* [dunfell 1/5] strongswan: Add fix of CVE-2021-45079
2022-02-26 15:41 [dunfell 0/5] Patch review Feb 26th Armin Kuster
@ 2022-02-26 15:41 ` Armin Kuster
2022-02-26 15:41 ` [dunfell 2/5] nss: Add fix for CVE-2022-22747 Armin Kuster
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2022-02-26 15:41 UTC (permalink / raw)
To: openembedded-devel
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Add a patch to fix CVE-2021-45079
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../strongswan/files/CVE-2021-45079.patch | 156 ++++++++++++++++++
.../strongswan/strongswan_5.8.4.bb | 1 +
2 files changed, 157 insertions(+)
create mode 100644 meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch
diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch
new file mode 100644
index 0000000000..97aa6a0efc
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch
@@ -0,0 +1,156 @@
+From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 14 Dec 2021 10:51:35 +0100
+Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails
+
+Without this, the authentication succeeded if the server sent an early
+EAP-Success message for mutual, key-generating EAP methods like EAP-TLS,
+which may be used in EAP-only scenarios but would complete without server
+or client authentication. For clients configured for such EAP-only
+scenarios, a rogue server could capture traffic after the tunnel is
+established or even access hosts behind the client. For non-mutual EAP
+methods, public key server authentication has been enforced for a while.
+
+A server previously could also crash a client by sending an EAP-Success
+immediately without initiating an actual EAP method.
+
+Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK")
+Fixes: CVE-2021-45079
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-45079/strongswan-5.5.0-5.9.4_eap_success.patch]
+CVE: CVE-2021-45079
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +-
+ src/libcharon/plugins/eap_md5/eap_md5.c | 2 +-
+ src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++-
+ src/libcharon/sa/eap/eap_method.h | 8 ++++-
+ .../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++---
+ 5 files changed, 40 insertions(+), 8 deletions(-)
+
+diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c
+index 95ba090b79ce..cffb6222c2f8 100644
+--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c
++++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c
+@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_t,
+ METHOD(eap_method_t, get_msk, status_t,
+ private_eap_gtc_t *this, chunk_t *msk)
+ {
+- return FAILED;
++ return NOT_SUPPORTED;
+ }
+
+ METHOD(eap_method_t, get_identifier, uint8_t,
+diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c
+index ab5f7ff6a823..3a92ad7c0a04 100644
+--- a/src/libcharon/plugins/eap_md5/eap_md5.c
++++ b/src/libcharon/plugins/eap_md5/eap_md5.c
+@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_t,
+ METHOD(eap_method_t, get_msk, status_t,
+ private_eap_md5_t *this, chunk_t *msk)
+ {
+- return FAILED;
++ return NOT_SUPPORTED;
+ }
+
+ METHOD(eap_method_t, is_mutual, bool,
+diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c
+index 2dc7a423e702..5336dead13d9 100644
+--- a/src/libcharon/plugins/eap_radius/eap_radius.c
++++ b/src/libcharon/plugins/eap_radius/eap_radius.c
+@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t,
+ *out = msk;
+ return SUCCESS;
+ }
+- return FAILED;
++ /* we assume the selected method did not establish an MSK, if it failed
++ * to establish one, process() would have failed */
++ return NOT_SUPPORTED;
+ }
+
+ METHOD(eap_method_t, get_identifier, uint8_t,
+diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h
+index 0b5218dfec15..33564831f86e 100644
+--- a/src/libcharon/sa/eap/eap_method.h
++++ b/src/libcharon/sa/eap/eap_method.h
+@@ -114,10 +114,16 @@ struct eap_method_t {
+ * Not all EAP methods establish a shared secret. For implementations of
+ * the EAP-Identity method, get_msk() returns the received identity.
+ *
++ * @note Returning NOT_SUPPORTED is important for implementations of EAP
++ * methods that don't establish an MSK. In particular as client because
++ * key-generating EAP methods MUST fail to process EAP-Success messages if
++ * no MSK is established.
++ *
+ * @param msk chunk receiving internal stored MSK
+ * @return
+- * - SUCCESS, or
++ * - SUCCESS, if MSK is established
+ * - FAILED, if MSK not established (yet)
++ * - NOT_SUPPORTED, for non-MSK-establishing methods
+ */
+ status_t (*get_msk) (eap_method_t *this, chunk_t *msk);
+
+diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+index e1e6cd7ee6f3..87548fc471a6 100644
+--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
++++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
+ this->method->destroy(this->method);
+ return server_initiate_eap(this, FALSE);
+ }
+- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
++ switch (this->method->get_msk(this->method, &this->msk))
+ {
+- this->msk = chunk_clone(this->msk);
++ case SUCCESS:
++ this->msk = chunk_clone(this->msk);
++ break;
++ case NOT_SUPPORTED:
++ break;
++ case FAILED:
++ default:
++ DBG1(DBG_IKE, "failed to establish MSK");
++ goto failure;
+ }
+ if (vendor)
+ {
+@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
+ return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
+ case FAILED:
+ default:
++failure:
+ /* type might have changed for virtual methods */
+ type = this->method->get_type(this->method, &vendor);
+ if (vendor)
+@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client, status_t,
+ uint32_t vendor;
+ auth_cfg_t *cfg;
+
+- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
++ if (!this->method)
+ {
+- this->msk = chunk_clone(this->msk);
++ DBG1(DBG_IKE, "received unexpected %N",
++ eap_code_names, eap_payload->get_code(eap_payload));
++ return FAILED;
++ }
++ switch (this->method->get_msk(this->method, &this->msk))
++ {
++ case SUCCESS:
++ this->msk = chunk_clone(this->msk);
++ break;
++ case NOT_SUPPORTED:
++ break;
++ case FAILED:
++ default:
++ DBG1(DBG_IKE, "received %N but failed to establish MSK",
++ eap_code_names, eap_payload->get_code(eap_payload));
++ return FAILED;
+ }
+ type = this->method->get_type(this->method, &vendor);
+ if (vendor)
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
index b45b8074c4..8a5855fb87 100644
--- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
+++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \
file://0001-Remove-obsolete-setting-regarding-the-Standard-Outpu.patch \
file://CVE-2021-41990.patch \
file://CVE-2021-41991.patch \
+ file://CVE-2021-45079.patch \
"
SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29"
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [dunfell 2/5] nss: Add fix for CVE-2022-22747
2022-02-26 15:41 [dunfell 0/5] Patch review Feb 26th Armin Kuster
2022-02-26 15:41 ` [dunfell 1/5] strongswan: Add fix of CVE-2021-45079 Armin Kuster
@ 2022-02-26 15:41 ` Armin Kuster
2022-02-26 15:41 ` [dunfell 3/5] graphviz: native: create /usr/lib/graphviz/config6 in populate_sysroot Armin Kuster
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2022-02-26 15:41 UTC (permalink / raw)
To: openembedded-devel
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Add a patch to fix CVE-2022-22747
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../nss/nss/CVE-2022-22747.patch | 63 +++++++++++++++++++
meta-oe/recipes-support/nss/nss_3.51.1.bb | 1 +
2 files changed, 64 insertions(+)
create mode 100644 meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch
diff --git a/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch
new file mode 100644
index 0000000000..cccb73187d
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch
@@ -0,0 +1,63 @@
+# HG changeset patch
+# User John M. Schanck <jschanck@mozilla.com>
+# Date 1633990165 0
+# Node ID 7ff99e71f3e37faed12bc3cc90a3eed27e3418d0
+# Parent f80fafd04cf82b4d315c8fe42bb4639703f6ee4f
+Bug 1735028 - check for missing signedData field r=keeler
+
+Differential Revision: https://phabricator.services.mozilla.com/D128112
+
+Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/raw-rev/7ff99e71f3e37faed12bc3cc90a3eed27e3418d0]
+CVE: CVE-2022-22747
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+diff --git a/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
+--- a/nss/gtests/certdb_gtest/decode_certs_unittest.cc
++++ b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
+@@ -21,8 +21,21 @@ TEST_F(DecodeCertsTest, EmptyCertPackage
+ unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
+ 0x05, 0xa0, 0x02, 0x30, 0x00};
+ EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage(
+ reinterpret_cast<char*>(emptyCertPackage),
+ sizeof(emptyCertPackage)));
+ EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
+ }
++
++TEST_F(DecodeCertsTest, EmptySignedData) {
++ // This represents a PKCS#7 ContentInfo of contentType
++ // 1.2.840.113549.1.7.2 (signedData) with missing content.
++ unsigned char emptySignedData[] = {0x30, 0x80, 0x06, 0x09, 0x2a, 0x86,
++ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
++ 0x02, 0x00, 0x00, 0x05, 0x00};
++
++ EXPECT_EQ(nullptr,
++ CERT_DecodeCertFromPackage(reinterpret_cast<char*>(emptySignedData),
++ sizeof(emptySignedData)));
++ EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
++}
+diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c
+--- a/nss/lib/pkcs7/certread.c
++++ b/nss/lib/pkcs7/certread.c
+@@ -134,16 +134,21 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, C
+ pkcs7Item) != SECSuccess) {
+ goto done;
+ }
+
+ if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) {
+ goto done;
+ }
+
++ if (contentInfo.content.signedData == NULL) {
++ PORT_SetError(SEC_ERROR_BAD_DER);
++ goto done;
++ }
++
+ rv = SECSuccess;
+
+ certs = contentInfo.content.signedData->certificates;
+ if (certs) {
+ count = 0;
+
+ while (*certs) {
+ count++;
diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb
index f03473b1a0..8b59f7ea8f 100644
--- a/meta-oe/recipes-support/nss/nss_3.51.1.bb
+++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
file://CVE-2020-12403_1.patch \
file://CVE-2020-12403_2.patch \
file://CVE-2021-43527.patch \
+ file://CVE-2022-22747.patch \
"
SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [dunfell 3/5] graphviz: native: create /usr/lib/graphviz/config6 in populate_sysroot
2022-02-26 15:41 [dunfell 0/5] Patch review Feb 26th Armin Kuster
2022-02-26 15:41 ` [dunfell 1/5] strongswan: Add fix of CVE-2021-45079 Armin Kuster
2022-02-26 15:41 ` [dunfell 2/5] nss: Add fix for CVE-2022-22747 Armin Kuster
@ 2022-02-26 15:41 ` Armin Kuster
2022-02-26 15:41 ` [dunfell 4/5] cryptsetup: Add runtime dependency on lvm2-udevrules for udev Armin Kuster
2022-02-26 15:41 ` [dunfell 5/5] protobuf: Fix CVE-2021-22570 Armin Kuster
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2022-02-26 15:41 UTC (permalink / raw)
To: openembedded-devel
From: Christian Eggers <ceggers@arri.de>
The `dot` tool requires to be run once after installation in order to
create its configuration file.
The do_prepare_recipe_sysroot task uses do_populate_sysroot in order to
prepare the recipe-sysroot-native. Package postinstall scripts are not
executed for -native packages, but files under ${BINDIR}/postinst-* are.
This is quite the same as graphviz-setup.sh does for nativesdk. The
general idea has been taken from
OECORE/meta/classes/pixbufcache.bbclass.
Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb
index 81ab86c762..72e2f5cc7a 100644
--- a/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb
+++ b/meta-oe/recipes-graphics/graphviz/graphviz_2.40.1.bb
@@ -55,6 +55,17 @@ do_install_append_class-native() {
install -m755 ${B}/lib/gvpr/mkdefs ${D}${bindir}
}
+# create /usr/lib/graphviz/config6
+graphviz_sstate_postinst() {
+ mkdir -p ${SYSROOT_DESTDIR}${bindir}
+ dest=${SYSROOT_DESTDIR}${bindir}/postinst-${PN}
+ echo '#!/bin/sh' > $dest
+ echo '' >> $dest
+ echo 'dot -c' >> $dest
+ chmod 0755 $dest
+}
+SYSROOT_PREPROCESS_FUNCS_append_class-native = " graphviz_sstate_postinst"
+
PACKAGES =+ "${PN}-python ${PN}-perl ${PN}-demo"
FILES_${PN}-python += "${libdir}/python*/site-packages/ ${libdir}/graphviz/python/"
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [dunfell 4/5] cryptsetup: Add runtime dependency on lvm2-udevrules for udev
2022-02-26 15:41 [dunfell 0/5] Patch review Feb 26th Armin Kuster
` (2 preceding siblings ...)
2022-02-26 15:41 ` [dunfell 3/5] graphviz: native: create /usr/lib/graphviz/config6 in populate_sysroot Armin Kuster
@ 2022-02-26 15:41 ` Armin Kuster
2022-02-26 15:41 ` [dunfell 5/5] protobuf: Fix CVE-2021-22570 Armin Kuster
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2022-02-26 15:41 UTC (permalink / raw)
To: openembedded-devel
From: Kristian Klausen <kristian@klausen.dk>
Without the udevrules cryptsetup luksOpen will be hanging with "Udev
cookie 0xd4de0f6 (semid 5) waiting for zero".
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 60b33e376b2331cd20950f0745336397790d2201)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 32f1d758a14bba35d67a75778ae747f1ff5c5482)
[Minor fixup for Dunfell]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb
index b9668eb099..3c1c8b0beb 100644
--- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb
+++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb
@@ -54,7 +54,7 @@ PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup"
PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt"
PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup"
PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
-PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev"
+PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules"
PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto"
# gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't
# recognized.
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread* [dunfell 5/5] protobuf: Fix CVE-2021-22570
2022-02-26 15:41 [dunfell 0/5] Patch review Feb 26th Armin Kuster
` (3 preceding siblings ...)
2022-02-26 15:41 ` [dunfell 4/5] cryptsetup: Add runtime dependency on lvm2-udevrules for udev Armin Kuster
@ 2022-02-26 15:41 ` Armin Kuster
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2022-02-26 15:41 UTC (permalink / raw)
To: openembedded-devel
From: Sana Kazi <sanakazisk19@gmail.com>
Fix CVE-2021-22570.
Link: https://koji.fedoraproject.org/koji/buildinfo?buildID=1916865
Link: https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch
Remove first and second hunk because the second argument in
InsertIfNotPresent() function is of type const char* const& but the
first and second hunk makes the type of second argument as const string
which is not compatible with the type of second argument in
InsertIfNotPresent().
Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../protobuf/protobuf/CVE-2021-22570.patch | 64 +++++++++++++++++++
.../protobuf/protobuf_3.11.4.bb | 1 +
2 files changed, 65 insertions(+)
create mode 100644 meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
new file mode 100644
index 0000000000..be3180181a
--- /dev/null
+++ b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch
@@ -0,0 +1,64 @@
+CVE: CVE-2021-22570
+Upstream-Status: Backport [https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch]
+Comment: Removed first and second hunk
+Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
+
+diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc
+index 7af37c57f3..03c4e2b516 100644
+--- a/src/google/protobuf/descriptor.cc
++++ b/src/google/protobuf/descriptor.cc
+@@ -2626,6 +2626,8 @@ void Descriptor::DebugString(int depth, std::string* contents,
+ const Descriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start + 1) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end > FieldDescriptor::kMaxNumber) {
++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+ range->end - 1);
+@@ -2829,6 +2831,8 @@ void EnumDescriptor::DebugString(
+ const EnumDescriptor::ReservedRange* range = reserved_range(i);
+ if (range->end == range->start) {
+ strings::SubstituteAndAppend(contents, "$0, ", range->start);
++ } else if (range->end == INT_MAX) {
++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
+ } else {
+ strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
+ range->end);
+@@ -4019,6 +4023,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+ // Use its file as the parent instead.
+ if (parent == nullptr) parent = file_;
+
++ if (full_name.find('\0') != std::string::npos) {
++ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + full_name + "\" contains null character.");
++ return false;
++ }
+ if (tables_->AddSymbol(full_name, symbol)) {
+ if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) {
+ // This is only possible if there was already an error adding something of
+@@ -4059,6 +4068,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
+ void DescriptorBuilder::AddPackage(const std::string& name,
+ const Message& proto,
+ const FileDescriptor* file) {
++ if (name.find('\0') != std::string::npos) {
++ AddError(name, proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + name + "\" contains null character.");
++ return;
++ }
+ if (tables_->AddSymbol(name, Symbol(file))) {
+ // Success. Also add parent package, if any.
+ std::string::size_type dot_pos = name.find_last_of('.');
+@@ -4372,6 +4386,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl(
+ }
+ result->pool_ = pool_;
+
++ if (result->name().find('\0') != std::string::npos) {
++ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME,
++ "\"" + result->name() + "\" contains null character.");
++ return nullptr;
++ }
++
+ // Add to tables.
+ if (!tables_->AddFile(result)) {
+ AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER,
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
index d2f22ba6b8..55d56ff08e 100644
--- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
+++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x;protocol=https \
file://0001-protobuf-fix-configure-error.patch \
file://0001-Makefile.am-include-descriptor.cc-when-building-libp.patch \
file://0001-examples-Makefile-respect-CXX-LDFLAGS-variables-fix-.patch \
+ file://CVE-2021-22570.patch \
"
S = "${WORKDIR}/git"
--
2.25.1
^ permalink raw reply related [flat|nested] 6+ messages in thread