_reply(struct client_state *cl
+ return ISC_R_CANCELED;
+
+ if (ia->addrs != NULL) {
+- have_addrs = ISC_TRUE;
++ have_addrs = true;
+ }
+ }
+
+@@ -3119,13 +3119,13 @@ dhc6_check_reply(struct client_state *cl
+ * check in and commented it as I eventually do want
+ * us to check for TAs as well. SAR
+ */
+- if ((have_addrs != ISC_TRUE) ||
++ if ((have_addrs != true) ||
+ ((require_all_ias != 0) &&
+ ((got_na < wanted_ia_na) ||
+ /*(got_ta < wanted_ia_ta) ||*/
+ (got_pd < wanted_ia_pd)))) {
+ rval = ISC_R_FAILURE;
+- if (action(client, &rval, STATUS_NoAddrsAvail) == ISC_TRUE) {
++ if (action(client, &rval, STATUS_NoAddrsAvail) == true) {
+ return ISC_R_CANCELED;
+ }
+ }
+@@ -4256,7 +4256,7 @@ dhc6_add_ia_pd(struct client_state *clie
+
+ /* stopping_finished() checks if there is a remaining work to do.
+ */
+-static isc_boolean_t
++static bool
+ stopping_finished(void)
+ {
+ struct interface_info *ip;
+@@ -4265,12 +4265,12 @@ stopping_finished(void)
+ for (ip = interfaces; ip; ip = ip -> next) {
+ for (client = ip -> client; client; client = client -> next) {
+ if (client->state != S_STOPPED)
+- return ISC_FALSE;
++ return false;
+ if (client->active_lease != NULL)
+- return ISC_FALSE;
++ return false;
+ }
+ }
+- return ISC_TRUE;
++ return true;
+ }
+
+ /* reply_handler() accepts a Reply while we're attempting Select or Renew or
+@@ -4474,8 +4474,8 @@ dhc6_check_times(struct client_state *cl
+ struct dhc6_addr *addr;
+ TIME renew=MAX_TIME, rebind=MAX_TIME, depref=MAX_TIME,
+ lo_expire=MAX_TIME, hi_expire=0, max_ia_starts = 0, tmp;
+- int has_addrs = ISC_FALSE;
+- int has_preferred_addrs = ISC_FALSE;
++ int has_addrs = false;
++ int has_preferred_addrs = false;
+ struct timeval tv;
+
+ lease = client->active_lease;
+@@ -4506,7 +4506,7 @@ dhc6_check_times(struct client_state *cl
+ depref = tmp;
+
+ if (!(addr->flags & DHC6_ADDR_EXPIRED)) {
+- has_preferred_addrs = ISC_TRUE;
++ has_preferred_addrs = true;
+ }
+ }
+
+@@ -4525,7 +4525,7 @@ dhc6_check_times(struct client_state *cl
+ if (tmp < this_ia_lo_expire)
+ this_ia_lo_expire = tmp;
+
+- has_addrs = ISC_TRUE;
++ has_addrs = true;
+ }
+ }
+
+@@ -4603,7 +4603,7 @@ dhc6_check_times(struct client_state *cl
+ * In the future, we may decide that we're done here, or to
+ * schedule a future request (using 4-pkt info-request model).
+ */
+- if (has_addrs == ISC_FALSE) {
++ if (has_addrs == false) {
+ dhc6_lease_destroy(&client->active_lease, MDL);
+ client->active_lease = NULL;
+
+@@ -4855,7 +4855,7 @@ start_bound(struct client_state *client)
+ "is selected.");
+ return;
+ }
+- lease->released = ISC_FALSE;
++ lease->released = false;
+ old = client->old_lease;
+
+ client->v6_handler = bound_handler;
+@@ -5448,8 +5448,8 @@ do_expire(void *input)
+ struct dhc6_lease *lease;
+ struct dhc6_ia *ia, **tia;
+ struct dhc6_addr *addr;
+- int has_addrs = ISC_FALSE;
+- int ia_has_addrs = ISC_FALSE;
++ int has_addrs = false;
++ int ia_has_addrs = false;
+
+ client = (struct client_state *)input;
+
+@@ -5458,7 +5458,7 @@ do_expire(void *input)
+ return;
+
+ for (ia = lease->bindings, tia = &lease->bindings; ia != NULL ; ) {
+- ia_has_addrs = ISC_FALSE;
++ ia_has_addrs = false;
+ for (addr = ia->addrs ; addr != NULL ; addr = addr->next) {
+ if (addr->flags & DHC6_ADDR_EXPIRED)
+ continue;
+@@ -5495,14 +5495,14 @@ do_expire(void *input)
+ continue;
+ }
+
+- ia_has_addrs = ISC_TRUE;
+- has_addrs = ISC_TRUE;
++ ia_has_addrs = true;
++ has_addrs = true;
+ }
+
+ /* Update to the next ia and git rid of this ia
+ * if it doesn't have any leases.
+ */
+- if (ia_has_addrs == ISC_TRUE) {
++ if (ia_has_addrs == true) {
+ /* leases, just advance the list pointer */
+ tia = &(*tia)->next;
+ } else {
+@@ -5517,7 +5517,7 @@ do_expire(void *input)
+ }
+
+ /* Clean up empty leases. */
+- if (has_addrs == ISC_FALSE) {
++ if (has_addrs == false) {
+ log_info("PRC: Bound lease is devoid of active addresses."
+ " Re-initializing.");
+
+@@ -5596,14 +5596,14 @@ dhc6_check_irt(struct client_state *clie
+ TIME expire = MAX_TIME;
+ struct timeval tv;
+ int i;
+- isc_boolean_t found = ISC_FALSE;
++ bool found = false;
+
+ cancel_timeout(refresh_info_request6, client);
+
+ req = client->config->requested_options;
+ for (i = 0; req[i] != NULL; i++) {
+ if (req[i] == irt_option) {
+- found = ISC_TRUE;
++ found = true;
+ break;
+ }
+ }
+@@ -5924,7 +5924,7 @@ static void script_write_requested6(clie
+ /*
+ * Check if there is something not fully defined in the active lease.
+ */
+-static isc_boolean_t
++static bool
+ active_prefix(struct client_state *client)
+ {
+ struct dhc6_lease *lease;
+@@ -5934,21 +5934,21 @@ active_prefix(struct client_state *clien
+
+ lease = client->active_lease;
+ if (lease == NULL)
+- return ISC_FALSE;
++ return false;
+ memset(zeros, 0, 16);
+ for (ia = lease->bindings; ia != NULL; ia = ia->next) {
+ if (ia->ia_type != D6O_IA_PD)
+ continue;
+ for (pref = ia->addrs; pref != NULL; pref = pref->next) {
+ if (pref->plen == 0)
+- return ISC_FALSE;
++ return false;
+ if (pref->address.len != 16)
+- return ISC_FALSE;
++ return false;
+ if (memcmp(pref->address.iabuf, zeros, 16) == 0)
+- return ISC_FALSE;
++ return false;
+ }
+ }
+- return ISC_TRUE;
++ return true;
+ }
+
+ /* Adds a leases's declined addreses to the outbound packet
+@@ -6111,26 +6111,26 @@ int drop_declined_addrs(struct dhc6_leas
+ /* Run through the addresses in lease and return true if there's any unexpired.
+ * Return false otherwise.
+ */
+-static isc_boolean_t
++static bool
+ unexpired_address_in_lease(struct dhc6_lease *lease)
+ {
+ struct dhc6_ia *ia;
+ struct dhc6_addr *addr;
+
+ if (lease == NULL) {
+- return ISC_FALSE;
++ return false;
+ }
+
+ for (ia = lease->bindings ; ia != NULL ; ia = ia->next) {
+ for (addr = ia->addrs ; addr != NULL ; addr = addr->next) {
+ if (!(addr->flags & DHC6_ADDR_EXPIRED) &&
+ (addr->starts + addr->max_life > cur_time)) {
+- return ISC_TRUE;
++ return true;
+ }
+ }
+ }
+
+ log_debug("PRC: Previous lease is devoid of active addresses.");
+- return ISC_FALSE;
++ return false;
+ }
+ #endif /* DHCPv6 */
+Index: dhcp-4.4.1/client/dhclient.c
+===================================================================
+--- dhcp-4.4.1.orig/client/dhclient.c
++++ dhcp-4.4.1/client/dhclient.c
+@@ -52,7 +52,7 @@ char *path_dhclient_script = path_dhclie
+ const char *path_dhclient_duid = NULL;
+
+ /* False (default) => we write and use a pid file */
+-isc_boolean_t no_pid_file = ISC_FALSE;
++bool no_pid_file = false;
+
+ int dhcp_max_agent_option_packet_length = 0;
+
+@@ -397,7 +397,7 @@ main(int argc, char **argv) {
+ path_dhclient_pid = argv[i];
+ no_dhclient_pid = 1;
+ } else if (!strcmp(argv[i], "--no-pid")) {
+- no_pid_file = ISC_TRUE;
++ no_pid_file = true;
+ } else if (!strcmp(argv[i], "-cf")) {
+ if (++i == argc)
+ usage(use_noarg, argv[i-1]);
+@@ -652,7 +652,7 @@ main(int argc, char **argv) {
+ * to write a pid file - we assume they are controlling
+ * the process in some other fashion.
+ */
+- if ((release_mode || exit_mode) && (no_pid_file == ISC_FALSE)) {
++ if ((release_mode || exit_mode) && (no_pid_file == false)) {
+ FILE *pidfd;
+ pid_t oldpid;
+ long temp;
+@@ -4469,7 +4469,7 @@ void write_client_pid_file ()
+ int pfdesc;
+
+ /* nothing to do if the user doesn't want a pid file */
+- if (no_pid_file == ISC_TRUE) {
++ if (no_pid_file == true) {
+ return;
+ }
+
+@@ -4727,7 +4727,7 @@ unsigned cons_agent_information_options
+ static void shutdown_exit (void *foo)
+ {
+ /* get rid of the pid if we can */
+- if (no_pid_file == ISC_FALSE)
++ if (no_pid_file == false)
+ (void) unlink(path_dhclient_pid);
+ finish(0);
+ }
+Index: dhcp-4.4.1/common/inet.c
+===================================================================
+--- dhcp-4.4.1.orig/common/inet.c
++++ dhcp-4.4.1/common/inet.c
+@@ -299,7 +299,7 @@ addr_and(struct iaddr *result, const str
+ *
+ * Because the final ".1" would get masked out by the /8.
+ */
+-isc_boolean_t
++bool
+ is_cidr_mask_valid(const struct iaddr *addr, int bits) {
+ int zero_bits;
+ int zero_bytes;
+@@ -311,10 +311,10 @@ is_cidr_mask_valid(const struct iaddr *a
+ * Check our bit boundaries.
+ */
+ if (bits < 0) {
+- return ISC_FALSE;
++ return false;
+ }
+ if (bits > (addr->len * 8)) {
+- return ISC_FALSE;
++ return false;
+ }
+
+ /*
+@@ -328,7 +328,7 @@ is_cidr_mask_valid(const struct iaddr *a
+ */
+ for (i=1; i<=zero_bytes; i++) {
+ if (addr->iabuf[addr->len-i] != 0) {
+- return ISC_FALSE;
++ return false;
+ }
+ }
+
+@@ -340,7 +340,7 @@ is_cidr_mask_valid(const struct iaddr *a
+ * happy.
+ */
+ shift_bits = zero_bits % 8;
+- if (shift_bits == 0) return ISC_TRUE;
++ if (shift_bits == 0) return true;
+ byte = addr->iabuf[addr->len-zero_bytes-1];
+ return (((byte >> shift_bits) << shift_bits) == byte);
+ }
+Index: dhcp-4.4.1/common/options.c
+===================================================================
+--- dhcp-4.4.1.orig/common/options.c
++++ dhcp-4.4.1/common/options.c
+@@ -676,7 +676,7 @@ cons_options(struct packet *inpacket, st
+ * the priority_list. This way we'll send it whether or not it
+ * is in the PRL. */
+ if ((inpacket != NULL) && (priority_len < PRIORITY_COUNT) &&
+- (inpacket->sv_echo_client_id == ISC_TRUE)) {
++ (inpacket->sv_echo_client_id == true)) {
+ priority_list[priority_len++] =
+ DHO_DHCP_CLIENT_IDENTIFIER;
+ }
+@@ -1802,7 +1802,7 @@ const char *pretty_print_option (option,
+ const unsigned char *dp = data;
+ char comma;
+ unsigned long tval;
+- isc_boolean_t a_array = ISC_FALSE;
++ bool a_array = false;
+ int len_used;
+
+ if (emit_commas)
+@@ -1828,7 +1828,7 @@ const char *pretty_print_option (option,
+ fmtbuf [l] = option -> format [i];
+ switch (option -> format [i]) {
+ case 'a':
+- a_array = ISC_TRUE;
++ a_array = true;
+ /* Fall through */
+ case 'A':
+ --numelem;
+@@ -1858,7 +1858,7 @@ const char *pretty_print_option (option,
+ hunksize++;
+ comma = ':';
+ numhunk = 0;
+- a_array = ISC_TRUE;
++ a_array = true;
+ hunkinc = 1;
+ }
+ fmtbuf [l + 1] = 0;
+@@ -1954,7 +1954,7 @@ const char *pretty_print_option (option,
+
+ /* If this is an array, compute its size. */
+ if (numhunk == 0) {
+- if (a_array == ISC_TRUE) {
++ if (a_array == true) {
+ /*
+ * It is an 'a' type array - we repeat the
+ * last format type. A binary string for 'X'
+@@ -2006,7 +2006,7 @@ const char *pretty_print_option (option,
+
+ /* Cycle through the array (or hunk) printing the data. */
+ for (i = 0; i < numhunk; i++) {
+- if ((a_array == ISC_TRUE) && (i != 0) && (numelem > 0)) {
++ if ((a_array == true) && (i != 0) && (numelem > 0)) {
+ /*
+ * For 'a' type of arrays we repeat
+ * only the last format character
+@@ -2734,7 +2734,7 @@ save_option(struct universe *universe, s
+ struct option_cache *oc)
+ {
+ if (universe->save_func)
+- (*universe->save_func)(universe, options, oc, ISC_FALSE);
++ (*universe->save_func)(universe, options, oc, true);
+ else
+ log_error("can't store options in %s space.", universe->name);
+ }
+@@ -2745,14 +2745,14 @@ also_save_option(struct universe *univer
+ struct option_cache *oc)
+ {
+ if (universe->save_func)
+- (*universe->save_func)(universe, options, oc, ISC_TRUE);
++ (*universe->save_func)(universe, options, oc, true);
+ else
+ log_error("can't store options in %s space.", universe->name);
+ }
+
+ void
+ save_hashed_option(struct universe *universe, struct option_state *options,
+- struct option_cache *oc, isc_boolean_t appendp)
++ struct option_cache *oc, bool appendp)
+ {
+ int hashix;
+ pair bptr;
+@@ -3062,7 +3062,7 @@ store_option(struct data_string *result,
+ cfg_options, scope, subu);
+ subu = NULL;
+ }
+- } while (ISC_FALSE);
++ } while (false);
+
+ status = append_option(result, universe, oc->option, &tmp);
+ data_string_forget(&tmp, MDL);
+@@ -3459,7 +3459,7 @@ lookup_fqdn6_option(struct universe *uni
+ */
+ void
+ save_fqdn6_option(struct universe *universe, struct option_state *options,
+- struct option_cache *oc, isc_boolean_t appendp)
++ struct option_cache *oc, bool appendp)
+ {
+ log_fatal("Impossible condition at %s:%d.", MDL);
+ }
+@@ -3784,7 +3784,7 @@ void hashed_option_space_foreach (struct
+
+ void
+ save_linked_option(struct universe *universe, struct option_state *options,
+- struct option_cache *oc, isc_boolean_t appendp)
++ struct option_cache *oc, bool appendp)
+ {
+ pair *tail;
+ struct option_chain_head *head;
+@@ -4073,7 +4073,7 @@ packet6_len_okay(const char *packet, int
+ void
+ do_packet6(struct interface_info *interface, const char *packet,
+ int len, int from_port, const struct iaddr *from,
+- isc_boolean_t was_unicast) {
++ bool was_unicast) {
+ unsigned char msg_type;
+ const struct dhcpv6_packet *msg;
+ const struct dhcpv6_relay_packet *relay;
+Index: dhcp-4.4.1/common/parse.c
+===================================================================
+--- dhcp-4.4.1.orig/common/parse.c
++++ dhcp-4.4.1/common/parse.c
+@@ -4952,7 +4952,7 @@ int parse_option_token (rv, cfile, fmt,
+ unsigned len;
+ struct iaddr addr;
+ int compress;
+- isc_boolean_t freeval = ISC_FALSE;
++ bool freeval = false;
+ const char *f, *g;
+ struct enumeration_value *e;
+
+@@ -5038,7 +5038,7 @@ int parse_option_token (rv, cfile, fmt,
+ return 0;
+ }
+ len = strlen (val);
+- freeval = ISC_TRUE;
++ freeval = true;
+ goto make_string;
+
+ case 't': /* Text string... */
+@@ -5055,9 +5055,9 @@ int parse_option_token (rv, cfile, fmt,
+ if (!make_const_data (&t, (const unsigned char *)val,
+ len, 1, 1, MDL))
+ log_fatal ("No memory for concatenation");
+- if (freeval == ISC_TRUE) {
++ if (freeval == true) {
+ dfree((char *)val, MDL);
+- freeval = ISC_FALSE;
++ freeval = false;
+ POST(freeval);
+ }
+ break;
+Index: dhcp-4.4.1/omapip/dispatch.c
+===================================================================
+--- dhcp-4.4.1.orig/omapip/dispatch.c
++++ dhcp-4.4.1/omapip/dispatch.c
+@@ -156,7 +156,7 @@ omapi_iscsock_cb(isc_task_t *task,
+ * This should be a temporary fix until we arrange to properly
+ * close the socket.
+ */
+- if (obj->closed == ISC_TRUE) {
++ if (obj->closed == true) {
+ return(0);
+ }
+ #endif
+@@ -223,7 +223,7 @@ isc_result_t omapi_register_io_object (o
+ status = omapi_io_allocate (&obj, MDL);
+ if (status != ISC_R_SUCCESS)
+ return status;
+- obj->closed = ISC_FALSE; /* mark as open */
++ obj->closed = false; /* mark as open */
+
+ status = omapi_object_reference (&obj -> inner, h, MDL);
+ if (status != ISC_R_SUCCESS) {
+@@ -404,7 +404,7 @@ isc_result_t omapi_unregister_io_object
+ isc_socket_detach(&obj->fd);
+ }
+ #else
+- obj->closed = ISC_TRUE;
++ obj->closed = true;
+ #endif
+
+ omapi_io_dereference (&ph, MDL);
+Index: dhcp-4.4.1/omapip/isclib.c
+===================================================================
+--- dhcp-4.4.1.orig/omapip/isclib.c
++++ dhcp-4.4.1/omapip/isclib.c
+@@ -106,9 +106,9 @@ isclib_cleanup(void)
+ if (dhcp_gbl_ctx.taskmgr != NULL)
+ isc_taskmgr_destroy(&dhcp_gbl_ctx.taskmgr);
+
+- if (dhcp_gbl_ctx.actx_started != ISC_FALSE) {
++ if (dhcp_gbl_ctx.actx_started != false) {
+ isc_app_ctxfinish(dhcp_gbl_ctx.actx);
+- dhcp_gbl_ctx.actx_started = ISC_FALSE;
++ dhcp_gbl_ctx.actx_started = false;
+ }
+
+ if (dhcp_gbl_ctx.actx != NULL)
+@@ -211,7 +211,7 @@ dhcp_context_create(int flags,
+ result = isc_app_ctxstart(dhcp_gbl_ctx.actx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+- dhcp_gbl_ctx.actx_started = ISC_TRUE;
++ dhcp_gbl_ctx.actx_started = true;
+
+ /* Not all OSs support suppressing SIGPIPE through socket
+ * options, so set the sigal action to be ignore. This allows
+Index: dhcp-4.4.1/omapip/protocol.c
+===================================================================
+--- dhcp-4.4.1.orig/omapip/protocol.c
++++ dhcp-4.4.1/omapip/protocol.c
+@@ -950,14 +950,14 @@ isc_result_t omapi_protocol_stuff_values
+ /* Returns a boolean indicating whether this protocol requires that
+ messages be authenticated or not. */
+
+-isc_boolean_t omapi_protocol_authenticated (omapi_object_t *h)
++bool omapi_protocol_authenticated (omapi_object_t *h)
+ {
+ if (h -> type != omapi_type_protocol)
+- return isc_boolean_false;
++ return false;
+ if (((omapi_protocol_object_t *)h) -> insecure)
+- return isc_boolean_false;
++ return false;
+ else
+- return isc_boolean_true;
++ return true;
+ }
+
+ /* Sets the address and authenticator verification callbacks. The handle
+Index: dhcp-4.4.1/relay/dhcrelay.c
+===================================================================
+--- dhcp-4.4.1.orig/relay/dhcrelay.c
++++ dhcp-4.4.1/relay/dhcrelay.c
+@@ -45,9 +45,9 @@ char *token_line;
+ char *tlname;
+
+ const char *path_dhcrelay_pid = _PATH_DHCRELAY_PID;
+-isc_boolean_t no_dhcrelay_pid = ISC_FALSE;
++bool no_dhcrelay_pid = false;
+ /* False (default) => we write and use a pid file */
+-isc_boolean_t no_pid_file = ISC_FALSE;
++bool no_pid_file = false;
+
+ int bogus_agent_drops = 0; /* Packets dropped because agent option
+ field was specified and we're not relaying
+@@ -82,7 +82,7 @@ int dfd[2] = { -1, -1 };
+
+ #ifdef DHCPv6
+ /* Force use of DHCPv6 interface-id option. */
+-isc_boolean_t use_if_id = ISC_FALSE;
++bool use_if_id = false;
+ #endif
+
+ /* Maximum size of a packet with agent options added. */
+@@ -556,7 +556,7 @@ main(int argc, char **argv) {
+ }
+ local_family_set = 1;
+ local_family = AF_INET6;
+- use_if_id = ISC_TRUE;
++ use_if_id = true;
+ } else if (!strcmp(argv[i], "-l")) {
+ if (local_family_set && (local_family == AF_INET)) {
+ usage(use_v6command, argv[i]);
+@@ -564,7 +564,7 @@ main(int argc, char **argv) {
+ local_family_set = 1;
+ local_family = AF_INET6;
+ if (downstreams != NULL)
+- use_if_id = ISC_TRUE;
++ use_if_id = true;
+ if (++i == argc)
+ usage(use_noarg, argv[i-1]);
+ sl = parse_downstream(argv[i]);
+@@ -595,9 +595,9 @@ main(int argc, char **argv) {
+ if (++i == argc)
+ usage(use_noarg, argv[i-1]);
+ path_dhcrelay_pid = argv[i];
+- no_dhcrelay_pid = ISC_TRUE;
++ no_dhcrelay_pid = true;
+ } else if (!strcmp(argv[i], "--no-pid")) {
+- no_pid_file = ISC_TRUE;
++ no_pid_file = true;
+ } else if (argv[i][0] == '-') {
+ usage("Unknown command: %s", argv[i]);
+ } else {
+@@ -645,7 +645,7 @@ main(int argc, char **argv) {
+ * If the user didn't specify a pid file directly
+ * find one from environment variables or defaults
+ */
+- if (no_dhcrelay_pid == ISC_FALSE) {
++ if (no_dhcrelay_pid == false) {
+ if (local_family == AF_INET) {
+ path_dhcrelay_pid = getenv("PATH_DHCRELAY_PID");
+ if (path_dhcrelay_pid == NULL)
+@@ -774,7 +774,7 @@ main(int argc, char **argv) {
+ }
+
+ /* Create the pid file. */
+- if (no_pid_file == ISC_FALSE) {
++ if (no_pid_file == false) {
+ pfdesc = open(path_dhcrelay_pid,
+ O_CREAT | O_TRUNC | O_WRONLY, 0644);
+
+@@ -1569,7 +1569,7 @@ static void
+ setup_streams(void) {
+ struct stream_list *dp, *up;
+ int i;
+- isc_boolean_t link_is_set;
++ bool link_is_set;
+
+ for (dp = downstreams; dp; dp = dp->next) {
+ /* Check interface */
+@@ -1579,9 +1579,9 @@ setup_streams(void) {
+
+ /* Check/set link. */
+ if (IN6_IS_ADDR_UNSPECIFIED(&dp->link.sin6_addr))
+- link_is_set = ISC_FALSE;
++ link_is_set = false;
+ else
+- link_is_set = ISC_TRUE;
++ link_is_set = true;
+ for (i = 0; i < dp->ifp->v6address_count; i++) {
+ if (IN6_IS_ADDR_LINKLOCAL(&dp->ifp->v6addresses[i]))
+ continue;
+@@ -2076,7 +2076,7 @@ dhcp_set_control_state(control_object_st
+ if (newstate != server_shutdown)
+ return ISC_R_SUCCESS;
+
+- if (no_pid_file == ISC_FALSE)
++ if (no_pid_file == false)
+ (void) unlink(path_dhcrelay_pid);
+
+ if (!no_daemon && dfd[0] != -1 && dfd[1] != -1) {
+Index: dhcp-4.4.1/server/dhcp.c
+===================================================================
+--- dhcp-4.4.1.orig/server/dhcp.c
++++ dhcp-4.4.1/server/dhcp.c
+@@ -225,7 +225,7 @@ dhcp (struct packet *packet) {
+ packet->options->universe_count =
+ agent_universe.index + 1;
+
+- packet->agent_options_stashed = ISC_TRUE;
++ packet->agent_options_stashed = true;
+ }
+ nolease:
+
+@@ -1094,7 +1094,7 @@ void dhcpinform (packet, ms_nulltp)
+ int nulltp;
+ struct sockaddr_in to;
+ struct in_addr from;
+- isc_boolean_t zeroed_ciaddr;
++ bool zeroed_ciaddr;
+ struct interface_info *interface;
+ int result, h_m_client_ip = 0;
+ struct host_decl *host = NULL, *hp = NULL, *h;
+@@ -1109,7 +1109,7 @@ void dhcpinform (packet, ms_nulltp)
+ it's common for clients not to do this, so we'll use their IP
+ source address if they didn't set ciaddr. */
+ if (!packet->raw->ciaddr.s_addr) {
+- zeroed_ciaddr = ISC_TRUE;
++ zeroed_ciaddr = true;
+ /* With DHCPv4-over-DHCPv6 it can be an IPv6 address
+ so we check its length. */
+ if (packet->client_addr.len == 4) {
+@@ -1122,7 +1122,7 @@ void dhcpinform (packet, ms_nulltp)
+ addr_type = "v4o6";
+ }
+ } else {
+- zeroed_ciaddr = ISC_FALSE;
++ zeroed_ciaddr = false;
+ cip.len = 4;
+ memcpy(cip.iabuf, &packet->raw->ciaddr, 4);
+ addr_type = "client";
+@@ -1133,7 +1133,7 @@ void dhcpinform (packet, ms_nulltp)
+ if (packet->raw->giaddr.s_addr) {
+ gip.len = 4;
+ memcpy(gip.iabuf, &packet->raw->giaddr, 4);
+- if (zeroed_ciaddr == ISC_TRUE) {
++ if (zeroed_ciaddr == true) {
+ addr_type = "relay";
+ memcpy(sip.iabuf, gip.iabuf, 4);
+ }
+@@ -1207,7 +1207,7 @@ void dhcpinform (packet, ms_nulltp)
+ save_option(&dhcp_universe, options, noc);
+ option_cache_dereference(&noc, MDL);
+
+- if ((zeroed_ciaddr == ISC_TRUE) && (gip.len != 0))
++ if ((zeroed_ciaddr == true) && (gip.len != 0))
+ addr_type = "relay link select";
+ else
+ addr_type = "selected";
+@@ -1261,7 +1261,7 @@ void dhcpinform (packet, ms_nulltp)
+ NULL, NULL);
+
+ /* If we have ciaddr, find its lease so we can find its pool. */
+- if (zeroed_ciaddr == ISC_FALSE) {
++ if (zeroed_ciaddr == false) {
+ struct lease* cip_lease = NULL;
+
+ find_lease_by_ip_addr (&cip_lease, cip, MDL);
+@@ -2036,7 +2036,7 @@ void echo_client_id(packet, lease, in_op
+ unsigned int opcode = DHO_DHCP_CLIENT_IDENTIFIER;
+
+ /* Save knowledge that echo is enabled to the packet */
+- packet->sv_echo_client_id = ISC_TRUE;
++ packet->sv_echo_client_id = true;
+
+ /* Now see if inbound packet contains client-id */
+ oc = lookup_option(&dhcp_universe, packet->options, opcode);
+@@ -2187,7 +2187,7 @@ void ack_lease (packet, lease, offer, wh
+ struct iaddr cip;
+ #if defined(DELAYED_ACK)
+ /* By default we don't do the enqueue */
+- isc_boolean_t enqueue = ISC_FALSE;
++ bool enqueue = false;
+ #endif
+ int use_old_lease = 0;
+
+@@ -3217,7 +3217,7 @@ void ack_lease (packet, lease, offer, wh
+ * can just answer right away, set a flag to indicate this.
+ */
+ if (commit)
+- enqueue = ISC_TRUE;
++ enqueue = true;
+
+ /* Install the new information on 'lt' onto the lease at
+ * 'lease'. We will not 'commit' this information to disk
+@@ -4234,7 +4234,7 @@ int find_lease (struct lease **lp,
+ * preference, so the first one is the best one.
+ */
+ while (uid_lease) {
+- isc_boolean_t do_release = !packet->raw->ciaddr.s_addr;
++ bool do_release = !packet->raw->ciaddr.s_addr;
+ #if defined (DEBUG_FIND_LEASE)
+ log_info ("trying next lease matching client id: %s",
+ piaddr (uid_lease -> ip_addr));
+@@ -4267,7 +4267,7 @@ int find_lease (struct lease **lp,
+ #endif
+ /* Allow multiple leases using the same UID
+ on different subnetworks. */
+- do_release = ISC_FALSE;
++ do_release = false;
+ goto n_uid;
+ }
+
+@@ -5331,7 +5331,7 @@ get_server_source_address(struct in_addr
+ struct option_cache *oc = NULL;
+ struct data_string d;
+ struct in_addr *a = NULL;
+- isc_boolean_t found = ISC_FALSE;
++ bool found = false;
+ int allocate = 0;
+
+ memset(&d, 0, sizeof(d));
+@@ -5344,7 +5344,7 @@ get_server_source_address(struct in_addr
+ packet->options, options,
+ &global_scope, oc, MDL)) {
+ if (d.len == sizeof(*from)) {
+- found = ISC_TRUE;
++ found = true;
+ memcpy(from, d.data, sizeof(*from));
+
+ /*
+@@ -5362,7 +5362,7 @@ get_server_source_address(struct in_addr
+ oc = NULL;
+ }
+
+- if ((found == ISC_FALSE) &&
++ if ((found == false) &&
+ (packet->interface->address_count > 0)) {
+ *from = packet->interface->addresses[0];
+
+Index: dhcp-4.4.1/server/failover.c
+===================================================================
+--- dhcp-4.4.1.orig/server/failover.c
++++ dhcp-4.4.1/server/failover.c
+@@ -45,7 +45,7 @@ static isc_result_t failover_message_der
+ static void dhcp_failover_pool_balance(dhcp_failover_state_t *state);
+ static void dhcp_failover_pool_reqbalance(dhcp_failover_state_t *state);
+ static int dhcp_failover_pool_dobalance(dhcp_failover_state_t *state,
+- isc_boolean_t *sendreq);
++ bool *sendreq);
+ static inline int secondary_not_hoarding(dhcp_failover_state_t *state,
+ struct pool *p);
+ static void scrub_lease(struct lease* lease, const char *file, int line);
+@@ -2464,7 +2464,7 @@ void
+ dhcp_failover_pool_rebalance(void *failover_state)
+ {
+ dhcp_failover_state_t *state;
+- isc_boolean_t sendreq = ISC_FALSE;
++ bool sendreq = false;
+
+ state = (dhcp_failover_state_t *)failover_state;
+
+@@ -2512,7 +2512,7 @@ dhcp_failover_pool_reqbalance(dhcp_failo
+ */
+ static int
+ dhcp_failover_pool_dobalance(dhcp_failover_state_t *state,
+- isc_boolean_t *sendreq)
++ bool *sendreq)
+ {
+ int lts, total, thresh, hold, panic, pass;
+ int leases_queued = 0;
+@@ -2581,7 +2581,7 @@ dhcp_failover_pool_dobalance(dhcp_failov
+
+ if ((sendreq != NULL) && (lts < panic)) {
+ reqlog = " (requesting peer rebalance!)";
+- *sendreq = ISC_TRUE;
++ *sendreq = true;
+ } else
+ reqlog = "";
+
+@@ -5111,7 +5111,7 @@ isc_result_t dhcp_failover_send_update_d
+ * a more detailed system of preferences is required, so this is something we
+ * should monitor as we gain experience with these dueling events.
+ */
+-static isc_boolean_t
++static bool
+ failover_lease_is_better(dhcp_failover_state_t *state, struct lease *lease,
+ failover_message_t *msg)
+ {
+@@ -5132,15 +5132,15 @@ failover_lease_is_better(dhcp_failover_s
+ case FTS_ACTIVE:
+ if (msg->binding_status == FTS_ACTIVE) {
+ if (msg_cltt < lease->cltt)
+- return ISC_TRUE;
++ return true;
+ else if (msg_cltt > lease->cltt)
+- return ISC_FALSE;
++ return false;
+ else if (state->i_am == primary)
+- return ISC_TRUE;
++ return true;
+ else
+- return ISC_FALSE;
++ return false;
+ } else if (msg->binding_status == FTS_EXPIRED) {
+- return ISC_FALSE;
++ return false;
+ }
+ /* FALL THROUGH */
+
+@@ -5151,11 +5151,11 @@ failover_lease_is_better(dhcp_failover_s
+ case FTS_ABANDONED:
+ case FTS_RESET:
+ if (msg->binding_status == FTS_ACTIVE)
+- return ISC_FALSE;
++ return false;
+ else if (state->i_am == primary)
+- return ISC_TRUE;
++ return true;
+ else
+- return ISC_FALSE;
++ return false;
+ /* FALL THROUGH to impossible condition */
+
+ default:
+@@ -5164,7 +5164,7 @@ failover_lease_is_better(dhcp_failover_s
+
+ log_fatal("Impossible condition at %s:%d.", MDL);
+ /* Silence compiler warning. */
+- return ISC_FALSE;
++ return false;
+ }
+
+ isc_result_t dhcp_failover_process_bind_update (dhcp_failover_state_t *state,
+@@ -5177,8 +5177,8 @@ isc_result_t dhcp_failover_process_bind_
+ int new_binding_state;
+ int send_to_backup = 0;
+ int required_options;
+- isc_boolean_t chaddr_changed = ISC_FALSE;
+- isc_boolean_t ident_changed = ISC_FALSE;
++ bool chaddr_changed = false;
++ bool ident_changed = false;
+
+ /* Validate the binding update. */
+ required_options = FTB_ASSIGNED_IP_ADDRESS | FTB_BINDING_STATUS;
+@@ -5250,7 +5250,7 @@ isc_result_t dhcp_failover_process_bind_
+ if ((lt->hardware_addr.hlen != msg->chaddr.count) ||
+ (memcmp(lt->hardware_addr.hbuf, msg->chaddr.data,
+ msg->chaddr.count) != 0))
+- chaddr_changed = ISC_TRUE;
++ chaddr_changed = true;
+
+ lt -> hardware_addr.hlen = msg -> chaddr.count;
+ memcpy (lt -> hardware_addr.hbuf, msg -> chaddr.data,
+@@ -5262,7 +5262,7 @@ isc_result_t dhcp_failover_process_bind_
+ reason = FTR_MISSING_BINDINFO;
+ goto bad;
+ } else if (msg->binding_status == FTS_ABANDONED) {
+- chaddr_changed = ISC_TRUE;
++ chaddr_changed = true;
+ lt->hardware_addr.hlen = 0;
+ if (lt->scope)
+ binding_scope_dereference(<->scope, MDL);
+@@ -5282,7 +5282,7 @@ isc_result_t dhcp_failover_process_bind_
+ (lt->uid == NULL) || /* Sanity; should never happen. */
+ (memcmp(lt->uid, msg->client_identifier.data,
+ lt->uid_len) != 0))
+- ident_changed = ISC_TRUE;
++ ident_changed = true;
+
+ lt->uid_len = msg->client_identifier.count;
+
+@@ -5312,7 +5312,7 @@ isc_result_t dhcp_failover_process_bind_
+ } else if (lt->uid && msg->binding_status != FTS_RESET &&
+ msg->binding_status != FTS_FREE &&
+ msg->binding_status != FTS_BACKUP) {
+- ident_changed = ISC_TRUE;
++ ident_changed = true;
+ if (lt->uid != lt->uid_buf)
+ dfree (lt->uid, MDL);
+ lt->uid = NULL;
+@@ -5347,7 +5347,7 @@ isc_result_t dhcp_failover_process_bind_
+ if (msg->binding_status == FTS_ACTIVE &&
+ (chaddr_changed || ident_changed)) {
+ #if defined (NSUPDATE)
+- (void) ddns_removals(lease, NULL, NULL, ISC_FALSE);
++ (void) ddns_removals(lease, NULL, NULL, false);
+ #endif /* NSUPDATE */
+
+ if (lease->scope != NULL)
+@@ -5534,7 +5534,7 @@ isc_result_t dhcp_failover_process_bind_
+ struct iaddr ia;
+ const char *message = "no memory";
+ u_int32_t pot_expire;
+- int send_to_backup = ISC_FALSE;
++ int send_to_backup = false;
+ struct timeval tv;
+
+ ia.len = sizeof msg -> assigned_addr;
+@@ -5621,7 +5621,7 @@ isc_result_t dhcp_failover_process_bind_
+ if (state->i_am == primary &&
+ !(lease->flags & (RESERVED_LEASE | BOOTP_LEASE)) &&
+ peer_wants_lease(lease))
+- send_to_backup = ISC_TRUE;
++ send_to_backup = true;
+
+ if (!send_to_backup && state->me.state == normal)
+ commit_leases();
+Index: dhcp-4.4.1/server/dhcpd.c
+===================================================================
+--- dhcp-4.4.1.orig/server/dhcpd.c
++++ dhcp-4.4.1/server/dhcpd.c
+@@ -98,7 +98,7 @@ const char *path_dhcpd_conf = _PATH_DHCP
+ const char *path_dhcpd_db = _PATH_DHCPD_DB;
+ const char *path_dhcpd_pid = _PATH_DHCPD_PID;
+ /* False (default) => we write and use a pid file */
+-isc_boolean_t no_pid_file = ISC_FALSE;
++bool no_pid_file = false;
+
+ int dhcp_max_agent_option_packet_length = DHCP_MTU_MAX;
+
+@@ -476,7 +476,7 @@ main(int argc, char **argv) {
+ path_dhcpd_pid = argv [i];
+ have_dhcpd_pid = 1;
+ } else if (!strcmp(argv[i], "--no-pid")) {
+- no_pid_file = ISC_TRUE;
++ no_pid_file = true;
+ } else if (!strcmp (argv [i], "-t")) {
+ /* test configurations only */
+ #ifndef DEBUG
+@@ -863,7 +863,7 @@ main(int argc, char **argv) {
+ * - we don't have a pid file to check
+ * - there is no other process running
+ */
+- if ((lftest == 0) && (no_pid_file == ISC_FALSE)) {
++ if ((lftest == 0) && (no_pid_file == false)) {
+ /*Read previous pid file. */
+ if ((i = open(path_dhcpd_pid, O_RDONLY)) >= 0) {
+ status = read(i, pbuf, (sizeof pbuf) - 1);
+@@ -974,7 +974,7 @@ main(int argc, char **argv) {
+ * that we have forked we can write our pid if
+ * appropriate.
+ */
+- if (no_pid_file == ISC_FALSE) {
++ if (no_pid_file == false) {
+ i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC, 0644);
+ if (i >= 0) {
+ sprintf(pbuf, "%d\n", (int) getpid());
+@@ -1730,7 +1730,7 @@ static isc_result_t dhcp_io_shutdown_cou
+ free_everything ();
+ omapi_print_dmalloc_usage_by_caller ();
+ #endif
+- if (no_pid_file == ISC_FALSE)
++ if (no_pid_file == false)
+ (void) unlink(path_dhcpd_pid);
+ exit (0);
+ }
+@@ -1741,7 +1741,7 @@ static isc_result_t dhcp_io_shutdown_cou
+ free_everything ();
+ omapi_print_dmalloc_usage_by_caller ();
+ #endif
+- if (no_pid_file == ISC_FALSE)
++ if (no_pid_file == false)
+ (void) unlink(path_dhcpd_pid);
+ exit (0);
+ }
+@@ -1750,7 +1750,7 @@ static isc_result_t dhcp_io_shutdown_cou
+ #if defined(FAILOVER_PROTOCOL)
+ !failover_connection_count &&
+ #endif
+- ISC_TRUE) {
++ true) {
+ shutdown_state = shutdown_done;
+ shutdown_time = cur_time;
+ goto oncemore;
+Index: dhcp-4.4.1/server/mdb6.c
+===================================================================
+--- dhcp-4.4.1.orig/server/mdb6.c
++++ dhcp-4.4.1/server/mdb6.c
+@@ -514,10 +514,10 @@ ia_remove_all_lease(struct ia_xx *ia, co
+ /*
+ * Compare two IA.
+ */
+-isc_boolean_t
++bool
+ ia_equal(const struct ia_xx *a, const struct ia_xx *b)
+ {
+- isc_boolean_t found;
++ bool found;
+ int i, j;
+
+ /*
+@@ -525,9 +525,9 @@ ia_equal(const struct ia_xx *a, const st
+ */
+ if (a == NULL) {
+ if (b == NULL) {
+- return ISC_TRUE;
++ return true;
+ } else {
+- return ISC_FALSE;
++ return false;
+ }
+ }
+
+@@ -535,58 +535,58 @@ ia_equal(const struct ia_xx *a, const st
+ * Check the type is the same.
+ */
+ if (a->ia_type != b->ia_type) {
+- return ISC_FALSE;
++ return false;
+ }
+
+ /*
+ * Check the DUID is the same.
+ */
+ if (a->iaid_duid.len != b->iaid_duid.len) {
+- return ISC_FALSE;
++ return false;
+ }
+ if (memcmp(a->iaid_duid.data,
+ b->iaid_duid.data, a->iaid_duid.len) != 0) {
+- return ISC_FALSE;
++ return false;
+ }
+
+ /*
+ * Make sure we have the same number of addresses/prefixes in each.
+ */
+ if (a->num_iasubopt != b->num_iasubopt) {
+- return ISC_FALSE;
++ return false;
+ }
+
+ /*
+ * Check that each address/prefix is present in both.
+ */
+ for (i=0; i<a->num_iasubopt; i++) {
+- found = ISC_FALSE;
++ found = false;
+ for (j=0; j<a->num_iasubopt; j++) {
+ if (a->iasubopt[i]->plen != b->iasubopt[i]->plen)
+ continue;
+ if (memcmp(&(a->iasubopt[i]->addr),
+ &(b->iasubopt[j]->addr),
+ sizeof(struct in6_addr)) == 0) {
+- found = ISC_TRUE;
++ found = true;
+ break;
+ }
+ }
+ if (!found) {
+- return ISC_FALSE;
++ return false;
+ }
+ }
+
+ /*
+ * These are the same in every way we care about.
+ */
+- return ISC_TRUE;
++ return true;
+ }
+
+ /*
+ * Helper function for lease heaps.
+ * Makes the top of the heap the oldest lease.
+ */
+-static isc_boolean_t
++static bool
+ lease_older(void *a, void *b) {
+ struct iasubopt *la = (struct iasubopt *)a;
+ struct iasubopt *lb = (struct iasubopt *)b;
+@@ -1038,8 +1038,8 @@ create_lease6(struct ipv6_pool *pool, st
+ struct data_string new_ds;
+ struct iasubopt *iaaddr;
+ isc_result_t result;
+- isc_boolean_t reserved_iid;
+- static isc_boolean_t init_resiid = ISC_FALSE;
++ bool reserved_iid;
++ static bool init_resiid = false;
+
+ /*
+ * Fill the reserved IIDs.
+@@ -1049,7 +1049,7 @@ create_lease6(struct ipv6_pool *pool, st
+ memset(&resany, 0, 8);
+ resany.s6_addr[8] = 0xfd;
+ memset(&resany.s6_addr[9], 0xff, 6);
+- init_resiid = ISC_TRUE;
++ init_resiid = true;
+ }
+
+ /*
+@@ -1094,14 +1094,14 @@ create_lease6(struct ipv6_pool *pool, st
+ /*
+ * Avoid reserved interface IDs. (cf. RFC 5453)
+ */
+- reserved_iid = ISC_FALSE;
++ reserved_iid = false;
+ if (memcmp(&tmp.s6_addr[8], &rtany.s6_addr[8], 8) == 0) {
+- reserved_iid = ISC_TRUE;
++ reserved_iid = true;
+ }
+ if (!reserved_iid &&
+ (memcmp(&tmp.s6_addr[8], &resany.s6_addr[8], 7) == 0) &&
+ ((tmp.s6_addr[15] & 0x80) == 0x80)) {
+- reserved_iid = ISC_TRUE;
++ reserved_iid = true;
+ }
+
+ /*
+@@ -1177,7 +1177,7 @@ create_lease6_eui_64(struct ipv6_pool *p
+ struct iasubopt *test_iaaddr;
+ struct iasubopt *iaaddr;
+ isc_result_t result;
+- static isc_boolean_t init_resiid = ISC_FALSE;
++ static bool init_resiid = false;
+
+ /* Fill the reserved IIDs. */
+ if (!init_resiid) {
+@@ -1185,7 +1185,7 @@ create_lease6_eui_64(struct ipv6_pool *p
+ memset(&resany, 0, 8);
+ resany.s6_addr[8] = 0xfd;
+ memset(&resany.s6_addr[9], 0xff, 6);
+- init_resiid = ISC_TRUE;
++ init_resiid = true;
+ }
+
+ /* Pool must be IA_NA */
+@@ -1520,7 +1520,7 @@ add_lease6(struct ipv6_pool *pool, struc
+ /*
+ * Determine if an address is present in a pool or not.
+ */
+-isc_boolean_t
++bool
+ lease6_exists(const struct ipv6_pool *pool, const struct in6_addr *addr) {
+ struct iasubopt *test_iaaddr;
+
+@@ -1528,9 +1528,9 @@ lease6_exists(const struct ipv6_pool *po
+ if (iasubopt_hash_lookup(&test_iaaddr, pool->leases,
+ (void *)addr, sizeof(*addr), MDL)) {
+ iasubopt_dereference(&test_iaaddr, MDL);
+- return ISC_TRUE;
++ return true;
+ } else {
+- return ISC_FALSE;
++ return false;
+ }
+ }
+
+@@ -1545,20 +1545,20 @@ lease6_exists(const struct ipv6_pool *po
+ * \param[in] lease = lease to check
+ *
+ * \return
+- * ISC_TRUE = The lease is allowed to use that address
+- * ISC_FALSE = The lease isn't allowed to use that address
++ * true = The lease is allowed to use that address
++ * false = The lease isn't allowed to use that address
+ */
+-isc_boolean_t
++bool
+ lease6_usable(struct iasubopt *lease) {
+ struct iasubopt *test_iaaddr;
+- isc_boolean_t status = ISC_TRUE;
++ bool status = true;
+
+ test_iaaddr = NULL;
+ if (iasubopt_hash_lookup(&test_iaaddr, lease->ipv6_pool->leases,
+ (void *)&lease->addr,
+ sizeof(lease->addr), MDL)) {
+ if (test_iaaddr != lease) {
+- status = ISC_FALSE;
++ status = false;
+ }
+ iasubopt_dereference(&test_iaaddr, MDL);
+ }
+@@ -1697,7 +1697,7 @@ move_lease_to_inactive(struct ipv6_pool
+ #if defined (NSUPDATE)
+ /* Process events upon expiration. */
+ if (pool->pool_type != D6O_IA_PD) {
+- (void) ddns_removals(NULL, lease, NULL, ISC_FALSE);
++ (void) ddns_removals(NULL, lease, NULL, false);
+ }
+ #endif
+
+@@ -1977,21 +1977,21 @@ create_prefix6(struct ipv6_pool *pool, s
+ /*
+ * Determine if a prefix is present in a pool or not.
+ */
+-isc_boolean_t
++bool
+ prefix6_exists(const struct ipv6_pool *pool,
+ const struct in6_addr *pref, u_int8_t plen) {
+ struct iasubopt *test_iapref;
+
+ if ((int)plen != pool->units)
+- return ISC_FALSE;
++ return false;
+
+ test_iapref = NULL;
+ if (iasubopt_hash_lookup(&test_iapref, pool->leases,
+ (void *)pref, sizeof(*pref), MDL)) {
+ iasubopt_dereference(&test_iapref, MDL);
+- return ISC_TRUE;
++ return true;
+ } else {
+- return ISC_FALSE;
++ return false;
+ }
+ }
+
+@@ -2267,15 +2267,15 @@ ipv6_network_portion(struct in6_addr *re
+ /*
+ * Determine if the given address/prefix is in the pool.
+ */
+-isc_boolean_t
++bool
+ ipv6_in_pool(const struct in6_addr *addr, const struct ipv6_pool *pool) {
+ struct in6_addr tmp;
+
+ ipv6_network_portion(&tmp, addr, pool->bits);
+ if (memcmp(&tmp, &pool->start_addr, sizeof(tmp)) == 0) {
+- return ISC_TRUE;
++ return true;
+ } else {
+- return ISC_FALSE;
++ return false;
+ }
+ }
+
+Index: dhcp-4.4.1/server/ddns.c
+===================================================================
+--- dhcp-4.4.1.orig/server/ddns.c
++++ dhcp-4.4.1/server/ddns.c
+@@ -373,7 +373,7 @@ ddns_updates(struct packet *packet, stru
+
+ /* If desired do the removals */
+ if (do_remove != 0) {
+- (void) ddns_removals(lease, lease6, NULL, ISC_TRUE);
++ (void) ddns_removals(lease, lease6, NULL, true);
+ }
+ goto out;
+ }
+@@ -618,7 +618,7 @@ ddns_updates(struct packet *packet, stru
+ * We should log a more specific error closer to the actual
+ * error if we want one. ddns_removal failure not logged here.
+ */
+- (void) ddns_removals(lease, lease6, ddns_cb, ISC_TRUE);
++ (void) ddns_removals(lease, lease6, ddns_cb, true);
+ }
+ else {
+ ddns_fwd_srv_connector(lease, lease6, scope, ddns_cb,
+@@ -1907,7 +1907,7 @@ ddns_fwd_srv_rem1(dhcp_ddns_cb_t *ddns_c
+ * the current entry.
+ *
+ * \li active - indication about the status of the lease. It is
+- * ISC_TRUE if the lease is still active, and FALSE if the lease
++ * true if the lease is still active, and FALSE if the lease
+ * is inactive. This is used to indicate if the lease is inactive or going
+ * to inactive so we can avoid trying to update the lease with cb pointers
+ * and text information if it isn't useful.
+@@ -1923,7 +1923,7 @@ isc_result_t
+ ddns_removals(struct lease *lease,
+ struct iasubopt *lease6,
+ dhcp_ddns_cb_t *add_ddns_cb,
+- isc_boolean_t active)
++ bool active)
+ {
+ isc_result_t rcode, execute_add = ISC_R_FAILURE;
+ struct binding_scope **scope = NULL;
+@@ -1970,7 +1970,7 @@ ddns_removals(struct lease *lease,
+ if (((ddns_cb->state == DDNS_STATE_ADD_PTR) ||
+ (ddns_cb->state == DDNS_STATE_ADD_FW_NXDOMAIN) ||
+ (ddns_cb->state == DDNS_STATE_ADD_FW_YXDHCID)) ||
+- ((active == ISC_FALSE) &&
++ ((active == false) &&
+ ((ddns_cb->flags & DDNS_ACTIVE_LEASE) != 0))) {
+ /* Cancel the current request */
+ ddns_cancel(lease->ddns_cb, MDL);
+@@ -1998,7 +1998,7 @@ ddns_removals(struct lease *lease,
+ if (((ddns_cb->state == DDNS_STATE_ADD_PTR) ||
+ (ddns_cb->state == DDNS_STATE_ADD_FW_NXDOMAIN) ||
+ (ddns_cb->state == DDNS_STATE_ADD_FW_YXDHCID)) ||
+- ((active == ISC_FALSE) &&
++ ((active == false) &&
+ ((ddns_cb->flags & DDNS_ACTIVE_LEASE) != 0))) {
+ /* Cancel the current request */
+ ddns_cancel(lease6->ddns_cb, MDL);
+@@ -2053,7 +2053,7 @@ ddns_removals(struct lease *lease,
+ * the lease information for v6 when the response
+ * from the DNS code is processed.
+ */
+- if (active == ISC_TRUE) {
++ if (active == true) {
+ ddns_cb->flags |= DDNS_ACTIVE_LEASE;
+ }
+
+Index: dhcp-4.4.1/server/mdb.c
+===================================================================
+--- dhcp-4.4.1.orig/server/mdb.c
++++ dhcp-4.4.1/server/mdb.c
+@@ -1504,7 +1504,7 @@ void make_binding_state_transition (stru
+ lease -> binding_state == FTS_ACTIVE &&
+ lease -> next_binding_state != FTS_RELEASED))) {
+ #if defined (NSUPDATE)
+- (void) ddns_removals(lease, NULL, NULL, ISC_TRUE);
++ (void) ddns_removals(lease, NULL, NULL, true);
+ #endif
+ if (lease->on_star.on_expiry) {
+ execute_statements(NULL, NULL, lease,
+@@ -1568,7 +1568,7 @@ void make_binding_state_transition (stru
+ * release message. This is not true of expiry, where the
+ * peer may have extended the lease.
+ */
+- (void) ddns_removals(lease, NULL, NULL, ISC_TRUE);
++ (void) ddns_removals(lease, NULL, NULL, true);
+ #endif
+ if (lease->on_star.on_release) {
+ execute_statements(NULL, NULL, lease,
+@@ -1736,7 +1736,7 @@ void release_lease (lease, packet)
+ /* If there are statements to execute when the lease is
+ released, execute them. */
+ #if defined (NSUPDATE)
+- (void) ddns_removals(lease, NULL, NULL, ISC_FALSE);
++ (void) ddns_removals(lease, NULL, NULL, false);
+ #endif
+ if (lease->on_star.on_release) {
+ execute_statements (NULL, packet, lease,
+@@ -1810,7 +1810,7 @@ void abandon_lease (lease, message)
+ {
+ struct lease *lt = NULL;
+ #if defined (NSUPDATE)
+- (void) ddns_removals(lease, NULL, NULL, ISC_FALSE);
++ (void) ddns_removals(lease, NULL, NULL, false);
+ #endif
+
+ if (!lease_copy(<, lease, MDL)) {
+@@ -1860,7 +1860,7 @@ void dissociate_lease (lease)
+ {
+ struct lease *lt = (struct lease *)0;
+ #if defined (NSUPDATE)
+- (void) ddns_removals(lease, NULL, NULL, ISC_FALSE);
++ (void) ddns_removals(lease, NULL, NULL, false);
+ #endif
+
+ if (!lease_copy (<, lease, MDL))
+@@ -2072,38 +2072,38 @@ int find_lease_by_hw_addr (struct lease
+ * should never see reset leases for this.
+ * 4) Abandoned leases are always dead last.
+ */
+-static isc_boolean_t
++static bool
+ client_lease_preferred(struct lease *cand, struct lease *lease)
+ {
+ if (cand->binding_state == FTS_ACTIVE) {
+ if (lease->binding_state == FTS_ACTIVE &&
+ lease->ends >= cand->ends)
+- return ISC_TRUE;
++ return true;
+ } else if (cand->binding_state == FTS_EXPIRED ||
+ cand->binding_state == FTS_RELEASED) {
+ if (lease->binding_state == FTS_ACTIVE)
+- return ISC_TRUE;
++ return true;
+
+ if ((lease->binding_state == FTS_EXPIRED ||
+ lease->binding_state == FTS_RELEASED) &&
+ lease->cltt >= cand->cltt)
+- return ISC_TRUE;
++ return true;
+ } else if (cand->binding_state != FTS_ABANDONED) {
+ if (lease->binding_state == FTS_ACTIVE ||
+ lease->binding_state == FTS_EXPIRED ||
+ lease->binding_state == FTS_RELEASED)
+- return ISC_TRUE;
++ return true;
+
+ if (lease->binding_state != FTS_ABANDONED &&
+ lease->cltt >= cand->cltt)
+- return ISC_TRUE;
++ return true;
+ } else /* (cand->binding_state == FTS_ABANDONED) */ {
+ if (lease->binding_state != FTS_ABANDONED ||
+ lease->cltt >= cand->cltt)
+- return ISC_TRUE;
++ return true;
+ }
+
+- return ISC_FALSE;
++ return false;
+ }
+
+ /* Add the specified lease to the uid hash. */
diff --git a/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb b/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb
index 159abbc..ca0daa1 100644
--- a/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb
+++ b/meta/recipes-connectivity/dhcp/dhcp_4.4.1.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://0001-define-macro-_PATH_DHCPD_CONF-and-_PATH_DHCLIENT_CON.pat
file://0009-remove-dhclient-script-bash-dependency.patch \
file://0012-dhcp-correct-the-intention-for-xml2-lib-search.patch \
file://0013-fixup_use_libbind.patch \
+ file://0001-dhcpd-fix-Replace-custom-isc_boolean_t-with-C-standa.patch \
"
SRC_URI[md5sum] = "18c7f4dcbb0a63df25098216d47b1ede"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 16/24] binutils: Fix 4 CVEs
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (14 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 15/24] dhcp: fix issue with new bind changes Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 17/24] python: Fix 3 CVEs Armin Kuster
` (7 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Dan Tran <dantran@microsoft.com>
Fixes CVE-2018-20623, CVE-2018-20651, CVE-2018-20-671, and
CVE-2018-1000876 for binutils 2.31.1.
Signed-off-by: Dan Tran <dantran@microsoft.com>
[fixed up .inc for thud-next context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/binutils/binutils-2.31.inc | 4 +
.../binutils/binutils/CVE-2018-1000876.patch | 180 +++++++++++++++++++++
.../binutils/binutils/CVE-2018-20623.patch | 74 +++++++++
.../binutils/binutils/CVE-2018-20651.patch | 35 ++++
.../binutils/binutils/CVE-2018-20671.patch | 49 ++++++
5 files changed, 342 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.31.inc b/meta/recipes-devtools/binutils/binutils-2.31.inc
index e1a6673..c9a3610 100644
--- a/meta/recipes-devtools/binutils/binutils-2.31.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.31.inc
@@ -48,6 +48,10 @@ SRC_URI = "\
file://CVE-2018-18607.patch \
file://CVE-2019-14444.patch \
file://CVE-2019-12972.patch \
+ file://CVE-2018-20623.patch \
+ file://CVE-2018-20651.patch \
+ file://CVE-2018-20671.patch \
+ file://CVE-2018-1000876.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
new file mode 100644
index 0000000..ff85351
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-1000876.patch
@@ -0,0 +1,180 @@
+From efec0844fcfb5692f5a78f4082994d63e420ecd9 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sun, 16 Dec 2018 23:02:50 +1030
+Subject: [PATCH] PR23994, libbfd integer overflow
+
+ PR 23994
+ * aoutx.h: Include limits.h.
+ (get_reloc_upper_bound): Detect long overflow and return a file
+ too big error if it occurs.
+ * elf.c: Include limits.h.
+ (_bfd_elf_get_symtab_upper_bound): Detect long overflow and return
+ a file too big error if it occurs.
+ (_bfd_elf_get_dynamic_symtab_upper_bound): Likewise.
+ (_bfd_elf_get_dynamic_reloc_upper_bound): Likewise.
+
+CVE: CVE-2018-1000876
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3a551c7a1b80fca579461774860574eabfd7f18f]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ bfd/aoutx.h | 40 +++++++++++++++++++++-------------------
+ bfd/elf.c | 32 ++++++++++++++++++++++++--------
+ 2 files changed, 45 insertions(+), 27 deletions(-)
+
+diff --git a/bfd/aoutx.h b/bfd/aoutx.h
+index 023843b0be..78eaa9c503 100644
+--- a/bfd/aoutx.h
++++ b/bfd/aoutx.h
+@@ -117,6 +117,7 @@ DESCRIPTION
+ #define KEEPIT udata.i
+
+ #include "sysdep.h"
++#include <limits.h>
+ #include "bfd.h"
+ #include "safe-ctype.h"
+ #include "bfdlink.h"
+@@ -2491,6 +2492,8 @@ NAME (aout, canonicalize_reloc) (bfd *abfd,
+ long
+ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+ {
++ bfd_size_type count;
++
+ if (bfd_get_format (abfd) != bfd_object)
+ {
+ bfd_set_error (bfd_error_invalid_operation);
+@@ -2498,26 +2501,25 @@ NAME (aout, get_reloc_upper_bound) (bfd *abfd, sec_ptr asect)
+ }
+
+ if (asect->flags & SEC_CONSTRUCTOR)
+- return sizeof (arelent *) * (asect->reloc_count + 1);
+-
+- if (asect == obj_datasec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_textsec (abfd))
+- return sizeof (arelent *)
+- * ((exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd))
+- + 1);
+-
+- if (asect == obj_bsssec (abfd))
+- return sizeof (arelent *);
+-
+- if (asect == obj_bsssec (abfd))
+- return 0;
++ count = asect->reloc_count;
++ else if (asect == obj_datasec (abfd))
++ count = exec_hdr (abfd)->a_drsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_textsec (abfd))
++ count = exec_hdr (abfd)->a_trsize / obj_reloc_entry_size (abfd);
++ else if (asect == obj_bsssec (abfd))
++ count = 0;
++ else
++ {
++ bfd_set_error (bfd_error_invalid_operation);
++ return -1;
++ }
+
+- bfd_set_error (bfd_error_invalid_operation);
+- return -1;
++ if (count >= LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ return (count + 1) * sizeof (arelent *);
+ }
+ \f
+ long
+diff --git a/bfd/elf.c b/bfd/elf.c
+index 828241d48a..10037176a3 100644
+--- a/bfd/elf.c
++++ b/bfd/elf.c
+@@ -35,6 +35,7 @@ SECTION
+ /* For sparc64-cross-sparc32. */
+ #define _SYSCALL32
+ #include "sysdep.h"
++#include <limits.h>
+ #include "bfd.h"
+ #include "bfdlink.h"
+ #include "libbfd.h"
+@@ -8114,11 +8115,16 @@ error_return:
+ long
+ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ {
+- long symcount;
++ bfd_size_type symcount;
+ long symtab_size;
+ Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->symtab_hdr;
+
+ symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+ symtab_size = (symcount + 1) * (sizeof (asymbol *));
+ if (symcount > 0)
+ symtab_size -= sizeof (asymbol *);
+@@ -8129,7 +8135,7 @@ _bfd_elf_get_symtab_upper_bound (bfd *abfd)
+ long
+ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+ {
+- long symcount;
++ bfd_size_type symcount;
+ long symtab_size;
+ Elf_Internal_Shdr *hdr = &elf_tdata (abfd)->dynsymtab_hdr;
+
+@@ -8140,6 +8146,11 @@ _bfd_elf_get_dynamic_symtab_upper_bound (bfd *abfd)
+ }
+
+ symcount = hdr->sh_size / get_elf_backend_data (abfd)->s->sizeof_sym;
++ if (symcount >= LONG_MAX / sizeof (asymbol *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
+ symtab_size = (symcount + 1) * (sizeof (asymbol *));
+ if (symcount > 0)
+ symtab_size -= sizeof (asymbol *);
+@@ -8209,7 +8220,7 @@ _bfd_elf_canonicalize_dynamic_symtab (bfd *abfd,
+ long
+ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+ {
+- long ret;
++ bfd_size_type count;
+ asection *s;
+
+ if (elf_dynsymtab (abfd) == 0)
+@@ -8218,15 +8229,20 @@ _bfd_elf_get_dynamic_reloc_upper_bound (bfd *abfd)
+ return -1;
+ }
+
+- ret = sizeof (arelent *);
++ count = 1;
+ for (s = abfd->sections; s != NULL; s = s->next)
+ if (elf_section_data (s)->this_hdr.sh_link == elf_dynsymtab (abfd)
+ && (elf_section_data (s)->this_hdr.sh_type == SHT_REL
+ || elf_section_data (s)->this_hdr.sh_type == SHT_RELA))
+- ret += ((s->size / elf_section_data (s)->this_hdr.sh_entsize)
+- * sizeof (arelent *));
+-
+- return ret;
++ {
++ count += s->size / elf_section_data (s)->this_hdr.sh_entsize;
++ if (count > LONG_MAX / sizeof (arelent *))
++ {
++ bfd_set_error (bfd_error_file_too_big);
++ return -1;
++ }
++ }
++ return count * sizeof (arelent *);
+ }
+
+ /* Canonicalize the dynamic relocation entries. Note that we return the
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
new file mode 100644
index 0000000..b44d448
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20623.patch
@@ -0,0 +1,74 @@
+From 90cce28d4b59f86366d4f562d01a8d439d514234 Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 9 Jan 2019 12:25:16 +0000
+Subject: [PATCH] Fix a heap use after free memory access fault when displaying
+ error messages about malformed archives.
+
+ PR 14049
+ * readelf.c (process_archive): Use arch.file_name in error
+ messages until the qualified name is available.
+
+CVE: CVE-2018-20623
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=28e817cc440bce73691c03e01860089a0954a837]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ binutils/readelf.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index f4df697a7d..280023d8de 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -19061,7 +19061,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ /* Read the next archive header. */
+ if (fseek (filedata->handle, arch.next_arhdr_offset, SEEK_SET) != 0)
+ {
+- error (_("%s: failed to seek to next archive header\n"), filedata->file_name);
++ error (_("%s: failed to seek to next archive header\n"), arch.file_name);
+ return FALSE;
+ }
+ got = fread (&arch.arhdr, 1, sizeof arch.arhdr, filedata->handle);
+@@ -19069,7 +19069,10 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ {
+ if (got == 0)
+ break;
+- error (_("%s: failed to read archive header\n"), filedata->file_name);
++ /* PR 24049 - we cannot use filedata->file_name as this will
++ have already been freed. */
++ error (_("%s: failed to read archive header\n"), arch.file_name);
++
+ ret = FALSE;
+ break;
+ }
+@@ -19089,7 +19092,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ name = get_archive_member_name (&arch, &nested_arch);
+ if (name == NULL)
+ {
+- error (_("%s: bad archive file name\n"), filedata->file_name);
++ error (_("%s: bad archive file name\n"), arch.file_name);
+ ret = FALSE;
+ break;
+ }
+@@ -19098,7 +19101,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ qualified_name = make_qualified_name (&arch, &nested_arch, name);
+ if (qualified_name == NULL)
+ {
+- error (_("%s: bad archive file name\n"), filedata->file_name);
++ error (_("%s: bad archive file name\n"), arch.file_name);
+ ret = FALSE;
+ break;
+ }
+@@ -19144,7 +19147,7 @@ process_archive (Filedata * filedata, bfd_boolean is_thin_archive)
+ if (nested_arch.file == NULL)
+ {
+ error (_("%s: contains corrupt thin archive: %s\n"),
+- filedata->file_name, name);
++ qualified_name, name);
+ ret = FALSE;
+ break;
+ }
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
new file mode 100644
index 0000000..24fb031
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20651.patch
@@ -0,0 +1,35 @@
+From 6a29d95602b09bb83d2c82b45ed935157fb780aa Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Mon, 31 Dec 2018 15:40:08 +1030
+Subject: [PATCH] PR24041, Invalid Memory Address Dereference in
+ elf_link_add_object_symbols
+
+ PR 24041
+ * elflink.c (elf_link_add_object_symbols): Don't segfault on
+ crafted ET_DYN with no program headers.
+
+CVE: CVE-2018-20651
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 46091b6341..557c550082 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -4178,7 +4178,7 @@ error_free_dyn:
+ all sections contained fully therein. This makes relro
+ shared library sections appear as they will at run-time. */
+ phdr = elf_tdata (abfd)->phdr + elf_elfheader (abfd)->e_phnum;
+- while (--phdr >= elf_tdata (abfd)->phdr)
++ while (phdr-- > elf_tdata (abfd)->phdr)
+ if (phdr->p_type == PT_GNU_RELRO)
+ {
+ for (s = abfd->sections; s != NULL; s = s->next)
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch b/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
new file mode 100644
index 0000000..9bd9207
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2018-20671.patch
@@ -0,0 +1,49 @@
+From 8a5f4f2ebe7f35ac5646060fa51e3332f6ef388c Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Fri, 4 Jan 2019 13:44:34 +0000
+Subject: [PATCH] Fix a possible integer overflow problem when examining
+ corrupt binaries using a 32-bit binutil.
+
+ PR 24005
+ * objdump.c (load_specific_debug_section): Check for integer
+ overflow before attempting to allocate contents.
+
+CVE: CVE-2018-20671
+Upstream-Status: Backport
+[https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11fa9f134fd658075c6f74499c780df045d9e9ca]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ binutils/objdump.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index f468fcdb59..89ca688938 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -2503,12 +2503,19 @@ load_specific_debug_section (enum dwarf_section_display_enum debug,
+ section->reloc_info = NULL;
+ section->num_relocs = 0;
+ section->address = bfd_get_section_vma (abfd, sec);
++ section->user_data = sec;
+ section->size = bfd_get_section_size (sec);
+ amt = section->size + 1;
++ if (amt == 0 || amt > bfd_get_file_size (abfd))
++ {
++ section->start = NULL;
++ free_debug_section (debug);
++ printf (_("\nSection '%s' has an invalid size: %#llx.\n"),
++ section->name, (unsigned long long) section->size);
++ return FALSE;
++ }
+ section->start = contents = malloc (amt);
+- section->user_data = sec;
+- if (amt == 0
+- || section->start == NULL
++ if (section->start == NULL
+ || !bfd_get_full_section_contents (abfd, sec, &contents))
+ {
+ free_debug_section (debug);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 17/24] python: Fix 3 CVEs
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (15 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 16/24] binutils: Fix 4 CVEs Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 18/24] python3: Fix CVEs Armin Kuster
` (6 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Dan Tran <dantran@microsoft.com>
Fixes CVE-2018-20852, CVE-2019-9740, and CVE-2019-9747
Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../python/python/bpo-30458-cve-2019-9740.patch | 219 +++++++++++++++++++++
.../python/python/bpo-35121-cve-2018-20852.patch | 127 ++++++++++++
meta/recipes-devtools/python/python_2.7.16.bb | 2 +
3 files changed, 348 insertions(+)
create mode 100644 meta/recipes-devtools/python/python/bpo-30458-cve-2019-9740.patch
create mode 100644 meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch
diff --git a/meta/recipes-devtools/python/python/bpo-30458-cve-2019-9740.patch b/meta/recipes-devtools/python/python/bpo-30458-cve-2019-9740.patch
new file mode 100644
index 0000000..f4c56bb
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-30458-cve-2019-9740.patch
@@ -0,0 +1,219 @@
+From 39815ee5bb7f2f9ca1f0d5e9f51e27a2877ec35b Mon Sep 17 00:00:00 2001
+From: Victor Stinner <victor.stinner@gmail.com>
+Date: Tue, 21 May 2019 15:12:33 +0200
+Subject: [PATCH] bpo-30458: Disallow control chars in http URLs (GH-12755)
+ (GH-13154) (GH-13315)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Disallow control chars in http URLs in urllib2.urlopen. This
+addresses a potential security problem for applications that do not
+sanity check their URLs where http request headers could be injected.
+
+Disable https related urllib tests on a build without ssl (GH-13032)
+These tests require an SSL enabled build. Skip these tests when
+python is built without SSL to fix test failures.
+
+Use httplib.InvalidURL instead of ValueError as the new error case's
+exception. (GH-13044)
+
+Backport Co-Authored-By: Miro Hrončok <miro@hroncok.cz>
+
+(cherry picked from commit 7e200e0763f5b71c199aaf98bd5588f291585619)
+
+Notes on backport to Python 2.7:
+
+* test_urllib tests urllib.urlopen() which quotes the URL and so is
+ not vulerable to HTTP Header Injection.
+* Add tests to test_urllib2 on urllib2.urlopen().
+* Reject non-ASCII characters: range 0x80-0xff.
+
+CVE: CVE-2019-9740 CVE-2019-9747
+Upstream-Status: Accepted
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Lib/httplib.py | 16 ++++++
+ Lib/test/test_urllib.py | 25 +++++++++
+ Lib/test/test_urllib2.py | 51 ++++++++++++++++++-
+ Lib/test/test_xmlrpc.py | 8 ++-
+ .../2019-04-10-08-53-30.bpo-30458.51E-DA.rst | 1 +
+ 5 files changed, 99 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+
+diff --git a/Lib/httplib.py b/Lib/httplib.py
+index 60a8fb4e35..1b41c346e0 100644
+--- a/Lib/httplib.py
++++ b/Lib/httplib.py
+@@ -247,6 +247,16 @@ _MAXHEADERS = 100
+ _is_legal_header_name = re.compile(r'\A[^:\s][^:\r\n]*\Z').match
+ _is_illegal_header_value = re.compile(r'\n(?![ \t])|\r(?![ \t\n])').search
+
++# These characters are not allowed within HTTP URL paths.
++# See https://tools.ietf.org/html/rfc3986#section-3.3 and the
++# https://tools.ietf.org/html/rfc3986#appendix-A pchar definition.
++# Prevents CVE-2019-9740. Includes control characters such as \r\n.
++# Restrict non-ASCII characters above \x7f (0x80-0xff).
++_contains_disallowed_url_pchar_re = re.compile('[\x00-\x20\x7f-\xff]')
++# Arguably only these _should_ allowed:
++# _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
++# We are more lenient for assumed real world compatibility purposes.
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -927,6 +937,12 @@ class HTTPConnection:
+ self._method = method
+ if not url:
+ url = '/'
++ # Prevent CVE-2019-9740.
++ match = _contains_disallowed_url_pchar_re.search(url)
++ if match:
++ raise InvalidURL("URL can't contain control characters. %r "
++ "(found at least %r)"
++ % (url, match.group()))
+ hdr = '%s %s %s' % (method, url, self._http_vsn_str)
+
+ self._output(hdr)
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 1ce9201c06..d7778d4194 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -257,6 +257,31 @@ class urlopen_HttpTests(unittest.TestCase, FakeHTTPMixin):
+ finally:
+ self.unfakehttp()
+
++ def test_url_with_control_char_rejected(self):
++ for char_no in range(0, 0x21) + range(0x7f, 0x100):
++ char = chr(char_no)
++ schemeless_url = "//localhost:7777/test%s/" % char
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ try:
++ # urllib quotes the URL so there is no injection.
++ resp = urllib.urlopen("http:" + schemeless_url)
++ self.assertNotIn(char, resp.geturl())
++ finally:
++ self.unfakehttp()
++
++ def test_url_with_newline_header_injection_rejected(self):
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++ schemeless_url = "//" + host + ":8080/test/?test=a"
++ try:
++ # urllib quotes the URL so there is no injection.
++ resp = urllib.urlopen("http:" + schemeless_url)
++ self.assertNotIn(' ', resp.geturl())
++ self.assertNotIn('\r', resp.geturl())
++ self.assertNotIn('\n', resp.geturl())
++ finally:
++ self.unfakehttp()
++
+ def test_read_bogus(self):
+ # urlopen() should raise IOError for many error codes.
+ self.fakehttp('''HTTP/1.1 401 Authentication Required
+diff --git a/Lib/test/test_urllib2.py b/Lib/test/test_urllib2.py
+index 6d24d5ddf8..9531818e16 100644
+--- a/Lib/test/test_urllib2.py
++++ b/Lib/test/test_urllib2.py
+@@ -15,6 +15,9 @@ try:
+ except ImportError:
+ ssl = None
+
++from test.test_urllib import FakeHTTPMixin
++
++
+ # XXX
+ # Request
+ # CacheFTPHandler (hard to write)
+@@ -1262,7 +1265,7 @@ class HandlerTests(unittest.TestCase):
+ self.assertEqual(len(http_handler.requests), 1)
+ self.assertFalse(http_handler.requests[0].has_header(auth_header))
+
+-class MiscTests(unittest.TestCase):
++class MiscTests(unittest.TestCase, FakeHTTPMixin):
+
+ def test_build_opener(self):
+ class MyHTTPHandler(urllib2.HTTPHandler): pass
+@@ -1317,6 +1320,52 @@ class MiscTests(unittest.TestCase):
+ "Unsupported digest authentication algorithm 'invalid'"
+ )
+
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_control_char_rejected(self):
++ for char_no in range(0, 0x21) + range(0x7f, 0x100):
++ char = chr(char_no)
++ schemeless_url = "//localhost:7777/test%s/" % char
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ try:
++ # We explicitly test urllib.request.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ escaped_char_repr = repr(char).replace('\\', r'\\')
++ InvalidURL = httplib.InvalidURL
++ with self.assertRaisesRegexp(
++ InvalidURL, "contain control.*" + escaped_char_repr):
++ urllib2.urlopen("http:" + schemeless_url)
++ with self.assertRaisesRegexp(
++ InvalidURL, "contain control.*" + escaped_char_repr):
++ urllib2.urlopen("https:" + schemeless_url)
++ finally:
++ self.unfakehttp()
++
++ @unittest.skipUnless(ssl, "ssl module required")
++ def test_url_with_newline_header_injection_rejected(self):
++ self.fakehttp(b"HTTP/1.1 200 OK\r\n\r\nHello.")
++ host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
++ schemeless_url = "//" + host + ":8080/test/?test=a"
++ try:
++ # We explicitly test urllib2.urlopen() instead of the top
++ # level 'def urlopen()' function defined in this... (quite ugly)
++ # test suite. They use different url opening codepaths. Plain
++ # urlopen uses FancyURLOpener which goes via a codepath that
++ # calls urllib.parse.quote() on the URL which makes all of the
++ # above attempts at injection within the url _path_ safe.
++ InvalidURL = httplib.InvalidURL
++ with self.assertRaisesRegexp(
++ InvalidURL, r"contain control.*\\r.*(found at least . .)"):
++ urllib2.urlopen("http:" + schemeless_url)
++ with self.assertRaisesRegexp(InvalidURL, r"contain control.*\\n"):
++ urllib2.urlopen("https:" + schemeless_url)
++ finally:
++ self.unfakehttp()
++
++
+
+ class RequestTests(unittest.TestCase):
+
+diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
+index 36b3be67fd..90ccb30716 100644
+--- a/Lib/test/test_xmlrpc.py
++++ b/Lib/test/test_xmlrpc.py
+@@ -659,7 +659,13 @@ class SimpleServerTestCase(BaseServerTestCase):
+ def test_partial_post(self):
+ # Check that a partial POST doesn't make the server loop: issue #14001.
+ conn = httplib.HTTPConnection(ADDR, PORT)
+- conn.request('POST', '/RPC2 HTTP/1.0\r\nContent-Length: 100\r\n\r\nbye')
++ conn.send('POST /RPC2 HTTP/1.0\r\n'
++ 'Content-Length: 100\r\n\r\n'
++ 'bye HTTP/1.1\r\n'
++ 'Host: %s:%s\r\n'
++ 'Accept-Encoding: identity\r\n'
++ 'Content-Length: 0\r\n\r\n'
++ % (ADDR, PORT))
+ conn.close()
+
+ class SimpleServerEncodingTestCase(BaseServerTestCase):
+diff --git a/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+new file mode 100644
+index 0000000000..47cb899df1
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-04-10-08-53-30.bpo-30458.51E-DA.rst
+@@ -0,0 +1 @@
++Address CVE-2019-9740 by disallowing URL paths with embedded whitespace or control characters through into the underlying http client request. Such potentially malicious header injection URLs now cause an httplib.InvalidURL exception to be raised.
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch b/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch
new file mode 100644
index 0000000..7ce7b1f
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-35121-cve-2018-20852.patch
@@ -0,0 +1,127 @@
+From 1bd50d351e508b8947e5813c5f925eb4b61c8d76 Mon Sep 17 00:00:00 2001
+From: Xtreak <tir.karthi@gmail.com>
+Date: Sat, 15 Jun 2019 20:59:43 +0530
+Subject: [PATCH] [2.7] bpo-35121: prefix dot in domain for proper subdomain
+ validation (GH-10258) (GH-13426)
+
+This is a manual backport of ca7fe5063593958e5efdf90f068582837f07bd14 since 2.7 has `http.cookiejar` in `cookielib`
+
+https://bugs.python.org/issue35121
+
+CVE: CVE-2018-20852
+Upstream-Status: Accepted
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Lib/cookielib.py | 13 ++++++--
+ Lib/test/test_cookielib.py | 30 +++++++++++++++++++
+ .../2019-05-20-00-35-12.bpo-35121.RRi-HU.rst | 4 +++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
+
+diff --git a/Lib/cookielib.py b/Lib/cookielib.py
+index 2dd7c48728..0b471a42f2 100644
+--- a/Lib/cookielib.py
++++ b/Lib/cookielib.py
+@@ -1139,6 +1139,11 @@ class DefaultCookiePolicy(CookiePolicy):
+ req_host, erhn = eff_request_host(request)
+ domain = cookie.domain
+
++ if domain and not domain.startswith("."):
++ dotdomain = "." + domain
++ else:
++ dotdomain = domain
++
+ # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
+ if (cookie.version == 0 and
+ (self.strict_ns_domain & self.DomainStrictNonDomain) and
+@@ -1151,7 +1156,7 @@ class DefaultCookiePolicy(CookiePolicy):
+ _debug(" effective request-host name %s does not domain-match "
+ "RFC 2965 cookie domain %s", erhn, domain)
+ return False
+- if cookie.version == 0 and not ("."+erhn).endswith(domain):
++ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
+ _debug(" request-host %s does not match Netscape cookie domain "
+ "%s", req_host, domain)
+ return False
+@@ -1165,7 +1170,11 @@ class DefaultCookiePolicy(CookiePolicy):
+ req_host = "."+req_host
+ if not erhn.startswith("."):
+ erhn = "."+erhn
+- if not (req_host.endswith(domain) or erhn.endswith(domain)):
++ if domain and not domain.startswith("."):
++ dotdomain = "." + domain
++ else:
++ dotdomain = domain
++ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
+ #_debug(" request domain %s does not match cookie domain %s",
+ # req_host, domain)
+ return False
+diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
+index f2dd9727d1..7f7ff614d6 100644
+--- a/Lib/test/test_cookielib.py
++++ b/Lib/test/test_cookielib.py
+@@ -368,6 +368,7 @@ class CookieTests(TestCase):
+ ("http://foo.bar.com/", ".foo.bar.com", True),
+ ("http://foo.bar.com/", "foo.bar.com", True),
+ ("http://foo.bar.com/", ".bar.com", True),
++ ("http://foo.bar.com/", "bar.com", True),
+ ("http://foo.bar.com/", "com", True),
+ ("http://foo.com/", "rhubarb.foo.com", False),
+ ("http://foo.com/", ".foo.com", True),
+@@ -378,6 +379,8 @@ class CookieTests(TestCase):
+ ("http://foo/", "foo", True),
+ ("http://foo/", "foo.local", True),
+ ("http://foo/", ".local", True),
++ ("http://barfoo.com", ".foo.com", False),
++ ("http://barfoo.com", "foo.com", False),
+ ]:
+ request = urllib2.Request(url)
+ r = pol.domain_return_ok(domain, request)
+@@ -938,6 +941,33 @@ class CookieTests(TestCase):
+ c.add_cookie_header(req)
+ self.assertFalse(req.has_header("Cookie"))
+
++ c.clear()
++
++ pol.set_blocked_domains([])
++ req = Request("http://acme.com/")
++ res = FakeResponse(headers, "http://acme.com/")
++ cookies = c.make_cookies(res, req)
++ c.extract_cookies(res, req)
++ self.assertEqual(len(c), 1)
++
++ req = Request("http://acme.com/")
++ c.add_cookie_header(req)
++ self.assertTrue(req.has_header("Cookie"))
++
++ req = Request("http://badacme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(pol.return_ok(cookies[0], req))
++ self.assertFalse(req.has_header("Cookie"))
++
++ p = pol.set_blocked_domains(["acme.com"])
++ req = Request("http://acme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(req.has_header("Cookie"))
++
++ req = Request("http://badacme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(req.has_header("Cookie"))
++
+ def test_secure(self):
+ from cookielib import CookieJar, DefaultCookiePolicy
+
+diff --git a/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
+new file mode 100644
+index 0000000000..7725180616
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
+@@ -0,0 +1,4 @@
++Don't send cookies of domain A without Domain attribute to domain B when
++domain A is a suffix match of domain B while using a cookiejar with
++:class:`cookielib.DefaultCookiePolicy` policy. Patch by Karthikeyan
++Singaravelan.
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb
index 9c79faf..16b1744 100644
--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -35,6 +35,8 @@ SRC_URI += "\
file://bpo-35907-cve-2019-9948-fix.patch \
file://bpo-36216-cve-2019-9636.patch \
file://bpo-36216-cve-2019-9636-fix.patch \
+ file://bpo-35121-cve-2018-20852.patch \
+ file://bpo-30458-cve-2019-9740.patch \
"
S = "${WORKDIR}/Python-${PV}"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 18/24] python3: Fix CVEs
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (16 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 17/24] python: Fix 3 CVEs Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 19/24] libxslt: Cve fix CVE-2019-11068 Armin Kuster
` (5 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Dan Tran <dantran@microsoft.com>
Fixes CVE-2018-14647, CVE-2018-20406, CVE-2018-20852, CVE-2019-9636,
CVE-2019-9740, and CVE-2019-9747.
Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../python/python3/CVE-2018-14647.patch | 95 +++++++++
.../python/python3/CVE-2018-20406.patch | 217 +++++++++++++++++++++
.../python/python3/CVE-2018-20852.patch | 129 ++++++++++++
.../python/python3/CVE-2019-9636.patch | 154 +++++++++++++++
meta/recipes-devtools/python/python3_3.5.6.bb | 4 +
5 files changed, 599 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2018-14647.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2018-20406.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2018-20852.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2019-9636.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2018-14647.patch b/meta/recipes-devtools/python/python3/CVE-2018-14647.patch
new file mode 100644
index 0000000..c1f21f8
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2018-14647.patch
@@ -0,0 +1,95 @@
+From 610b4b0dbaedd3099ab76acf678e9cc845d99a76 Mon Sep 17 00:00:00 2001
+From: stratakis <cstratak@redhat.com>
+Date: Mon, 25 Feb 2019 22:04:09 +0100
+Subject: [PATCH] [3.5] bpo-34623: Use XML_SetHashSalt in _elementtree (#9933)
+
+* bpo-34623: Use XML_SetHashSalt in _elementtree (GH-9146)
+
+The C accelerated _elementtree module now initializes hash randomization
+salt from _Py_HashSecret instead of libexpat's default CPRNG.
+
+Signed-off-by: Christian Heimes <christian@python.org>
+
+https://bugs.python.org/issue34623
+(cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b)
+
+Co-authored-by: Christian Heimes <christian@python.org>
+
+CVE: CVE-2018-14647
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/41b48e71ac8a71f56694b548f118bd20ce203410]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Include/pyexpat.h | 4 +++-
+ .../next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | 2 ++
+ Modules/_elementtree.c | 5 +++++
+ Modules/pyexpat.c | 5 +++++
+ 4 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
+
+diff --git a/Include/pyexpat.h b/Include/pyexpat.h
+index 44259bf6d7..07020b5dc9 100644
+--- a/Include/pyexpat.h
++++ b/Include/pyexpat.h
+@@ -3,7 +3,7 @@
+
+ /* note: you must import expat.h before importing this module! */
+
+-#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0"
++#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1"
+ #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
+
+ struct PyExpat_CAPI
+@@ -48,6 +48,8 @@ struct PyExpat_CAPI
+ enum XML_Status (*SetEncoding)(XML_Parser parser, const XML_Char *encoding);
+ int (*DefaultUnknownEncodingHandler)(
+ void *encodingHandlerData, const XML_Char *name, XML_Encoding *info);
++ /* might be none for expat < 2.1.0 */
++ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
+ /* always add new stuff to the end! */
+ };
+
+diff --git a/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
+new file mode 100644
+index 0000000000..cbaa4b7506
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
+@@ -0,0 +1,2 @@
++CVE-2018-14647: The C accelerated _elementtree module now initializes hash
++randomization salt from _Py_HashSecret instead of libexpat's default CSPRNG.
+diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
+index 5dba9f70a9..90c6daf64a 100644
+--- a/Modules/_elementtree.c
++++ b/Modules/_elementtree.c
+@@ -3282,6 +3282,11 @@ _elementtree_XMLParser___init___impl(XMLParserObject *self, PyObject *html,
+ PyErr_NoMemory();
+ return -1;
+ }
++ /* expat < 2.1.0 has no XML_SetHashSalt() */
++ if (EXPAT(SetHashSalt) != NULL) {
++ EXPAT(SetHashSalt)(self->parser,
++ (unsigned long)_Py_HashSecret.expat.hashsalt);
++ }
+
+ if (target) {
+ Py_INCREF(target);
+diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
+index adc9b6cde8..948ab1b703 100644
+--- a/Modules/pyexpat.c
++++ b/Modules/pyexpat.c
+@@ -1882,6 +1882,11 @@ MODULE_INITFUNC(void)
+ capi.SetStartDoctypeDeclHandler = XML_SetStartDoctypeDeclHandler;
+ capi.SetEncoding = XML_SetEncoding;
+ capi.DefaultUnknownEncodingHandler = PyUnknownEncodingHandler;
++#if XML_COMBINED_VERSION >= 20100
++ capi.SetHashSalt = XML_SetHashSalt;
++#else
++ capi.SetHashSalt = NULL;
++#endif
+
+ /* export using capsule */
+ capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20406.patch b/meta/recipes-devtools/python/python3/CVE-2018-20406.patch
new file mode 100644
index 0000000..b69e0c4
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2018-20406.patch
@@ -0,0 +1,217 @@
+From 3c7fd2b2729e3ebcf7877e7a32b3bbabf907a38d Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@redhat.com>
+Date: Tue, 26 Feb 2019 01:42:39 +0100
+Subject: [PATCH] closes bpo-34656: Avoid relying on signed overflow in _pickle
+ memos. (GH-9261) (#11869)
+
+(cherry picked from commit a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd)
+
+CVE: CVE-2018-20406
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/ef33dd6036aafbd3f06c1d56e2b1a81dae3da63c]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Modules/_pickle.c | 63 ++++++++++++++++++++++++-----------------------
+ 1 file changed, 32 insertions(+), 31 deletions(-)
+
+diff --git a/Modules/_pickle.c b/Modules/_pickle.c
+index 0f62b1c019..fcb9e87899 100644
+--- a/Modules/_pickle.c
++++ b/Modules/_pickle.c
+@@ -527,9 +527,9 @@ typedef struct {
+ } PyMemoEntry;
+
+ typedef struct {
+- Py_ssize_t mt_mask;
+- Py_ssize_t mt_used;
+- Py_ssize_t mt_allocated;
++ size_t mt_mask;
++ size_t mt_used;
++ size_t mt_allocated;
+ PyMemoEntry *mt_table;
+ } PyMemoTable;
+
+@@ -573,8 +573,8 @@ typedef struct UnpicklerObject {
+ /* The unpickler memo is just an array of PyObject *s. Using a dict
+ is unnecessary, since the keys are contiguous ints. */
+ PyObject **memo;
+- Py_ssize_t memo_size; /* Capacity of the memo array */
+- Py_ssize_t memo_len; /* Number of objects in the memo */
++ size_t memo_size; /* Capacity of the memo array */
++ size_t memo_len; /* Number of objects in the memo */
+
+ PyObject *pers_func; /* persistent_load() method, can be NULL. */
+
+@@ -658,7 +658,6 @@ PyMemoTable_New(void)
+ static PyMemoTable *
+ PyMemoTable_Copy(PyMemoTable *self)
+ {
+- Py_ssize_t i;
+ PyMemoTable *new = PyMemoTable_New();
+ if (new == NULL)
+ return NULL;
+@@ -675,7 +674,7 @@ PyMemoTable_Copy(PyMemoTable *self)
+ PyErr_NoMemory();
+ return NULL;
+ }
+- for (i = 0; i < self->mt_allocated; i++) {
++ for (size_t i = 0; i < self->mt_allocated; i++) {
+ Py_XINCREF(self->mt_table[i].me_key);
+ }
+ memcpy(new->mt_table, self->mt_table,
+@@ -721,7 +720,7 @@ _PyMemoTable_Lookup(PyMemoTable *self, PyObject *key)
+ {
+ size_t i;
+ size_t perturb;
+- size_t mask = (size_t)self->mt_mask;
++ size_t mask = self->mt_mask;
+ PyMemoEntry *table = self->mt_table;
+ PyMemoEntry *entry;
+ Py_hash_t hash = (Py_hash_t)key >> 3;
+@@ -743,22 +742,24 @@ _PyMemoTable_Lookup(PyMemoTable *self, PyObject *key)
+
+ /* Returns -1 on failure, 0 on success. */
+ static int
+-_PyMemoTable_ResizeTable(PyMemoTable *self, Py_ssize_t min_size)
++_PyMemoTable_ResizeTable(PyMemoTable *self, size_t min_size)
+ {
+ PyMemoEntry *oldtable = NULL;
+ PyMemoEntry *oldentry, *newentry;
+- Py_ssize_t new_size = MT_MINSIZE;
+- Py_ssize_t to_process;
++ size_t new_size = MT_MINSIZE;
++ size_t to_process;
+
+ assert(min_size > 0);
+
+- /* Find the smallest valid table size >= min_size. */
+- while (new_size < min_size && new_size > 0)
+- new_size <<= 1;
+- if (new_size <= 0) {
++ if (min_size > PY_SSIZE_T_MAX) {
+ PyErr_NoMemory();
+ return -1;
+ }
++
++ /* Find the smallest valid table size >= min_size. */
++ while (new_size < min_size) {
++ new_size <<= 1;
++ }
+ /* new_size needs to be a power of two. */
+ assert((new_size & (new_size - 1)) == 0);
+
+@@ -808,6 +809,7 @@ static int
+ PyMemoTable_Set(PyMemoTable *self, PyObject *key, Py_ssize_t value)
+ {
+ PyMemoEntry *entry;
++ size_t desired_size;
+
+ assert(key != NULL);
+
+@@ -831,10 +833,12 @@ PyMemoTable_Set(PyMemoTable *self, PyObject *key, Py_ssize_t value)
+ * Very large memo tables (over 50K items) use doubling instead.
+ * This may help applications with severe memory constraints.
+ */
+- if (!(self->mt_used * 3 >= (self->mt_mask + 1) * 2))
++ if (SIZE_MAX / 3 >= self->mt_used && self->mt_used * 3 < self->mt_allocated * 2) {
+ return 0;
+- return _PyMemoTable_ResizeTable(self,
+- (self->mt_used > 50000 ? 2 : 4) * self->mt_used);
++ }
++ // self->mt_used is always < PY_SSIZE_T_MAX, so this can't overflow.
++ desired_size = (self->mt_used > 50000 ? 2 : 4) * self->mt_used;
++ return _PyMemoTable_ResizeTable(self, desired_size);
+ }
+
+ #undef MT_MINSIZE
+@@ -1273,9 +1277,9 @@ _Unpickler_Readline(UnpicklerObject *self, char **result)
+ /* Returns -1 (with an exception set) on failure, 0 on success. The memo array
+ will be modified in place. */
+ static int
+-_Unpickler_ResizeMemoList(UnpicklerObject *self, Py_ssize_t new_size)
++_Unpickler_ResizeMemoList(UnpicklerObject *self, size_t new_size)
+ {
+- Py_ssize_t i;
++ size_t i;
+
+ assert(new_size > self->memo_size);
+
+@@ -1292,9 +1296,9 @@ _Unpickler_ResizeMemoList(UnpicklerObject *self, Py_ssize_t new_size)
+
+ /* Returns NULL if idx is out of bounds. */
+ static PyObject *
+-_Unpickler_MemoGet(UnpicklerObject *self, Py_ssize_t idx)
++_Unpickler_MemoGet(UnpicklerObject *self, size_t idx)
+ {
+- if (idx < 0 || idx >= self->memo_size)
++ if (idx >= self->memo_size)
+ return NULL;
+
+ return self->memo[idx];
+@@ -1303,7 +1307,7 @@ _Unpickler_MemoGet(UnpicklerObject *self, Py_ssize_t idx)
+ /* Returns -1 (with an exception set) on failure, 0 on success.
+ This takes its own reference to `value`. */
+ static int
+-_Unpickler_MemoPut(UnpicklerObject *self, Py_ssize_t idx, PyObject *value)
++_Unpickler_MemoPut(UnpicklerObject *self, size_t idx, PyObject *value)
+ {
+ PyObject *old_item;
+
+@@ -4194,14 +4198,13 @@ static PyObject *
+ _pickle_PicklerMemoProxy_copy_impl(PicklerMemoProxyObject *self)
+ /*[clinic end generated code: output=bb83a919d29225ef input=b73043485ac30b36]*/
+ {
+- Py_ssize_t i;
+ PyMemoTable *memo;
+ PyObject *new_memo = PyDict_New();
+ if (new_memo == NULL)
+ return NULL;
+
+ memo = self->pickler->memo;
+- for (i = 0; i < memo->mt_allocated; ++i) {
++ for (size_t i = 0; i < memo->mt_allocated; ++i) {
+ PyMemoEntry entry = memo->mt_table[i];
+ if (entry.me_key != NULL) {
+ int status;
+@@ -6620,7 +6623,7 @@ static PyObject *
+ _pickle_UnpicklerMemoProxy_copy_impl(UnpicklerMemoProxyObject *self)
+ /*[clinic end generated code: output=e12af7e9bc1e4c77 input=97769247ce032c1d]*/
+ {
+- Py_ssize_t i;
++ size_t i;
+ PyObject *new_memo = PyDict_New();
+ if (new_memo == NULL)
+ return NULL;
+@@ -6771,8 +6774,7 @@ static int
+ Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
+ {
+ PyObject **new_memo;
+- Py_ssize_t new_memo_size = 0;
+- Py_ssize_t i;
++ size_t new_memo_size = 0;
+
+ if (obj == NULL) {
+ PyErr_SetString(PyExc_TypeError,
+@@ -6789,7 +6791,7 @@ Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
+ if (new_memo == NULL)
+ return -1;
+
+- for (i = 0; i < new_memo_size; i++) {
++ for (size_t i = 0; i < new_memo_size; i++) {
+ Py_XINCREF(unpickler->memo[i]);
+ new_memo[i] = unpickler->memo[i];
+ }
+@@ -6837,8 +6839,7 @@ Unpickler_set_memo(UnpicklerObject *self, PyObject *obj)
+
+ error:
+ if (new_memo_size) {
+- i = new_memo_size;
+- while (--i >= 0) {
++ for (size_t i = new_memo_size - 1; i != SIZE_MAX; i--) {
+ Py_XDECREF(new_memo[i]);
+ }
+ PyMem_FREE(new_memo);
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/python/python3/CVE-2018-20852.patch b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
new file mode 100644
index 0000000..82a114f
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2018-20852.patch
@@ -0,0 +1,129 @@
+From 31c16d62fc762ab87e66e7f47e36dbfcfc8b5224 Mon Sep 17 00:00:00 2001
+From: Xtreak <tir.karthi@gmail.com>
+Date: Sun, 17 Mar 2019 05:33:39 +0530
+Subject: [PATCH] [3.5] bpo-35121: prefix dot in domain for proper subdomain
+ validation (GH-10258) (#12281)
+
+Don't send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with `http.cookiejar.DefaultCookiePolicy` policy. Patch by Karthikeyan Singaravelan.
+(cherry picked from commit ca7fe5063593958e5efdf90f068582837f07bd14)
+
+Co-authored-by: Xtreak <tir.karthi@gmail.com>
+
+CVE: CVE-2018-20852
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/4749f1b69000259e23b4cc6f63c542a9bdc62f1b]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Lib/http/cookiejar.py | 13 ++++++--
+ Lib/test/test_http_cookiejar.py | 30 +++++++++++++++++++
+ .../2018-10-31-15-39-17.bpo-35121.EgHv9k.rst | 4 +++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+
+diff --git a/Lib/http/cookiejar.py b/Lib/http/cookiejar.py
+index 6d4572af03..1cc9378ae4 100644
+--- a/Lib/http/cookiejar.py
++++ b/Lib/http/cookiejar.py
+@@ -1148,6 +1148,11 @@ class DefaultCookiePolicy(CookiePolicy):
+ req_host, erhn = eff_request_host(request)
+ domain = cookie.domain
+
++ if domain and not domain.startswith("."):
++ dotdomain = "." + domain
++ else:
++ dotdomain = domain
++
+ # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
+ if (cookie.version == 0 and
+ (self.strict_ns_domain & self.DomainStrictNonDomain) and
+@@ -1160,7 +1165,7 @@ class DefaultCookiePolicy(CookiePolicy):
+ _debug(" effective request-host name %s does not domain-match "
+ "RFC 2965 cookie domain %s", erhn, domain)
+ return False
+- if cookie.version == 0 and not ("."+erhn).endswith(domain):
++ if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
+ _debug(" request-host %s does not match Netscape cookie domain "
+ "%s", req_host, domain)
+ return False
+@@ -1174,7 +1179,11 @@ class DefaultCookiePolicy(CookiePolicy):
+ req_host = "."+req_host
+ if not erhn.startswith("."):
+ erhn = "."+erhn
+- if not (req_host.endswith(domain) or erhn.endswith(domain)):
++ if domain and not domain.startswith("."):
++ dotdomain = "." + domain
++ else:
++ dotdomain = domain
++ if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
+ #_debug(" request domain %s does not match cookie domain %s",
+ # req_host, domain)
+ return False
+diff --git a/Lib/test/test_http_cookiejar.py b/Lib/test/test_http_cookiejar.py
+index 49c01ae489..e67e6ae780 100644
+--- a/Lib/test/test_http_cookiejar.py
++++ b/Lib/test/test_http_cookiejar.py
+@@ -417,6 +417,7 @@ class CookieTests(unittest.TestCase):
+ ("http://foo.bar.com/", ".foo.bar.com", True),
+ ("http://foo.bar.com/", "foo.bar.com", True),
+ ("http://foo.bar.com/", ".bar.com", True),
++ ("http://foo.bar.com/", "bar.com", True),
+ ("http://foo.bar.com/", "com", True),
+ ("http://foo.com/", "rhubarb.foo.com", False),
+ ("http://foo.com/", ".foo.com", True),
+@@ -427,6 +428,8 @@ class CookieTests(unittest.TestCase):
+ ("http://foo/", "foo", True),
+ ("http://foo/", "foo.local", True),
+ ("http://foo/", ".local", True),
++ ("http://barfoo.com", ".foo.com", False),
++ ("http://barfoo.com", "foo.com", False),
+ ]:
+ request = urllib.request.Request(url)
+ r = pol.domain_return_ok(domain, request)
+@@ -961,6 +964,33 @@ class CookieTests(unittest.TestCase):
+ c.add_cookie_header(req)
+ self.assertFalse(req.has_header("Cookie"))
+
++ c.clear()
++
++ pol.set_blocked_domains([])
++ req = urllib.request.Request("http://acme.com/")
++ res = FakeResponse(headers, "http://acme.com/")
++ cookies = c.make_cookies(res, req)
++ c.extract_cookies(res, req)
++ self.assertEqual(len(c), 1)
++
++ req = urllib.request.Request("http://acme.com/")
++ c.add_cookie_header(req)
++ self.assertTrue(req.has_header("Cookie"))
++
++ req = urllib.request.Request("http://badacme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(pol.return_ok(cookies[0], req))
++ self.assertFalse(req.has_header("Cookie"))
++
++ p = pol.set_blocked_domains(["acme.com"])
++ req = urllib.request.Request("http://acme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(req.has_header("Cookie"))
++
++ req = urllib.request.Request("http://badacme.com/")
++ c.add_cookie_header(req)
++ self.assertFalse(req.has_header("Cookie"))
++
+ def test_secure(self):
+ for ns in True, False:
+ for whitespace in " ", "":
+diff --git a/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+new file mode 100644
+index 0000000000..d2eb8f1f35
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2018-10-31-15-39-17.bpo-35121.EgHv9k.rst
+@@ -0,0 +1,4 @@
++Don't send cookies of domain A without Domain attribute to domain B
++when domain A is a suffix match of domain B while using a cookiejar
++with :class:`http.cookiejar.DefaultCookiePolicy` policy. Patch by
++Karthikeyan Singaravelan.
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/python/python3/CVE-2019-9636.patch b/meta/recipes-devtools/python/python3/CVE-2019-9636.patch
new file mode 100644
index 0000000..ce8eb66
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2019-9636.patch
@@ -0,0 +1,154 @@
+From b0305339567b64e07df87620e97e4cb99332aef6 Mon Sep 17 00:00:00 2001
+From: Steve Dower <steve.dower@microsoft.com>
+Date: Sun, 10 Mar 2019 21:59:24 -0700
+Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
+ to separators (GH-12201) (#12223)
+
+CVE: CVE-2019-9636
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/c0d95113b070799679bcb9dc49d4960d82e8bb08]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ Doc/library/urllib.parse.rst | 18 +++++++++++++++
+ Lib/test/test_urlparse.py | 23 +++++++++++++++++++
+ Lib/urllib/parse.py | 17 ++++++++++++++
+ .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++
+ 4 files changed, 61 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+
+diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst
+index 6f722a8897..a4c6b6726e 100644
+--- a/Doc/library/urllib.parse.rst
++++ b/Doc/library/urllib.parse.rst
+@@ -120,6 +120,11 @@ or on combining URL components into a URL string.
+ Unmatched square brackets in the :attr:`netloc` attribute will raise a
+ :exc:`ValueError`.
+
++ Characters in the :attr:`netloc` attribute that decompose under NFKC
++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
++ decomposed before parsing, no error will be raised.
++
+ .. versionchanged:: 3.2
+ Added IPv6 URL parsing capabilities.
+
+@@ -128,6 +133,10 @@ or on combining URL components into a URL string.
+ false), in accordance with :rfc:`3986`. Previously, a whitelist of
+ schemes that support fragments existed.
+
++ .. versionchanged:: 3.5.7
++ Characters that affect netloc parsing under NFKC normalization will
++ now raise :exc:`ValueError`.
++
+
+ .. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace')
+
+@@ -236,6 +245,15 @@ or on combining URL components into a URL string.
+ Unmatched square brackets in the :attr:`netloc` attribute will raise a
+ :exc:`ValueError`.
+
++ Characters in the :attr:`netloc` attribute that decompose under NFKC
++ normalization (as used by the IDNA encoding) into any of ``/``, ``?``,
++ ``#``, ``@``, or ``:`` will raise a :exc:`ValueError`. If the URL is
++ decomposed before parsing, no error will be raised.
++
++ .. versionchanged:: 3.5.7
++ Characters that affect netloc parsing under NFKC normalization will
++ now raise :exc:`ValueError`.
++
+
+ .. function:: urlunsplit(parts)
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index e2cf1b7e0f..d0420b0e74 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -1,3 +1,5 @@
++import sys
++import unicodedata
+ import unittest
+ import urllib.parse
+
+@@ -970,6 +972,27 @@ class UrlParseTestCase(unittest.TestCase):
+ expected.append(name)
+ self.assertCountEqual(urllib.parse.__all__, expected)
+
++ def test_urlsplit_normalization(self):
++ # Certain characters should never occur in the netloc,
++ # including under normalization.
++ # Ensure that ALL of them are detected and cause an error
++ illegal_chars = '/:#?@'
++ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
++ denorm_chars = [
++ c for c in map(chr, range(128, sys.maxunicode))
++ if (hex_chars & set(unicodedata.decomposition(c).split()))
++ and c not in illegal_chars
++ ]
++ # Sanity check that we found at least one such character
++ self.assertIn('\u2100', denorm_chars)
++ self.assertIn('\uFF03', denorm_chars)
++
++ for scheme in ["http", "https", "ftp"]:
++ for c in denorm_chars:
++ url = "{}://netloc{}false.netloc/path".format(scheme, c)
++ with self.subTest(url=url, char='{:04X}'.format(ord(c))):
++ with self.assertRaises(ValueError):
++ urllib.parse.urlsplit(url)
+
+ class Utility_Tests(unittest.TestCase):
+ """Testcase to test the various utility functions in the urllib."""
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 62e8ddf04b..7ba2b445f5 100644
+--- a/Lib/urllib/parse.py
++++ b/Lib/urllib/parse.py
+@@ -327,6 +327,21 @@ def _splitnetloc(url, start=0):
+ delim = min(delim, wdelim) # use earliest delim position
+ return url[start:delim], url[delim:] # return (domain, rest)
+
++def _checknetloc(netloc):
++ if not netloc or not any(ord(c) > 127 for c in netloc):
++ return
++ # looking for characters like \u2100 that expand to 'a/c'
++ # IDNA uses NFKC equivalence, so normalize for this check
++ import unicodedata
++ netloc2 = unicodedata.normalize('NFKC', netloc)
++ if netloc == netloc2:
++ return
++ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
++ for c in '/?#@:':
++ if c in netloc2:
++ raise ValueError("netloc '" + netloc2 + "' contains invalid " +
++ "characters under NFKC normalization")
++
+ def urlsplit(url, scheme='', allow_fragments=True):
+ """Parse a URL into 5 components:
+ <scheme>://<netloc>/<path>?<query>#<fragment>
+@@ -356,6 +371,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ url, fragment = url.split('#', 1)
+ if '?' in url:
+ url, query = url.split('?', 1)
++ _checknetloc(netloc)
+ v = SplitResult(scheme, netloc, url, query, fragment)
+ _parse_cache[key] = v
+ return _coerce_result(v)
+@@ -379,6 +395,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ url, fragment = url.split('#', 1)
+ if '?' in url:
+ url, query = url.split('?', 1)
++ _checknetloc(netloc)
+ v = SplitResult(scheme, netloc, url, query, fragment)
+ _parse_cache[key] = v
+ return _coerce_result(v)
+diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+new file mode 100644
+index 0000000000..5546394157
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+@@ -0,0 +1,3 @@
++Changes urlsplit() to raise ValueError when the URL contains characters that
++decompose under IDNA encoding (NFKC-normalization) into characters that
++affect how the URL is parsed.
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/python/python3_3.5.6.bb b/meta/recipes-devtools/python/python3_3.5.6.bb
index 7e74c55..b2f8a3d 100644
--- a/meta/recipes-devtools/python/python3_3.5.6.bb
+++ b/meta/recipes-devtools/python/python3_3.5.6.bb
@@ -44,6 +44,10 @@ SRC_URI += "\
file://0005-bpo-30714-ALPN-changes-for-OpenSSL-1.1.0f-2305.patch \
file://run-ptest \
file://CVE-2019-9740.patch \
+ file://CVE-2018-14647.patch \
+ file://CVE-2018-20406.patch \
+ file://CVE-2018-20852.patch \
+ file://CVE-2019-9636.patch \
"
inherit multilib_header python3native update-alternatives qemu ptest
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 19/24] libxslt: Cve fix CVE-2019-11068
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (17 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 18/24] python3: Fix CVEs Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 20/24] libxslt: fix CVE-2019-13117 CVE-2019-13118 Armin Kuster
` (4 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Muminul Islam <misla011@fiu.edu>
Signed-off-by: Muminul Islam <muislam@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../libxslt/libxslt/CVE-2019-11068.patch | 128 +++++++++++++++++++++
meta/recipes-support/libxslt/libxslt_1.1.32.bb | 1 +
2 files changed, 129 insertions(+)
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch b/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch
new file mode 100644
index 0000000..83ca8a3
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2019-11068.patch
@@ -0,0 +1,128 @@
+From aed812d8dbbb6d1337312652aa72aa7f44d2b07d Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sun, 24 Mar 2019 09:51:39 +0100
+Subject: [PATCH] Fix security framework bypass
+
+xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
+don't check for this condition and allow access. With a specially
+crafted URL, xsltCheckRead could be tricked into returning an error
+because of a supposedly invalid URL that would still be loaded
+succesfully later on.
+
+Fixes #12.
+
+Thanks to Felix Wilhelm for the report.
+
+Signed-off-by: Muminul Islam <muminul.islam@microsoft.com>
+
+CVE: CVE-2019-11068
+
+Upstream-Status: Backport
+
+https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
+---
+ libxslt/documents.c | 18 ++++++++++--------
+ libxslt/imports.c | 9 +++++----
+ libxslt/transform.c | 9 +++++----
+ libxslt/xslt.c | 9 +++++----
+ 4 files changed, 25 insertions(+), 20 deletions(-)
+
+diff --git a/libxslt/documents.c b/libxslt/documents.c
+index 3f3a7312..4aad11bb 100644
+--- a/libxslt/documents.c
++++ b/libxslt/documents.c
+@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(ctxt->sec, ctxt, URI);
+- if (res == 0) {
+- xsltTransformError(ctxt, NULL, NULL,
+- "xsltLoadDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(ctxt, NULL, NULL,
++ "xsltLoadDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, URI);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltLoadStyleDocument: read rights for %s denied\n",
+- URI);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltLoadStyleDocument: read rights for %s denied\n",
++ URI);
+ return(NULL);
+ }
+ }
+diff --git a/libxslt/imports.c b/libxslt/imports.c
+index 7262aab9..b62e0877 100644
+--- a/libxslt/imports.c
++++ b/libxslt/imports.c
+@@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
+ int secres;
+
+ secres = xsltCheckRead(sec, NULL, URI);
+- if (secres == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsl:import: read rights for %s denied\n",
+- URI);
++ if (secres <= 0) {
++ if (secres == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsl:import: read rights for %s denied\n",
++ URI);
+ goto error;
+ }
+ }
+diff --git a/libxslt/transform.c b/libxslt/transform.c
+index 560f43ca..46eef553 100644
+--- a/libxslt/transform.c
++++ b/libxslt/transform.c
+@@ -3485,10 +3485,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
+ */
+ if (ctxt->sec != NULL) {
+ ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
+- if (ret == 0) {
+- xsltTransformError(ctxt, NULL, inst,
+- "xsltDocumentElem: write rights for %s denied\n",
+- filename);
++ if (ret <= 0) {
++ if (ret == 0)
++ xsltTransformError(ctxt, NULL, inst,
++ "xsltDocumentElem: write rights for %s denied\n",
++ filename);
+ xmlFree(URL);
+ xmlFree(filename);
+ return;
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 54a39de9..359913e4 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
+ int res;
+
+ res = xsltCheckRead(sec, NULL, filename);
+- if (res == 0) {
+- xsltTransformError(NULL, NULL, NULL,
+- "xsltParseStylesheetFile: read rights for %s denied\n",
+- filename);
++ if (res <= 0) {
++ if (res == 0)
++ xsltTransformError(NULL, NULL, NULL,
++ "xsltParseStylesheetFile: read rights for %s denied\n",
++ filename);
+ return(NULL);
+ }
+ }
+--
+2.23.0
+
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.32.bb b/meta/recipes-support/libxslt/libxslt_1.1.32.bb
index f0fa5e7..df3f97a 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.32.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.32.bb
@@ -10,6 +10,7 @@ DEPENDS = "libxml2"
SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
file://fix-rvts-handling.patch \
+ file://CVE-2019-11068.patch \
"
SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 20/24] libxslt: fix CVE-2019-13117 CVE-2019-13118
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (18 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 19/24] libxslt: Cve fix CVE-2019-11068 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 21/24] patch: fix CVE-2019-13638 Armin Kuster
` (3 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
(From OE-Core rev: 7dc3048fec88dd62ef49ef16517b7382ab7cf2a5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Fixup for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../libxslt/files/CVE-2019-13117.patch | 33 ++++++++++
.../libxslt/files/CVE-2019-13118.patch | 76 ++++++++++++++++++++++
meta/recipes-support/libxslt/libxslt_1.1.32.bb | 4 +-
3 files changed, 112 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/libxslt/files/CVE-2019-13117.patch
create mode 100644 meta/recipes-support/libxslt/files/CVE-2019-13118.patch
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13117.patch b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
new file mode 100644
index 0000000..ef3f270
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-13117.patch
@@ -0,0 +1,33 @@
+From c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Sat, 27 Apr 2019 11:19:48 +0200
+Subject: [PATCH] Fix uninitialized read of xsl:number token
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2019-13117
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ libxslt/numbers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 89e1f668..75c31eba 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -382,7 +382,10 @@ xsltNumberFormatTokenize(const xmlChar *format,
+ tokens->tokens[tokens->nTokens].token = val - 1;
+ ix += len;
+ val = xmlStringCurrentChar(NULL, format+ix, &len);
+- }
++ } else {
++ tokens->tokens[tokens->nTokens].token = (xmlChar)'0';
++ tokens->tokens[tokens->nTokens].width = 1;
++ }
+ } else if ( (val == (xmlChar)'A') ||
+ (val == (xmlChar)'a') ||
+ (val == (xmlChar)'I') ||
+--
+2.21.0
+
diff --git a/meta/recipes-support/libxslt/files/CVE-2019-13118.patch b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
new file mode 100644
index 0000000..595e6c2
--- /dev/null
+++ b/meta/recipes-support/libxslt/files/CVE-2019-13118.patch
@@ -0,0 +1,76 @@
+From 6ce8de69330783977dd14f6569419489875fb71b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Jun 2019 13:14:45 +0200
+Subject: [PATCH] Fix uninitialized read with UTF-8 grouping chars
+
+The character type in xsltFormatNumberConversion was too narrow and
+an invalid character/length combination could be passed to
+xsltNumberFormatDecimal, resulting in an uninitialized read.
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2019-13118
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+
+---
+ libxslt/numbers.c | 5 +++--
+ tests/docs/bug-222.xml | 1 +
+ tests/general/bug-222.out | 2 ++
+ tests/general/bug-222.xsl | 6 ++++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+ create mode 100644 tests/docs/bug-222.xml
+ create mode 100644 tests/general/bug-222.out
+ create mode 100644 tests/general/bug-222.xsl
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index f1ed8846..20b99d5a 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -1298,13 +1298,14 @@ OUTPUT_NUMBER:
+ number = floor((scale * number + 0.5)) / scale;
+ if ((self->grouping != NULL) &&
+ (self->grouping[0] != 0)) {
++ int gchar;
+
+ len = xmlStrlen(self->grouping);
+- pchar = xsltGetUTF8Char(self->grouping, &len);
++ gchar = xsltGetUTF8Char(self->grouping, &len);
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+ format_info.group,
+- pchar, len);
++ gchar, len);
+ } else
+ xsltNumberFormatDecimal(buffer, floor(number), self->zeroDigit[0],
+ format_info.integer_digits,
+diff --git a/tests/docs/bug-222.xml b/tests/docs/bug-222.xml
+new file mode 100644
+index 00000000..69d62f2c
+--- /dev/null
++++ b/tests/docs/bug-222.xml
+@@ -0,0 +1 @@
++<doc/>
+diff --git a/tests/general/bug-222.out b/tests/general/bug-222.out
+new file mode 100644
+index 00000000..e3139698
+--- /dev/null
++++ b/tests/general/bug-222.out
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++1⠢0
+diff --git a/tests/general/bug-222.xsl b/tests/general/bug-222.xsl
+new file mode 100644
+index 00000000..e32dc473
+--- /dev/null
++++ b/tests/general/bug-222.xsl
+@@ -0,0 +1,6 @@
++<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
++ <xsl:decimal-format name="f" grouping-separator="⠢"/>
++ <xsl:template match="/">
++ <xsl:value-of select="format-number(10,'#⠢0','f')"/>
++ </xsl:template>
++</xsl:stylesheet>
+--
+2.21.0
+
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.32.bb b/meta/recipes-support/libxslt/libxslt_1.1.32.bb
index df3f97a..e2a515f 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.32.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.32.bb
@@ -11,7 +11,9 @@ DEPENDS = "libxml2"
SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
file://fix-rvts-handling.patch \
file://CVE-2019-11068.patch \
- "
+ file://CVE-2019-13117.patch \
+ file://CVE-2019-13118.patch \
+"
SRC_URI[md5sum] = "1fc72f98e98bf4443f1651165f3aa146"
SRC_URI[sha256sum] = "526ecd0abaf4a7789041622c3950c0e7f2c4c8835471515fd77eec684a355460"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 21/24] patch: fix CVE-2019-13638
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (19 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 20/24] libxslt: fix CVE-2019-13117 CVE-2019-13118 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 22/24] patch: backport fixes Armin Kuster
` (2 subsequent siblings)
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Trevor Gamblin <trevor.gamblin@windriver.com>
(From OE-Core rev: b59b1222b3f73f982286222a583de09c661dc781)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 555b0642579c00c41bc3daab9cef08452f9834d5)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...ke-ed-directly-instead-of-using-the-shell.patch | 44 ++++++++++++++++++++++
meta/recipes-devtools/patch/patch_2.7.6.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
diff --git a/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
new file mode 100644
index 0000000..f60dfe8
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Invoke-ed-directly-instead-of-using-the-shell.patch
@@ -0,0 +1,44 @@
+From 3fcd042d26d70856e826a42b5f93dc4854d80bf0 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher <agruen@gnu.org>
+Date: Fri, 6 Apr 2018 19:36:15 +0200
+Subject: [PATCH] Invoke ed directly instead of using the shell
+
+* src/pch.c (do_ed_script): Invoke ed directly instead of using a shell
+command to avoid quoting vulnerabilities.
+
+CVE: CVE-2019-13638
+Upstream-Status: Backport[https://git.savannah.gnu.org/cgit/patch.git/patch/?id=3fcd042d26d70856e826a42b5f93dc4854d80bf0]
+Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
+
+---
+ src/pch.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+
+diff --git a/src/pch.c b/src/pch.c
+index 4fd5a05..16e001a 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2459,9 +2459,6 @@ do_ed_script (char const *inname, char const *outname,
+ *outname_needs_removal = true;
+ copy_file (inname, outname, 0, exclusive, instat.st_mode, true);
+ }
+- sprintf (buf, "%s %s%s", editor_program,
+- verbosity == VERBOSE ? "" : "- ",
+- outname);
+ fflush (stdout);
+
+ pid = fork();
+@@ -2470,7 +2467,8 @@ do_ed_script (char const *inname, char const *outname,
+ else if (pid == 0)
+ {
+ dup2 (tmpfd, 0);
+- execl ("/bin/sh", "sh", "-c", buf, (char *) 0);
++ assert (outname[0] != '!' && outname[0] != '-');
++ execlp (editor_program, editor_program, "-", outname, (char *) NULL);
+ _exit (2);
+ }
+ else
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 8cf20a3..8908910 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -7,6 +7,7 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0004-Fix-arbitrary-command-execution-in-ed-style-patches-.patch \
file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
file://CVE-2019-13636.patch \
+ file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
"
SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 22/24] patch: backport fixes
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (20 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 21/24] patch: fix CVE-2019-13638 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 23/24] pango: fix CVE-2019-1010238 Armin Kuster
2019-09-24 3:13 ` [Thud][ 24/24] linux-yocto/4.14: update to v4.14.143 Armin Kuster
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
The original fix for CVE-2018-1000156 was incomplete. Backport more
fixes done later for a complete fix.
Also see:
https://savannah.gnu.org/bugs/index.php?53820
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 12f9689cba740da6b8c7d9292c74c3992c2e18f2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...k-temporary-file-on-failed-ed-style-patch.patch | 93 ++++++++++++++++++++++
...ak-temporary-file-on-failed-multi-file-ed.patch | 80 +++++++++++++++++++
meta/recipes-devtools/patch/patch_2.7.6.bb | 2 +
3 files changed, 175 insertions(+)
create mode 100644 meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
create mode 100644 meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
new file mode 100644
index 0000000..9891526
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch
@@ -0,0 +1,93 @@
+From 7f770b9c20da1a192dad8cb572a6391f2773285a Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Thu, 3 May 2018 14:31:55 +0200
+Subject: [PATCH 1/2] Don't leak temporary file on failed ed-style patch
+
+Now that we write ed-style patches to a temporary file before we
+apply them, we need to ensure that the temporary file is removed
+before we leave, even on fatal error.
+
+* src/pch.c (do_ed_script): Use global TMPEDNAME instead of local
+ tmpname. Don't unlink the file directly, instead tag it for removal
+ at exit time.
+* src/patch.c (cleanup): Unlink TMPEDNAME at exit.
+
+This closes bug #53820:
+https://savannah.gnu.org/bugs/index.php?53820
+
+Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=19599883ffb6a450d2884f081f8ecf68edbed7ee]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ src/common.h | 2 ++
+ src/pch.c | 12 +++++-------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/common.h b/src/common.h
+index ec50b40..22238b5 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -94,10 +94,12 @@ XTERN char const *origsuff;
+ XTERN char const * TMPINNAME;
+ XTERN char const * TMPOUTNAME;
+ XTERN char const * TMPPATNAME;
++XTERN char const * TMPEDNAME;
+
+ XTERN bool TMPINNAME_needs_removal;
+ XTERN bool TMPOUTNAME_needs_removal;
+ XTERN bool TMPPATNAME_needs_removal;
++XTERN bool TMPEDNAME_needs_removal;
+
+ #ifdef DEBUGGING
+ XTERN int debug;
+diff --git a/src/pch.c b/src/pch.c
+index 16e001a..c1a62cf 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -2392,7 +2392,6 @@ do_ed_script (char const *inname, char const *outname,
+ file_offset beginning_of_this_line;
+ size_t chars_read;
+ FILE *tmpfp = 0;
+- char const *tmpname;
+ int tmpfd;
+ pid_t pid;
+
+@@ -2404,12 +2403,13 @@ do_ed_script (char const *inname, char const *outname,
+ invalid commands and treats the next line as a new command, which
+ can lead to arbitrary command execution. */
+
+- tmpfd = make_tempfile (&tmpname, 'e', NULL, O_RDWR | O_BINARY, 0);
++ tmpfd = make_tempfile (&TMPEDNAME, 'e', NULL, O_RDWR | O_BINARY, 0);
+ if (tmpfd == -1)
+- pfatal ("Can't create temporary file %s", quotearg (tmpname));
++ pfatal ("Can't create temporary file %s", quotearg (TMPEDNAME));
++ TMPEDNAME_needs_removal = true;
+ tmpfp = fdopen (tmpfd, "w+b");
+ if (! tmpfp)
+- pfatal ("Can't open stream for file %s", quotearg (tmpname));
++ pfatal ("Can't open stream for file %s", quotearg (TMPEDNAME));
+ }
+
+ for (;;) {
+@@ -2449,8 +2449,7 @@ do_ed_script (char const *inname, char const *outname,
+ write_fatal ();
+
+ if (lseek (tmpfd, 0, SEEK_SET) == -1)
+- pfatal ("Can't rewind to the beginning of file %s", quotearg (tmpname));
+-
++ pfatal ("Can't rewind to the beginning of file %s", quotearg (TMPEDNAME));
+ if (! dry_run && ! skip_rest_of_patch) {
+ int exclusive = *outname_needs_removal ? 0 : O_EXCL;
+ *outname_needs_removal = true;
+@@ -2482,7 +2481,6 @@ do_ed_script (char const *inname, char const *outname,
+ }
+
+ fclose (tmpfp);
+- safe_unlink (tmpname);
+
+ if (ofp)
+ {
+--
+2.17.0
+
diff --git a/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
new file mode 100644
index 0000000..d6a219a
--- /dev/null
+++ b/meta/recipes-devtools/patch/patch/0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch
@@ -0,0 +1,80 @@
+From 369dcccdfa6336e5a873d6d63705cfbe04c55727 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 7 May 2018 15:14:45 +0200
+Subject: Don't leak temporary file on failed multi-file ed-style patch
+
+The previous fix worked fine with single-file ed-style patches, but
+would still leak temporary files in the case of multi-file ed-style
+patch. Fix that case as well, and extend the test case to check for
+it.
+
+* src/patch.c (main): Unlink TMPEDNAME if needed before moving to
+ the next file in a patch.
+
+This closes bug #53820:
+https://savannah.gnu.org/bugs/index.php?53820
+
+Fixes: 123eaff0d5d1 ("Fix arbitrary command execution in ed-style patches (CVE-2018-1000156)")
+Fixes: 19599883ffb6 ("Don't leak temporary file on failed ed-style patch")
+
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/patch.git/commit/?id=369dcccdfa6336e5a873d6d63705cfbe04c55727]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ src/patch.c | 1 +
+ tests/ed-style | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+)
+
+diff --git a/src/patch.c b/src/patch.c
+index 9146597..81c7a02 100644
+--- a/src/patch.c
++++ b/src/patch.c
+@@ -236,6 +236,7 @@ main (int argc, char **argv)
+ }
+ remove_if_needed (TMPOUTNAME, &TMPOUTNAME_needs_removal);
+ }
++ remove_if_needed (TMPEDNAME, &TMPEDNAME_needs_removal);
+
+ if (! skip_rest_of_patch && ! file_type)
+ {
+diff --git a/tests/ed-style b/tests/ed-style
+index 6b6ef9d..504e6e5 100644
+--- a/tests/ed-style
++++ b/tests/ed-style
+@@ -38,3 +38,34 @@ EOF
+ check 'cat foo' <<EOF
+ foo
+ EOF
++
++# Test the case where one ed-style patch modifies several files
++
++cat > ed3.diff <<EOF
++--- foo
+++++ foo
++1c
++bar
++.
++--- baz
+++++ baz
++0a
++baz
++.
++EOF
++
++# Apparently we can't create a file with such a patch, while it works fine
++# when the file name is provided on the command line
++cat > baz <<EOF
++EOF
++
++check 'patch -e -i ed3.diff' <<EOF
++EOF
++
++check 'cat foo' <<EOF
++bar
++EOF
++
++check 'cat baz' <<EOF
++baz
++EOF
+--
+cgit v1.0-41-gc330
+
diff --git a/meta/recipes-devtools/patch/patch_2.7.6.bb b/meta/recipes-devtools/patch/patch_2.7.6.bb
index 8908910..5d7f55f 100644
--- a/meta/recipes-devtools/patch/patch_2.7.6.bb
+++ b/meta/recipes-devtools/patch/patch_2.7.6.bb
@@ -8,6 +8,8 @@ SRC_URI += "file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0001-Fix-swapping-fake-lines-in-pch_swap.patch \
file://CVE-2019-13636.patch \
file://0001-Invoke-ed-directly-instead-of-using-the-shell.patch \
+ file://0001-Don-t-leak-temporary-file-on-failed-ed-style-patch.patch \
+ file://0001-Don-t-leak-temporary-file-on-failed-multi-file-ed.patch \
"
SRC_URI[md5sum] = "4c68cee989d83c87b00a3860bcd05600"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 23/24] pango: fix CVE-2019-1010238
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (21 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 22/24] patch: backport fixes Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
2019-09-24 3:13 ` [Thud][ 24/24] linux-yocto/4.14: update to v4.14.143 Armin Kuster
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 65631a048f57965745dc8cc23cb80c4c3a71ba94)
[Fix up for thud context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../pango/pango/CVE-2019-1010238.patch | 38 ++++++++++++++++++++++
meta/recipes-graphics/pango/pango_1.42.4.bb | 4 ++-
2 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch
diff --git a/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch b/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch
new file mode 100644
index 0000000..5b0c342
--- /dev/null
+++ b/meta/recipes-graphics/pango/pango/CVE-2019-1010238.patch
@@ -0,0 +1,38 @@
+From 490f8979a260c16b1df055eab386345da18a2d54 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Wed, 10 Jul 2019 20:26:23 -0400
+Subject: [PATCH] bidi: Be safer against bad input
+
+Don't run off the end of an array that we
+allocated to certain length.
+
+Closes: https://gitlab.gnome.org/GNOME/pango/issues/342
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/pango/commit/490f8979a260c16b1df055eab386345da18a2d54]
+CVE: CVE-2019-1010238
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ pango/pango-bidi-type.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/pango/pango-bidi-type.c b/pango/pango-bidi-type.c
+index 3e46b66c..5c02dbbb 100644
+--- a/pango/pango-bidi-type.c
++++ b/pango/pango-bidi-type.c
+@@ -181,8 +181,11 @@ pango_log2vis_get_embedding_levels (const gchar *text,
+ for (i = 0, p = text; p < text + length; p = g_utf8_next_char(p), i++)
+ {
+ gunichar ch = g_utf8_get_char (p);
+- FriBidiCharType char_type;
+- char_type = fribidi_get_bidi_type (ch);
++ FriBidiCharType char_type = fribidi_get_bidi_type (ch);
++
++ if (i == n_chars)
++ break;
++
+ bidi_types[i] = char_type;
+ ored_types |= char_type;
+ if (FRIBIDI_IS_STRONG (char_type))
+--
+2.21.0
+
diff --git a/meta/recipes-graphics/pango/pango_1.42.4.bb b/meta/recipes-graphics/pango/pango_1.42.4.bb
index 22fe3af..f6a3a5a 100644
--- a/meta/recipes-graphics/pango/pango_1.42.4.bb
+++ b/meta/recipes-graphics/pango/pango_1.42.4.bb
@@ -15,7 +15,9 @@ inherit gnomebase gtk-doc ptest-gnome upstream-version-is-even gobject-introspec
SRC_URI += "file://run-ptest \
file://0001-Enforce-recreation-of-docs-pango.types-it-is-build-c.patch \
-"
+ file://CVE-2019-1010238.patch \
+ "
+
SRC_URI[archive.md5sum] = "deb171a31a3ad76342d5195a1b5bbc7c"
SRC_URI[archive.sha256sum] = "1d2b74cd63e8bd41961f2f8d952355aa0f9be6002b52c8aa7699d9f5da597c9d"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread* [Thud][ 24/24] linux-yocto/4.14: update to v4.14.143
2019-09-24 3:12 [Thud][ 00/24] Thud patch review Armin Kuster
` (22 preceding siblings ...)
2019-09-24 3:13 ` [Thud][ 23/24] pango: fix CVE-2019-1010238 Armin Kuster
@ 2019-09-24 3:13 ` Armin Kuster
23 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-09-24 3:13 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating to the latest 4.14 -stable. Lightly build and boot tested
on qemu*
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb | 6 +++---
meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb | 6 +++---
meta/recipes-kernel/linux/linux-yocto_4.14.bb | 20 ++++++++++----------
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb b/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
index 4189fc8..0ed2900 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "82ac7b2b8048b537481bf16b8acda1cc9bfe9565"
-SRCREV_meta ?= "6a3254e7b370cbb86c1f73379dcf38885c1c69e0"
+SRCREV_machine ?= "72075349c6af55a7a6d024f0aa241711653fcb97"
+SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.14.79"
+LINUX_VERSION ?= "4.14.143"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
index 71f5c47..cb46307 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
@@ -4,7 +4,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "4.14.79"
+LINUX_VERSION ?= "4.14.143"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
@@ -12,8 +12,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "6ce17eae5d962b30846a5258956246438d68d60a"
-SRCREV_meta ?= "6a3254e7b370cbb86c1f73379dcf38885c1c69e0"
+SRCREV_machine ?= "3d884bc92763f474cc0728d1feb0becad8ed37d5"
+SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_4.14.bb b/meta/recipes-kernel/linux/linux-yocto_4.14.bb
index 65b2444..4a92d27 100644
--- a/meta/recipes-kernel/linux/linux-yocto_4.14.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_4.14.bb
@@ -11,20 +11,20 @@ KBRANCH_qemux86 ?= "v4.14/standard/base"
KBRANCH_qemux86-64 ?= "v4.14/standard/base"
KBRANCH_qemumips64 ?= "v4.14/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "8752b8421efe8b5a478f17fbffacf4af974ec703"
-SRCREV_machine_qemuarm64 ?= "ac66474ba7f7e93d16ae3ea005f214113bb127c5"
-SRCREV_machine_qemumips ?= "ab031b267e2a79fcd48da5d10d503f4d065f4821"
-SRCREV_machine_qemuppc ?= "f47c3945e8dd230ea37771bcacc836245fc79d22"
-SRCREV_machine_qemux86 ?= "f1d93b219bde37a8a286cd18d6af2dcf0d02c1a8"
-SRCREV_machine_qemux86-64 ?= "f1d93b219bde37a8a286cd18d6af2dcf0d02c1a8"
-SRCREV_machine_qemumips64 ?= "8063a7258fc670a361fed85b858fabb237485f1c"
-SRCREV_machine ?= "f1d93b219bde37a8a286cd18d6af2dcf0d02c1a8"
-SRCREV_meta ?= "6a3254e7b370cbb86c1f73379dcf38885c1c69e0"
+SRCREV_machine_qemuarm ?= "bd85f4880bb890bf9c45ee6c2fd95f077d2bf67e"
+SRCREV_machine_qemuarm64 ?= "445a4787bd489eb6b3d5c172b9842dbe5a34d734"
+SRCREV_machine_qemumips ?= "3d07ac9aa6ca729674dfb763563202f18f9eedde"
+SRCREV_machine_qemuppc ?= "81ba8dbab3b1bfc371e539956be905809db0e41a"
+SRCREV_machine_qemux86 ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755"
+SRCREV_machine_qemux86-64 ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755"
+SRCREV_machine_qemumips64 ?= "3c4acadcbe2ee11043f7d0fce43a5181511d0935"
+SRCREV_machine ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755"
+SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.14.79"
+LINUX_VERSION ?= "4.14.143"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.7.4
^ permalink raw reply related [flat|nested] 26+ messages in thread