* [hardknott 0/9] Patch review Sept 15th
@ 2021-09-15 13:55 Armin Kuster
From: Armin Kuster @ 2021-09-15 13:55 UTC (permalink / raw)
To: openembedded-devel
Please have comments back by Friday

The following changes since commit 7bd7e1da9034e72ca4262dba55f70b2b23499aae:

  dlt-daemon: update from 2.18.6 to 2.18.7 (2021-09-04 10:39:29 -0700)

are available in the Git repository at:

  git://git.openembedded.org/meta-openembedded-contrib stable/hardknott-nut
  http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/hardknott-nut

Changqing Li (1):
      c-ares: fix CVE-2021-3672

Joe Slater (1):
      redis: fix CVE-2021-32761

Khem Raj (1):
      vboxguestdrivers: Remove __divmoddi4 patch

Kristian Klausen (1):
      cryptsetup: Add runtime dependency on lvm2-udevrules for udev

Peter Kjellerstedt (1):
      cryptsetup: Only recommend kernel modules when building for target

Yi Zhao (1):
      krb5: fix CVE-2021-36222

wangmy (1):
      cjson: upgrade 1.7.14 -> 1.7.15

zangrc (1):
      cryptsetup: upgrade 2.3.5 -> 2.3.6

zhengruoqin (1):
      wireshark: upgrade 3.4.7 -> 3.4.8

...{wireshark_3.4.7.bb => wireshark_3.4.8.bb} | 2 +-
.../krb5/krb5/CVE-2021-36222.patch | 121 +++++++++
.../recipes-connectivity/krb5/krb5_1.17.2.bb | 1 +
...ryptsetup_2.3.5.bb => cryptsetup_2.3.6.bb} | 31 ++-
.../{cjson_1.7.14.bb => cjson_1.7.15.bb} | 2 +-
.../redis/redis/CVE-2021-32761.patch | 257 ++++++++++++++++++
meta-oe/recipes-extended/redis/redis_6.2.2.bb | 1 +
.../c-ares/c-ares/0001-CVE-2021-3672.patch | 91 +++++++
.../c-ares/c-ares/0002-CVE-2021-3672.patch | 104 +++++++
.../recipes-support/c-ares/c-ares_1.16.1.bb | 2 +
.../vboxguestdrivers/add__divmoddi4.patch | 36 ---
.../vboxguestdrivers_6.1.26.bb | 1 -
12 files changed, 595 insertions(+), 54 deletions(-)
rename meta-networking/recipes-support/wireshark/{wireshark_3.4.7.bb => wireshark_3.4.8.bb} (97%)
create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch
rename meta-oe/recipes-crypto/cryptsetup/{cryptsetup_2.3.5.bb => cryptsetup_2.3.6.bb} (88%)
rename meta-oe/recipes-devtools/cjson/{cjson_1.7.14.bb => cjson_1.7.15.bb} (90%)
create mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2021-32761.patch
create mode 100644 meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch
create mode 100644 meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch
delete mode 100644 meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/add__divmoddi4.patch
--
2.25.1
^ permalink raw reply [flat|nested] 12+ messages in thread* [hardknott 1/9] wireshark: upgrade 3.4.7 -> 3.4.8 2021-09-15 13:55 [hardknott 0/9] Patch review Sept 15th Armin Kuster @ 2021-09-15 13:55 ` Armin Kuster 2021-09-15 13:55 ` [hardknott 2/9] cjson: upgrade 1.7.14 -> 1.7.15 Armin Kuster ` (7 subsequent siblings) 8 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2021-09-15 13:55 UTC (permalink / raw) To: openembedded-devel From: zhengruoqin <zhengrq.fnst@fujitsu.com> Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 340ec8b25eafe644ab760fd784ccef217b7ee864) [bug fix only update] Signed-off-by: Armin Kuster <akuster808@gmail.com> --- .../wireshark/{wireshark_3.4.7.bb => wireshark_3.4.8.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-networking/recipes-support/wireshark/{wireshark_3.4.7.bb => wireshark_3.4.8.bb} (97%) diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.4.7.bb b/meta-networking/recipes-support/wireshark/wireshark_3.4.8.bb similarity index 97% rename from meta-networking/recipes-support/wireshark/wireshark_3.4.7.bb rename to meta-networking/recipes-support/wireshark/wireshark_3.4.8.bb index 2e0fdae63b..73ccfc5f30 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.4.7.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.4.8.bb @@ -19,7 +19,7 @@ SRC_URI += " \ UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -SRC_URI[sha256sum] = "6c4cee51ef997cb9d9aaee84113525a5629157d3c743d7c4e320000de804a09d" +SRC_URI[sha256sum] = "58a7fa8dfe2010a8c8b7dcf66438c653e6493d47eb936ba48ef49d4aa4dbd725" PE = "1" -- 2.25.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
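Review bot: the only changed line in the wireshark_3.4.8.bb hunk is SRC_URI[sha256sum], and the commit message has no body beyond "[bug fix only update]", so nothing here lets a reviewer tie the new digest to the release or see what 3.4.8 fixes. For a stable-branch backport, add a pointer to the upstream 3.4.8 release notes (and any CVE ids they list) to the message, and say that the digest was compared against a value published by upstream rather than computed from whatever the fetcher downloaded.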
* [hardknott 2/9] cjson: upgrade 1.7.14 -> 1.7.15 2021-09-15 13:55 [hardknott 0/9] Patch review Sept 15th Armin Kuster 2021-09-15 13:55 ` [hardknott 1/9] wireshark: upgrade 3.4.7 -> 3.4.8 Armin Kuster @ 2021-09-15 13:55 ` Armin Kuster 2021-09-15 13:55 ` [hardknott 3/9] krb5: fix CVE-2021-36222 Armin Kuster ` (6 subsequent siblings) 8 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2021-09-15 13:55 UTC (permalink / raw) To: openembedded-devel From: wangmy <wangmy@fujitsu.com> Fixes: Fix potential core dumped for strrchr, see https://github.com/DaveGamble/cJSON/pull/546 Fix null pointer crash in cJSON_CreateXxArray, see https://github.com/DaveGamble/cJSON/pull/538 Fix several null pointer problems on allocation failure, see https://github.com/DaveGamble/cJSON/pull/526 Fix a possible dereference of null pointer, see https://github.com/DaveGamble/cJSON/pull/519 Fix windows build failure about defining nan, see https://github.com/DaveGamble/cJSON/pull/518 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit fa00ac02df4e3caabe8ba81d1700cec835bcb139) Signed-off-by: Armin Kuster <akuster808@gmail.com> --- .../recipes-devtools/cjson/{cjson_1.7.14.bb => cjson_1.7.15.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-oe/recipes-devtools/cjson/{cjson_1.7.14.bb => cjson_1.7.15.bb} (90%) diff --git a/meta-oe/recipes-devtools/cjson/cjson_1.7.14.bb b/meta-oe/recipes-devtools/cjson/cjson_1.7.15.bb similarity index 90% rename from meta-oe/recipes-devtools/cjson/cjson_1.7.14.bb rename to meta-oe/recipes-devtools/cjson/cjson_1.7.15.bb index 0e33275e23..1a4e53d508 100644 --- a/meta-oe/recipes-devtools/cjson/cjson_1.7.14.bb +++ b/meta-oe/recipes-devtools/cjson/cjson_1.7.15.bb 
@@ -6,7 +6,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=218947f77e8cb8e2fa02918dc41c50d0" SRC_URI = "git://github.com/DaveGamble/cJSON.git" -SRCREV = "d2735278ed1c2e4556f53a7a782063b31331dbf7" +SRCREV = "d348621ca93571343a56862df7de4ff3bc9b5667" S = "${WORKDIR}/git" -- 2.25.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
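Review bot: in the cjson_1.7.15.bb hunk the context line SRC_URI = "git://github.com/DaveGamble/cJSON.git" still fetches over the unauthenticated git:// transport and names no branch, so the pinned SRCREV is the only integrity control on this fetch. The SRCREV pin itself is fine; consider adding ;protocol=https and a branch= parameter in the same change, and state in the commit message that d348621ca93571343a56862df7de4ff3bc9b5667 is the commit of the 1.7.15 release tag, since the hunk alone does not link the hash to the version in the file name.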
* [hardknott 3/9] krb5: fix CVE-2021-36222 2021-09-15 13:55 [hardknott 0/9] Patch review Sept 15th Armin Kuster 2021-09-15 13:55 ` [hardknott 1/9] wireshark: upgrade 3.4.7 -> 3.4.8 Armin Kuster 2021-09-15 13:55 ` [hardknott 2/9] cjson: upgrade 1.7.14 -> 1.7.15 Armin Kuster @ 2021-09-15 13:55 ` Armin Kuster 2021-09-15 13:55 ` [hardknott 4/9] cryptsetup: upgrade 2.3.5 -> 2.3.6 Armin Kuster ` (5 subsequent siblings) 8 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2021-09-15 13:55 UTC (permalink / raw) To: openembedded-devel From: Yi Zhao <yi.zhao@windriver.com> CVE-2021-36222: ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation. References: https://nvd.nist.gov/vuln/detail/CVE-2021-36222 Patches from: https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 620badcbf8a59fbd2cdda6ab01c4ffba1c3ee327) Signed-off-by: Armin Kuster <akuster808@gmail.com> --- .../krb5/krb5/CVE-2021-36222.patch | 121 ++++++++++++++++++ .../recipes-connectivity/krb5/krb5_1.17.2.bb | 1 + 2 files changed, 122 insertions(+) create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch diff --git a/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch new file mode 100644 index 0000000000..fee6e64c15 --- /dev/null +++ b/meta-oe/recipes-connectivity/krb5/krb5/CVE-2021-36222.patch 
@@ -0,0 +1,121 @@ +From fc98f520caefff2e5ee9a0026fdf5109944b3562 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 7 Jul 2021 11:47:44 +1200 +Subject: [PATCH] Fix KDC null deref on bad encrypted challenge + +The function ec_verify() in src/kdc/kdc_preauth_ec.c contains a check +to avoid further processing if the armor key is NULL. However, this +check is bypassed by a call to k5memdup0() which overwrites retval +with 0 if the allocation succeeds. If the armor key is NULL, a call +to krb5_c_fx_cf2_simple() will then dereference it, resulting in a +crash. Add a check before the k5memdup0() call to avoid overwriting +retval. + +CVE-2021-36222: + +In MIT krb5 releases 1.16 and later, an unauthenticated attacker can +cause a null dereference in the KDC by sending a request containing a +PA-ENCRYPTED-CHALLENGE padata element without using FAST. + +[ghudson@mit.edu: trimmed patch; added test case; edited commit +message] + +ticket: 9007 (new) +tags: pullup +target_version: 1.19-next +target_version: 1.18-next + +CVE: CVE-2021-36222 + +Upstream-Status: Backport +[https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + src/kdc/kdc_preauth_ec.c | 3 ++- + src/tests/Makefile.in | 1 + + src/tests/t_cve-2021-36222.py | 46 +++++++++++++++++++++++++++++++++++ + 3 files changed, 49 insertions(+), 1 deletion(-) + create mode 100644 src/tests/t_cve-2021-36222.py + +diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c +index 7e636b3f9..43a9902cc 100644 +--- a/src/kdc/kdc_preauth_ec.c ++++ b/src/kdc/kdc_preauth_ec.c +@@ -87,7 +87,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + } + + /* Check for a configured FAST ec auth indicator. 
*/ +- realmstr = k5memdup0(realm.data, realm.length, &retval); ++ if (retval == 0) ++ realmstr = k5memdup0(realm.data, realm.length, &retval); + if (realmstr != NULL) + retval = profile_get_string(context->profile, KRB5_CONF_REALMS, + realmstr, +diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in +index fc6fcc0c3..1a1938306 100644 +--- a/src/tests/Makefile.in ++++ b/src/tests/Makefile.in +@@ -166,6 +166,7 @@ check-pytests: unlockiter s4u2self + $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_cve-2013-1417.py $(PYTESTFLAGS) ++ $(RUNPYTEST) $(srcdir)/t_cve-2021-36222.py $(PYTESTFLAGS) + $(RM) au.log + $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \ +diff --git a/src/tests/t_cve-2021-36222.py b/src/tests/t_cve-2021-36222.py +new file mode 100644 +index 000000000..57e04993b +--- /dev/null ++++ b/src/tests/t_cve-2021-36222.py +@@ -0,0 +1,46 @@ ++import socket ++from k5test import * ++ ++realm = K5Realm() ++ ++# CVE-2021-36222 KDC null dereference on encrypted challenge preauth ++# without FAST ++ ++s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) ++a = (hostname, realm.portbase) ++ ++m = ('6A81A0' '30819D' # [APPLICATION 10] SEQUENCE ++ 'A103' '0201' '05' # [1] pvno = 5 ++ 'A203' '0201' '0A' # [2] msg-type = 10 ++ 'A30E' '300C' # [3] padata = SEQUENCE OF ++ '300A' # SEQUENCE ++ 'A104' '0202' '008A' # [1] padata-type = PA-ENCRYPTED-CHALLENGE ++ 'A202' '0400' # [2] padata-value = "" ++ 'A48180' '307E' # [4] req-body = SEQUENCE ++ 'A007' '0305' '0000000000' # [0] kdc-options = 0 ++ 'A120' '301E' # [1] cname = SEQUENCE ++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL ++ 'A117' '3015' # [1] name-string = SEQUENCE-OF ++ '1B06' '6B7262746774' # krbtgt ++ '1B0B' '4B5242544553542E434F4D' ++ # KRBTEST.COM ++ 'A20D' '1B0B' '4B5242544553542E434F4D' ++ # [2] realm = KRBTEST.COM ++ 'A320' '301E' # [3] sname = 
SEQUENCE ++ 'A003' '0201' '01' # [0] name-type = NT-PRINCIPAL ++ 'A117' '3015' # [1] name-string = SEQUENCE-OF ++ '1B06' '6B7262746774' # krbtgt ++ '1B0B' '4B5242544553542E434F4D' ++ # KRBTEST.COM ++ 'A511' '180F' '31393934303631303036303331375A' ++ # [5] till = 19940610060317Z ++ 'A703' '0201' '00' # [7] nonce = 0 ++ 'A808' '3006' # [8] etype = SEQUENCE OF ++ '020112' '020111') # aes256-cts aes128-cts ++ ++s.sendto(bytes.fromhex(m), a) ++ ++# Make sure kinit still works. ++realm.kinit(realm.user_princ, password('user')) ++ ++success('CVE-2021-36222 regression test') +-- +2.25.1 + diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb index 29bcb48b15..e6d9e3d627 100644 --- a/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.17.2.bb @@ -30,6 +30,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}.tar.gz \ file://etc/default/krb5-admin-server \ file://krb5-kdc.service \ file://krb5-admin-server.service \ + file://CVE-2021-36222.patch;striplevel=2 \ " SRC_URI[md5sum] = "aa4337fffa3b61f22dbd0167f708818f" SRC_URI[sha256sum] = "1a4bba94df92f6d39a197a10687653e8bfbc9a2076e129f6eb92766974f86134" -- 2.25.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
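Review bot: in the ec_verify() hunk of the embedded patch, the new "if (retval == 0)" guard means realmstr is no longer assigned on the error path, yet the following line still tests "if (realmstr != NULL)". The fix is only sound if realmstr is initialised to NULL at its declaration, which lies outside the lines shown; please confirm that against the 1.17.2 source this recipe builds, given that the upstream commit lists target_version 1.19-next and 1.18-next only. The recipe hunk applies the file with striplevel=2, so it is also worth checking in do_patch output that all three paths (src/kdc/kdc_preauth_ec.c, src/tests/Makefile.in, src/tests/t_cve-2021-36222.py) apply cleanly to that tree.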
* [hardknott 4/9] cryptsetup: upgrade 2.3.5 -> 2.3.6 2021-09-15 13:55 [hardknott 0/9] Patch review Sept 15th Armin Kuster ` (2 preceding siblings ...) 2021-09-15 13:55 ` [hardknott 3/9] krb5: fix CVE-2021-36222 Armin Kuster @ 2021-09-15 13:55 ` Armin Kuster 2021-09-15 13:55 ` [hardknott 5/9] cryptsetup: Only recommend kernel modules when building for target Armin Kuster ` (4 subsequent siblings) 8 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2021-09-15 13:55 UTC (permalink / raw) To: openembedded-devel From: zangrc <zangrc.fnst@fujitsu.com> Signed-off-by: Zang Ruochen <zangrc.fnst@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 056d0892f0e2d1eb30029dbe9810b0800e87e634) [Bugz fix only update] Signed-off-by: Armin Kuster <akuster808@gmail.com> --- .../cryptsetup/{cryptsetup_2.3.5.bb => cryptsetup_2.3.6.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-oe/recipes-crypto/cryptsetup/{cryptsetup_2.3.5.bb => cryptsetup_2.3.6.bb} (96%) diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.5.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb similarity index 96% rename from meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.5.bb rename to meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb index 0da9a26e83..562ac83fb1 100644 --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.5.bb +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb 
@@ -21,8 +21,8 @@ RDEPENDS_${PN} = " \ " SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz" -SRC_URI[md5sum] = "408620e0df577ec04108ec0bc2b91dee" -SRC_URI[sha256sum] = "ced9946f444d132536daf92fc8aca4277638a3c2d96e20540b2bae4d36fd70c1" +SRC_URI[md5sum] = "504d1ab22cbc4d1a59a8d8c7ee5ed3bf" +SRC_URI[sha256sum] = "b296b7a21ea576c2b180611ccb19d06aec8dddaedf7c704b0c6a81210c25635f" inherit autotools gettext pkgconfig -- 2.25.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
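Review bot: the cryptsetup_2.3.6.bb hunk keeps updating SRC_URI[md5sum] next to SRC_URI[sha256sum]; MD5 adds no integrity assurance over the SHA-256 value and is one more line to get wrong on every upgrade. Suggest dropping the md5sum line and keeping only the sha256sum. The message "[Bugz fix only update]" would also be easier to audit on a stable branch with a link to the upstream 2.3.6 release notes.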
* [hardknott 5/9] cryptsetup: Only recommend kernel modules when building for target 2021-09-15 13:55 [hardknott 0/9] Patch review Sept 15th Armin Kuster ` (3 preceding siblings ...) 2021-09-15 13:55 ` [hardknott 4/9] cryptsetup: upgrade 2.3.5 -> 2.3.6 Armin Kuster @ 2021-09-15 13:55 ` Armin Kuster 2021-09-15 13:55 ` [hardknott 6/9] cryptsetup: Add runtime dependency on lvm2-udevrules for udev Armin Kuster ` (3 subsequent siblings) 8 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2021-09-15 13:55 UTC (permalink / raw) To: openembedded-devel From: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Otherwise cryptsetup-native depends on the target kernel and thus the target compiler, as can be seen by: $ bitbake -g cryptsetup-native $ grep 'cryptsetup.*linux-yocto' task-depends.dot "cryptsetup-native.do_build" -> "linux-yocto.do_deploy" "cryptsetup-native.do_build" -> "linux-yocto.do_package_write_rpm" "cryptsetup-native.do_populate_sysroot" -> "linux-yocto.do_populate_sysroot" $ grep 'linux-yocto.*gcc-cross' task-depends.dot "linux-yocto.do_kernel_configme" -> "gcc-cross-x86_64.do_populate_sysroot" "linux-yocto.do_prepare_recipe_sysroot" -> "gcc-cross-x86_64.do_populate_sysroot" This also moves the runtime dependencies to near the end of the recipe, which is more customary. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 497602b4840720e8351ecf961ac6f85103093750) Signed-off-by: Armin Kuster <akuster808@gmail.com> --- .../cryptsetup/cryptsetup_2.3.6.bb | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb index 562ac83fb1..9e83b90eab 100644 --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb 
@@ -16,10 +16,6 @@ DEPENDS = " \ util-linux-libuuid \ " -RDEPENDS_${PN} = " \ - libdevmapper \ -" - SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz" SRC_URI[md5sum] = "504d1ab22cbc4d1a59a8d8c7ee5ed3bf" SRC_URI[sha256sum] = "b296b7a21ea576c2b180611ccb19d06aec8dddaedf7c704b0c6a81210c25635f" @@ -71,14 +67,6 @@ PACKAGECONFIG[kernel] = "--with-crypto_backend=kernel" PACKAGECONFIG[nettle] = "--with-crypto_backend=nettle,,nettle" PACKAGECONFIG[luks2] = "--with-default-luks-format=LUKS2,--with-default-luks-format=LUKS1" -RRECOMMENDS_${PN} = "kernel-module-aes-generic \ - kernel-module-dm-crypt \ - kernel-module-md5 \ - kernel-module-cbc \ - kernel-module-sha256-generic \ - kernel-module-xts \ -" - EXTRA_OECONF = "--enable-static" # Building without largefile is not supported by upstream EXTRA_OECONF += "--enable-largefile" @@ -89,4 +77,17 @@ EXTRA_OECONF += "--disable-libargon2" FILES_${PN} += "${@bb.utils.contains('DISTRO_FEATURES','systemd','${exec_prefix}/lib/tmpfiles.d/cryptsetup.conf', '', d)}" +RDEPENDS_${PN} = " \ + libdevmapper \ +" + +RRECOMMENDS_${PN}_class-target = " \ + kernel-module-aes-generic \ + kernel-module-dm-crypt \ + kernel-module-md5 \ + kernel-module-cbc \ + kernel-module-sha256-generic \ + kernel-module-xts \ +" + BBCLASSEXTEND = "native nativesdk" -- 2.25.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
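Review bot: across the three hunks of this cryptsetup_2.3.6.bb change, the only behavioural difference is the new _class-target override on RRECOMMENDS_${PN}; the RDEPENDS_${PN} block is removed at the top and re-added unchanged at the bottom. Mixing the reorder with the functional change makes the stable-branch diff harder to audit (13 insertions, 12 deletions for a one-token change). Since this is a cherry-pick it probably has to stay as upstream wrote it, but a line in the message stating that RDEPENDS_${PN} is moved without modification and that native and nativesdk intentionally get no kernel-module recommendations would help reviewers.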
* [hardknott 6/9] cryptsetup: Add runtime dependency on lvm2-udevrules for udev 2021-09-15 13:55 [hardknott 0/9] Patch review Sept 15th Armin Kuster ` (4 preceding siblings ...) 2021-09-15 13:55 ` [hardknott 5/9] cryptsetup: Only recommend kernel modules when building for target Armin Kuster @ 2021-09-15 13:55 ` Armin Kuster 2022-02-16 21:06 ` [oe] " Denys Dmytriyenko [not found] ` <16D4603D6225FDBC.28890@lists.openembedded.org> 2021-09-15 13:55 ` [hardknott 7/9] redis: fix CVE-2021-32761 Armin Kuster ` (2 subsequent siblings) 8 siblings, 2 replies; 12+ messages in thread From: Armin Kuster @ 2021-09-15 13:55 UTC (permalink / raw) To: openembedded-devel From: Kristian Klausen <kristian@klausen.dk> Without the udevrules cryptsetup luksOpen will be hanging with "Udev cookie 0xd4de0f6 (semid 5) waiting for zero". Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 60b33e376b2331cd20950f0745336397790d2201) Signed-off-by: Armin Kuster <akuster808@gmail.com> --- meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb index 9e83b90eab..498f333810 100644 --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb 
@@ -50,7 +50,7 @@ PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup" PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt" PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup" PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux" -PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev" +PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules" PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto" # gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't # recognized. -- 2.25.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
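Review bot: in the PACKAGECONFIG[udev] line, lvm2-udevrules is added to the fourth field (runtime dependencies) with nothing in the recipe saying why a cryptsetup option needs a package from lvm2. Please add a comment above the line carrying the symptom from the commit message (luksOpen hanging on "Udev cookie ... waiting for zero") so the dependency is not dropped in a later cleanup. The message also has a From: line for the author but no Signed-off-by from them; worth checking whether that was lost in the cherry-pick.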
* Re: [oe] [hardknott 6/9] cryptsetup: Add runtime dependency on lvm2-udevrules for udev 2021-09-15 13:55 ` [hardknott 6/9] cryptsetup: Add runtime dependency on lvm2-udevrules for udev Armin Kuster @ 2022-02-16 21:06 ` Denys Dmytriyenko [not found] ` <16D4603D6225FDBC.28890@lists.openembedded.org> 1 sibling, 0 replies; 12+ messages in thread From: Denys Dmytriyenko @ 2022-02-16 21:06 UTC (permalink / raw) To: Armin Kuster; +Cc: openembedded-devel Can we also get this backported to Dunfell please? Do you want me to submit a separate patch for this to happen? Thanks! On Wed, Sep 15, 2021 at 06:55:17AM -0700, Armin Kuster wrote: > From: Kristian Klausen <kristian@klausen.dk> > > Without the udevrules cryptsetup luksOpen will be hanging with "Udev > cookie 0xd4de0f6 (semid 5) waiting for zero". > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > (cherry picked from commit 60b33e376b2331cd20950f0745336397790d2201) > Signed-off-by: Armin Kuster <akuster808@gmail.com> > --- > meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb > index 9e83b90eab..498f333810 100644 > --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb > +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb 
> @@ -50,7 +50,7 @@ PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup" > PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt" > PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup" > PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux" > -PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev" > +PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules" > PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto" > # gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't > # recognized. > -- > 2.25.1 > -- Regards, Denys Dmytriyenko <denis@denix.org> PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964 Fingerprint: 25FC E4A5 8A72 2F69 1186 6D76 4209 0272 9A92 C964 ^ permalink raw reply [flat|nested] 12+ messages in thread
[parent not found: <16D4603D6225FDBC.28890@lists.openembedded.org>]
* Re: [oe] [hardknott 6/9] cryptsetup: Add runtime dependency on lvm2-udevrules for udev [not found] ` <16D4603D6225FDBC.28890@lists.openembedded.org> @ 2022-02-22 17:55 ` Denys Dmytriyenko 0 siblings, 0 replies; 12+ messages in thread From: Denys Dmytriyenko @ 2022-02-22 17:55 UTC (permalink / raw) To: Armin Kuster; +Cc: openembedded-devel Armin, Ping. Just wanted to check if you saw this and if it got into your queue for Dunfell. Thanks! On Wed, Feb 16, 2022 at 04:06:16PM -0500, Denys Dmytriyenko wrote: > Can we also get this backported to Dunfell please? > Do you want me to submit a separate patch for this to happen? > Thanks! > > > On Wed, Sep 15, 2021 at 06:55:17AM -0700, Armin Kuster wrote: > > From: Kristian Klausen <kristian@klausen.dk> > > > > Without the udevrules cryptsetup luksOpen will be hanging with "Udev > > cookie 0xd4de0f6 (semid 5) waiting for zero". > > > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > > (cherry picked from commit 60b33e376b2331cd20950f0745336397790d2201) > > Signed-off-by: Armin Kuster <akuster808@gmail.com> > > --- > > meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb > > index 9e83b90eab..498f333810 100644 > > --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb > > +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.6.bb 
> > @@ -50,7 +50,7 @@ PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup" > > PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt" > > PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup" > > PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux" > > -PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev" > > +PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules" > > PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto" > > # gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't > > # recognized. > > -- > > 2.25.1 > > -- Regards, Denys Dmytriyenko <denis@denix.org> PGP: 0x420902729A92C964 - https://denix.org/0x420902729A92C964 Fingerprint: 25FC E4A5 8A72 2F69 1186 6D76 4209 0272 9A92 C964 ^ permalink raw reply [flat|nested] 12+ messages in thread
* [hardknott 7/9] redis: fix CVE-2021-32761 2021-09-15 13:55 [hardknott 0/9] Patch review Sept 15th Armin Kuster ` (5 preceding siblings ...) 2021-09-15 13:55 ` [hardknott 6/9] cryptsetup: Add runtime dependency on lvm2-udevrules for udev Armin Kuster @ 2021-09-15 13:55 ` Armin Kuster 2021-09-15 13:55 ` [hardknott 8/9] vboxguestdrivers: Remove __divmoddi4 patch Armin Kuster 2021-09-15 13:55 ` [hardknott 9/9] c-ares: fix CVE-2021-3672 Armin Kuster 8 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2021-09-15 13:55 UTC (permalink / raw) To: openembedded-devel From: Joe Slater <joe.slater@windriver.com> Backport from version 6.2.5. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> --- .../redis/redis/CVE-2021-32761.patch | 257 ++++++++++++++++++ meta-oe/recipes-extended/redis/redis_6.2.2.bb | 1 + 2 files changed, 258 insertions(+) create mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2021-32761.patch diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2021-32761.patch b/meta-oe/recipes-extended/redis/redis/CVE-2021-32761.patch new file mode 100644 index 0000000000..14992b789a --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/CVE-2021-32761.patch 
@@ -0,0 +1,257 @@ +From 835d15b5360e277e6f95529c4d8685946a977ddd Mon Sep 17 00:00:00 2001 +From: Huang Zhw <huang_zhw@126.com> +Date: Wed, 21 Jul 2021 21:25:19 +0800 +Subject: [PATCH 1/1] On 32 bit platform, the bit position of + GETBIT/SETBIT/BITFIELD/BITCOUNT,BITPOS may overflow (see CVE-2021-32761) + (#9191) + +GETBIT, SETBIT may access wrong address because of wrap. +BITCOUNT and BITPOS may return wrapped results. +BITFIELD may access the wrong address but also allocate insufficient memory and segfault (see CVE-2021-32761). + +This commit uses `uint64_t` or `long long` instead of `size_t`. +related https://github.com/redis/redis/pull/8096 + +At 32bit platform: +> setbit bit 4294967295 1 +(integer) 0 +> config set proto-max-bulk-len 536870913 +OK +> append bit "\xFF" +(integer) 536870913 +> getbit bit 4294967296 +(integer) 0 + +When the bit index is larger than 4294967295, size_t can't hold bit index. In the past, `proto-max-bulk-len` is limit to 536870912, so there is no problem. + +After this commit, bit position is stored in `uint64_t` or `long long`. So when `proto-max-bulk-len > 536870912`, 32bit platforms can still be correct. + +For 64bit platform, this problem still exists. The major reason is bit pos 8 times of byte pos. When proto-max-bulk-len is very larger, bit pos may overflow. +But at 64bit platform, we don't have so long string. So this bug may never happen. + +Additionally this commit add a test cost `512MB` memory which is tag as `large-memory`. Make freebsd ci and valgrind ci ignore this test. 
+ +(cherry picked from commit 71d452876ebf8456afaadd6b3c27988abadd1148)d +--- + +CVE: CVE-2021-32761 + +Upstream-Status: Backport [835d15b5360e277e6f95529c4d8685946a977ddd] + https://github.com/redis/redis.git + +Signed-off-by: Joe Slater <joe.slater@windriver.com> + +--- + .github/workflows/daily.yml | 6 +++--- + src/bitops.c | 32 ++++++++++++++++---------------- + src/server.h | 2 +- + tests/unit/bitops.tcl | 28 ++++++++++++++++++++++++++++ + 4 files changed, 48 insertions(+), 20 deletions(-) + +diff --git a/.github/workflows/daily.yml b/.github/workflows/daily.yml +index 9e4630e29..432971a9d 100644 +--- a/.github/workflows/daily.yml ++++ b/.github/workflows/daily.yml +@@ -151,7 +151,7 @@ jobs: + run: | + sudo apt-get update + sudo apt-get install tcl8.6 valgrind -y +- ./runtest --valgrind --verbose --clients 1 --dump-logs ++ ./runtest --valgrind --verbose --clients 1 --tags -large-memory --dump-logs + - name: module api test + run: ./runtest-moduleapi --valgrind --no-latency --verbose --clients 1 + - name: unittest +@@ -171,7 +171,7 @@ jobs: + run: | + sudo apt-get update + sudo apt-get install tcl8.6 valgrind -y +- ./runtest --valgrind --verbose --clients 1 --dump-logs ++ ./runtest --valgrind --verbose --clients 1 --tags -large-memory --dump-logs + - name: module api test + run: ./runtest-moduleapi --valgrind --no-latency --verbose --clients 1 + +@@ -260,7 +260,7 @@ jobs: + prepare: pkg install -y bash gmake lang/tcl86 + run: > + gmake && +- ./runtest --accurate --verbose --no-latency --dump-logs && ++ ./runtest --accurate --verbose --no-latency --tags -large-memory --dump-logs && + MAKE=gmake ./runtest-moduleapi --verbose && + ./runtest-sentinel && + ./runtest-cluster +diff --git a/src/bitops.c b/src/bitops.c +index afd79ad88..f1c563a41 100644 +--- a/src/bitops.c ++++ b/src/bitops.c +@@ -37,8 +37,8 @@ + /* Count number of bits set in the binary array pointed by 's' and long + * 'count' bytes. 
The implementation of this function is required to + * work with an input string length up to 512 MB or more (server.proto_max_bulk_len) */ +-size_t redisPopcount(void *s, long count) { +- size_t bits = 0; ++long long redisPopcount(void *s, long count) { ++ long long bits = 0; + unsigned char *p = s; + uint32_t *p4; + static const unsigned char bitsinbyte[256] = {0,1,1,2,1,2,2,3,1,2,2,3,2,3,3,4,1,2,2,3,2,3,3,4,2,3,3,4,3,4,4,5,1,2,2,3,2,3,3,4,2,3,3,4,3,4,4,5,2,3,3,4,3,4,4,5,3,4,4,5,4,5,5,6,1,2,2,3,2,3,3,4,2,3,3,4,3,4,4,5,2,3,3,4,3,4,4,5,3,4,4,5,4,5,5,6,2,3,3,4,3,4,4,5,3,4,4,5,4,5,5,6,3,4,4,5,4,5,5,6,4,5,5,6,5,6,6,7,1,2,2,3,2,3,3,4,2,3,3,4,3,4,4,5,2,3,3,4,3,4,4,5,3,4,4,5,4,5,5,6,2,3,3,4,3,4,4,5,3,4,4,5,4,5,5,6,3,4,4,5,4,5,5,6,4,5,5,6,5,6,6,7,2,3,3,4,3,4,4,5,3,4,4,5,4,5,5,6,3,4,4,5,4,5,5,6,4,5,5,6,5,6,6,7,3,4,4,5,4,5,5,6,4,5,5,6,5,6,6,7,4,5,5,6,5,6,6,7,5,6,6,7,6,7,7,8}; +@@ -98,11 +98,11 @@ size_t redisPopcount(void *s, long count) { + * no zero bit is found, it returns count*8 assuming the string is zero + * padded on the right. However if 'bit' is 1 it is possible that there is + * not a single set bit in the bitmap. In this special case -1 is returned. */ +-long redisBitpos(void *s, unsigned long count, int bit) { ++long long redisBitpos(void *s, unsigned long count, int bit) { + unsigned long *l; + unsigned char *c; + unsigned long skipval, word = 0, one; +- long pos = 0; /* Position of bit, to return to the caller. */ ++ long long pos = 0; /* Position of bit, to return to the caller. */ + unsigned long j; + int found; + +@@ -410,7 +410,7 @@ void printBits(unsigned char *p, unsigned long count) { + * If the 'hash' argument is true, and 'bits is positive, then the command + * will also parse bit offsets prefixed by "#". In such a case the offset + * is multiplied by 'bits'. This is useful for the BITFIELD command. 
*/ +-int getBitOffsetFromArgument(client *c, robj *o, size_t *offset, int hash, int bits) { ++int getBitOffsetFromArgument(client *c, robj *o, uint64_t *offset, int hash, int bits) { + long long loffset; + char *err = "bit offset is not an integer or out of range"; + char *p = o->ptr; +@@ -435,7 +435,7 @@ int getBitOffsetFromArgument(client *c, robj *o, size_t *offset, int hash, int b + return C_ERR; + } + +- *offset = (size_t)loffset; ++ *offset = loffset; + return C_OK; + } + +@@ -477,7 +477,7 @@ int getBitfieldTypeFromArgument(client *c, robj *o, int *sign, int *bits) { + * so that the 'maxbit' bit can be addressed. The object is finally + * returned. Otherwise if the key holds a wrong type NULL is returned and + * an error is sent to the client. */ +-robj *lookupStringForBitCommand(client *c, size_t maxbit) { ++robj *lookupStringForBitCommand(client *c, uint64_t maxbit) { + size_t byte = maxbit >> 3; + robj *o = lookupKeyWrite(c->db,c->argv[1]); + if (checkType(c,o,OBJ_STRING)) return NULL; +@@ -527,7 +527,7 @@ unsigned char *getObjectReadOnlyString(robj *o, long *len, char *llbuf) { + void setbitCommand(client *c) { + robj *o; + char *err = "bit is not an integer or out of range"; +- size_t bitoffset; ++ uint64_t bitoffset; + ssize_t byte, bit; + int byteval, bitval; + long on; +@@ -566,7 +566,7 @@ void setbitCommand(client *c) { + void getbitCommand(client *c) { + robj *o; + char llbuf[32]; +- size_t bitoffset; ++ uint64_t bitoffset; + size_t byte, bit; + size_t bitval = 0; + +@@ -888,7 +888,7 @@ void bitposCommand(client *c) { + addReplyLongLong(c, -1); + } else { + long bytes = end-start+1; +- long pos = redisBitpos(p+start,bytes,bit); ++ long long pos = redisBitpos(p+start,bytes,bit); + + /* If we are looking for clear bits, and the user specified an exact + * range with start-end, we can't consider the right of the range as +@@ -897,11 +897,11 @@ void bitposCommand(client *c) { + * So if redisBitpos() returns the first bit outside the range, + * we return 
-1 to the caller, to mean, in the specified range there + * is not a single "0" bit. */ +- if (end_given && bit == 0 && pos == bytes*8) { ++ if (end_given && bit == 0 && pos == (long long)bytes<<3) { + addReplyLongLong(c,-1); + return; + } +- if (pos != -1) pos += start*8; /* Adjust for the bytes we skipped. */ ++ if (pos != -1) pos += (long long)start<<3; /* Adjust for the bytes we skipped. */ + addReplyLongLong(c,pos); + } + } +@@ -933,12 +933,12 @@ struct bitfieldOp { + * GET subcommand is allowed, other subcommands will return an error. */ + void bitfieldGeneric(client *c, int flags) { + robj *o; +- size_t bitoffset; ++ uint64_t bitoffset; + int j, numops = 0, changes = 0; + struct bitfieldOp *ops = NULL; /* Array of ops to execute at end. */ + int owtype = BFOVERFLOW_WRAP; /* Overflow type. */ + int readonly = 1; +- size_t highest_write_offset = 0; ++ uint64_t highest_write_offset = 0; + + for (j = 2; j < c->argc; j++) { + int remargs = c->argc-j-1; /* Remaining args other than current. */ +@@ -1128,9 +1128,9 @@ void bitfieldGeneric(client *c, int flags) { + * object boundaries. 
*/ + memset(buf,0,9); + int i; +- size_t byte = thisop->offset >> 3; ++ uint64_t byte = thisop->offset >> 3; + for (i = 0; i < 9; i++) { +- if (src == NULL || i+byte >= (size_t)strlen) break; ++ if (src == NULL || i+byte >= (uint64_t)strlen) break; + buf[i] = src[i+byte]; + } + +diff --git a/src/server.h b/src/server.h +index 67541fe60..caf9df31c 100644 +--- a/src/server.h ++++ b/src/server.h +@@ -1795,7 +1795,7 @@ void getRandomHexChars(char *p, size_t len); + void getRandomBytes(unsigned char *p, size_t len); + uint64_t crc64(uint64_t crc, const unsigned char *s, uint64_t l); + void exitFromChild(int retcode); +-size_t redisPopcount(void *s, long count); ++long long redisPopcount(void *s, long count); + int redisSetProcTitle(char *title); + int validateProcTitleTemplate(const char *template); + int redisCommunicateSystemd(const char *sd_notify_msg); +diff --git a/tests/unit/bitops.tcl b/tests/unit/bitops.tcl +index 926f38295..534832974 100644 +--- a/tests/unit/bitops.tcl ++++ b/tests/unit/bitops.tcl +@@ -349,3 +349,31 @@ start_server {tags {"bitops"}} { + } + } + } ++ ++start_server {tags {"bitops large-memory"}} { ++ test "BIT pos larger than UINT_MAX" { ++ set bytes [expr (1 << 29) + 1] ++ set bitpos [expr (1 << 32)] ++ set oldval [lindex [r config get proto-max-bulk-len] 1] ++ r config set proto-max-bulk-len $bytes ++ r setbit mykey $bitpos 1 ++ assert_equal $bytes [r strlen mykey] ++ assert_equal 1 [r getbit mykey $bitpos] ++ assert_equal [list 128 128 -1] [r bitfield mykey get u8 $bitpos set u8 $bitpos 255 get i8 $bitpos] ++ assert_equal $bitpos [r bitpos mykey 1] ++ assert_equal $bitpos [r bitpos mykey 1 [expr $bytes - 1]] ++ if {$::accurate} { ++ # set all bits to 1 ++ set mega [expr (1 << 23)] ++ set part [string repeat "\xFF" $mega] ++ for {set i 0} {$i < 64} {incr i} { ++ r setrange mykey [expr $i * $mega] $part ++ } ++ r setrange mykey [expr $bytes - 1] "\xFF" ++ assert_equal [expr $bitpos + 8] [r bitcount mykey] ++ assert_equal -1 [r bitpos mykey 0 0 
[expr $bytes - 1]] ++ } ++ r config set proto-max-bulk-len $oldval ++ r del mykey ++ } {1} ++} +-- +2.24.1 + diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-oe/recipes-extended/redis/redis_6.2.2.bb index a9e6eaffaa..ad675e9e04 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb @@ -19,6 +19,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://fix-CVE-2021-29477.patch \ file://fix-CVE-2021-29478.patch \ file://fix-CVE-2021-32625.patch \ + file://CVE-2021-32761.patch \ " SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535" -- 2.25.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
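Review bot: in the src/bitops.c hunks the bit offset is widened to uint64_t, but several byte indexes derived from it keep pointer-width types: the context line `size_t byte = maxbit >> 3;` in lookupStringForBitCommand(), `ssize_t byte, bit;` in setbitCommand() and `size_t byte, bit;` in getbitCommand(). On a 32-bit target these narrow the 64-bit offset again, so the fix depends on getBitOffsetFromArgument() rejecting any offset whose byte index does not fit before those assignments run, and that range check lies outside the visible context. Please confirm the check is present in the 6.2.2 source this patch is applied to, or say so in the patch header, since 32-bit builds are exactly where size_t and uint64_t differ.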
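Review bot: the cherry-pick line in the embedded patch header ends with a stray character, `(cherry picked from commit 71d452876ebf8456afaadd6b3c27988abadd1148)d`; drop the trailing `d`. The header also carries a second hash in `Upstream-Status: Backport [835d15b5360e277e6f95529c4d8685946a977ddd]`, and a short note on how the two commits relate would help whoever next refreshes this patch. The .github/workflows/daily.yml hunks only add `--tags -large-memory` to upstream CI invocations and do not affect the built package, so consider dropping them from the backport to reduce the chance of it failing to apply on a later recipe bump.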
* [hardknott 8/9] vboxguestdrivers: Remove __divmoddi4 patch 2021-09-15 13:55 [hardknott 0/9] Patch review Sept 15th Armin Kuster ` (6 preceding siblings ...) 2021-09-15 13:55 ` [hardknott 7/9] redis: fix CVE-2021-32761 Armin Kuster @ 2021-09-15 13:55 ` Armin Kuster 2021-09-15 13:55 ` [hardknott 9/9] c-ares: fix CVE-2021-3672 Armin Kuster 8 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2021-09-15 13:55 UTC (permalink / raw) To: openembedded-devel From: Khem Raj <raj.khem@gmail.com> This function has been added upstream as well, therefore the patch is no longer needed Signed-off-by: Khem Raj <raj.khem@gmail.com> Cc: Gianfranco Costamagna <locutusofborg@debian.org> (cherry picked from commit 552269da69d3c7d366ca3ad7340de715f06005a5) Signed-off-by: Armin Kuster <akuster808@gmail.com> --- .../vboxguestdrivers/add__divmoddi4.patch | 36 ------------------- .../vboxguestdrivers_6.1.26.bb | 1 - 2 files changed, 37 deletions(-) delete mode 100644 meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/add__divmoddi4.patch diff --git a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/add__divmoddi4.patch b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/add__divmoddi4.patch deleted file mode 100644 index 8dd30a20ef..0000000000 --- a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers/add__divmoddi4.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -add __divmoddi4 builtin - -GCC 11 will generate it in code - -void foo(unsigned char *u8Second, unsigned int *u32Nanosecond, long long timeSpec) -{ - long long i64Div; - int i32Div; - int i32Rem; - i64Div = timeSpec; - i32Rem = (int)(i64Div % 1000000000); - i64Div /= 1000000000; - *u32Nanosecond = i32Rem; - i32Rem = (int)(i64Div % 60); - *u8Second = i32Rem; -} - - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> - ---- a/src/VBox/Runtime/common/math/gcc/divdi3.c -+++ b/src/VBox/Runtime/common/math/gcc/divdi3.c -@@ -68,3 +68,12 @@ __divdi3(a, b) - uq = - uq; - return uq; - } -+ -+quad_t -+__divmoddi4(quad_t a, quad_t b, quad_t* rem) -+{ -+ quad_t d = __divdi3(a,b); -+ *rem = a - (d*b); -+ return d; -+} -+ diff --git a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.26.bb b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.26.bb index 1b2fb44036..d1e42a4d7a 100644 --- a/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.26.bb +++ b/meta-oe/recipes-support/vboxguestdrivers/vboxguestdrivers_6.1.26.bb @@ -13,7 +13,6 @@ VBOX_NAME = "VirtualBox-${PV}" SRC_URI = "http://download.virtualbox.org/virtualbox/${PV}/${VBOX_NAME}.tar.bz2 \ file://Makefile.utils \ - file://add__divmoddi4.patch \ " SRC_URI[md5sum] = "fce04bbef244b4df1a50e53d132d3e6f" -- 2.25.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
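Review bot: the commit message says the function "has been added upstream as well" but not in which VirtualBox release, while the recipe touched here is vboxguestdrivers_6.1.26.bb. Please name the upstream version or changeset that introduced __divmoddi4 so it can be checked that 6.1.26 contains it; if it does not, removing `file://add__divmoddi4.patch` from SRC_URI brings back the problem the deleted patch was written for (GCC 11 generating calls to __divmoddi4). The deleted patch was marked `Upstream-Status: Pending`, so the message is the only place this is recorded.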
* [hardknott 9/9] c-ares: fix CVE-2021-3672 2021-09-15 13:55 [hardknott 0/9] Patch review Sept 15th Armin Kuster ` (7 preceding siblings ...) 2021-09-15 13:55 ` [hardknott 8/9] vboxguestdrivers: Remove __divmoddi4 patch Armin Kuster @ 2021-09-15 13:55 ` Armin Kuster 8 siblings, 0 replies; 12+ messages in thread From: Armin Kuster @ 2021-09-15 13:55 UTC (permalink / raw) To: openembedded-devel From: Changqing Li <changqing.li@windriver.com> Refer: https://c-ares.org/adv_20210810.html https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83 https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14 Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> --- .../c-ares/c-ares/0001-CVE-2021-3672.patch | 91 +++++++++++++++ .../c-ares/c-ares/0002-CVE-2021-3672.patch | 104 ++++++++++++++++++ .../recipes-support/c-ares/c-ares_1.16.1.bb | 2 + 3 files changed, 197 insertions(+) create mode 100644 meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch create mode 100644 meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch diff --git a/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch b/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch new file mode 100644 index 0000000000..93afb838fb --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/0001-CVE-2021-3672.patch 
@@ -0,0 +1,91 @@ +From 13363ab0eb3f5a3223571d073888816bd3e650f9 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Tue, 14 Sep 2021 13:49:11 +0800 +Subject: [PATCH 1/2] ares_expand_name() should escape more characters + +RFC1035 5.1 specifies some reserved characters and escaping sequences +that are allowed to be specified. Expand the list of reserved characters +and also escape non-printable characters using the \DDD format as +specified in the RFC. + +Bug Reported By: philipp.jeitner@sit.fraunhofer.de +Fix By: Brad House (@bradh352) + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/362f91d807d293791008cdb7616d40f7784ece83] +CVE: CVE-2021-3672 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + ares_expand_name.c | 41 ++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 38 insertions(+), 3 deletions(-) + +diff --git a/ares_expand_name.c b/ares_expand_name.c +index 3a38e67..8604543 100644 +--- a/ares_expand_name.c ++++ b/ares_expand_name.c +@@ -38,6 +38,26 @@ + static int name_length(const unsigned char *encoded, const unsigned char *abuf, + int alen); + ++/* Reserved characters for names that need to be escaped */ ++static int is_reservedch(int ch) ++{ ++ switch (ch) { ++ case '"': ++ case '.': ++ case ';': ++ case '\\': ++ case '(': ++ case ')': ++ case '@': ++ case '$': ++ return 1; ++ default: ++ break; ++ } ++ ++ return 0; ++} ++ + /* Expand an RFC1035-encoded domain name given by encoded. The + * containing message is given by abuf and alen. The result given by + * *s, which is set to a NUL-terminated allocated buffer. *enclen is +@@ -117,9 +137,18 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, + p++; + while (len--) + { +- if (*p == '.' 
|| *p == '\\') ++ if (!isprint(*p)) { ++ /* Output as \DDD for consistency with RFC1035 5.1 */ ++ *q++ = '\\'; ++ *q++ = '0' + *p / 100; ++ *q++ = '0' + (*p % 100) / 10; ++ *q++ = '0' + (*p % 10); ++ } else if (is_reservedch(*p)) { + *q++ = '\\'; +- *q++ = *p; ++ *q++ = *p; ++ } else { ++ *q++ = *p; ++ } + p++; + } + *q++ = '.'; +@@ -177,7 +206,13 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, + encoded++; + while (offset--) + { +- n += (*encoded == '.' || *encoded == '\\') ? 2 : 1; ++ if (!isprint(*encoded)) { ++ n += 4; ++ } else if (is_reservedch(*encoded)) { ++ n += 2; ++ } else { ++ n += 1; ++ } + encoded++; + } + n++; +-- +2.17.1 + diff --git a/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch b/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch new file mode 100644 index 0000000000..e3b32f5fef --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/0002-CVE-2021-3672.patch 
@@ -0,0 +1,104 @@ +From 446225e54b4f23c08a07968433b39d62ed65afd1 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Tue, 14 Sep 2021 13:59:28 +0800 +Subject: [PATCH 2/2] ares_expand_name(): fix formatting and handling of root + name response + +Fixes issue introduced in prior commit with formatting and handling +of parsing a root name response which should not be escaped. + +Fix By: Brad House + +Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/44c009b8e62ea1929de68e3f438181bea469ec14] +CVE: CVE-2021-3672 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + ares_expand_name.c | 56 +++++++++++++++++++++++++++++----------------- + 1 file changed, 35 insertions(+), 21 deletions(-) + +diff --git a/ares_expand_name.c b/ares_expand_name.c +index 8604543..af0c2e8 100644 +--- a/ares_expand_name.c ++++ b/ares_expand_name.c +@@ -133,22 +133,30 @@ int ares_expand_name(const unsigned char *encoded, const unsigned char *abuf, + } + else + { +- len = *p; ++ int name_len = *p; ++ len = name_len; + p++; + while (len--) + { +- if (!isprint(*p)) { +- /* Output as \DDD for consistency with RFC1035 5.1 */ +- *q++ = '\\'; +- *q++ = '0' + *p / 100; +- *q++ = '0' + (*p % 100) / 10; +- *q++ = '0' + (*p % 10); +- } else if (is_reservedch(*p)) { +- *q++ = '\\'; +- *q++ = *p; +- } else { +- *q++ = *p; +- } ++ /* Output as \DDD for consistency with RFC1035 5.1, except ++ * for the special case of a root name response */ ++ if (!isprint(*p) && !(name_len == 1 && *p == 0)) ++ { ++ ++ *q++ = '\\'; ++ *q++ = '0' + *p / 100; ++ *q++ = '0' + (*p % 100) / 10; ++ *q++ = '0' + (*p % 10); ++ } ++ else if (is_reservedch(*p)) ++ { ++ *q++ = '\\'; ++ *q++ = *p; ++ } ++ else ++ { ++ *q++ = *p; ++ } + p++; + } + *q++ = '.'; +@@ -200,19 +208,25 @@ static int name_length(const unsigned char *encoded, const unsigned char *abuf, + } + else if (top == 0x00) + { +- offset = *encoded; ++ int name_len = *encoded; ++ offset = name_len; + if (encoded + 
offset + 1 >= abuf + alen) + return -1; + encoded++; + while (offset--) + { +- if (!isprint(*encoded)) { +- n += 4; +- } else if (is_reservedch(*encoded)) { +- n += 2; +- } else { +- n += 1; +- } ++ if (!isprint(*encoded) && !(name_len == 1 && *encoded == 0)) ++ { ++ n += 4; ++ } ++ else if (is_reservedch(*encoded)) ++ { ++ n += 2; ++ } ++ else ++ { ++ n += 1; ++ } + encoded++; + } + n++; +-- +2.17.1 + diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb index 67dd701807..afcc1cc4b8 100644 --- a/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb +++ b/meta-oe/recipes-support/c-ares/c-ares_1.16.1.bb @@ -11,6 +11,8 @@ SRC_URI = "\ git://github.com/c-ares/c-ares.git \ file://cmake-install-libcares.pc.patch \ file://0001-fix-configure-error-mv-libcares.pc.cmakein-to-libcar.patch \ + file://0001-CVE-2021-3672.patch \ + file://0002-CVE-2021-3672.patch \ " SRCREV = "74a1426ba60e2cd7977e53a22ef839c87415066e" -- 2.25.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
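Review bot: in 0001-CVE-2021-3672.patch both ares_expand_name() and name_length() now call isprint(), but none of the three hunks adds an include of <ctype.h>; please confirm the file already gets it through an existing header. isprint() is also locale-dependent, so whether bytes of 0x80 and above are escaped as \DDD depends on the process locale; an explicit range test (0x20 to 0x7E) would make the escaping deterministic. Whatever predicate is used has to stay identical in the two functions, because name_length() computes the size that ares_expand_name() then fills (4 bytes for \DDD, 2 for an escaped reserved character, 1 otherwise).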
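Review bot: in 0002-CVE-2021-3672.patch the root-name exception `!(name_len == 1 && *p == 0)` matches any one-byte label whose byte is 0, in whichever label of the name it occurs, not only a root name response. For such a label is_reservedch() is false, so the final `else` branch copies the 0 byte unescaped into a result that the function comment describes as a NUL-terminated buffer, and callers using string functions will see the name end at that point. Please check whether the condition can be narrowed to the actual root-name case, or document in the patch header why a match elsewhere in the name is acceptable. The same condition is mirrored in name_length() (1 byte instead of 4), so the length accounting itself stays consistent.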
Thread overview: 12+ messages
2021-09-15 13:55 [hardknott 0/9] Patch review Sept 15th Armin Kuster
2021-09-15 13:55 ` [hardknott 1/9] wireshark: upgrade 3.4.7 -> 3.4.8 Armin Kuster
2021-09-15 13:55 ` [hardknott 2/9] cjson: upgrade 1.7.14 -> 1.7.15 Armin Kuster
2021-09-15 13:55 ` [hardknott 3/9] krb5: fix CVE-2021-36222 Armin Kuster
2021-09-15 13:55 ` [hardknott 4/9] cryptsetup: upgrade 2.3.5 -> 2.3.6 Armin Kuster
2021-09-15 13:55 ` [hardknott 5/9] cryptsetup: Only recommend kernel modules when building for target Armin Kuster
2021-09-15 13:55 ` [hardknott 6/9] cryptsetup: Add runtime dependency on lvm2-udevrules for udev Armin Kuster
2022-02-16 21:06 ` [oe] " Denys Dmytriyenko
[not found] ` <16D4603D6225FDBC.28890@lists.openembedded.org>
2022-02-22 17:55 ` Denys Dmytriyenko
2021-09-15 13:55 ` [hardknott 7/9] redis: fix CVE-2021-32761 Armin Kuster
2021-09-15 13:55 ` [hardknott 8/9] vboxguestdrivers: Remove __divmoddi4 patch Armin Kuster
2021-09-15 13:55 ` [hardknott 9/9] c-ares: fix CVE-2021-3672 Armin Kuster