[zeus 0/6] Patch review

[zeus 0/6] Patch review

[akuster]

Please have reviews back by Saturday

The following changes since commit 9e60d30669a2ad0598e9abf0cd15ee06b523986b:

  sanlock: Replace cp -a with cp -R --no-dereference (2020-03-15 13:30:34 -0700)

are available in the Git repository at:

  git://git.openembedded.org/meta-openembedded-contrib stable/zeus-nut
  http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/zeus-nut

Armin Kuster (1):
  tremor: update SRC_URI as project moved to gitlab

Haiqing Bai (2):
  gd: fix CVE-2017-6363
  python-urllib3/python3-urllib3: fix CVE-2020-7212

Wang Mingyu (2):
  libssh2: CVE-2019-17498.patch
  opensc: CVE-2019-19479 CVE-2019-19480

Wenlin Kang (1):
  ipmitool: fix CVE-2020-5208

 .../tremor/tremor_20180319.bb                 |   2 +-
 ...-Fix-buffer-overflow-vulnerabilities.patch | 133 ++++++++++++++++
 ...uffer-overflow-in-ipmi_spd_print_fru.patch |  53 +++++++
 ...er-overflow-in-ipmi_get_session_info.patch |  53 +++++++
 .../0004-channel-Fix-buffer-overflow.patch    |  69 +++++++++
 ...er-overflows-in-get_lan_param_select.patch |  94 ++++++++++++
 ...u-sdr-Fix-id_string-buffer-overflows.patch | 142 ++++++++++++++++++
 .../ipmitool/ipmitool_1.8.18.bb               |   6 +
 .../recipes-support/gd/gd/CVE-2017-6363.patch |  35 +++++
 meta-oe/recipes-support/gd/gd_2.2.5.bb        |   1 +
 .../libssh2/libssh2/CVE-2019-17498.patch      | 131 ++++++++++++++++
 .../recipes-support/libssh2/libssh2_1.8.2.bb  |   1 +
 .../opensc/opensc/CVE-2019-19479.patch        |  30 ++++
 .../opensc/opensc/CVE-2019-19480.patch        |  34 +++++
 .../recipes-support/opensc/opensc_0.19.0.bb   |   2 +
 .../python/python-urllib3/CVE-2020-7212.patch |  54 +++++++
 .../python/python-urllib3_1.25.6.bb           |   2 +
 .../python3-urllib3/CVE-2020-7212.patch       |  54 +++++++
 .../python/python3-urllib3_1.25.6.bb          |   2 +
 19 files changed, 897 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0006-fru-sdr-Fix-id_string-buffer-overflows.patch
 create mode 100644 meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
 create mode 100644 meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch
 create mode 100644 meta-oe/recipes-support/opensc/opensc/CVE-2019-19479.patch
 create mode 100644 meta-oe/recipes-support/opensc/opensc/CVE-2019-19480.patch
 create mode 100644 meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch

-- 
2.17.1

[zeus 1/6] gd: fix CVE-2017-6363

[akuster]

From: Haiqing Bai <Haiqing.Bai@windriver.com>

Backport the CVE patch from the upstream to fix the heap-based buffer
over-read in tiffWriter.

Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../recipes-support/gd/gd/CVE-2017-6363.patch | 35 +++++++++++++++++++
 meta-oe/recipes-support/gd/gd_2.2.5.bb        |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch

diff --git a/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
new file mode 100644
index 0000000000..25b5880ff9
--- /dev/null
+++ b/meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
@@ -0,0 +1,35 @@
+From 8f7b60ea7db87de5df76169e3f3918e401ef8bf7 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Wed, 31 Jan 2018 14:50:16 -0500
+Subject: [PATCH] gd/gd2: make sure transparent palette index is within bounds
+ #383
+
+The gd image formats allow for a palette of 256 colors,
+so if the transparent index is out of range, disable it.
+
+Upstream-Status: Backport
+[https://github.com/libgd/libgd.git commit:0be86e1926939a98afbd2f3a23c673dfc4df2a7c]
+CVE-2017-6363
+
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/gd_gd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/gd_gd.c b/src/gd_gd.c
+index f8d39cb..5a86fc3 100644
+--- a/src/gd_gd.c
++++ b/src/gd_gd.c
+@@ -54,7 +54,8 @@ _gdGetColors (gdIOCtx * in, gdImagePtr im, int gd2xFlag)
+ 		if (!gdGetWord (&im->transparent, in)) {
+ 			goto fail1;
+ 		}
+-		if (im->transparent == 257) {
++		/* Make sure transparent index is within bounds of the palette. */
++		if (im->transparent >= 256 || im->transparent < 0) {
+ 			im->transparent = (-1);
+ 		}
+ 	}
+-- 
+1.9.1
+
diff --git a/meta-oe/recipes-support/gd/gd_2.2.5.bb b/meta-oe/recipes-support/gd/gd_2.2.5.bb
index 35f9bb2516..dda2e67d6d 100644
--- a/meta-oe/recipes-support/gd/gd_2.2.5.bb
+++ b/meta-oe/recipes-support/gd/gd_2.2.5.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/libgd/libgd.git;branch=GD-2.2 \
            file://0001-annotate.c-gdft.c-Replace-strncpy-with-memccpy-to-fi.patch \
            file://CVE-2018-1000222.patch \
            file://CVE-2019-6978.patch \
+           file://CVE-2017-6363.patch \
           "
 
 SRCREV = "8255231b68889597d04d451a72438ab92a405aba"
-- 
2.17.1

[zeus 2/6] python-urllib3/python3-urllib3: fix CVE-2020-7212

[akuster]

From: Haiqing Bai <Haiqing.Bai@windriver.com>

Optimize _encode_invalid_chars for a denial of service (CPU consumption)

Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../python/python-urllib3/CVE-2020-7212.patch | 54 +++++++++++++++++++
 .../python/python-urllib3_1.25.6.bb           |  2 +
 .../python3-urllib3/CVE-2020-7212.patch       | 54 +++++++++++++++++++
 .../python/python3-urllib3_1.25.6.bb          |  2 +
 4 files changed, 112 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
 create mode 100644 meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch

diff --git a/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
new file mode 100644
index 0000000000..a2bb0fb5be
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
@@ -0,0 +1,54 @@
+From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Tue, 21 Jan 2020 22:32:56 +0400
+Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
+
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+
+Upstream-Status: Backport
+[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/urllib3/util/url.py | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 9675f74..e353937 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+ 
+     component = six.ensure_text(component)
+ 
++    # Normalize existing percent-encoded bytes.
+     # Try to see if the component we're encoding is already percent-encoded
+     # so we can skip all '%' characters but still encode all others.
+-    percent_encodings = PERCENT_RE.findall(component)
+-
+-    # Normalize existing percent-encoded bytes.
+-    for enc in percent_encodings:
+-        if not enc.isupper():
+-            component = component.replace(enc, enc.upper())
++    component, percent_encodings = PERCENT_RE.subn(
++        lambda match: match.group(0).upper(), component
++    )
+ 
+     uri_bytes = component.encode("utf-8", "surrogatepass")
+-    is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
+-
++    is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
+     encoded_component = bytearray()
+ 
+     for i in range(0, len(uri_bytes)):
+@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+         if (is_percent_encoded and byte == b"%") or (
+             byte_ord < 128 and byte.decode() in allowed_chars
+         ):
+-            encoded_component.extend(byte)
++            encoded_component += byte
+             continue
+         encoded_component.extend(b"%" + (hex(byte_ord)[2:].encode().zfill(2).upper()))
+ 
+-- 
+2.23.0
+
diff --git a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
index 6c81f1db9b..9f2d2c8496 100644
--- a/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
+++ b/meta-python/recipes-devtools/python/python-urllib3_1.25.6.bb
@@ -1,2 +1,4 @@
 inherit pypi setuptools
 require python-urllib3.inc
+
+SRC_URI += "file://CVE-2020-7212.patch"
diff --git a/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
new file mode 100644
index 0000000000..a2bb0fb5be
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
@@ -0,0 +1,54 @@
+From aff951b7a41eb5b958b32c49eaa00da02adc9c2d Mon Sep 17 00:00:00 2001
+From: Quentin Pradet <quentin.pradet@gmail.com>
+Date: Tue, 21 Jan 2020 22:32:56 +0400
+Subject: [PATCH] Optimize _encode_invalid_chars (#1787)
+
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+
+Upstream-Status: Backport
+[from git://github.com/urllib3/urllib3.git commit:a2697e7c6b]
+Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
+---
+ src/urllib3/util/url.py | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/urllib3/util/url.py b/src/urllib3/util/url.py
+index 9675f74..e353937 100644
+--- a/src/urllib3/util/url.py
++++ b/src/urllib3/util/url.py
+@@ -216,18 +216,15 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+ 
+     component = six.ensure_text(component)
+ 
++    # Normalize existing percent-encoded bytes.
+     # Try to see if the component we're encoding is already percent-encoded
+     # so we can skip all '%' characters but still encode all others.
+-    percent_encodings = PERCENT_RE.findall(component)
+-
+-    # Normalize existing percent-encoded bytes.
+-    for enc in percent_encodings:
+-        if not enc.isupper():
+-            component = component.replace(enc, enc.upper())
++    component, percent_encodings = PERCENT_RE.subn(
++        lambda match: match.group(0).upper(), component
++    )
+ 
+     uri_bytes = component.encode("utf-8", "surrogatepass")
+-    is_percent_encoded = len(percent_encodings) == uri_bytes.count(b"%")
+-
++    is_percent_encoded = percent_encodings == uri_bytes.count(b"%")
+     encoded_component = bytearray()
+ 
+     for i in range(0, len(uri_bytes)):
+@@ -237,7 +234,7 @@ def _encode_invalid_chars(component, allowed_chars, encoding="utf-8"):
+         if (is_percent_encoded and byte == b"%") or (
+             byte_ord < 128 and byte.decode() in allowed_chars
+         ):
+-            encoded_component.extend(byte)
++            encoded_component += byte
+             continue
+         encoded_component.extend(b"%" + (hex(byte_ord)[2:].encode().zfill(2).upper()))
+ 
+-- 
+2.23.0
+
diff --git a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
index 19eb7025b2..e3583a057d 100644
--- a/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
+++ b/meta-python/recipes-devtools/python/python3-urllib3_1.25.6.bb
@@ -1,2 +1,4 @@
 inherit pypi setuptools3
 require python-urllib3.inc
+
+SRC_URI += "file://CVE-2020-7212.patch"
-- 
2.17.1

[zeus 3/6] libssh2: CVE-2019-17498.patch

[akuster]

From: Wang Mingyu <wangmy@cn.fujitsu.com>

Security Advisory

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17498

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../libssh2/libssh2/CVE-2019-17498.patch      | 131 ++++++++++++++++++
 .../recipes-support/libssh2/libssh2_1.8.2.bb  |   1 +
 2 files changed, 132 insertions(+)
 create mode 100644 meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch

diff --git a/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch b/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch
new file mode 100644
index 0000000000..f60764c92d
--- /dev/null
+++ b/meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch
@@ -0,0 +1,131 @@
+From dedcbd106f8e52d5586b0205bc7677e4c9868f9c Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 30 Aug 2019 09:57:38 -0700
+Subject: [PATCH] packet.c: improve message parsing (#402)
+
+* packet.c: improve parsing of packets
+
+file: packet.c
+
+notes:
+Use _libssh2_get_string API in SSH_MSG_DEBUG/SSH_MSG_DISCONNECT. Additional uint32 bounds check in SSH_MSG_GLOBAL_REQUEST.
+
+Upstream-Status: Accepted
+CVE: CVE-2019-17498
+
+Reference to upstream patch:
+https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
+
+---
+ src/packet.c | 68 ++++++++++++++++++++++------------------------------
+ 1 file changed, 29 insertions(+), 39 deletions(-)
+
+diff --git a/src/packet.c b/src/packet.c
+index 38ab6294..2e01bfc5 100644
+--- a/src/packet.c
++++ b/src/packet.c
+@@ -416,8 +416,8 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                     size_t datalen, int macstate)
+ {
+     int rc = 0;
+-    char *message = NULL;
+-    char *language = NULL;
++    unsigned char *message = NULL;
++    unsigned char *language = NULL;
+     size_t message_len = 0;
+     size_t language_len = 0;
+     LIBSSH2_CHANNEL *channelp = NULL;
+@@ -469,33 +469,23 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+ 
+         case SSH_MSG_DISCONNECT:
+             if(datalen >= 5) {
+-                size_t reason = _libssh2_ntohu32(data + 1);
++                uint32_t reason = 0;
++                struct string_buf buf;
++                buf.data = (unsigned char *)data;
++                buf.dataptr = buf.data;
++                buf.len = datalen;
++                buf.dataptr++; /* advance past type */
+ 
+-                if(datalen >= 9) {
+-                    message_len = _libssh2_ntohu32(data + 5);
++                _libssh2_get_u32(&buf, &reason);
++                _libssh2_get_string(&buf, &message, &message_len);
++                _libssh2_get_string(&buf, &language, &language_len);
+ 
+-                    if(message_len < datalen-13) {
+-                        /* 9 = packet_type(1) + reason(4) + message_len(4) */
+-                        message = (char *) data + 9;
+-
+-                        language_len =
+-                            _libssh2_ntohu32(data + 9 + message_len);
+-                        language = (char *) data + 9 + message_len + 4;
+-
+-                        if(language_len > (datalen-13-message_len)) {
+-                            /* bad input, clear info */
+-                            language = message = NULL;
+-                            language_len = message_len = 0;
+-                        }
+-                    }
+-                    else
+-                        /* bad size, clear it */
+-                        message_len = 0;
+-                }
+                 if(session->ssh_msg_disconnect) {
+-                    LIBSSH2_DISCONNECT(session, reason, message,
+-                                       message_len, language, language_len);
++                    LIBSSH2_DISCONNECT(session, reason, (const char *)message,
++                                       message_len, (const char *)language,
++                                       language_len);
+                 }
++
+                 _libssh2_debug(session, LIBSSH2_TRACE_TRANS,
+                                "Disconnect(%d): %s(%s)", reason,
+                                message, language);
+@@ -534,23 +526,24 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 int always_display = data[1];
+ 
+                 if(datalen >= 6) {
+-                    message_len = _libssh2_ntohu32(data + 2);
+-
+-                    if(message_len <= (datalen - 10)) {
+-                        /* 6 = packet_type(1) + display(1) + message_len(4) */
+-                        message = (char *) data + 6;
+-                        language_len = _libssh2_ntohu32(data + 6 +
+-                                                        message_len);
+-
+-                        if(language_len <= (datalen - 10 - message_len))
+-                            language = (char *) data + 10 + message_len;
+-                    }
++                    struct string_buf buf;
++                    buf.data = (unsigned char *)data;
++                    buf.dataptr = buf.data;
++                    buf.len = datalen;
++                    buf.dataptr += 2; /* advance past type & always display */
++
++                    _libssh2_get_string(&buf, &message, &message_len);
++                    _libssh2_get_string(&buf, &language, &language_len);
+                 }
+ 
+                 if(session->ssh_msg_debug) {
+-                    LIBSSH2_DEBUG(session, always_display, message,
+-                                  message_len, language, language_len);
++                    LIBSSH2_DEBUG(session, always_display,
++                                  (const char *)message,
++                                  message_len, (const char *)language,
++                                  language_len);
+                 }
+             }
++
+             /*
+              * _libssh2_debug will actually truncate this for us so
+              * that it's not an inordinate about of data
+@@ -576,7 +566,7 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
+                 uint32_t len = 0;
+                 unsigned char want_reply = 0;
+                 len = _libssh2_ntohu32(data + 1);
+-                if(datalen >= (6 + len)) {
++                if((len <= (UINT_MAX - 6)) && (datalen >= (6 + len))) {
+                     want_reply = data[5 + len];
+                     _libssh2_debug(session,
+                                    LIBSSH2_TRACE_CONN,
diff --git a/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb b/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb
index fe853cde4f..a17ae5b7c3 100644
--- a/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb
+++ b/meta-oe/recipes-support/libssh2/libssh2_1.8.2.bb
@@ -17,6 +17,7 @@ inherit autotools pkgconfig
 EXTRA_OECONF += "\
                  --with-libz \
                  --with-libz-prefix=${STAGING_LIBDIR} \
+                 file://CVE-2019-17498.patch \
                 "
 
 # only one of openssl and gcrypt could be set
-- 
2.17.1

[zeus 4/6] opensc: CVE-2019-19479 CVE-2019-19480

[akuster]

From: Wang Mingyu <wangmy@cn.fujitsu.com>

Security Advisory

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19480

Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../opensc/opensc/CVE-2019-19479.patch        | 30 ++++++++++++++++
 .../opensc/opensc/CVE-2019-19480.patch        | 34 +++++++++++++++++++
 .../recipes-support/opensc/opensc_0.19.0.bb   |  2 ++
 3 files changed, 66 insertions(+)
 create mode 100644 meta-oe/recipes-support/opensc/opensc/CVE-2019-19479.patch
 create mode 100644 meta-oe/recipes-support/opensc/opensc/CVE-2019-19480.patch

diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2019-19479.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2019-19479.patch
new file mode 100644
index 0000000000..73222ee1a4
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2019-19479.patch
@@ -0,0 +1,30 @@
+From c3f23b836e5a1766c36617fe1da30d22f7b63de2 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Sun, 3 Nov 2019 04:45:28 +0100
+Subject: [PATCH] fixed  UNKNOWN READ
+
+Upstream-Status: Accepted <or Backport>
+CVE: CVE-2019-19479 
+   
+Reported by OSS-Fuzz
+https://oss-fuzz.com/testcase-detail/5681169970757632
+
+Reference to upstream patch:
+https://github.com/OpenSC/OpenSC/commit/c3f23b836e5a1766c36617fe1da30d22f7b63de2
+---
+ src/libopensc/card-setcos.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/card-setcos.c b/src/libopensc/card-setcos.c
+index 4cf328ad6a..1b4e8f3e23 100644
+--- a/src/libopensc/card-setcos.c
++++ b/src/libopensc/card-setcos.c
+@@ -868,7 +868,7 @@ static void parse_sec_attr_44(sc_file_t *file, const u8 *buf, size_t len)
+ 			}
+ 
+ 			/* Encryption key present ? */
+-			iPinCount = iACLen - 1;		
++			iPinCount = iACLen > 0 ? iACLen - 1 : 0;
+ 
+ 			if (buf[iOffset] & 0x20) {
+ 				int iSC;
diff --git a/meta-oe/recipes-support/opensc/opensc/CVE-2019-19480.patch b/meta-oe/recipes-support/opensc/opensc/CVE-2019-19480.patch
new file mode 100644
index 0000000000..12c1f0b4af
--- /dev/null
+++ b/meta-oe/recipes-support/opensc/opensc/CVE-2019-19480.patch
@@ -0,0 +1,34 @@
+From 6ce6152284c47ba9b1d4fe8ff9d2e6a3f5ee02c7 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 23 Oct 2019 09:22:44 +0200
+Subject: [PATCH] pkcs15-prkey: Simplify cleaning memory after failure
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18478
+
+Upstream-Status: Accepted
+CVE: CVE-2019-19480
+
+Reference to upstream patch:
+https://github.com/OpenSC/OpenSC/commit/6ce6152284c47ba9b1d4fe8ff9d2e6a3f5ee02c7
+---
+ src/libopensc/pkcs15-prkey.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/libopensc/pkcs15-prkey.c b/src/libopensc/pkcs15-prkey.c
+index d3eee983..4b249582 100644
+--- a/src/libopensc/pkcs15-prkey.c
++++ b/src/libopensc/pkcs15-prkey.c
+@@ -258,6 +258,10 @@ int sc_pkcs15_decode_prkdf_entry(struct sc_pkcs15_card *p15card,
+ 	memset(gostr3410_params, 0, sizeof(gostr3410_params));
+ 
+ 	r = sc_asn1_decode_choice(ctx, asn1_prkey, *buf, *buflen, buf, buflen);
++	if (r < 0) {
++	        /* This might have allocated something. If so, clear it now */
++	        free(info.subject.value);
++        }
+ 	if (r == SC_ERROR_ASN1_END_OF_CONTENTS)
+ 		return r;
+ 	LOG_TEST_RET(ctx, r, "PrKey DF ASN.1 decoding failed");
+-- 
+2.17.1
+
diff --git a/meta-oe/recipes-support/opensc/opensc_0.19.0.bb b/meta-oe/recipes-support/opensc/opensc_0.19.0.bb
index bc1722e394..d26825a06d 100644
--- a/meta-oe/recipes-support/opensc/opensc_0.19.0.bb
+++ b/meta-oe/recipes-support/opensc/opensc_0.19.0.bb
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
 SRCREV = "f1691fc91fc113191c3a8aaf5facd6983334ec47"
 SRC_URI = "git://github.com/OpenSC/OpenSC \
            file://0001-Remove-redundant-logging.patch \
+           file://CVE-2019-19479.patch \
+           file://CVE-2019-19480.patch \
           "
 DEPENDS = "openct pcsc-lite virtual/libiconv openssl"
 
-- 
2.17.1

[zeus 5/6] ipmitool: fix CVE-2020-5208

[akuster]

From: Wenlin Kang <wenlin.kang@windriver.com>

Fix CVE-2020-5208

Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...-Fix-buffer-overflow-vulnerabilities.patch | 133 ++++++++++++++++
 ...uffer-overflow-in-ipmi_spd_print_fru.patch |  53 +++++++
 ...er-overflow-in-ipmi_get_session_info.patch |  53 +++++++
 .../0004-channel-Fix-buffer-overflow.patch    |  69 +++++++++
 ...er-overflows-in-get_lan_param_select.patch |  94 ++++++++++++
 ...u-sdr-Fix-id_string-buffer-overflows.patch | 142 ++++++++++++++++++
 .../ipmitool/ipmitool_1.8.18.bb               |   6 +
 7 files changed, 550 insertions(+)
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
 create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0006-fru-sdr-Fix-id_string-buffer-overflows.patch

diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
new file mode 100644
index 0000000000..aeb0da80e4
--- /dev/null
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
@@ -0,0 +1,133 @@
+From 2542bade29c192370ca897eab67c40f27b8912f8 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Wed, 12 Feb 2020 12:32:00 +0800
+Subject: [PATCH 1/6] fru: Fix buffer overflow vulnerabilities
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `read_fru_area_section` function only performs size validation of
+requested read size, and falsely assumes that the IPMI message will not
+respond with more than the requested amount of data; it uses the
+unvalidated response size to copy into `frubuf`. If the response is
+larger than the request, this can result in overflowing the buffer.
+
+The same issue affects the `read_fru_area` function.
+
+Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2]
+CVE: CVE-2020-5208
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
+index cf00eff..af99aa9 100644
+--- a/lib/ipmi_fru.c
++++ b/lib/ipmi_fru.c
+@@ -615,7 +615,10 @@ int
+ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 			uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+-	uint32_t off = offset, tmp, finish;
++	uint32_t off = offset;
++	uint32_t tmp;
++	uint32_t finish;
++	uint32_t size_left_in_buffer;
+ 	struct ipmi_rs * rsp;
+ 	struct ipmi_rq req;
+ 	uint8_t msg_data[4];
+@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 
+ 	finish = offset + length;
+ 	if (finish > fru->size) {
++		memset(frubuf + fru->size, 0, length - fru->size);
+ 		finish = fru->size;
+ 		lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ 			"Adjusting to %d",
+ 			offset + length, finish - offset);
++		length = finish - offset;
+ 	}
+ 
+ 	memset(&req, 0, sizeof(req));
+@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 		}
+ 	}
+ 
++	size_left_in_buffer = length;
+ 	do {
+ 		tmp = fru->access ? off >> 1 : off;
+ 		msg_data[0] = id;
+@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 		}
+ 
+ 		tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++		if(rsp->data_len < 1
++		   || tmp > rsp->data_len - 1
++		   || tmp > size_left_in_buffer)
++		{
++			printf(" Not enough buffer size");
++			return -1;
++		}
++
+ 		memcpy(frubuf, rsp->data + 1, tmp);
+ 		off += tmp;
+ 		frubuf += tmp;
++		size_left_in_buffer -= tmp;
+ 		/* sometimes the size returned in the Info command
+ 		* is too large.  return 0 so higher level function
+ 		* still attempts to parse what was returned */
+@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 			uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+ 	static uint32_t fru_data_rqst_size = 20;
+-	uint32_t off = offset, tmp, finish;
++	uint32_t off = offset;
++	uint32_t tmp, finish;
++	uint32_t size_left_in_buffer;
+ 	struct ipmi_rs * rsp;
+ 	struct ipmi_rq req;
+ 	uint8_t msg_data[4];
+@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 
+ 	finish = offset + length;
+ 	if (finish > fru->size) {
++		memset(frubuf + fru->size, 0, length - fru->size);
+ 		finish = fru->size;
+ 		lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ 			"Adjusting to %d",
+ 			offset + length, finish - offset);
++		length = finish - offset;
+ 	}
+ 
+ 	memset(&req, 0, sizeof(req));
+@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 	if (fru->access && fru_data_rqst_size > 16)
+ #endif
+ 		fru_data_rqst_size = 16;
++
++	size_left_in_buffer = length;
+ 	do {
+ 		tmp = fru->access ? off >> 1 : off;
+ 		msg_data[0] = id;
+@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 		}
+ 
+ 		tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++		if(rsp->data_len < 1
++		   || tmp > rsp->data_len - 1
++		   || tmp > size_left_in_buffer)
++		{
++			printf(" Not enough buffer size");
++			return -1;
++		}
+ 		memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
+ 		off += tmp;
++		size_left_in_buffer -= tmp;
+ 
+ 		/* sometimes the size returned in the Info command
+ 		* is too large.  return 0 so higher level function
+-- 
+2.23.0
+
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
new file mode 100644
index 0000000000..50a5635a0a
--- /dev/null
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
@@ -0,0 +1,53 @@
+From 16b10ba5d3a368cd0ed90e9789553c306f1136a6 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:44:18 +0000
+Subject: [PATCH 2/6] fru: Fix buffer overflow in ipmi_spd_print_fru
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_spd_print_fru` function has a similar issue as the one fixed
+by the previous commit in `read_fru_area_section`. An initial request is
+made to get the `fru.size`, which is used as the size for the allocation
+of `spd_data`. Inside a loop, further requests are performed to get the
+copy sizes which are not checked before being used as the size for a
+copy into the buffer.
+
+Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10]
+CVE: CVE-2020-5208
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ lib/dimm_spd.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c
+index 41e30db..68f3b4f 100644
+--- a/lib/dimm_spd.c
++++ b/lib/dimm_spd.c
+@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ 	struct ipmi_rq req;
+ 	struct fru_info fru;
+ 	uint8_t *spd_data, msg_data[4];
+-	int len, offset;
++	uint32_t len, offset;
+ 
+ 	msg_data[0] = id;
+ 
+@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ 		}
+ 
+ 		len = rsp->data[0];
++		if(rsp->data_len < 1
++		   || len > rsp->data_len - 1
++		   || len > fru.size - offset)
++		{
++			printf(" Not enough buffer size");
++			return -1;
++		}
+ 		memcpy(&spd_data[offset], rsp->data + 1, len);
+ 		offset += len;
+ 	} while (offset < fru.size);
+-- 
+2.23.0
+
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
new file mode 100644
index 0000000000..6b50225332
--- /dev/null
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
@@ -0,0 +1,53 @@
+From 89621b1ce67065fb9044b73c215862fc8aef523f Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:51:49 +0000
+Subject: [PATCH 3/6] session: Fix buffer overflow in ipmi_get_session_info
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_get_session_info` function does not properly check the
+response `data_len`, which is used as a copy size, allowing stack buffer
+overflow.
+
+Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22]
+CVE: CVE-2020-5208
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ lib/ipmi_session.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c
+index 141f0f4..b9af1fd 100644
+--- a/lib/ipmi_session.c
++++ b/lib/ipmi_session.c
+@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf         * intf,
+ 		}
+ 		else
+ 		{
+-			memcpy(&session_info,  rsp->data, rsp->data_len);
+-			print_session_info(&session_info, rsp->data_len);
++			memcpy(&session_info,  rsp->data,
++			       __min(rsp->data_len, sizeof(session_info)));
++			print_session_info(&session_info,
++			                   __min(rsp->data_len, sizeof(session_info)));
+ 		}
+ 		break;
+ 		
+@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf         * intf,
+ 				break;
+ 			}
+ 
+-			memcpy(&session_info,  rsp->data, rsp->data_len);
+-			print_session_info(&session_info, rsp->data_len);
++			memcpy(&session_info,  rsp->data,
++			       __min(rsp->data_len, sizeof(session_info)));
++			print_session_info(&session_info,
++			                   __min(rsp->data_len, sizeof(session_info)));
+ 			
+ 		} while (i <= session_info.session_slot_count);
+ 		break;
+-- 
+2.23.0
+
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch
new file mode 100644
index 0000000000..480090b923
--- /dev/null
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch
@@ -0,0 +1,69 @@
+From 2a84669ea0d685b4a2ccb664fa3236ec5f19a80a Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:56:38 +0000
+Subject: [PATCH 4/6] channel: Fix buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_get_channel_cipher_suites` function does not properly check
+the final response’s `data_len`, which can lead to stack buffer overflow
+on the final copy.
+
+Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4]
+CVE: CVE-2020-5208
+
+[Make some changes to apply it]
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ include/ipmitool/ipmi_channel.h |  2 ++
+ lib/ipmi_channel.c              | 10 ++++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/include/ipmitool/ipmi_channel.h b/include/ipmitool/ipmi_channel.h
+index b138c26..d7cce5e 100644
+--- a/include/ipmitool/ipmi_channel.h
++++ b/include/ipmitool/ipmi_channel.h
+@@ -77,6 +77,8 @@ struct channel_access_t {
+ 	uint8_t user_level_auth;
+ };
+ 
++#define MAX_CIPHER_SUITE_DATA_LEN 0x10
++
+ /*
+  * The Get Authentication Capabilities response structure
+  * From table 22-15 of the IPMI v2.0 spec
+diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
+index fab2e54..76ecdcd 100644
+--- a/lib/ipmi_channel.c
++++ b/lib/ipmi_channel.c
+@@ -378,7 +378,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
+ 		lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
+ 		return -1;
+ 	}
+-	if (rsp->ccode > 0) {
++	if (rsp->ccode
++	    || rsp->data_len < 1
++	    || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
++	{
+ 		lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
+ 			val2str(rsp->ccode, completion_code_vals));
+ 		return -1;
+@@ -413,7 +416,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
+ 			lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
+ 			return -1;
+ 		}
+-		if (rsp->ccode > 0) {
++		if (rsp->ccode
++		    || rsp->data_len < 1
++		    || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
++		{
+ 			lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
+ 					val2str(rsp->ccode, completion_code_vals));
+ 			return -1;
+-- 
+2.23.0
+
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
new file mode 100644
index 0000000000..1b1dec1c1b
--- /dev/null
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
@@ -0,0 +1,94 @@
+From f45e6d84b75dcd649e18c9256c136cda354de6fd Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 17:06:39 +0000
+Subject: [PATCH 5/6] lanp: Fix buffer overflows in get_lan_param_select
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `get_lan_param_select` function is missing a validation check on the
+response’s `data_len`, which it then returns to caller functions, where
+stack buffer overflow can occur.
+
+Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10]
+CVE: CVE-2020-5208
+
+[Make some changes to apply it]
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ lib/ipmi_lanp.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c
+index 65d881b..022c7f1 100644
+--- a/lib/ipmi_lanp.c
++++ b/lib/ipmi_lanp.c
+@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 		/* set new ipaddr */
+ 		memcpy(data+3, temp, 4);
+ 		printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert,
+@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 		/* set new macaddr */
+ 		memcpy(data+7, temp, 6);
+ 		printf("Setting LAN Alert %d MAC Address to "
+@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (strncasecmp(argv[1], "def", 3) == 0 ||
+ 		    strncasecmp(argv[1], "default", 7) == 0) {
+@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (strncasecmp(argv[1], "on", 2) == 0 ||
+ 		    strncasecmp(argv[1], "yes", 3) == 0) {
+@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (strncasecmp(argv[1], "pet", 3) == 0) {
+ 			printf("Setting LAN Alert %d destination to PET Trap\n", alert);
+@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (str2uchar(argv[1], &data[2]) != 0) {
+ 			lprintf(LOG_ERR, "Invalid time: %s", argv[1]);
+@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (str2uchar(argv[1], &data[3]) != 0) {
+ 			lprintf(LOG_ERR, "Invalid retry: %s", argv[1]);
+-- 
+2.23.0
+
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool/0006-fru-sdr-Fix-id_string-buffer-overflows.patch b/meta-oe/recipes-kernel/ipmitool/ipmitool/0006-fru-sdr-Fix-id_string-buffer-overflows.patch
new file mode 100644
index 0000000000..38ca41b68d
--- /dev/null
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool/0006-fru-sdr-Fix-id_string-buffer-overflows.patch
@@ -0,0 +1,142 @@
+From 401b7dda5ad1beada4791d54a7e75880f2a4fc24 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 17:13:45 +0000
+Subject: [PATCH 6/6] fru, sdr: Fix id_string buffer overflows
+
+Final part of the fixes for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+9 variants of stack buffer overflow when parsing `id_string` field of
+SDR records returned from `CMD_GET_SDR` command.
+
+SDR record structs have an `id_code` field, and an `id_string` `char`
+array.
+
+The length of `id_string` is calculated as `(id_code & 0x1f) + 1`,
+which can be larger than expected 16 characters (if `id_code = 0xff`,
+then length will be `(0xff & 0x1f) + 1 = 32`).
+
+In numerous places, this can cause stack buffer overflow when copying
+into fixed buffer of size `17` bytes from this calculated length.
+
+Upstream-Status: Backport[https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637]
+CVE: CVE-2020-5208
+
+Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
+---
+ lib/ipmi_fru.c |  2 +-
+ lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++----------------
+ 2 files changed, 25 insertions(+), 17 deletions(-)
+
+diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
+index af99aa9..98bc984 100644
+--- a/lib/ipmi_fru.c
++++ b/lib/ipmi_fru.c
+@@ -3062,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, struct sdr_record_fru_locator * fru)
+ 		return 0;
+ 
+ 	memset(desc, 0, sizeof(desc));
+-	memcpy(desc, fru->id_string, fru->id_code & 0x01f);
++	memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc)));
+ 	desc[fru->id_code & 0x01f] = 0;
+ 	printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id);
+ 
+diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c
+index 2a9cbe3..62aac08 100644
+--- a/lib/ipmi_sdr.c
++++ b/lib/ipmi_sdr.c
+@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct ipmi_intf *intf,
+ 		return -1;
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string);
+ 
+ 	if (verbose) {
+ 		printf("Sensor ID              : %s (0x%x)\n",
+@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct ipmi_intf *intf,
+ 		return -1;
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string);
+ 
+ 	if (verbose == 0) {
+ 		if (csv_output)
+@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(struct ipmi_intf *intf,
+ 	char desc[17];
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string);
+ 
+ 	if (!verbose) {
+ 		if (csv_output)
+@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct ipmi_intf *intf,
+ 	char desc[17];
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string);
+ 
+ 	if (!verbose) {
+ 		if (csv_output)
+@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct ipmi_intf *intf, uint16_t id,
+ 
+    int rc =0;
+    char desc[17];
++   const char *id_string;
++   uint8_t id_code;
+    memset(desc, ' ', sizeof (desc));
+ 
+    switch ( type) {
+       case SDR_RECORD_TYPE_FULL_SENSOR:
+       record.full = (struct sdr_record_full_sensor *) raw;
+-      snprintf(desc, (record.full->id_code & 0x1f) +1, "%s",
+-               (const char *)record.full->id_string);
++      id_code = record.full->id_code;
++      id_string = record.full->id_string;
+       break;
++
+       case SDR_RECORD_TYPE_COMPACT_SENSOR:
+       record.compact = (struct sdr_record_compact_sensor *) raw	;
+-      snprintf(desc, (record.compact->id_code & 0x1f)  +1, "%s",
+-               (const char *)record.compact->id_string);
++      id_code = record.compact->id_code;
++      id_string = record.compact->id_string;
+       break;
++
+       case SDR_RECORD_TYPE_EVENTONLY_SENSOR:
+       record.eventonly  = (struct sdr_record_eventonly_sensor *) raw ;
+-      snprintf(desc, (record.eventonly->id_code & 0x1f)  +1, "%s",
+-               (const char *)record.eventonly->id_string);
+-      break;            
++      id_code = record.eventonly->id_code;
++      id_string = record.eventonly->id_string;
++      break;
++
+       case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR:
+       record.mcloc  = (struct sdr_record_mc_locator *) raw ;
+-      snprintf(desc, (record.mcloc->id_code & 0x1f)  +1, "%s",
+-               (const char *)record.mcloc->id_string);		
++      id_code = record.mcloc->id_code;
++      id_string = record.mcloc->id_string;
+       break;
++
+       default:
+       rc = -1;
+-      break;
+-   }   
++   }
++   if (!rc) {
++       snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string);
++   }
+ 
+-      lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
++   lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
+    return rc;
+ }
+ 
+-- 
+2.23.0
+
diff --git a/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb b/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb
index b7f1aa9145..16dbcb291e 100644
--- a/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb
+++ b/meta-oe/recipes-kernel/ipmitool/ipmitool_1.8.18.bb
@@ -24,6 +24,12 @@ DEPENDS = "openssl readline ncurses"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/ipmitool/ipmitool-${PV}.tar.bz2 \
            file://0001-Migrate-to-openssl-1.1.patch \
+           file://0001-fru-Fix-buffer-overflow-vulnerabilities.patch \
+           file://0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch \
+           file://0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch \
+           file://0004-channel-Fix-buffer-overflow.patch \
+           file://0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch \
+           file://0006-fru-sdr-Fix-id_string-buffer-overflows.patch \
            "
 SRC_URI[md5sum] = "bab7ea104c7b85529c3ef65c54427aa3"
 SRC_URI[sha256sum] = "0c1ba3b1555edefb7c32ae8cd6a3e04322056bc087918f07189eeedfc8b81e01"
-- 
2.17.1

[zeus 6/6] tremor: update SRC_URI as project moved to gitlab

[akuster]

It appears Xiph.Org is now on gitlab
https://gitlab.xiph.org/xiph

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit cc6e59fdff71e47ef5b9b40aab3bcd9438960ea4)
Signed-off-by: Rahul Kumar <rahulk@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb b/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb
index beeb23ae2b..d2ad961cc1 100644
--- a/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb
+++ b/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=db1b7a668b2a6f47b2af88fb008ad555 \
                     file://os.h;beginline=3;endline=14;md5=5c0af5e1bedef3ce8178c89f48cd6f1f"
 DEPENDS = "libogg"
 
-SRC_URI = "git://git.xiph.org/tremor.git;protocol=https \
+SRC_URI = "git://gitlab.xiph.org/xiph/tremor.git;protocol=https \
            file://obsolete_automake_macros.patch;striplevel=0 \
            file://tremor-arm-thumb2.patch \
 "
-- 
2.17.1

Re: [oe] [zeus 0/6] Patch review

[Khem Raj]

[-- Attachment #1: Type: text/plain, Size: 3393 bytes --]

On Thu, Jun 25, 2020 at 8:14 PM akuster <akuster808@gmail.com> wrote:

> Please have reviews back by Saturday
>
> The following changes since commit
> 9e60d30669a2ad0598e9abf0cd15ee06b523986b:
>
>   sanlock: Replace cp -a with cp -R --no-dereference (2020-03-15 13:30:34
> -0700)
>
> are available in the Git repository at:
>
>   git://git.openembedded.org/meta-openembedded-contrib stable/zeus-nut
>
> http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/zeus-nut
>
> Armin Kuster (1):
>   tremor: update SRC_URI as project moved to gitlab
>
> Haiqing Bai (2):
>   gd: fix CVE-2017-6363
>   python-urllib3/python3-urllib3: fix CVE-2020-7212
>
> Wang Mingyu (2):
>   libssh2: CVE-2019-17498.patch
>   opensc: CVE-2019-19479 CVE-2019-19480
>
> Wenlin Kang (1):
>   ipmitool: fix CVE-2020-5208


Lgtm



>
>  .../tremor/tremor_20180319.bb                 |   2 +-
>  ...-Fix-buffer-overflow-vulnerabilities.patch | 133 ++++++++++++++++
>  ...uffer-overflow-in-ipmi_spd_print_fru.patch |  53 +++++++
>  ...er-overflow-in-ipmi_get_session_info.patch |  53 +++++++
>  .../0004-channel-Fix-buffer-overflow.patch    |  69 +++++++++
>  ...er-overflows-in-get_lan_param_select.patch |  94 ++++++++++++
>  ...u-sdr-Fix-id_string-buffer-overflows.patch | 142 ++++++++++++++++++
>  .../ipmitool/ipmitool_1.8.18.bb               |   6 +
>  .../recipes-support/gd/gd/CVE-2017-6363.patch |  35 +++++
>  meta-oe/recipes-support/gd/gd_2.2.5.bb        |   1 +
>  .../libssh2/libssh2/CVE-2019-17498.patch      | 131 ++++++++++++++++
>  .../recipes-support/libssh2/libssh2_1.8.2.bb  |   1 +
>  .../opensc/opensc/CVE-2019-19479.patch        |  30 ++++
>  .../opensc/opensc/CVE-2019-19480.patch        |  34 +++++
>  .../recipes-support/opensc/opensc_0.19.0.bb   |   2 +
>  .../python/python-urllib3/CVE-2020-7212.patch |  54 +++++++
>  .../python/python-urllib3_1.25.6.bb           |   2 +
>  .../python3-urllib3/CVE-2020-7212.patch       |  54 +++++++
>  .../python/python3-urllib3_1.25.6.bb          |   2 +
>  19 files changed, 897 insertions(+), 1 deletion(-)
>  create mode 100644
> meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
>  create mode 100644
> meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
>  create mode 100644
> meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
>  create mode 100644
> meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch
>  create mode 100644
> meta-oe/recipes-kernel/ipmitool/ipmitool/0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
>  create mode 100644
> meta-oe/recipes-kernel/ipmitool/ipmitool/0006-fru-sdr-Fix-id_string-buffer-overflows.patch
>  create mode 100644 meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
>  create mode 100644
> meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch
>  create mode 100644
> meta-oe/recipes-support/opensc/opensc/CVE-2019-19479.patch
>  create mode 100644
> meta-oe/recipes-support/opensc/opensc/CVE-2019-19480.patch
>  create mode 100644
> meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
>  create mode 100644
> meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
>
> --
> 2.17.1
>
> 
>

[-- Attachment #2: Type: text/html, Size: 4932 bytes --]

Re: [oe] [zeus 0/6] Patch review

[Khem Raj]

merged

Thanks Armin

On Thu, Jun 25, 2020 at 9:13 PM Khem Raj <raj.khem@gmail.com> wrote:
>
>
>
> On Thu, Jun 25, 2020 at 8:14 PM akuster <akuster808@gmail.com> wrote:
>>
>> Please have reviews back by Saturday
>>
>> The following changes since commit 9e60d30669a2ad0598e9abf0cd15ee06b523986b:
>>
>>   sanlock: Replace cp -a with cp -R --no-dereference (2020-03-15 13:30:34 -0700)
>>
>> are available in the Git repository at:
>>
>>   git://git.openembedded.org/meta-openembedded-contrib stable/zeus-nut
>>   http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/zeus-nut
>>
>> Armin Kuster (1):
>>   tremor: update SRC_URI as project moved to gitlab
>>
>> Haiqing Bai (2):
>>   gd: fix CVE-2017-6363
>>   python-urllib3/python3-urllib3: fix CVE-2020-7212
>>
>> Wang Mingyu (2):
>>   libssh2: CVE-2019-17498.patch
>>   opensc: CVE-2019-19479 CVE-2019-19480
>>
>> Wenlin Kang (1):
>>   ipmitool: fix CVE-2020-5208
>
>
> Lgtm
>
>
>>
>>
>>  .../tremor/tremor_20180319.bb                 |   2 +-
>>  ...-Fix-buffer-overflow-vulnerabilities.patch | 133 ++++++++++++++++
>>  ...uffer-overflow-in-ipmi_spd_print_fru.patch |  53 +++++++
>>  ...er-overflow-in-ipmi_get_session_info.patch |  53 +++++++
>>  .../0004-channel-Fix-buffer-overflow.patch    |  69 +++++++++
>>  ...er-overflows-in-get_lan_param_select.patch |  94 ++++++++++++
>>  ...u-sdr-Fix-id_string-buffer-overflows.patch | 142 ++++++++++++++++++
>>  .../ipmitool/ipmitool_1.8.18.bb               |   6 +
>>  .../recipes-support/gd/gd/CVE-2017-6363.patch |  35 +++++
>>  meta-oe/recipes-support/gd/gd_2.2.5.bb        |   1 +
>>  .../libssh2/libssh2/CVE-2019-17498.patch      | 131 ++++++++++++++++
>>  .../recipes-support/libssh2/libssh2_1.8.2.bb  |   1 +
>>  .../opensc/opensc/CVE-2019-19479.patch        |  30 ++++
>>  .../opensc/opensc/CVE-2019-19480.patch        |  34 +++++
>>  .../recipes-support/opensc/opensc_0.19.0.bb   |   2 +
>>  .../python/python-urllib3/CVE-2020-7212.patch |  54 +++++++
>>  .../python/python-urllib3_1.25.6.bb           |   2 +
>>  .../python3-urllib3/CVE-2020-7212.patch       |  54 +++++++
>>  .../python/python3-urllib3_1.25.6.bb          |   2 +
>>  19 files changed, 897 insertions(+), 1 deletion(-)
>>  create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0001-fru-Fix-buffer-overflow-vulnerabilities.patch
>>  create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0002-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
>>  create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0003-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
>>  create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0004-channel-Fix-buffer-overflow.patch
>>  create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0005-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
>>  create mode 100644 meta-oe/recipes-kernel/ipmitool/ipmitool/0006-fru-sdr-Fix-id_string-buffer-overflows.patch
>>  create mode 100644 meta-oe/recipes-support/gd/gd/CVE-2017-6363.patch
>>  create mode 100644 meta-oe/recipes-support/libssh2/libssh2/CVE-2019-17498.patch
>>  create mode 100644 meta-oe/recipes-support/opensc/opensc/CVE-2019-19479.patch
>>  create mode 100644 meta-oe/recipes-support/opensc/opensc/CVE-2019-19480.patch
>>  create mode 100644 meta-python/recipes-devtools/python/python-urllib3/CVE-2020-7212.patch
>>  create mode 100644 meta-python/recipes-devtools/python/python3-urllib3/CVE-2020-7212.patch
>>
>> --
>> 2.17.1
>>
>> 

[zeus 0/6] Patch review

[Armin Kuster]

Please review and provide feedback by Tuesday.

Passed on AB via A-full

The following changes since commit 5ed714139f91eb03871e01b68a4370784071234d:

  license.bbclass: Introduce AVAILABLE_LICENSES that lists all licenses (2020-01-15 11:58:08 +0800)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/zeus-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/zeus-nut

Alex Kiernan (1):
  linuxloader: Correct loader for glibc on armhf

Kalle Lampila (1):
  wic/filemap: If FIGETBSZ iotctl fail, failback to os.stat

Mike Crowe (1):
  multilib.conf: Ensure that RECIPE_SYSROOT is unchanged for native

Richard Purdie (3):
  sstatesig: Test cross/native hashserv method extension
  scripts/oe-build-perf-report: Avoid buildstats warning
  sstatesig: Improve debug output if getpwuid() fails

 meta/classes/linuxloader.bbclass            |  2 +-
 meta/conf/multilib.conf                     |  1 +
 meta/lib/oe/sstatesig.py                    | 17 +++++++--
 meta/lib/oeqa/selftest/cases/sstatetests.py | 40 +++++++++++++++++++++
 scripts/lib/wic/filemap.py                  |  6 ++--
 scripts/oe-build-perf-report                | 20 +++++++----
 6 files changed, 75 insertions(+), 11 deletions(-)

-- 
2.17.1