Openembedded Core Discussions
* [zeus][PATCH 00/11] zeus review request
From: Anuj Mittal @ 2020-09-09  8:11 UTC
  To: openembedded-core

A set of CVE fixes for zeus. Please review.

I have rebased these on top of current zeus-next and have run the entire
set through autobuilder using the contrib/rpurdie/zeus helper branch. 

There's one failure while compiling acl (for reproducibility
test) which probably happened because of memory availability and is
unrelated:

| make: *** read jobs pipe: Resource temporarily unavailable.  Stop.

https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/1358/steps/8/logs/step2d

Thanks,

Anuj

The following changes since commit 1c367349b733e931369944c362b357f92621f07b:

  oeqa/runtime_test: Disable test_testimage_virgl_gtk (2020-09-08 14:34:18 +0100)

are available in the Git repository at:

  git://push.openembedded.org/openembedded-core-contrib anujm/zeus

Li Wang (3):
  qemu: CVE-2020-16092
  qemu : fix CVE-2020-15863
  qemu: CVE-2020-14364

Li Zhou (5):
  xserver-xorg: Security Advisory - xserver-xorg - CVE-2020-14347
  bind: Security Advisory - bind - CVE-2020-8622
  bind: Security Advisory - bind - CVE-2020-8623
  bind: Security Advisory - bind - CVE-2020-8624
  go: Security Advisory - go - CVE-2020-24553

Stefan Ghinea (1):
  qemu: CVE-2020-10756

Zhixiong Chi (2):
  go: CVE-2020-16845
  gnutls: CVE-2020-24659

 .../bind/bind/CVE-2020-8622.patch             |  60 +++
 .../bind/bind/CVE-2020-8623.patch             | 402 ++++++++++++++++
 .../bind/bind/CVE-2020-8624.patch             |  33 ++
 .../recipes-connectivity/bind/bind_9.11.19.bb |   3 +
 meta/recipes-devtools/go/go-1.12.inc          |   3 +
 ...i-rename-a-test-file-to-be-less-cute.patch |  28 ++
 .../go/go-1.12/CVE-2020-16845.patch           | 110 +++++
 .../go/go-1.12/CVE-2020-24553.patch           | 429 ++++++++++++++++++
 meta/recipes-devtools/qemu/qemu.inc           |   4 +
 .../qemu/qemu/CVE-2020-10756.patch            |  40 ++
 .../qemu/qemu/CVE-2020-14364.patch            |  93 ++++
 .../qemu/qemu/CVE-2020-15863.patch            |  64 +++
 .../qemu/qemu/CVE-2020-16092.patch            |  49 ++
 .../xserver-xorg/CVE-2020-14347.patch         |  37 ++
 .../xorg-xserver/xserver-xorg_1.20.5.bb       |   1 +
 .../gnutls/gnutls/CVE-2020-24659.patch        | 117 +++++
 meta/recipes-support/gnutls/gnutls_3.6.13.bb  |   1 +
 17 files changed, 1474 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch
 create mode 100644 meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch
 create mode 100644 meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
 create mode 100644 meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch

-- 
2.26.2


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [zeus][PATCH 01/11] xserver-xorg: Security Advisory - xserver-xorg - CVE-2020-14347
From: Anuj Mittal @ 2020-09-09  8:11 UTC
  To: openembedded-core

From: Li Zhou <li.zhou@windriver.com>

Backport patch from <https://gitlab.freedesktop.org/xorg/xserver/-/commit/aac28e162e5108510065ad4c323affd6deffd816> to solve CVE-2020-14347.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../xserver-xorg/CVE-2020-14347.patch         | 37 +++++++++++++++++++
 .../xorg-xserver/xserver-xorg_1.20.5.bb       |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
new file mode 100644
index 0000000000..20a604869b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
@@ -0,0 +1,37 @@
+From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
+From: Matthieu Herrb <matthieu@herrb.eu>
+Date: Sat, 25 Jul 2020 19:33:50 +0200
+Subject: [PATCH] fix for ZDI-11426
+
+Avoid leaking un-initalized memory to clients by zeroing the
+whole pixmap on initial allocation.
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-14347
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ dix/pixmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dix/pixmap.c b/dix/pixmap.c
+index 1186d7dbb..5a0146bbb 100644
+--- a/dix/pixmap.c
++++ b/dix/pixmap.c
+@@ -116,7 +116,7 @@ AllocatePixmap(ScreenPtr pScreen, int pixDataSize)
+     if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
+         return NullPixmap;
+ 
+-    pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
++    pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
+     if (!pPixmap)
+         return NullPixmap;
+ 
+-- 
+2.17.1
+
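Review bot: the Upstream-Status line in this patch header carries no reference to the upstream commit; the OE convention is `Upstream-Status: Backport [<url>]`, so put the freedesktop commit URL from the commit message (aac28e162e5108510065ad4c323affd6deffd816) in the bracket so the backport can be traced without reading the e-mail. On the code itself the change is sound: the guard two lines above the allocation (`if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)`) still prevents the size sum from wrapping, so `calloc(1, pScreen->totalPixmapSize + pixDataSize)` receives the same size malloc did, and zeroing the whole allocation rather than only the pixel data is the simplest way to cover every path that later hands pixmap bytes to a client. The cost is one memset per pixmap allocation, which is acceptable for a fix of this kind.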
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
index 3de6d22e57..f0f15a2584 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.5.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
             file://0001-test-xtest-Initialize-array-with-braces.patch \
             file://0001-compiler.h-Do-not-include-sys-io.h-on-ARM-with-glibc.patch \
             file://sdksyms-no-build-path.patch \
+            file://CVE-2020-14347.patch \
             "
 SRC_URI[md5sum] = "c9fc7e21e11286dbedd22c00df652130"
 SRC_URI[sha256sum] = "a81d8243f37e75a03d4f8c55f96d0bc25802be6ec45c3bfa5cb614c6d01bac9d"
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 13+ messages in thread

* [zeus][PATCH 02/11] qemu: CVE-2020-16092
From: Anuj Mittal @ 2020-09-09  8:11 UTC
  To: openembedded-core

From: Li Wang <li.wang@windriver.com>

Backport CVE patch from the upstream:
https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2020-16092.patch            | 49 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 5cdba1f02c..e686b24e80 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,6 +39,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 	   file://CVE-2020-11869.patch \
            file://CVE-2020-13765.patch \
            file://CVE-2020-10702.patch \
+           file://CVE-2020-16092.patch \
 	   "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
new file mode 100644
index 0000000000..8ce01e26ad
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-16092.patch
@@ -0,0 +1,49 @@
+From 035e69b063835a5fd23cacabd63690a3d84532a8 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Sat, 1 Aug 2020 18:42:38 +0200
+Subject: [PATCH] hw/net/net_tx_pkt: fix assertion failure in
+ net_tx_pkt_add_raw_fragment()
+
+An assertion failure issue was found in the code that processes network
+packets
+while adding data fragments into the packet context. It could be abused
+by a
+malicious guest to abort the QEMU process on the host. This patch
+replaces the
+affected assert() with a conditional statement, returning false if the
+current
+data fragment exceeds max_raw_frags.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-16092
+[https://git.qemu.org/?p=qemu.git;a=commit;h=035e69b063835a5fd23cacabd63690a3d84532a8]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/net_tx_pkt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 162f802..54d4c3b 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
+     hwaddr mapped_len = 0;
+     struct iovec *ventry;
+     assert(pkt);
+-    assert(pkt->max_raw_frags > pkt->raw_frags);
++
++    if (pkt->raw_frags >= pkt->max_raw_frags) {
++        return false;
++    }
+ 
+     if (!len) {
+         return true;
+-- 
+2.17.1
+
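Review bot: replacing the assert with `if (pkt->raw_frags >= pkt->max_raw_frags) { return false; }` turns a guest-triggerable abort into an error return, but that only helps if every caller treats false as "drop this packet" rather than assuming the fragment was added; the function already returns bool (`bool net_tx_pkt_add_raw_fragment(...)` in the hunk header), so callers already have a false path, but confirm the device models in this QEMU version that call it actually take it before merging. Also note the new check sits before the `if (!len) { return true; }` early exit, so a zero-length fragment arriving when the fragment table is already full is now rejected instead of silently accepted; that is the stricter ordering and the right one.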
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 13+ messages in thread

* [zeus][PATCH 03/11] go: CVE-2020-16845
From: Anuj Mittal @ 2020-09-09  8:11 UTC
  To: openembedded-core

From: Zhixiong Chi <zhixiong.chi@windriver.com>

Backport CVE patch from the upstream:
https://github.com/golang/go.git
commit 027d7241ce050d197e7fabea3d541ffbe3487258

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/go/go-1.12.inc          |   1 +
 .../go/go-1.12/CVE-2020-16845.patch           | 110 ++++++++++++++++++
 2 files changed, 111 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch

diff --git a/meta/recipes-devtools/go/go-1.12.inc b/meta/recipes-devtools/go/go-1.12.inc
index c3c2d0cfee..fd2d641554 100644
--- a/meta/recipes-devtools/go/go-1.12.inc
+++ b/meta/recipes-devtools/go/go-1.12.inc
@@ -19,6 +19,7 @@ SRC_URI += "\
     file://0001-release-branch.go1.12-security-net-textproto-don-t-n.patch \
     file://0010-fix-CVE-2019-17596.patch \
     file://CVE-2020-15586.patch \
+    file://CVE-2020-16845.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
 
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
new file mode 100644
index 0000000000..80f467522f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-16845.patch
@@ -0,0 +1,110 @@
+From 027d7241ce050d197e7fabea3d541ffbe3487258 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <katie@golang.org>
+Date: Tue, 4 Aug 2020 11:45:32 -0400
+Subject: [PATCH] encoding/binary: read at most MaxVarintLen64 bytes in
+ ReadUvarint
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This CL ensures that ReadUvarint consumes only a limited
+amount of input (instead of an unbounded amount).
+
+On some inputs, ReadUvarint could read an arbitrary number
+of bytes before deciding to return an overflow error.
+After this CL, ReadUvarint returns that same overflow
+error sooner, after reading at most MaxVarintLen64 bytes.
+
+Fix authored by Robert Griesemer and Filippo Valsorda.
+
+Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani,
+and Preston Van Loon for reporting this.
+
+Fixes #40618
+Fixes CVE-2020-16845
+
+Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
+Reviewed-by: Filippo Valsorda <valsorda@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/247120
+Run-TryBot: Katie Hockman <katie@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Alexander Rakoczy <alex@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go.git]
+CVE: CVE-2020-16845
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ src/encoding/binary/varint.go      |  5 +++--
+ src/encoding/binary/varint_test.go | 18 ++++++++++++------
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/src/encoding/binary/varint.go b/src/encoding/binary/varint.go
+index bcb8ac9a45..38af61075c 100644
+--- a/src/encoding/binary/varint.go
++++ b/src/encoding/binary/varint.go
+@@ -106,13 +106,13 @@ var overflow = errors.New("binary: varint overflows a 64-bit integer")
+ func ReadUvarint(r io.ByteReader) (uint64, error) {
+ 	var x uint64
+ 	var s uint
+-	for i := 0; ; i++ {
++	for i := 0; i < MaxVarintLen64; i++ {
+ 		b, err := r.ReadByte()
+ 		if err != nil {
+ 			return x, err
+ 		}
+ 		if b < 0x80 {
+-			if i > 9 || i == 9 && b > 1 {
++			if i == 9 && b > 1 {
+ 				return x, overflow
+ 			}
+ 			return x | uint64(b)<<s, nil
+@@ -120,6 +120,7 @@ func ReadUvarint(r io.ByteReader) (uint64, error) {
+ 		x |= uint64(b&0x7f) << s
+ 		s += 7
+ 	}
++	return x, overflow
+ }
+ 
+ // ReadVarint reads an encoded signed integer from r and returns it as an int64.
+diff --git a/src/encoding/binary/varint_test.go b/src/encoding/binary/varint_test.go
+index ca411ecbd6..6ef4c99505 100644
+--- a/src/encoding/binary/varint_test.go
++++ b/src/encoding/binary/varint_test.go
+@@ -121,21 +121,27 @@ func TestBufferTooSmall(t *testing.T) {
+ 	}
+ }
+ 
+-func testOverflow(t *testing.T, buf []byte, n0 int, err0 error) {
++func testOverflow(t *testing.T, buf []byte, x0 uint64, n0 int, err0 error) {
+ 	x, n := Uvarint(buf)
+ 	if x != 0 || n != n0 {
+ 		t.Errorf("Uvarint(%v): got x = %d, n = %d; want 0, %d", buf, x, n, n0)
+ 	}
+ 
+-	x, err := ReadUvarint(bytes.NewReader(buf))
+-	if x != 0 || err != err0 {
+-		t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want 0, %s", buf, x, err, err0)
++	r := bytes.NewReader(buf)
++	len := r.Len()
++	x, err := ReadUvarint(r)
++	if x != x0 || err != err0 {
++		t.Errorf("ReadUvarint(%v): got x = %d, err = %s; want %d, %s", buf, x, err, x0, err0)
++	}
++	if read := len - r.Len(); read > MaxVarintLen64 {
++		t.Errorf("ReadUvarint(%v): read more than MaxVarintLen64 bytes, got %d", buf, read)
+ 	}
+ }
+ 
+ func TestOverflow(t *testing.T) {
+-	testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, -10, overflow)
+-	testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, -13, overflow)
++	testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x2}, 0, -10, overflow)
++	testOverflow(t, []byte{0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x1, 0, 0}, 0, -13, overflow)
++	testOverflow(t, []byte{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}, 1<<64-1, 0, overflow) // 11 bytes, should overflow
+ }
+ 
+ func TestNonCanonicalZero(t *testing.T) {
+-- 
+2.17.0
+
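Review bot: with the loop bounded to `i < MaxVarintLen64`, the old `i > 9` branch is unreachable (i never exceeds 9 inside the loop), which is why the condition shrinks to `i == 9 && b > 1`, and the new `return x, overflow` after the loop is what callers get when ten continuation bytes arrive without a terminating byte. Two things to be aware of: first, x is returned alongside the overflow error (the third test case expects 1<<64-1 for eleven 0xFF bytes, the ten accumulated 0x7f groups truncated to 64 bits), so callers must not use the value when err != nil; second, only ReadUvarint is changed, the slice-based Uvarint still scans its whole input, which the same test case documents by expecting n = 0 from it. That is acceptable because a slice is already bounded, but it is worth stating in the recipe's patch header so nobody expects Uvarint to have changed behaviour.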
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 13+ messages in thread

* [zeus][PATCH 04/11] qemu: CVE-2020-10756
From: Anuj Mittal @ 2020-09-09  8:11 UTC
  To: openembedded-core

From: Stefan Ghinea <stefan.ghinea@windriver.com>

An out-of-bounds read vulnerability was found in the SLiRP networking
implementation of the QEMU emulator. This flaw occurs in the
icmp6_send_echoreply() routine while replying to an ICMP echo request,
also known as ping. This flaw allows a malicious guest to leak the
contents of the host memory, resulting in possible information disclosure.
This flaw affects versions of libslirp before 4.3.1.

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-10756
https://bugzilla.redhat.com/show_bug.cgi?id=1835986

Upstream patches:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0

Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2020-10756.patch            | 40 +++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index e686b24e80..702a817988 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -40,6 +40,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2020-13765.patch \
            file://CVE-2020-10702.patch \
            file://CVE-2020-16092.patch \
+           file://CVE-2020-10756.patch \
 	   "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
new file mode 100644
index 0000000000..306aef061b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-10756.patch
@@ -0,0 +1,40 @@
+From c7ede54cbd2e2b25385325600958ba0124e31cc0 Mon Sep 17 00:00:00 2001
+From: Ralf Haferkamp <rhafer@suse.com>
+Date: Fri, 3 Jul 2020 14:51:16 +0200
+Subject: [PATCH] Drop bogus IPv6 messages
+
+Drop IPv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). They're invalid an could
+lead to data leakage in icmp6_send_echoreply().
+
+CVE: CVE-2020-10756
+Upstream-Status: Backport
+https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
+
+[SG: Based on libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0 and adjusted context]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ slirp/src/ip6_input.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index d9d2b7e9..0f2b1785 100644
+--- a/slirp/src/ip6_input.c
++++ b/slirp/src/ip6_input.c
+@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
+         goto bad;
+     }
+ 
++    // Check if the message size is big enough to hold what's
++    // set in the payload length header. If not this is an invalid
++    // packet
++    if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
++        goto bad;
++    }
++
+     /* check ip_ttl for a correct ICMP reply */
+     if (ip6->ip_hl == 0) {
+         icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+-- 
+2.17.1
+
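Review bot: `m->m_len` is an int compared against a size_t expression (`ntohs(ip6->ip_pl) + sizeof(struct ip6)`), so if m_len could be negative here the usual arithmetic conversions would turn it into a huge unsigned value and the check would pass. That is only safe if ip6_input has already rejected mbufs shorter than `sizeof(struct ip6)` before this hunk; the `goto bad` in the leading context suggests such a check exists, but it is not visible here, so confirm it in the zeus QEMU tree (the commit note says the context was adjusted). Style-wise the new block uses `//` comments where the surrounding file uses `/* */` (see the `/* check ip_ttl ... */` line two lines below); keeping upstream's text verbatim makes the backport easy to verify, so this is acceptable, but note it if the file is otherwise consistent.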
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 13+ messages in thread

* [zeus][PATCH 05/11] qemu : fix CVE-2020-15863
From: Anuj Mittal @ 2020-09-09  8:11 UTC
  To: openembedded-core

From: Li Wang <Li.Wang@windriver.com>

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Li Wang <Li.Wang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2020-15863.patch            | 64 +++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 702a817988..012be74855 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -41,6 +41,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2020-10702.patch \
            file://CVE-2020-16092.patch \
            file://CVE-2020-10756.patch \
+           file://CVE-2020-15863.patch \
 	   "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
new file mode 100644
index 0000000000..9927584d11
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
@@ -0,0 +1,64 @@
+From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Fri, 10 Jul 2020 11:19:41 +0200
+Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
+
+A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
+occurs while sending an Ethernet frame due to missing break statements
+and improper checking of the buffer size.
+
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+CVE: CVE-2020-15863
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555]
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/net/xgmac.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
+index f49df95..f496f7e 100644
+--- a/hw/net/xgmac.c
++++ b/hw/net/xgmac.c
+@@ -217,21 +217,31 @@ static void xgmac_enet_send(XgmacState *s)
+         }
+         len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
+ 
++        /*
++         * FIXME: these cases of malformed tx descriptors (bad sizes)
++         * should probably be reported back to the guest somehow
++         * rather than simply silently stopping processing, but we
++         * don't know what the hardware does in this situation.
++         * This will only happen for buggy guests anyway.
++         */
+         if ((bd.buffer1_size & 0xfff) > 2048) {
+             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+                         "xgmac buffer 1 len on send > 2048 (0x%x)\n",
+                          __func__, bd.buffer1_size & 0xfff);
++            break;
+         }
+         if ((bd.buffer2_size & 0xfff) != 0) {
+             DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
+                         "xgmac buffer 2 len on send != 0 (0x%x)\n",
+                         __func__, bd.buffer2_size & 0xfff);
++            break;
+         }
+-        if (len >= sizeof(frame)) {
++        if (frame_size + len >= sizeof(frame)) {
+             DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
+-                        "buffer\n" , __func__, len, sizeof(frame));
++                        "buffer\n" , __func__, frame_size + len, sizeof(frame));
+             DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
+                         __func__, bd.buffer1_size, bd.buffer2_size);
++            break;
+         }
+ 
+         cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
+-- 
+1.9.1
+
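Review bot: the real overflow fix here is the change from `len >= sizeof(frame)` to `frame_size + len >= sizeof(frame)`; a frame is assembled from several descriptors and the old check only bounded one descriptor's contribution, so `cpu_physical_memory_read(bd.buffer1_addr, ptr, len)` could write past the end of `frame` on a later descriptor. The three added `break` statements are also a behaviour change, not cleanup: previously all three error cases only logged via DEBUGF_BRK and fell through to the read. As the added FIXME admits, breaking out stops descriptor processing without reporting anything to the guest, so a malformed descriptor now silently stalls transmit; acceptable for a CVE backport, but worth a line in the recipe patch header. Minor: the Signed-off-by in this patch header reads "Chee Yang Lee" while the commit message uses "Lee Chee Yang"; harmless, but make them consistent.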
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 13+ messages in thread

* [zeus][PATCH 06/11] bind: Security Advisory - bind - CVE-2020-8622
From: Anuj Mittal @ 2020-09-09  8:11 UTC
  To: openembedded-core

From: Li Zhou <li.zhou@windriver.com>

Backport patch from <https://gitlab.isc.org/isc-projects/bind9/commit/6ed167ad0a647dff20c8cb08c944a7967df2d415> to solve CVE-2020-8622.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../bind/bind/CVE-2020-8622.patch             | 60 +++++++++++++++++++
 .../recipes-connectivity/bind/bind_9.11.19.bb |  1 +
 2 files changed, 61 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch
new file mode 100644
index 0000000000..dec5672657
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8622.patch
@@ -0,0 +1,60 @@
+From ca543240380475d888d660ea3296fc880ce52f35 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 15 Jul 2020 16:07:51 +1000
+Subject: [PATCH] bind: Always keep a copy of the message
+
+this allows it to be available even when dns_message_parse()
+returns a error.
+
+Upstream-Status: Backport
+CVE: CVE-2020-8622
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ lib/dns/message.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index ac637a2..39ed80f 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1679,6 +1679,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ 	msg->header_ok = 0;
+ 	msg->question_ok = 0;
+ 
++	if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
++		isc_buffer_usedregion(&origsource, &msg->saved);
++	} else {
++		msg->saved.length = isc_buffer_usedlength(&origsource);
++		msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
++		if (msg->saved.base == NULL) {
++			return (ISC_R_NOMEMORY);
++		}
++		memmove(msg->saved.base, isc_buffer_base(&origsource),
++			msg->saved.length);
++		msg->free_saved = 1;
++	}
++
+ 	isc_buffer_remainingregion(source, &r);
+ 	if (r.length < DNS_MESSAGE_HEADERLEN)
+ 		return (ISC_R_UNEXPECTEDEND);
+@@ -1754,17 +1767,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ 	}
+ 
+  truncated:
+-	if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
+-		isc_buffer_usedregion(&origsource, &msg->saved);
+-	else {
+-		msg->saved.length = isc_buffer_usedlength(&origsource);
+-		msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+-		if (msg->saved.base == NULL)
+-			return (ISC_R_NOMEMORY);
+-		memmove(msg->saved.base, isc_buffer_base(&origsource),
+-			msg->saved.length);
+-		msg->free_saved = 1;
+-	}
+ 
+ 	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ 		return (DNS_R_RECOVERABLE);
+-- 
+1.9.1
+
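Review bot: the commit message cites upstream commit 6ed167ad0a647dff20c8cb08c944a7967df2d415 while the patch's From: line is ca543240380475d888d660ea3296fc880ce52f35; whichever commit the patch was actually taken from should go in the `Upstream-Status: Backport [...]` bracket so the two agree and the backport can be traced. On the change itself: moving the saved-copy block ahead of the `r.length < DNS_MESSAGE_HEADERLEN` check means a DNS_MESSAGEPARSE_CLONEBUFFER caller now allocates `msg->saved.base` and sets `msg->free_saved = 1` before any of the parse-error returns, so the message reset/destroy path must release `msg->saved` on those error paths too; that is what the free_saved flag exists for, but confirm the 9.11.19 cleanup code honours it so an early ISC_R_UNEXPECTEDEND does not leak the copy. Also, the second hunk leaves two blank lines after the `truncated:` label where the removed block used to be.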
diff --git a/meta/recipes-connectivity/bind/bind_9.11.19.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb
index a77be8678f..0bfd5799b3 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.19.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-configure.in-remove-useless-L-use_openssl-lib.patch \
            file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
            file://0001-avoid-start-failure-with-bind-user.patch \
+           file://CVE-2020-8622.patch \
            "
 
 SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"
-- 
2.26.2


^ permalink raw reply related	[flat|nested] 13+ messages in thread

* [zeus][PATCH 07/11] bind: Security Advisory - bind - CVE-2020-8623
From: Anuj Mittal @ 2020-09-09  8:11 UTC
  To: openembedded-core

From: Li Zhou <li.zhou@windriver.com>

Backport patch from <https://gitlab.isc.org/isc-projects/bind9/commit/8d807cc21655eaa6e6a08afafeec3682c0f3f2ab> to solve CVE-2020-8623.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../bind/bind/CVE-2020-8623.patch             | 402 ++++++++++++++++++
 .../recipes-connectivity/bind/bind_9.11.19.bb |   1 +
 2 files changed, 403 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch
new file mode 100644
index 0000000000..8e5412a89e
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8623.patch
@@ -0,0 +1,402 @@
+From 8d807cc21655eaa6e6a08afafeec3682c0f3f2ab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
+Date: Tue, 21 Jul 2020 14:42:47 +0200
+Subject: [PATCH] Fix crash in pk11_numbits() when native-pkcs11 is used
+
+When pk11_numbits() is passed a user provided input that contains all
+zeroes (via crafted DNS message), it would crash with assertion
+failure.  Fix that by properly handling such input.
+
+Upstream-Status: Backport
+CVE: CVE-2020-8623
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ lib/dns/pkcs11dh_link.c         | 15 ++++++-
+ lib/dns/pkcs11dsa_link.c        |  8 +++-
+ lib/dns/pkcs11rsa_link.c        | 79 +++++++++++++++++++++++++--------
+ lib/isc/include/pk11/internal.h |  3 +-
+ lib/isc/pk11.c                  | 61 ++++++++++++++++---------
+ 5 files changed, 121 insertions(+), 45 deletions(-)
+
+diff --git a/lib/dns/pkcs11dh_link.c b/lib/dns/pkcs11dh_link.c
+index e2b60ea7c5..4cd8e32d60 100644
+--- a/lib/dns/pkcs11dh_link.c
++++ b/lib/dns/pkcs11dh_link.c
+@@ -748,6 +748,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 	CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
+ 	CK_ATTRIBUTE *attr;
+ 	int special = 0;
++	unsigned int bits;
+ 	isc_result_t result;
+ 
+ 	isc_buffer_remainingregion(data, &r);
+@@ -852,7 +853,11 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 	pub = r.base;
+ 	isc_region_consume(&r, publen);
+ 
+-	key->key_size = pk11_numbits(prime, plen_);
++	result = pk11_numbits(prime, plen_, &bits);
++	if (result != ISC_R_SUCCESS) {
++		goto cleanup;
++	}
++	key->key_size = bits;
+ 
+ 	dh->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+ 	if (dh->repr == NULL)
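Review bot: the new "goto cleanup" on a failed pk11_numbits() depends on the cleanup: label, which lies outside this hunk, returning "result"; confirm that label does return the value of "result" (and releases whatever was allocated before the call) rather than a fixed code, otherwise an all-zero prime would be reported as success or as an unrelated error.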
+@@ -1012,6 +1017,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 	dst_private_t priv;
+ 	isc_result_t ret;
+ 	int i;
++	unsigned int bits;
+ 	pk11_object_t *dh = NULL;
+ 	CK_ATTRIBUTE *attr;
+ 	isc_mem_t *mctx;
+@@ -1082,7 +1088,12 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 
+ 	attr = pk11_attribute_bytype(dh, CKA_PRIME);
+ 	INSIST(attr != NULL);
+-	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++
++	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++	if (ret != ISC_R_SUCCESS) {
++		goto err;
++	}
++	key->key_size = bits;
+ 
+ 	return (ISC_R_SUCCESS);
+ 
+diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
+index 12d707a112..24d4c149ff 100644
+--- a/lib/dns/pkcs11dsa_link.c
++++ b/lib/dns/pkcs11dsa_link.c
+@@ -983,6 +983,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 	dst_private_t priv;
+ 	isc_result_t ret;
+ 	int i;
++	unsigned int bits;
+ 	pk11_object_t *dsa = NULL;
+ 	CK_ATTRIBUTE *attr;
+ 	isc_mem_t *mctx = key->mctx;
+@@ -1072,7 +1073,12 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 
+ 	attr = pk11_attribute_bytype(dsa, CKA_PRIME);
+ 	INSIST(attr != NULL);
+-	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++
++	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++	if (ret != ISC_R_SUCCESS) {
++		goto err;
++	}
++	key->key_size = bits;
+ 
+ 	return (ISC_R_SUCCESS);
+ 
+diff --git a/lib/dns/pkcs11rsa_link.c b/lib/dns/pkcs11rsa_link.c
+index 096c1a8e91..1d10d26564 100644
+--- a/lib/dns/pkcs11rsa_link.c
++++ b/lib/dns/pkcs11rsa_link.c
+@@ -332,6 +332,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+ 		key->key_alg == DST_ALG_RSASHA256 ||
+ 		key->key_alg == DST_ALG_RSASHA512);
+ #endif
++	REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS);
+ 
+ 	/*
+ 	 * Reject incorrect RSA key lengths.
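Review bot: REQUIRE(maxbits <= RSA_MAX_PUBEXP_BITS) converts an out-of-range maxbits into an assertion abort, which is exactly the failure class the rest of this patch is removing from pk11_numbits(); that is acceptable only if every caller of pkcs11rsa_createctx_verify() passes a maxbits that comes from configuration or a compile-time limit, never from data parsed off the wire. Confirm that for each caller; if any derives maxbits from a message, return DST_R_VERIFYFAILURE instead of asserting.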
+@@ -376,6 +377,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+ 	for (attr = pk11_attribute_first(rsa);
+ 	     attr != NULL;
+ 	     attr = pk11_attribute_next(rsa, attr))
++	{
+ 		switch (attr->type) {
+ 		case CKA_MODULUS:
+ 			INSIST(keyTemplate[5].type == attr->type);
+@@ -396,12 +398,16 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
+ 			memmove(keyTemplate[6].pValue, attr->pValue,
+ 				attr->ulValueLen);
+ 			keyTemplate[6].ulValueLen = attr->ulValueLen;
+-			if (pk11_numbits(attr->pValue,
+-					 attr->ulValueLen) > maxbits &&
+-			    maxbits != 0)
++			unsigned int bits;
++			ret = pk11_numbits(attr->pValue, attr->ulValueLen,
++					   &bits);
++			if (ret != ISC_R_SUCCESS ||
++			    (bits > maxbits && maxbits != 0)) {
+ 				DST_RET(DST_R_VERIFYFAILURE);
++			}
+ 			break;
+ 		}
++	}
+ 	pk11_ctx->object = CK_INVALID_HANDLE;
+ 	pk11_ctx->ontoken = false;
+ 	PK11_RET(pkcs_C_CreateObject,
+@@ -1072,6 +1078,7 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 			keyTemplate[5].ulValueLen = attr->ulValueLen;
+ 			break;
+ 		case CKA_PUBLIC_EXPONENT:
++			unsigned int bits;
+ 			INSIST(keyTemplate[6].type == attr->type);
+ 			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+ 							    attr->ulValueLen);
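Review bot: "unsigned int bits;" is placed immediately after "case CKA_PUBLIC_EXPONENT:", and in C11 and earlier a label must be followed by a statement, which a declaration is not; older GCC rejects this outright ("a label can only be part of a statement and a declaration is not a statement"). Move the declaration to the top of pkcs11rsa_verify(), as the other hunks in this patch do for their functions, or wrap the case body in braces. The declaration in the pkcs11rsa_createctx_verify() hunk above is different: it follows two statements inside the case, so it is valid C99, but hoisting both keeps the file consistent.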
+@@ -1080,10 +1087,12 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ 			memmove(keyTemplate[6].pValue, attr->pValue,
+ 				attr->ulValueLen);
+ 			keyTemplate[6].ulValueLen = attr->ulValueLen;
+-			if (pk11_numbits(attr->pValue,
+-					 attr->ulValueLen)
+-				> RSA_MAX_PUBEXP_BITS)
++			ret = pk11_numbits(attr->pValue, attr->ulValueLen,
++					   &bits);
++			if (ret != ISC_R_SUCCESS || bits > RSA_MAX_PUBEXP_BITS)
++			{
+ 				DST_RET(DST_R_VERIFYFAILURE);
++			}
+ 			break;
+ 		}
+ 	pk11_ctx->object = CK_INVALID_HANDLE;
+@@ -1461,6 +1470,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 	CK_BYTE *exponent = NULL, *modulus = NULL;
+ 	CK_ATTRIBUTE *attr;
+ 	unsigned int length;
++	unsigned int bits;
++	isc_result_t ret = ISC_R_SUCCESS;
+ 
+ 	isc_buffer_remainingregion(data, &r);
+ 	if (r.length == 0)
+@@ -1478,9 +1489,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 
+ 	if (e_bytes == 0) {
+ 		if (r.length < 2) {
+-			isc_safe_memwipe(rsa, sizeof(*rsa));
+-			isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+-			return (DST_R_INVALIDPUBLICKEY);
++			DST_RET(DST_R_INVALIDPUBLICKEY);
+ 		}
+ 		e_bytes = (*r.base) << 8;
+ 		isc_region_consume(&r, 1);
+@@ -1489,16 +1498,18 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 	}
+ 
+ 	if (r.length < e_bytes) {
+-		isc_safe_memwipe(rsa, sizeof(*rsa));
+-		isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+-		return (DST_R_INVALIDPUBLICKEY);
++		DST_RET(DST_R_INVALIDPUBLICKEY);
+ 	}
+ 	exponent = r.base;
+ 	isc_region_consume(&r, e_bytes);
+ 	modulus = r.base;
+ 	mod_bytes = r.length;
+ 
+-	key->key_size = pk11_numbits(modulus, mod_bytes);
++	ret = pk11_numbits(modulus, mod_bytes, &bits);
++	if (ret != ISC_R_SUCCESS) {
++		goto err;
++	}
++	key->key_size = bits;
+ 
+ 	isc_buffer_forward(data, length);
+ 
+@@ -1548,9 +1559,12 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ 			    rsa->repr,
+ 			    rsa->attrcnt * sizeof(*attr));
+ 	}
++	ret = ISC_R_NOMEMORY;
++
++    err:
+ 	isc_safe_memwipe(rsa, sizeof(*rsa));
+ 	isc_mem_put(key->mctx, rsa, sizeof(*rsa));
+-	return (ISC_R_NOMEMORY);
++	return (ret);
+ }
+ 
+ static isc_result_t
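Review bot: the "err:" label is indented with four spaces while the surrounding code uses tabs; indent it the way the file's other labels are written. The "ret = ISC_R_NOMEMORY;" that falls through into the label is correct (the allocation-failure path previously returned that code directly) but easy to misread as a stray assignment; a one-line comment saying the allocation failure falls through to the shared cleanup would help, since every other arrival at err: now comes via DST_RET() or an explicit goto with ret already set.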
+@@ -1729,6 +1743,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
+ 	pk11_object_t *pubrsa;
+ 	pk11_context_t *pk11_ctx = NULL;
+ 	isc_result_t ret;
++	unsigned int bits;
+ 
+ 	if (label == NULL)
+ 		return (DST_R_NOENGINE);
+@@ -1815,7 +1830,11 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
+ 
+ 	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+ 	INSIST(attr != NULL);
+-	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++	if (ret != ISC_R_SUCCESS) {
++		goto err;
++	}
++	key->key_size = bits;
+ 
+ 	return (ISC_R_SUCCESS);
+ 
+@@ -1901,6 +1920,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 	CK_ATTRIBUTE *attr;
+ 	isc_mem_t *mctx = key->mctx;
+ 	const char *engine = NULL, *label = NULL;
++	unsigned int bits;
+ 
+ 	/* read private key file */
+ 	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
+@@ -2044,12 +2064,22 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+ 
+ 	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+ 	INSIST(attr != NULL);
+-	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++	if (ret != ISC_R_SUCCESS) {
++		goto err;
++	}
++	key->key_size = bits;
+ 
+ 	attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+ 	INSIST(attr != NULL);
+-	if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
++
++	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++	if (ret != ISC_R_SUCCESS) {
++		goto err;
++	}
++	if (bits > RSA_MAX_PUBEXP_BITS) {
+ 		DST_RET(ISC_R_RANGE);
++	}
+ 
+ 	dst__privstruct_free(&priv, mctx);
+ 	isc_safe_memwipe(&priv, sizeof(priv));
+@@ -2084,6 +2114,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 	pk11_context_t *pk11_ctx = NULL;
+ 	isc_result_t ret;
+ 	unsigned int i;
++	unsigned int bits;
+ 
+ 	UNUSED(pin);
+ 
+@@ -2178,12 +2209,22 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+ 
+ 	attr = pk11_attribute_bytype(rsa, CKA_PUBLIC_EXPONENT);
+ 	INSIST(attr != NULL);
+-	if (pk11_numbits(attr->pValue, attr->ulValueLen) > RSA_MAX_PUBEXP_BITS)
++
++	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++	if (ret != ISC_R_SUCCESS) {
++		goto err;
++	}
++	if (bits > RSA_MAX_PUBEXP_BITS) {
+ 		DST_RET(ISC_R_RANGE);
++	}
+ 
+ 	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
+ 	INSIST(attr != NULL);
+-	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
++	ret = pk11_numbits(attr->pValue, attr->ulValueLen, &bits);
++	if (ret != ISC_R_SUCCESS) {
++		goto err;
++	}
++	key->key_size = bits;
+ 
+ 	pk11_return_session(pk11_ctx);
+ 	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
+diff --git a/lib/isc/include/pk11/internal.h b/lib/isc/include/pk11/internal.h
+index aa8907ab08..7cc8ec812b 100644
+--- a/lib/isc/include/pk11/internal.h
++++ b/lib/isc/include/pk11/internal.h
+@@ -25,7 +25,8 @@ void pk11_mem_put(void *ptr, size_t size);
+ 
+ CK_SLOT_ID pk11_get_best_token(pk11_optype_t optype);
+ 
+-unsigned int pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt);
++isc_result_t
++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits);
+ 
+ CK_ATTRIBUTE *pk11_attribute_first(const pk11_object_t *obj);
+ 
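Review bot: changing pk11_numbits() from returning the bit count to returning isc_result_t with an out parameter breaks any caller not updated in this patch at compile time, and only with native-pkcs11 builds, so an oversight would not show up in a default build. The diffstat covers pkcs11dh_link.c, pkcs11dsa_link.c and pkcs11rsa_link.c; confirm with a tree-wide grep that no other file (other pkcs11 link modules or the pkcs11 tools under bin/) still uses the old two-argument form.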
+diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
+index 012afd968a..4e4052044b 100644
+--- a/lib/isc/pk11.c
++++ b/lib/isc/pk11.c
+@@ -962,13 +962,15 @@ pk11_get_best_token(pk11_optype_t optype) {
+ 	return (token->slotid);
+ }
+ 
+-unsigned int
+-pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
++isc_result_t
++pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt, unsigned int *bits) {
+ 	unsigned int bitcnt, i;
+ 	CK_BYTE top;
+ 
+-	if (bytecnt == 0)
+-		return (0);
++	if (bytecnt == 0) {
++		*bits = 0;
++		return (ISC_R_SUCCESS);
++	}
+ 	bitcnt = bytecnt * 8;
+ 	for (i = 0; i < bytecnt; i++) {
+ 		top = data[i];
+@@ -976,26 +978,41 @@ pk11_numbits(CK_BYTE_PTR data, unsigned int bytecnt) {
+ 			bitcnt -= 8;
+ 			continue;
+ 		}
+-		if (top & 0x80)
+-			return (bitcnt);
+-		if (top & 0x40)
+-			return (bitcnt - 1);
+-		if (top & 0x20)
+-			return (bitcnt - 2);
+-		if (top & 0x10)
+-			return (bitcnt - 3);
+-		if (top & 0x08)
+-			return (bitcnt - 4);
+-		if (top & 0x04)
+-			return (bitcnt - 5);
+-		if (top & 0x02)
+-			return (bitcnt - 6);
+-		if (top & 0x01)
+-			return (bitcnt - 7);
++		if (top & 0x80) {
++			*bits = bitcnt;
++			return (ISC_R_SUCCESS);
++		}
++		if (top & 0x40) {
++			*bits = bitcnt - 1;
++			return (ISC_R_SUCCESS);
++		}
++		if (top & 0x20) {
++			*bits = bitcnt - 2;
++			return (ISC_R_SUCCESS);
++		}
++		if (top & 0x10) {
++			*bits = bitcnt - 3;
++			return (ISC_R_SUCCESS);
++		}
++		if (top & 0x08) {
++			*bits = bitcnt - 4;
++			return (ISC_R_SUCCESS);
++		}
++		if (top & 0x04) {
++			*bits = bitcnt - 5;
++			return (ISC_R_SUCCESS);
++		}
++		if (top & 0x02) {
++			*bits = bitcnt - 6;
++			return (ISC_R_SUCCESS);
++		}
++		if (top & 0x01) {
++			*bits = bitcnt - 7;
++			return (ISC_R_SUCCESS);
++		}
+ 		break;
+ 	}
+-	INSIST(0);
+-	ISC_UNREACHABLE();
++	return (ISC_R_RANGE);
+ }
+ 
+ CK_ATTRIBUTE *
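Review bot: the "break;" after the eight "if (top & ...)" tests is unreachable, because the enclosing test already skipped zero bytes with "continue", so "return (ISC_R_RANGE)" is reached only when every byte of the input is zero; a one-line comment saying so would make the new error semantics obvious to the callers that now check it, and the ladder could be a loop over the bit index. The change itself is right: the INSIST(0)/ISC_UNREACHABLE() that a crafted all-zero value could trigger is replaced by an error result, and every caller updated in this patch maps it to a failure rather than ignoring it.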
+-- 
+2.17.1
+
diff --git a/meta/recipes-connectivity/bind/bind_9.11.19.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb
index 0bfd5799b3..aed1a73317 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.19.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \
            file://0001-avoid-start-failure-with-bind-user.patch \
            file://CVE-2020-8622.patch \
+           file://CVE-2020-8623.patch \
            "
 
 SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"
-- 
2.26.2



* [zeus][PATCH 08/11] bind: Security Advisory - bind - CVE-2020-8624
From: Anuj Mittal @ 2020-09-09  8:11 UTC
  To: openembedded-core

From: Li Zhou <li.zhou@windriver.com>

Backport patch from <https://gitlab.isc.org/isc-projects/bind9/
commit/e4cccf9668c7adee4724a7649ec64685f82c8677> to solve CVE-2020-8624.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../bind/bind/CVE-2020-8624.patch             | 33 +++++++++++++++++++
 .../recipes-connectivity/bind/bind_9.11.19.bb |  1 +
 2 files changed, 34 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch
new file mode 100644
index 0000000000..9cffe358bf
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2020-8624.patch
@@ -0,0 +1,33 @@
+From a73c3d30de7fe98af9e4dc0e490f732a48412380 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 29 Jul 2020 23:36:03 +1000
+Subject: [PATCH] bind: Update-policy 'subdomain' was incorrectly treated as
+ 'zonesub'
+
+resulting in names outside the specified subdomain having the wrong
+restrictions for the given key.
+
+Upstream-Status: Backport
+CVE: CVE-2020-8624
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ bin/named/zoneconf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index e237bdb..4898447 100644
+--- a/bin/named/zoneconf.c
++++ b/bin/named/zoneconf.c
+@@ -237,7 +237,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
+ 
+ 		str = cfg_obj_asstring(matchtype);
+ 		CHECK(dns_ssu_mtypefromstring(str, &mtype));
+-		if (mtype == dns_ssumatchtype_subdomain) {
++		if (mtype == dns_ssumatchtype_subdomain &&
++		    strcasecmp(str, "zonesub") == 0) {
+ 			usezone = true;
+ 		}
+ 
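Review bot: strcasecmp() needs <strings.h>; nothing in this hunk adds the include, so confirm bin/named/zoneconf.c already has it (or the ISC platform header that supplies it) before merging. The logic is sound: the preceding dns_ssu_mtypefromstring() call maps both "subdomain" and "zonesub" to dns_ssumatchtype_subdomain, so re-examining the original configuration token is the only way to set usezone for "zonesub" alone, which is what restores the intended restriction for plain "subdomain" rules.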
+-- 
+1.9.1
+
diff --git a/meta/recipes-connectivity/bind/bind_9.11.19.bb b/meta/recipes-connectivity/bind/bind_9.11.19.bb
index aed1a73317..d4467b0b48 100644
--- a/meta/recipes-connectivity/bind/bind_9.11.19.bb
+++ b/meta/recipes-connectivity/bind/bind_9.11.19.bb
@@ -20,6 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            file://CVE-2020-8622.patch \
            file://CVE-2020-8623.patch \
+           file://CVE-2020-8624.patch \
            "
 
 SRC_URI[sha256sum] = "0dee554a4caa368948b32da9a0c97b516c19103bc13ff5b3762c5d8552f52329"
-- 
2.26.2



* [zeus][PATCH 09/11] qemu: CVE-2020-14364
From: Anuj Mittal @ 2020-09-09  8:11 UTC
  To: openembedded-core

From: Li Wang <li.wang@windriver.com>

Backport patch from:
https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2020-14364.patch            | 93 +++++++++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 012be74855..ec32c90ad5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -42,6 +42,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2020-16092.patch \
            file://CVE-2020-10756.patch \
            file://CVE-2020-15863.patch \
+           file://CVE-2020-14364.patch \
 	   "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
new file mode 100644
index 0000000000..a109ac08d6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-14364.patch
@@ -0,0 +1,93 @@
+From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+
+Upstream-Status: Backport
+CVE: CVE-2020-14364
+[https://git.qemu.org/?p=qemu.git;a=patch;h=b946434f2659a182afc17e155be6791ebfb302eb]
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128..5234dcc 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+     int request, value, index;
++    unsigned int setup_len;
+ 
+     if (p->iov.size != 8) {
+         p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+     usb_packet_copy(p, s->setup_buf, p->iov.size);
+     s->setup_index = 0;
+     p->actual_length = 0;
+-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+-    if (s->setup_len > sizeof(s->data_buf)) {
++    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++    if (setup_len > sizeof(s->data_buf)) {
+         fprintf(stderr,
+                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
++                setup_len, sizeof(s->data_buf));
+         p->status = USB_RET_STALL;
+         return;
+     }
++    s->setup_len = setup_len;
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
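Review bot: setup_len is now an unsigned int but the fprintf format still prints it with "%d"; use "%u" so the conversion matches the argument (the "%zu" for sizeof is already correct). The ordering is otherwise right: s->setup_len is assigned only after the comparison against sizeof(s->data_buf), so a rejected packet never leaves an oversized length in the device struct for do_token_in()/do_token_out() to act on.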
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+     int i, request, value, index;
++    unsigned int setup_len;
+ 
+     for (i = 0; i < 8; i++) {
+         s->setup_buf[i] = p->parameter >> (i*8);
+     }
+ 
+     s->setup_state = SETUP_STATE_PARAM;
+-    s->setup_len   = (s->setup_buf[7] << 8) | s->setup_buf[6];
+     s->setup_index = 0;
+ 
+     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+     value   = (s->setup_buf[3] << 8) | s->setup_buf[2];
+     index   = (s->setup_buf[5] << 8) | s->setup_buf[4];
+ 
+-    if (s->setup_len > sizeof(s->data_buf)) {
++    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++    if (setup_len > sizeof(s->data_buf)) {
+         fprintf(stderr,
+                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+-                s->setup_len, sizeof(s->data_buf));
++                setup_len, sizeof(s->data_buf));
+         p->status = USB_RET_STALL;
+         return;
+     }
++    s->setup_len = setup_len;
+ 
+     if (p->pid == USB_TOKEN_OUT) {
+         usb_packet_copy(p, s->data_buf, s->setup_len);
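Review bot: "s->setup_state = SETUP_STATE_PARAM" is still set before the length check, so a rejected packet leaves the device in the PARAM state while s->setup_len keeps whatever the previous request stored; that stale value was itself validated when it was stored, so this is a state-consistency issue rather than an overflow, but moving the state assignment after the check (or resetting it on the STALL path) keeps the two fields in step. The same "%d" versus unsigned int format mismatch noted for do_token_setup() applies to the fprintf here.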
+-- 
+2.17.1
+
-- 
2.26.2



* [zeus][PATCH 10/11] go: Security Advisory - go - CVE-2020-24553
From: Anuj Mittal @ 2020-09-09  8:11 UTC
  To: openembedded-core

From: Li Zhou <li.zhou@windriver.com>

Backport the patch from <https://github.com/golang/go/commit/
eb07103a083237414145a45f029c873d57037e06> to solve CVE-2020-24553.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 meta/recipes-devtools/go/go-1.12.inc          |   2 +
 ...i-rename-a-test-file-to-be-less-cute.patch |  28 ++
 .../go/go-1.12/CVE-2020-24553.patch           | 429 ++++++++++++++++++
 3 files changed, 459 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch
 create mode 100644 meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch

diff --git a/meta/recipes-devtools/go/go-1.12.inc b/meta/recipes-devtools/go/go-1.12.inc
index fd2d641554..2a0680aeaa 100644
--- a/meta/recipes-devtools/go/go-1.12.inc
+++ b/meta/recipes-devtools/go/go-1.12.inc
@@ -20,6 +20,8 @@ SRC_URI += "\
     file://0010-fix-CVE-2019-17596.patch \
     file://CVE-2020-15586.patch \
     file://CVE-2020-16845.patch \
+    file://0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch \
+    file://CVE-2020-24553.patch \
 "
 SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
 
diff --git a/meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch b/meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch
new file mode 100644
index 0000000000..7c07961c03
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/0001-net-http-cgi-rename-a-test-file-to-be-less-cute.patch
@@ -0,0 +1,28 @@
+From 8390c478600b852392cb116741b3cb239c94d123 Mon Sep 17 00:00:00 2001
+From: Brad Fitzpatrick <bradfitz@golang.org>
+Date: Wed, 15 Jan 2020 18:08:10 +0000
+Subject: [PATCH] net/http/cgi: rename a test file to be less cute
+
+My fault (from CL 4245070), sorry.
+
+Change-Id: Ib95d3170dc326e74aa74c22421c4e44a8b00f577
+Reviewed-on: https://go-review.googlesource.com/c/go/+/214920
+Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
+TryBot-Result: Gobot Gobot <gobot@golang.org>
+Reviewed-by: Emmanuel Odeke <emm.odeke@gmail.com>
+
+Upstream-Status: Backport
+[lz: Add this patch for merging the patch for CVE-2020-24553]
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/net/http/cgi/{matryoshka_test.go => integration_test.go} | 0
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+ rename src/net/http/cgi/{matryoshka_test.go => integration_test.go} (100%)
+
+diff --git a/src/net/http/cgi/matryoshka_test.go b/src/net/http/cgi/integration_test.go
+similarity index 100%
+rename from src/net/http/cgi/matryoshka_test.go
+rename to src/net/http/cgi/integration_test.go
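Review bot: this rename has to be applied before CVE-2020-24553.patch, because that patch modifies src/net/http/cgi/integration_test.go under its new name (see its diffstat); the SRC_URI order in go-1.12.inc lists the rename first, so the ordering is correct, and the "[lz: ...]" line in the header records why an otherwise cosmetic upstream change is being carried.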
+-- 
+2.17.1
+
diff --git a/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch b/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch
new file mode 100644
index 0000000000..18a218bc9a
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.12/CVE-2020-24553.patch
@@ -0,0 +1,429 @@
+From eb07103a083237414145a45f029c873d57037e06 Mon Sep 17 00:00:00 2001
+From: Roberto Clapis <roberto@golang.org>
+Date: Wed, 26 Aug 2020 08:53:03 +0200
+Subject: [PATCH] [release-branch.go1.15-security] net/http/cgi,net/http/fcgi:
+ add Content-Type detection
+
+This CL ensures that responses served via CGI and FastCGI
+have a Content-Type header based on the content of the
+response if not explicitly set by handlers.
+
+If the implementers of the handler did not explicitly
+specify a Content-Type both CGI implementations would default
+to "text/html", potentially causing cross-site scripting.
+
+Thanks to RedTeam Pentesting GmbH for reporting this.
+
+Fixes CVE-2020-24553
+
+Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217
+Reviewed-by: Russ Cox <rsc@google.com>
+(cherry picked from commit 23d675d07fdc56aafd67c0a0b63d5b7e14708ff0)
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/835311
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-24553
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/net/http/cgi/child.go            | 36 ++++++++++-----
+ src/net/http/cgi/child_test.go       | 69 ++++++++++++++++++++++++++++
+ src/net/http/cgi/integration_test.go | 53 ++++++++++++++++++++-
+ src/net/http/fcgi/child.go           | 39 ++++++++++++----
+ src/net/http/fcgi/fcgi_test.go       | 52 +++++++++++++++++++++
+ 5 files changed, 227 insertions(+), 22 deletions(-)
+
+diff --git a/src/net/http/cgi/child.go b/src/net/http/cgi/child.go
+index 9474175f17..61de6165f6 100644
+--- a/src/net/http/cgi/child.go
++++ b/src/net/http/cgi/child.go
+@@ -163,10 +163,12 @@ func Serve(handler http.Handler) error {
+ }
+ 
+ type response struct {
+-	req        *http.Request
+-	header     http.Header
+-	bufw       *bufio.Writer
+-	headerSent bool
++	req            *http.Request
++	header         http.Header
++	code           int
++	wroteHeader    bool
++	wroteCGIHeader bool
++	bufw           *bufio.Writer
+ }
+ 
+ func (r *response) Flush() {
+@@ -178,26 +180,38 @@ func (r *response) Header() http.Header {
+ }
+ 
+ func (r *response) Write(p []byte) (n int, err error) {
+-	if !r.headerSent {
++	if !r.wroteHeader {
+ 		r.WriteHeader(http.StatusOK)
+ 	}
++	if !r.wroteCGIHeader {
++		r.writeCGIHeader(p)
++	}
+ 	return r.bufw.Write(p)
+ }
+ 
+ func (r *response) WriteHeader(code int) {
+-	if r.headerSent {
++	if r.wroteHeader {
+ 		// Note: explicitly using Stderr, as Stdout is our HTTP output.
+ 		fmt.Fprintf(os.Stderr, "CGI attempted to write header twice on request for %s", r.req.URL)
+ 		return
+ 	}
+-	r.headerSent = true
+-	fmt.Fprintf(r.bufw, "Status: %d %s\r\n", code, http.StatusText(code))
++	r.wroteHeader = true
++	r.code = code
++}
+ 
+-	// Set a default Content-Type
++// writeCGIHeader finalizes the header sent to the client and writes it to the output.
++// p is not written by writeHeader, but is the first chunk of the body
++// that will be written. It is sniffed for a Content-Type if none is
++// set explicitly.
++func (r *response) writeCGIHeader(p []byte) {
++	if r.wroteCGIHeader {
++		return
++	}
++	r.wroteCGIHeader = true
++	fmt.Fprintf(r.bufw, "Status: %d %s\r\n", r.code, http.StatusText(r.code))
+ 	if _, hasType := r.header["Content-Type"]; !hasType {
+-		r.header.Add("Content-Type", "text/html; charset=utf-8")
++		r.header.Set("Content-Type", http.DetectContentType(p))
+ 	}
+-
+ 	r.header.Write(r.bufw)
+ 	r.bufw.WriteString("\r\n")
+ 	r.bufw.Flush()
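Review bot: WriteHeader() no longer emits anything; the "Status:" line and the headers now go out only from writeCGIHeader(), which within this hunk is reached solely from Write(). A handler that calls WriteHeader() (or only sets headers) and never writes a body therefore depends on something else calling Write(nil) or writeCGIHeader(nil) before the process exits; confirm that Serve() does this on its deferred path, since that part of the file is not in this hunk. The http.DetectContentType(p) call on the first body chunk is the actual fix: the previous unconditional "text/html; charset=utf-8" default caused any handler that forgot to set a type to have its output rendered as HTML, which the commit message notes could lead to cross-site scripting.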
+diff --git a/src/net/http/cgi/child_test.go b/src/net/http/cgi/child_test.go
+index 14e0af475f..f6ecb6eb80 100644
+--- a/src/net/http/cgi/child_test.go
++++ b/src/net/http/cgi/child_test.go
+@@ -7,6 +7,11 @@
+ package cgi
+ 
+ import (
++	"bufio"
++	"bytes"
++	"net/http"
++	"net/http/httptest"
++	"strings"
+ 	"testing"
+ )
+ 
+@@ -148,3 +153,67 @@ func TestRequestWithoutRemotePort(t *testing.T) {
+ 		t.Errorf("RemoteAddr: got %q; want %q", g, e)
+ 	}
+ }
++
++type countingWriter int
++
++func (c *countingWriter) Write(p []byte) (int, error) {
++	*c += countingWriter(len(p))
++	return len(p), nil
++}
++func (c *countingWriter) WriteString(p string) (int, error) {
++	*c += countingWriter(len(p))
++	return len(p), nil
++}
++
++func TestResponse(t *testing.T) {
++	var tests = []struct {
++		name   string
++		body   string
++		wantCT string
++	}{
++		{
++			name:   "no body",
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "html",
++			body:   "<html><head><title>test page</title></head><body>This is a body</body></html>",
++			wantCT: "text/html; charset=utf-8",
++		},
++		{
++			name:   "text",
++			body:   strings.Repeat("gopher", 86),
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "jpg",
++			body:   "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
++			wantCT: "image/jpeg",
++		},
++	}
++	for _, tt := range tests {
++		t.Run(tt.name, func(t *testing.T) {
++			var buf bytes.Buffer
++			resp := response{
++				req:    httptest.NewRequest("GET", "/", nil),
++				header: http.Header{},
++				bufw:   bufio.NewWriter(&buf),
++			}
++			n, err := resp.Write([]byte(tt.body))
++			if err != nil {
++				t.Errorf("Write: unexpected %v", err)
++			}
++			if want := len(tt.body); n != want {
++				t.Errorf("reported short Write: got %v want %v", n, want)
++			}
++			resp.writeCGIHeader(nil)
++			resp.Flush()
++			if got := resp.Header().Get("Content-Type"); got != tt.wantCT {
++				t.Errorf("wrong content-type: got %q, want %q", got, tt.wantCT)
++			}
++			if !bytes.HasSuffix(buf.Bytes(), []byte(tt.body)) {
++				t.Errorf("body was not correctly written")
++			}
++		})
++	}
++}
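Review bot: countingWriter and its two methods are added but nothing in this hunk references them, and TestResponse writes into a bytes.Buffer; unless another test in child_test.go uses the type, drop it. The table otherwise covers the right cases: the empty body checks that DetectContentType(nil) yields "text/plain; charset=utf-8", the text case checks that a long non-HTML body is not labelled html, and the JPEG case checks that sniffing wins over the old default.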
+diff --git a/src/net/http/cgi/integration_test.go b/src/net/http/cgi/integration_test.go
+index 32d59c09a3..295c3b82d4 100644
+--- a/src/net/http/cgi/integration_test.go
++++ b/src/net/http/cgi/integration_test.go
+@@ -16,7 +16,9 @@ import (
+ 	"io"
+ 	"net/http"
+ 	"net/http/httptest"
++	"net/url"
+ 	"os"
++	"strings"
+ 	"testing"
+ 	"time"
+ )
+@@ -52,7 +54,7 @@ func TestHostingOurselves(t *testing.T) {
+ 	}
+ 	replay := runCgiTest(t, h, "GET /test.go?foo=bar&a=b HTTP/1.0\nHost: example.com\n\n", expectedMap)
+ 
+-	if expected, got := "text/html; charset=utf-8", replay.Header().Get("Content-Type"); got != expected {
++	if expected, got := "text/plain; charset=utf-8", replay.Header().Get("Content-Type"); got != expected {
+ 		t.Errorf("got a Content-Type of %q; expected %q", got, expected)
+ 	}
+ 	if expected, got := "X-Test-Value", replay.Header().Get("X-Test-Header"); got != expected {
+@@ -152,6 +154,51 @@ func TestChildOnlyHeaders(t *testing.T) {
+ 	}
+ }
+ 
++func TestChildContentType(t *testing.T) {
++	testenv.MustHaveExec(t)
++
++	h := &Handler{
++		Path: os.Args[0],
++		Root: "/test.go",
++		Args: []string{"-test.run=TestBeChildCGIProcess"},
++	}
++	var tests = []struct {
++		name   string
++		body   string
++		wantCT string
++	}{
++		{
++			name:   "no body",
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "html",
++			body:   "<html><head><title>test page</title></head><body>This is a body</body></html>",
++			wantCT: "text/html; charset=utf-8",
++		},
++		{
++			name:   "text",
++			body:   strings.Repeat("gopher", 86),
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "jpg",
++			body:   "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
++			wantCT: "image/jpeg",
++		},
++	}
++	for _, tt := range tests {
++		t.Run(tt.name, func(t *testing.T) {
++			expectedMap := map[string]string{"_body": tt.body}
++			req := fmt.Sprintf("GET /test.go?exact-body=%s HTTP/1.0\nHost: example.com\n\n", url.QueryEscape(tt.body))
++			replay := runCgiTest(t, h, req, expectedMap)
++			if got := replay.Header().Get("Content-Type"); got != tt.wantCT {
++				t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT)
++			}
++		})
++	}
++}
++
+ // golang.org/issue/7198
+ func Test500WithNoHeaders(t *testing.T)     { want500Test(t, "/immediate-disconnect") }
+ func Test500WithNoContentType(t *testing.T) { want500Test(t, "/no-content-type") }
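Review bot: the failure message in TestChildContentType says "expected it to start with %q" but the comparison is an exact "got != tt.wantCT"; make the message say "expected %q" (or compare with strings.HasPrefix if prefix matching was intended) so a failure report describes the check actually performed. The table literal is identical to the one in child_test.go's TestResponse; a single package-level definition would keep the two from drifting apart.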
+@@ -203,6 +250,10 @@ func TestBeChildCGIProcess(t *testing.T) {
+ 		if req.FormValue("no-body") == "1" {
+ 			return
+ 		}
++		if eb, ok := req.Form["exact-body"]; ok {
++			io.WriteString(rw, eb[0])
++			return
++		}
+ 		if req.FormValue("write-forever") == "1" {
+ 			io.Copy(rw, neverEnding('a'))
+ 			for {
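Review bot: the map lookup `req.Form["exact-body"]` with `eb[0]` is correct but looks odd next to the `req.FormValue(...)` checks around it; it is needed because the `no body` case sends `exact-body=` with an empty value, and FormValue would return "" for both an empty and an absent parameter. A one-line comment saying that presence, not value, is what is being tested would stop the next reader from "simplifying" it to FormValue. The return value of `io.WriteString` is ignored, which is fine in the child-process test helper.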
+diff --git a/src/net/http/fcgi/child.go b/src/net/http/fcgi/child.go
+index 30a6b2ce2d..a31273b3ec 100644
+--- a/src/net/http/fcgi/child.go
++++ b/src/net/http/fcgi/child.go
+@@ -74,10 +74,12 @@ func (r *request) parseParams() {
+ 
+ // response implements http.ResponseWriter.
+ type response struct {
+-	req         *request
+-	header      http.Header
+-	w           *bufWriter
+-	wroteHeader bool
++	req            *request
++	header         http.Header
++	code           int
++	wroteHeader    bool
++	wroteCGIHeader bool
++	w              *bufWriter
+ }
+ 
+ func newResponse(c *child, req *request) *response {
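Review bot: `code` is assigned only in WriteHeader, and writeCGIHeader reads it unconditionally to build the Status line. The invariant that Write always calls WriteHeader before writeCGIHeader (so `code` is never its zero value when the header is emitted) is only visible in Write; state it in a comment on the `code` field, otherwise a future direct call to writeCGIHeader would emit `Status: 0 `.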
+@@ -92,11 +94,14 @@ func (r *response) Header() http.Header {
+ 	return r.header
+ }
+ 
+-func (r *response) Write(data []byte) (int, error) {
++func (r *response) Write(p []byte) (n int, err error) {
+ 	if !r.wroteHeader {
+ 		r.WriteHeader(http.StatusOK)
+ 	}
+-	return r.w.Write(data)
++	if !r.wroteCGIHeader {
++		r.writeCGIHeader(p)
++	}
++	return r.w.Write(p)
+ }
+ 
+ func (r *response) WriteHeader(code int) {
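Review bot: the new signature uses named results `(n int, err error)` but the body still ends with `return r.w.Write(p)` and never refers to the names; drop them to keep the style consistent with `Header` and `WriteHeader` in this file. The `Write(nil)` case is worth a comment here: with an empty or nil `p`, writeCGIHeader sniffs an empty body, which `http.DetectContentType` reports as `text/plain; charset=utf-8`, and that is what the `no body` test case expects.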
+@@ -104,22 +109,34 @@ func (r *response) WriteHeader(code int) {
+ 		return
+ 	}
+ 	r.wroteHeader = true
++	r.code = code
+ 	if code == http.StatusNotModified {
+ 		// Must not have body.
+ 		r.header.Del("Content-Type")
+ 		r.header.Del("Content-Length")
+ 		r.header.Del("Transfer-Encoding")
+-	} else if r.header.Get("Content-Type") == "" {
+-		r.header.Set("Content-Type", "text/html; charset=utf-8")
+ 	}
+-
+ 	if r.header.Get("Date") == "" {
+ 		r.header.Set("Date", time.Now().UTC().Format(http.TimeFormat))
+ 	}
++}
+ 
+-	fmt.Fprintf(r.w, "Status: %d %s\r\n", code, http.StatusText(code))
++// writeCGIHeader finalizes the header sent to the client and writes it to the output.
++// p is not written by writeHeader, but is the first chunk of the body
++// that will be written. It is sniffed for a Content-Type if none is
++// set explicitly.
++func (r *response) writeCGIHeader(p []byte) {
++	if r.wroteCGIHeader {
++		return
++	}
++	r.wroteCGIHeader = true
++	fmt.Fprintf(r.w, "Status: %d %s\r\n", r.code, http.StatusText(r.code))
++	if _, hasType := r.header["Content-Type"]; r.code != http.StatusNotModified && !hasType {
++		r.header.Set("Content-Type", http.DetectContentType(p))
++	}
+ 	r.header.Write(r.w)
+ 	r.w.WriteString("\r\n")
++	r.w.Flush()
+ }
+ 
+ func (r *response) Flush() {
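Review bot: the doc comment on writeCGIHeader refers to `writeHeader`, which does not exist in this file; it should read `writeCGIHeader`. More importantly, the sniff is performed on `p`, the first chunk handed to Write, with no buffering, so a handler that emits its body in small writes gets a Content-Type detected from only the first few bytes; net/http's server sniffs the first 512 bytes of written data. The comment should say that detection uses the first Write only, so handler authors know to set Content-Type explicitly or to write at least the sniffable prefix in one call. The added `r.w.Flush()` means the Status line and headers leave the buffer as soon as the first body chunk arrives, which is the right place for it.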
+@@ -290,6 +307,8 @@ func (c *child) serveRequest(req *request, body io.ReadCloser) {
+ 		httpReq = httpReq.WithContext(envVarCtx)
+ 		c.handler.ServeHTTP(r, httpReq)
+ 	}
++	// Make sure we serve something even if nothing was written to r
++	r.Write(nil)
+ 	r.Close()
+ 	c.mu.Lock()
+ 	delete(c.requests, req.reqId)
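Review bot: the comment on `r.Write(nil)` should say why it is needed: this change moves the Status line and header emission out of WriteHeader into writeCGIHeader, so a handler that calls only WriteHeader, or nothing at all, would otherwise produce no CGI header. The error returned by `r.Write(nil)` is ignored; a short comment that a write failure at this point cannot be reported to the handler anyway would make that deliberate.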
+diff --git a/src/net/http/fcgi/fcgi_test.go b/src/net/http/fcgi/fcgi_test.go
+index e9d2b34023..4a27a12c35 100644
+--- a/src/net/http/fcgi/fcgi_test.go
++++ b/src/net/http/fcgi/fcgi_test.go
+@@ -10,6 +10,7 @@ import (
+ 	"io"
+ 	"io/ioutil"
+ 	"net/http"
++	"strings"
+ 	"testing"
+ )
+ 
+@@ -344,3 +345,54 @@ func TestChildServeReadsEnvVars(t *testing.T) {
+ 		<-done
+ 	}
+ }
++
++func TestResponseWriterSniffsContentType(t *testing.T) {
++	var tests = []struct {
++		name   string
++		body   string
++		wantCT string
++	}{
++		{
++			name:   "no body",
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "html",
++			body:   "<html><head><title>test page</title></head><body>This is a body</body></html>",
++			wantCT: "text/html; charset=utf-8",
++		},
++		{
++			name:   "text",
++			body:   strings.Repeat("gopher", 86),
++			wantCT: "text/plain; charset=utf-8",
++		},
++		{
++			name:   "jpg",
++			body:   "\xFF\xD8\xFF" + strings.Repeat("B", 1024),
++			wantCT: "image/jpeg",
++		},
++	}
++	for _, tt := range tests {
++		t.Run(tt.name, func(t *testing.T) {
++			input := make([]byte, len(streamFullRequestStdin))
++			copy(input, streamFullRequestStdin)
++			rc := nopWriteCloser{bytes.NewBuffer(input)}
++			done := make(chan bool)
++			var resp *response
++			c := newChild(rc, http.HandlerFunc(func(
++				w http.ResponseWriter,
++				r *http.Request,
++			) {
++				io.WriteString(w, tt.body)
++				resp = w.(*response)
++				done <- true
++			}))
++			defer c.cleanUp()
++			go c.serve()
++			<-done
++			if got := resp.Header().Get("Content-Type"); got != tt.wantCT {
++				t.Errorf("got a Content-Type of %q; expected it to start with %q", got, tt.wantCT)
++			}
++		})
++	}
++}
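Review bot: TestResponseWriterSniffsContentType has the same message mismatch as the cgi test: the comparison is exact while the message says `expected it to start with %q`; fix both places the same way. The case table is a byte-for-byte copy of the one in TestChildContentType, which is acceptable since the two packages cannot share a test helper, but keep them in sync if cases are added. Reading `resp.Header()` after `<-done` is ordered by the channel send in the handler, so the access is race-free; a comment on `done` noting that the handler must have completed its Write before signalling would document that.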
+-- 
+2.17.1
+
-- 
2.26.2



* [zeus][PATCH 11/11] gnutls: CVE-2020-24659
  2020-09-09  8:11 [zeus][PATCH 00/11] zeus review request Anuj Mittal
                   ` (9 preceding siblings ...)
  2020-09-09  8:11 ` [zeus][PATCH 10/11] go: Security Advisory - go - CVE-2020-24553 Anuj Mittal
@ 2020-09-09  8:11 ` Anuj Mittal
  2020-09-09  8:47 ` [OE-core] [zeus][PATCH 00/11] zeus review request Richard Purdie
  11 siblings, 0 replies; 13+ messages in thread
From: Anuj Mittal @ 2020-09-09  8:11 UTC (permalink / raw)
  To: openembedded-core

From: Zhixiong Chi <zhixiong.chi@windriver.com>

Backport the CVE patch from the upstream:
https://gitlab.com/gnutls/gnutls.git
commit 29ee67c205855e848a0a26e6d0e4f65b6b943e0a

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../gnutls/gnutls/CVE-2020-24659.patch        | 117 ++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.6.13.bb  |   1 +
 2 files changed, 118 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
new file mode 100644
index 0000000000..1702325e66
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2020-24659.patch
@@ -0,0 +1,117 @@
+From 29ee67c205855e848a0a26e6d0e4f65b6b943e0a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 22 Aug 2020 17:19:39 +0200
+Subject: [PATCH] handshake: reject no_renegotiation alert if handshake is
+ incomplete
+
+If the initial handshake is incomplete and the server sends a
+no_renegotiation alert, the client should treat it as a fatal error
+even if its level is warning.  Otherwise the same handshake
+state (e.g., DHE parameters) are reused in the next gnutls_handshake
+call, if it is called in the loop idiom:
+
+  do {
+          ret = gnutls_handshake(session);
+  } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+CVE: CVE-2020-24659
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ lib/gnutls_int.h                              |   1 +
+ lib/handshake.c                               |  48 +++++++++++++-----
+ 2 files changed, 36 insertions(+), 13 deletions(-)
+
+diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
+index bb6c19713..31cec5c0c 100644
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -1370,6 +1370,7 @@ typedef struct {
+ #define HSK_RECORD_SIZE_LIMIT_RECEIVED (1<<26) /* server: record_size_limit extension was seen but not accepted yet */
+ #define HSK_OCSP_REQUESTED (1<<27) /* server: client requested OCSP stapling */
+ #define HSK_CLIENT_OCSP_REQUESTED (1<<28) /* client: server requested OCSP stapling */
++#define HSK_SERVER_HELLO_RECEIVED (1<<29) /* client: Server Hello message has been received */
+ 
+ 	/* The hsk_flags are for use within the ongoing handshake;
+ 	 * they are reset to zero prior to handshake start by gnutls_handshake. */
+diff --git a/lib/handshake.c b/lib/handshake.c
+index b40f84b3d..ce2d160e2 100644
+--- a/lib/handshake.c
++++ b/lib/handshake.c
+@@ -2051,6 +2051,8 @@ read_server_hello(gnutls_session_t session,
+ 	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+ 
++	session->internals.hsk_flags |= HSK_SERVER_HELLO_RECEIVED;
++
+ 	return 0;
+ }
+ 
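Review bot: HSK_SERVER_HELLO_RECEIVED is set only after every check in read_server_hello has passed, so a Server Hello that fails parsing leaves the flag clear and a following warning-level no_renegotiation alert is still tolerated on the client. If any alert arriving after the Server Hello bytes were consumed should be treated as unexpected, set the flag before the early `return gnutls_assert_val(ret)`; otherwise add a one-line comment that a rejected Server Hello is already handled by its own error return, so the choice is explicit.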
+@@ -2575,16 +2577,42 @@ int gnutls_rehandshake(gnutls_session_t session)
+ 	return 0;
+ }
+ 
++/* This function checks whether the error code should be treated fatal
++ * or not, and also does the necessary state transition.  In
++ * particular, in the case of a rehandshake abort it resets the
++ * handshake's internal state.
++ */
+ inline static int
+ _gnutls_abort_handshake(gnutls_session_t session, int ret)
+ {
+-	if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
+-	     (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION))
+-	    || ret == GNUTLS_E_GOT_APPLICATION_DATA)
+-		return 0;
++	switch (ret) {
++	case GNUTLS_E_WARNING_ALERT_RECEIVED:
++		if (gnutls_alert_get(session) == GNUTLS_A_NO_RENEGOTIATION) {
++			/* The server always toleretes a "no_renegotiation" alert. */
++			if (session->security_parameters.entity == GNUTLS_SERVER) {
++				STATE = STATE0;
++				return ret;
++			}
++
++			/* The client should tolerete a "no_renegotiation" alert only if:
++			 * - the initial handshake has completed, or
++			 * - a Server Hello is not yet received
++			 */
++			if (session->internals.initial_negotiation_completed ||
++			    !(session->internals.hsk_flags & HSK_SERVER_HELLO_RECEIVED)) {
++				STATE = STATE0;
++				return ret;
++			}
+ 
+-	/* this doesn't matter */
+-	return GNUTLS_E_INTERNAL_ERROR;
++			return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET);
++		}
++		return ret;
++	case GNUTLS_E_GOT_APPLICATION_DATA:
++		STATE = STATE0;
++		return ret;
++	default:
++		return ret;
++	}
+ }
+ 
+ 
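Review bot: two typos in the new comments in _gnutls_abort_handshake: "toleretes" and "tolerete" should be "tolerates" and "tolerate". On the logic: the client branch for a no_renegotiation alert received after the Server Hello but before the initial negotiation completed returns GNUTLS_E_UNEXPECTED_PACKET without resetting STATE, while every tolerated path resets STATE to STATE0 first. That is correct because the returned error is fatal and the `do { } while (!fatal)` idiom from the description stops, but the comment block above the function only mentions the reset case; add a sentence that the fatal path intentionally leaves the handshake state untouched so the partially negotiated parameters cannot be reused.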
+@@ -2747,13 +2774,7 @@ int gnutls_handshake(gnutls_session_t session)
+ 	}
+ 
+ 	if (ret < 0) {
+-		/* In the case of a rehandshake abort
+-		 * we should reset the handshake's internal state.
+-		 */
+-		if (_gnutls_abort_handshake(session, ret) == 0)
+-			STATE = STATE0;
+-
+-		return ret;
++		return _gnutls_abort_handshake(session, ret);
+ 	}
+ 
+ 	/* clear handshake buffer */
+-- 
+2.17.0
+
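Review bot: with the STATE reset moved into _gnutls_abort_handshake, gnutls_handshake now returns its result directly; the visible behaviour change for applications is that a warning-level no_renegotiation alert during an incomplete initial handshake now yields GNUTLS_E_UNEXPECTED_PACKET (fatal) instead of GNUTLS_E_WARNING_ALERT_RECEIVED (non-fatal). That is the actual fix for CVE-2020-24659 and deserves a sentence in the backport's commit message, since the imported patch description only explains the loop idiom.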
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.13.bb b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
index ab537981ac..2ed012f9d6 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.13.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.13.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2020-13777-a.patch \
            file://CVE-2020-13777-b.patch \
            file://CVE-2020-13777-c.patch \
+           file://CVE-2020-24659.patch \
 "
 
 SRC_URI[md5sum] = "bb1fe696a11543433785b4fc70ca225f"
-- 
2.26.2



* Re: [OE-core] [zeus][PATCH 00/11] zeus review request
  2020-09-09  8:11 [zeus][PATCH 00/11] zeus review request Anuj Mittal
                   ` (10 preceding siblings ...)
  2020-09-09  8:11 ` [zeus][PATCH 11/11] gnutls: CVE-2020-24659 Anuj Mittal
@ 2020-09-09  8:47 ` Richard Purdie
  11 siblings, 0 replies; 13+ messages in thread
From: Richard Purdie @ 2020-09-09  8:47 UTC (permalink / raw)
  To: Anuj Mittal, openembedded-core

On Wed, 2020-09-09 at 16:11 +0800, Anuj Mittal wrote:
> A set of CVE fixes for zeus. Please review.
> 
> I have rebased these on top of current zeus-next and have run the
> entire
> set through autobuilder using the contrib/rpurdie/zeus helper
> branch. 
> 
> There's one failure while compiling acl (for reproducibility
> test) which probably happened because of memory availability and is
> unrelated:
> 
> > make: *** read jobs pipe: Resource temporarily unavailable.  Stop.
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/1358/steps/8/logs/step2d

Thanks Anuj!

One of the selftest failures wasn't this but was failures in bitbake-
selftest due to fetcher url stability issues. I've backported the
bitbake change which fixes that to 1.44.

The issue above isn't resource but is related to the attr fix I made in
thud-next. It's caused by issues with newer versions of make and the
rather weird makefile attr/acl has. The fix is to do what I did for
attr, disable parallel make during install. Newer versions of acl/attr
don't have the problem so this is zeus specific.

Cheers,

Richard

