* [OE-core][kirkstone 0/9] Patch review
@ 2022-05-23 13:59 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-05-23 13:59 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by end
of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3692
The following changes since commit ec9e9497730f0a9c8ad3d696c8cdcec06267aacf:
base-passwd: Disable shell for default users (2022-05-16 13:59:44 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (1):
mmc-utils: upgrade to latest revision
Claudius Heine (1):
classes: rootfs-postcommands: add skip option to overlayfs_qa_check
Marta Rybczynska (1):
cve-check: Fix report generation
Richard Purdie (2):
staging: Fix rare sysroot corruption issue
selftest/imagefeatures/overlayfs: Always append to DISTRO_FEATURES
Robert Joslyn (1):
curl: Backport CVE fixes
Samuli Piippo (1):
binutils: Bump to latest 2.38 release branch
Steve Sakoman (1):
python3: fix reproducibility issue with python3-core
wangmy (1):
librepo: upgrade 1.14.2 -> 1.14.3
meta/classes/cve-check.bbclass | 18 +-
meta/classes/rootfs-postcommands.bbclass | 10 +-
meta/classes/staging.bbclass | 24 +
meta/lib/oeqa/selftest/cases/imagefeatures.py | 2 +-
meta/lib/oeqa/selftest/cases/overlayfs.py | 36 +-
.../binutils/binutils-2.38.inc | 2 +-
.../{librepo_1.14.2.bb => librepo_1.14.3.bb} | 2 +-
meta/recipes-devtools/mmc/mmc-utils_git.bb | 2 +-
.../recipes-devtools/python/python3_3.10.4.bb | 5 +
.../curl/curl/CVE-2022-22576.patch | 145 ++++++
.../curl/curl/CVE-2022-27774-1.patch | 45 ++
.../curl/curl/CVE-2022-27774-2.patch | 80 +++
.../curl/curl/CVE-2022-27774-3.patch | 83 ++++
.../curl/curl/CVE-2022-27774-4.patch | 35 ++
.../curl/curl/CVE-2022-27775.patch | 37 ++
.../curl/curl/CVE-2022-27776.patch | 115 +++++
.../curl/curl/CVE-2022-27779.patch | 42 ++
.../curl/curl/CVE-2022-27780.patch | 33 ++
.../curl/curl/CVE-2022-27781.patch | 43 ++
.../curl/curl/CVE-2022-27782-1.patch | 458 ++++++++++++++++++
.../curl/curl/CVE-2022-27782-2.patch | 71 +++
.../curl/curl/CVE-2022-30115.patch | 82 ++++
meta/recipes-support/curl/curl_7.82.0.bb | 16 +-
23 files changed, 1362 insertions(+), 24 deletions(-)
rename meta/recipes-devtools/librepo/{librepo_1.14.2.bb => librepo_1.14.3.bb} (94%)
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-22576.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27775.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27776.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27779.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27780.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-30115.patch
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2022-11-13 14:12 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-11-13 14:12 UTC (permalink / raw)
To: openembedded-core
Please review this set of patchesd for kirkstone and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4468
The following changes since commit 0c0723757fbba9a4b88c0f98477a18d1e220da2e:
mirrors.bbclass: use shallow tarball for binutils-native (2022-11-06 06:00:05 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (2):
lttng-modules: upgrade 2.13.4 -> 2.13.5
quilt: backport a patch to address grep 3.8 failures
Hitendra Prajapati (1):
QEMU: CVE-2022-3165 VNC: integer underflow in vnc_client_cut_text_ext
leads to CPU exhaustion
Michael Opdenacker (1):
create-spdx.bbclass: remove unused SPDX_INCLUDE_PACKAGED
Narpat Mali (1):
python3-mako: backport fix for CVE-2022-40023
Ross Burton (3):
pixman: backport fix for CVE-2022-44638
sanity: check for GNU tar specifically
qemu: add io_uring PACKAGECONFIG
ciarancourtney (1):
wic: swap partitions are not added to fstab
meta/classes/create-spdx.bbclass | 2 -
meta/classes/sanity.bbclass | 8 +
.../python/python3-mako/CVE-2022-40023.patch | 119 +++++++++++++++
.../python/python3-mako_1.1.6.bb | 2 +
meta/recipes-devtools/qemu/qemu.inc | 3 +-
.../qemu/qemu/CVE-2022-3165.patch | 61 ++++++++
meta/recipes-devtools/quilt/quilt.inc | 1 +
.../quilt/quilt/fix-grep-3.8.patch | 144 ++++++++++++++++++
.../xorg-lib/pixman/CVE-2022-44638.patch | 33 ++++
.../xorg-lib/pixman_0.40.0.bb | 1 +
.../lttng-modules/0001-fix-compaction.patch | 68 ---------
...c-fix-tracepoint-mm_page_alloc_zone_.patch | 106 -------------
...oduce-kfree_skb_reason-v5.15.58.v5.1.patch | 53 -------
...ags-parameter-from-aops-write_begin-.patch | 76 ---------
...Fix-type-of-cpu-in-trace-event-v5.19.patch | 124 ---------------
...ules_2.13.4.bb => lttng-modules_2.13.5.bb} | 7 +-
scripts/lib/wic/plugins/imager/direct.py | 2 +-
17 files changed, 373 insertions(+), 437 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
create mode 100644 meta/recipes-devtools/quilt/quilt/fix-grep-3.8.patch
create mode 100644 meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-compaction.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-mm-page_alloc-fix-tracepoint-mm_page_alloc_zone_.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0002-fix-fs-Remove-flags-parameter-from-aops-write_begin-.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0003-fix-workqueue-Fix-type-of-cpu-in-trace-event-v5.19.patch
rename meta/recipes-kernel/lttng/{lttng-modules_2.13.4.bb => lttng-modules_2.13.5.bb} (78%)
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2023-01-17 14:08 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4800
The following changes since commit 4760fac939a6204e3cb7dcd3699cd9a2508f9dee:
devtool: process local files only for the main branch (2023-01-12 04:56:26 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bhabu Bindu (1):
qemu: Fix CVE-2022-4144
Daniel Gomez (1):
gtk-icon-cache: Fix GTKIC_CMD if-else condition
KARN JYE LAU (1):
freetype:update mirror site.
Martin Jansa (1):
ffmpeg: refresh patches to apply cleanly
Narpat Mali (3):
python3-setuptools: fix for CVE-2022-40897
python3-wheel: fix for CVE-2022-40898
python3-git: fix for CVE-2022-24439
Yash Shinde (1):
glibc: stable 2.35 branch updates.
Yogita Urade (1):
libksba: fix CVE-2022-47629
meta/classes/gtk-icon-cache.bbclass | 2 +-
meta/recipes-core/glibc/glibc-version.inc | 2 +-
...-git-CVE-2022-24439-fix-from-PR-1518.patch | 97 ++++
...-git-CVE-2022-24439-fix-from-PR-1521.patch | 488 ++++++++++++++++++
.../python/python3-git_3.1.27.bb | 4 +
...-of-whitespace-to-search-backtrack.-.patch | 31 ++
.../python/python3-setuptools_59.5.0.bb | 1 +
...tential-DoS-attack-via-WHEEL_INFO_RE.patch | 32 ++
.../python/python3-wheel_0.37.1.bb | 4 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2022-4144.patch | 99 ++++
.../freetype/freetype_2.11.1.bb | 2 +-
...c-stop-accessing-out-of-bounds-frame.patch | 19 +-
...c-stop-accessing-out-of-bounds-frame.patch | 7 +-
...-vp3-Add-missing-check-for-av_malloc.patch | 12 +-
...overflow-in-the-CRL-signature-parser.patch | 72 +++
meta/recipes-support/libksba/libksba_1.6.2.bb | 3 +-
17 files changed, 848 insertions(+), 28 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
create mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch
create mode 100644 meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch
create mode 100644 meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
create mode 100644 meta/recipes-support/libksba/libksba/0001-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2023-06-20 15:37 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-06-20 15:37 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5492
The following changes since commit 0e17a5a4f0e3301bf78f77bb5ca4aaf3e4dbc7af:
Revert "ipk: Decode byte data to string in manifest handling" (2023-06-17 05:18:44 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (1):
nasm: fix CVE-2022-46457
Bruce Ashfield (1):
kernel: don't force PAHOLE=false
Chen Qi (1):
staging.bbclass: do not add extend_recipe_sysroot to prefuncs of
prepare_recipe_sysroot
Lorenzo Arena (1):
conf: add nice level to the hash config ignred variables
Martin Jansa (1):
go.bbclass: don't use test to check output from ls
Pavel Zhukov (1):
lib/terminal.py: Add urxvt terminal
Ranjitsinh Rathod (1):
kmscube: Correct DEPENDS to avoid overwrite
Thomas Roos (1):
oeqa/selftest/cases/devtool.py: skip all tests require folder a git
repo
Wang Mingyu (1):
iso-codes: upgrade 4.13.0 -> 4.15.0
meta/classes/go.bbclass | 2 +-
meta/classes/kernel.bbclass | 2 +-
meta/classes/staging.bbclass | 2 +-
meta/conf/bitbake.conf | 2 +-
meta/lib/oe/terminal.py | 4 ++
meta/lib/oeqa/selftest/cases/devtool.py | 8 +++
.../nasm/nasm/CVE-2022-46457.patch | 50 +++++++++++++++++++
meta/recipes-devtools/nasm/nasm_2.15.05.bb | 1 +
meta/recipes-graphics/kmscube/kmscube_git.bb | 3 +-
...so-codes_4.13.0.bb => iso-codes_4.15.0.bb} | 2 +-
10 files changed, 69 insertions(+), 7 deletions(-)
create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-46457.patch
rename meta/recipes-support/iso-codes/{iso-codes_4.13.0.bb => iso-codes_4.15.0.bb} (94%)
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2024-03-07 23:37 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-03-07 23:37 UTC (permalink / raw)
To: openembedded-core
Unfortunately this series of linux-yocto version bumps has caused a
number of issues with adding and resizing partitions. The problem was
introduced in 5.15.132 and has not been fixed in any of the subsequent
version bumps.
Bruce and have decided to revert this series until we have an acceptable fix.
Please have any comments back by end of day Monday, March 11.
The following changes since commit e5aae8a371717215a7d78459788ad67dfaefe37e:
golang: Fix CVE-2023-45289 & CVE-2023-45290 (2024-03-07 04:18:33 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Steve Sakoman (9):
Revert "linux-yocto/5.15: update CVE exclusions"
Revert "linux-yocto/5.15: update to v5.15.148"
Revert "linux-yocto/5.15: update CVE exclusions"
Revert "linux-yocto/5.15: update to v5.15.147"
Revert "linux-yocto/5.15: update CVE exclusions"
Revert "linux-yocto/5.15: update to v5.15.146"
Revert "linux-yocto/5.15: update to v5.15.145"
Revert "linux-yocto/5.15: update to v5.15.142"
Revert "linux-yocto/5.15: update to v5.15.141"
.../linux/cve-exclusion_5.15.inc | 372 ++----------------
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +-
4 files changed, 57 insertions(+), 353 deletions(-)
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2024-04-03 3:46 Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 1/9] nghttp2: fix CVE-2023-44487 Steve Sakoman
` (8 more replies)
0 siblings, 9 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:46 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 4
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6758
The following changes since commit 1b5405955c7c2579ed1f52522e2e177d0281fa33:
glibc: Fix subscript typos for get_nscd_addresses (2024-03-19 03:33:32 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Claus Stovgaard (1):
gcc: Backport sanitizer fix for 32-bit ALSR
Colin McAllister (1):
common-licenses: Backport missing license
Lee Chee Yang (2):
xwayland: fix CVE-2023-6816 CVE-2024-0408/0409
tiff: fix CVE-2023-52356 CVE-2023-6277
Meenali Gupta (1):
expat: fix CVE-2023-52425
Tan Wen Yan (1):
python3-urllib3: update to v1.26.18
Vijay Anusuri (2):
curl: backport Debian patch for CVE-2024-2398
qemu: Fix for CVE-2023-6683
aszh07 (1):
nghttp2: fix CVE-2023-44487
.../LGPL-3.0-with-zeromq-exception | 181 ++++
.../expat/expat/CVE-2023-52425-0001.patch | 40 +
.../expat/expat/CVE-2023-52425-0002.patch | 87 ++
.../expat/expat/CVE-2023-52425-0003.patch | 222 +++++
.../expat/expat/CVE-2023-52425-0004.patch | 42 +
.../expat/expat/CVE-2023-52425-0005.patch | 69 ++
.../expat/expat/CVE-2023-52425-0006.patch | 67 ++
.../expat/expat/CVE-2023-52425-0007.patch | 159 +++
.../expat/expat/CVE-2023-52425-0008.patch | 95 ++
.../expat/expat/CVE-2023-52425-0009.patch | 52 +
.../expat/expat/CVE-2023-52425-0010.patch | 111 +++
.../expat/expat/CVE-2023-52425-0011.patch | 89 ++
.../expat/expat/CVE-2023-52425-0012.patch | 87 ++
meta/recipes-core/expat/expat_2.5.0.bb | 12 +
meta/recipes-devtools/gcc/gcc-11.4.inc | 1 +
.../gcc/gcc/0031-gcc-sanitizers-fix.patch | 63 ++
..._1.26.17.bb => python3-urllib3_1.26.18.bb} | 2 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2023-6683.patch | 92 ++
.../xwayland/xwayland/CVE-2023-6816.patch | 57 ++
.../xwayland/xwayland/CVE-2024-0408.patch | 65 ++
.../xwayland/xwayland/CVE-2024-0409.patch | 47 +
.../xwayland/xwayland_22.1.8.bb | 3 +
.../libtiff/tiff/CVE-2023-52356.patch | 54 +
.../libtiff/tiff/CVE-2023-6277-1.patch | 178 ++++
.../libtiff/tiff/CVE-2023-6277-2.patch | 151 +++
.../libtiff/tiff/CVE-2023-6277-3.patch | 46 +
.../libtiff/tiff/CVE-2023-6277-4.patch | 93 ++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 5 +
.../curl/curl/CVE-2024-2398.patch | 89 ++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
.../nghttp2/nghttp2/CVE-2023-44487.patch | 927 ++++++++++++++++++
.../recipes-support/nghttp2/nghttp2_1.47.0.bb | 1 +
33 files changed, 3188 insertions(+), 1 deletion(-)
create mode 100644 meta/files/common-licenses/LGPL-3.0-with-zeromq-exception
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch
create mode 100644 meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch
rename meta/recipes-devtools/python/{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} (86%)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch
create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 1/9] nghttp2: fix CVE-2023-44487
2024-04-03 3:46 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
@ 2024-04-03 3:46 ` Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 2/9] xwayland: fix CVE-2023-6816 CVE-2024-0408/0409 Steve Sakoman
` (7 subsequent siblings)
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:46 UTC (permalink / raw)
To: openembedded-core
From: aszh07 <mail2szahir@gmail.com>
The HTTP/2 protocol allows a denial of service (server resource consumption)
because request cancellation can reset many streams quickly, as exploited in
the wild in August through October 2023.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832
Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../nghttp2/nghttp2/CVE-2023-44487.patch | 927 ++++++++++++++++++
.../recipes-support/nghttp2/nghttp2_1.47.0.bb | 1 +
2 files changed, 928 insertions(+)
create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch
diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch b/meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch
new file mode 100644
index 0000000000..3cba83307c
--- /dev/null
+++ b/meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch
@@ -0,0 +1,927 @@
+From 72b4af6143681f528f1d237b21a9a7aee1738832 Mon Sep 17 00:00:00 2001
+From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
+Date: Sun, 1 Oct 2023 00:05:01 +0900
+Subject: [PATCH] Rework session management
+
+CVE: CVE-2023-44487
+
+Upstream-Status: Backport [https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832]
+
+Signed-off-by: Zahir Hussain zahir.basha@kpit.com
+Signed-off-by: aszh07 <mail2szahir@gmail.com>
+---
+CMakeLists.txt | 4 ++
+cmakeconfig.h.in | 9 +++
+configure.ac | 21 +++++++
+doc/Makefile.am | 1 +
+lib/CMakeLists.txt | 2 +
+lib/Makefile.am | 4 ++
+lib/includes/nghttp2/nghttp2.h | 17 ++++++
+lib/nghttp2_option.c | 7 +++
+lib/nghttp2_ratelim.c | 75 ++++++++++++++++++++++++
+lib/nghttp2_ratelim.h | 57 ++++++++++++++++++
+lib/nghttp2_session.c | 34 ++++++++++-
+lib/nghttp2_session.h | 12 +++-
+lib/nghttp2_time.c | 62 ++++++++++++++++++++
+lib/nghttp2_time.h | 38 ++++++++++++
+tests/nghttp2_ratelim_test.c | 101 ++++++++++++++++++++++++++++++++
+tests/nghttp2_ratelim_test.h | 35 +++++++++++
+tests/nghttp2_session_test.c | 103 +++++++++++++++++++++++++++++++++
+tests/nghttp2_session_test.h | 1 +
+tests/CMakeLists.txt | 1 +
+tests/Makefile.am | 6 +-
+lib/nghttp2_option.h | 6 ++
+tests/main.c | 7 ++-
+22 files changed, 598 insertions(+), 5 deletions(-)
+create mode 100644 lib/nghttp2_ratelim.c
+create mode 100644 lib/nghttp2_ratelim.h
+create mode 100644 lib/nghttp2_time.c
+create mode 100644 lib/nghttp2_time.h
+create mode 100644 tests/nghttp2_ratelim_test.c
+create mode 100644 tests/nghttp2_ratelim_test.h
+
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -262,6 +262,7 @@ check_include_file("netinet/in.h" HAVE
+ check_include_file("pwd.h" HAVE_PWD_H)
+ check_include_file("sys/socket.h" HAVE_SYS_SOCKET_H)
+ check_include_file("sys/time.h" HAVE_SYS_TIME_H)
++check_include_file("sysinfoapi.h" HAVE_SYSINFOAPI_H)
+ check_include_file("syslog.h" HAVE_SYSLOG_H)
+ check_include_file("time.h" HAVE_TIME_H)
+ check_include_file("unistd.h" HAVE_UNISTD_H)
+@@ -302,8 +303,11 @@ check_type_size("time_t" SIZEOF_TIME_T)
+ include(CheckFunctionExists)
+ check_function_exists(_Exit HAVE__EXIT)
+ check_function_exists(accept4 HAVE_ACCEPT4)
++check_function_exists(clock_gettime HAVE_CLOCK_GETTIME)
+ check_function_exists(mkostemp HAVE_MKOSTEMP)
+
++check_symbol_exists(GetTickCount64 sysinfoapi.h HAVE_GETTICKCOUNT64)
++
+ include(CheckSymbolExists)
+ # XXX does this correctly detect initgroups (un)availability on cygwin?
+ check_symbol_exists(initgroups grp.h HAVE_DECL_INITGROUPS)
+--- a/cmakeconfig.h.in
++++ b/cmakeconfig.h.in
+@@ -34,9 +34,15 @@
+ /* Define to 1 if you have the `accept4` function. */
+ #cmakedefine HAVE_ACCEPT4 1
+
++/* Define to 1 if you have the `clock_gettime` function. */
++#cmakedefine HAVE_CLOCK_GETTIME 1
++
+ /* Define to 1 if you have the `mkostemp` function. */
+ #cmakedefine HAVE_MKOSTEMP 1
+
++/* Define to 1 if you have the `GetTickCount64` function. */
++#cmakedefine HAVE_GETTICKCOUNT64 1
++
+ /* Define to 1 if you have the `initgroups` function. */
+ #cmakedefine01 HAVE_DECL_INITGROUPS
+
+@@ -73,6 +79,9 @@
+ /* Define to 1 if you have the <sys/time.h> header file. */
+ #cmakedefine HAVE_SYS_TIME_H 1
+
++/* Define to 1 if you have the <sysinfoapi.h> header file. */
++#cmakedefine HAVE_SYSINFOAPI_H 1
++
+ /* Define to 1 if you have the <syslog.h> header file. */
+ #cmakedefine HAVE_SYSLOG_H 1
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -607,6 +607,7 @@ AC_CHECK_HEADERS([ \
+ string.h \
+ sys/socket.h \
+ sys/time.h \
++ sysinfoapi.h \
+ syslog.h \
+ time.h \
+ unistd.h \
+@@ -681,6 +682,7 @@ AC_FUNC_STRNLEN
+ AC_CHECK_FUNCS([ \
+ _Exit \
+ accept4 \
++ clock_gettime \
+ dup2 \
+ getcwd \
+ getpwnam \
+@@ -706,6 +708,25 @@ AC_CHECK_FUNCS([ \
+ AC_CHECK_FUNC([timerfd_create],
+ [have_timerfd_create=yes], [have_timerfd_create=no])
+
++AC_MSG_CHECKING([checking for GetTickCount64])
++AC_LINK_IFELSE([AC_LANG_PROGRAM(
++[[
++#include <sysinfoapi.h>
++]],
++[[
++GetTickCount64();
++]])],
++[have_gettickcount64=yes],
++[have_gettickcount64=no])
++
++if test "x${have_gettickcount64}" = "xyes"; then
++ AC_MSG_RESULT([yes])
++ AC_DEFINE([HAVE_GETTICKCOUNT64], [1],
++ [Define to 1 if you have `GetTickCount64` function.])
++else
++ AC_MSG_RESULT([no])
++fi
++
+ # For cygwin: we can link initgroups, so AC_CHECK_FUNCS succeeds, but
+ # cygwin disables initgroups due to feature test macro magic with our
+ # configuration. FreeBSD declares initgroups() in unistd.h.
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -69,6 +69,7 @@ APIDOCS= \
+ nghttp2_option_set_user_recv_extension_type.rst \
+ nghttp2_option_set_max_outbound_ack.rst \
+ nghttp2_option_set_max_settings.rst \
++ nghttp2_option_set_stream_reset_rate_limit.rst \
+ nghttp2_pack_settings_payload.rst \
+ nghttp2_priority_spec_check_default.rst \
+ nghttp2_priority_spec_default_init.rst \
+--- a/lib/CMakeLists.txt
++++ b/lib/CMakeLists.txt
+@@ -23,6 +23,8 @@ set(NGHTTP2_SOURCES
+ nghttp2_mem.c
+ nghttp2_http.c
+ nghttp2_rcbuf.c
++ nghttp2_ratelim.c
++ nghttp2_time.c
+ nghttp2_debug.c
+ )
+
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -49,6 +49,8 @@ OBJECTS = nghttp2_pq.c nghttp2_map.c ngh
+ nghttp2_mem.c \
+ nghttp2_http.c \
+ nghttp2_rcbuf.c \
++ nghttp2_ratelim.c \
++ nghttp2_time.c \
+ nghttp2_debug.c
+
+ HFILES = nghttp2_pq.h nghttp2_int.h nghttp2_map.h nghttp2_queue.h \
+@@ -65,6 +67,8 @@ HFILES = nghttp2_pq.h nghttp2_int.h nght
+ nghttp2_mem.h \
+ nghttp2_http.h \
+ nghttp2_rcbuf.h \
++ nghttp2_ratelim.h \
++ nghttp2_time.h \
+ nghttp2_debug.h
+
+ libnghttp2_la_SOURCES = $(HFILES) $(OBJECTS)
+--- a/lib/includes/nghttp2/nghttp2.h
++++ b/lib/includes/nghttp2/nghttp2.h
+@@ -2763,6 +2763,23 @@ nghttp2_session_client_new2(nghttp2_sess
+ /**
+ * @function
+ *
++ * This function sets the rate limit for the incoming stream reset
++ * (RST_STREAM frame). It is server use only. It is a token-bucket
++ * based rate limiter. |burst| specifies the number of tokens that is
++ * initially available. The maximum number of tokens is capped to
++ * this value. |rate| specifies the number of tokens that are
++ * regenerated per second. An incoming RST_STREAM consumes one token.
++ * If there is no token available, GOAWAY is sent to tear down the
++ * connection. |burst| and |rate| default to 1000 and 33
++ * respectively.
++ */
++NGHTTP2_EXTERN void
++nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
++ uint64_t burst, uint64_t rate);
++
++/**
++ * @function
++ *
+ * Like `nghttp2_session_server_new()`, but with additional options
+ * specified in the |option|.
+ *
+--- a/lib/nghttp2_option.c
++++ b/lib/nghttp2_option.c
+@@ -126,3 +126,10 @@ void nghttp2_option_set_max_settings(ngh
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_SETTINGS;
+ option->max_settings = val;
+ }
++
++void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
++ uint64_t burst, uint64_t rate) {
++ option->opt_set_mask |= NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT;
++ option->stream_reset_burst = burst;
++ option->stream_reset_rate = rate;
++}
+--- /dev/null
++++ b/lib/nghttp2_ratelim.c
+@@ -0,0 +1,75 @@
++/*
++ * nghttp2 - HTTP/2 C Library
++ *
++ * Copyright (c) 2023 nghttp2 contributors
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining
++ * a copy of this software and associated documentation files (the
++ * "Software"), to deal in the Software without restriction, including
++ * without limitation the rights to use, copy, modify, merge, publish,
++ * distribute, sublicense, and/or sell copies of the Software, and to
++ * permit persons to whom the Software is furnished to do so, subject to
++ * the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be
++ * included in all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
++ */
++#include "nghttp2_ratelim.h"
++#include "nghttp2_helper.h"
++
++void nghttp2_ratelim_init(nghttp2_ratelim *rl, uint64_t burst, uint64_t rate) {
++ rl->val = rl->burst = burst;
++ rl->rate = rate;
++ rl->tstamp = 0;
++}
++
++void nghttp2_ratelim_update(nghttp2_ratelim *rl, uint64_t tstamp) {
++ uint64_t d, gain;
++
++ if (tstamp == rl->tstamp) {
++ return;
++ }
++
++ if (tstamp > rl->tstamp) {
++ d = tstamp - rl->tstamp;
++ } else {
++ d = 1;
++ }
++
++ rl->tstamp = tstamp;
++
++ if (UINT64_MAX / d < rl->rate) {
++ rl->val = rl->burst;
++
++ return;
++ }
++
++ gain = rl->rate * d;
++
++ if (UINT64_MAX - gain < rl->val) {
++ rl->val = rl->burst;
++
++ return;
++ }
++
++ rl->val += gain;
++ rl->val = nghttp2_min(rl->val, rl->burst);
++}
++
++int nghttp2_ratelim_drain(nghttp2_ratelim *rl, uint64_t n) {
++ if (rl->val < n) {
++ return -1;
++ }
++
++ rl->val -= n;
++
++ return 0;
++}
+--- /dev/null
++++ b/lib/nghttp2_ratelim.h
+@@ -0,0 +1,57 @@
++/*
++ * nghttp2 - HTTP/2 C Library
++ *
++ * Copyright (c) 2023 nghttp2 contributors
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining
++ * a copy of this software and associated documentation files (the
++ * "Software"), to deal in the Software without restriction, including
++ * without limitation the rights to use, copy, modify, merge, publish,
++ * distribute, sublicense, and/or sell copies of the Software, and to
++ * permit persons to whom the Software is furnished to do so, subject to
++ * the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be
++ * included in all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
++ */
++#ifndef NGHTTP2_RATELIM_H
++#define NGHTTP2_RATELIM_H
++
++#ifdef HAVE_CONFIG_H
++# include <config.h>
++#endif /* HAVE_CONFIG_H */
++
++#include <nghttp2/nghttp2.h>
++
++typedef struct nghttp2_ratelim {
++ /* burst is the maximum value of val. */
++ uint64_t burst;
++ /* rate is the amount of value that is regenerated per 1 tstamp. */
++ uint64_t rate;
++ /* val is the amount of value available to drain. */
++ uint64_t val;
++ /* tstamp is the last timestamp in second resolution that is known
++ to this object. */
++ uint64_t tstamp;
++} nghttp2_ratelim;
++
++/* nghttp2_ratelim_init initializes |rl| with the given parameters. */
++void nghttp2_ratelim_init(nghttp2_ratelim *rl, uint64_t burst, uint64_t rate);
++
++/* nghttp2_ratelim_update updates rl->val with the current |tstamp|
++ given in second resolution. */
++void nghttp2_ratelim_update(nghttp2_ratelim *rl, uint64_t tstamp);
++
++/* nghttp2_ratelim_drain drains |n| from rl->val. It returns 0 if it
++ succeeds, or -1. */
++int nghttp2_ratelim_drain(nghttp2_ratelim *rl, uint64_t n);
++
++#endif /* NGHTTP2_RATELIM_H */
+--- a/lib/nghttp2_session.c
++++ b/lib/nghttp2_session.c
+@@ -36,6 +36,7 @@
+ #include "nghttp2_option.h"
+ #include "nghttp2_http.h"
+ #include "nghttp2_pq.h"
++#include "nghttp2_time.h"
+ #include "nghttp2_debug.h"
+
+ /*
+@@ -443,6 +444,10 @@ static int session_new(nghttp2_session *
+ NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS;
+ (*session_ptr)->pending_enable_push = 1;
+
++ nghttp2_ratelim_init(&(*session_ptr)->stream_reset_ratelim,
++ NGHTTP2_DEFAULT_STREAM_RESET_BURST,
++ NGHTTP2_DEFAULT_STREAM_RESET_RATE);
++
+ if (server) {
+ (*session_ptr)->server = 1;
+ }
+@@ -527,6 +532,12 @@ static int session_new(nghttp2_session *
+ option->max_settings) {
+ (*session_ptr)->max_settings = option->max_settings;
+ }
++
++ if (option->opt_set_mask & NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT) {
++ nghttp2_ratelim_init(&(*session_ptr)->stream_reset_ratelim,
++ option->stream_reset_burst,
++ option->stream_reset_rate);
++ }
+ }
+
+ rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
+@@ -4144,6 +4155,23 @@ static int session_process_priority_fram
+ return nghttp2_session_on_priority_received(session, frame);
+ }
+
++static int session_update_stream_reset_ratelim(nghttp2_session *session) {
++ if (!session->server || (session->goaway_flags & NGHTTP2_GOAWAY_SUBMITTED)) {
++ return 0;
++ }
++
++ nghttp2_ratelim_update(&session->stream_reset_ratelim,
++ nghttp2_time_now_sec());
++
++ if (nghttp2_ratelim_drain(&session->stream_reset_ratelim, 1) == 0) {
++ return 0;
++ }
++
++ return nghttp2_session_add_goaway(session, session->last_recv_stream_id,
++ NGHTTP2_INTERNAL_ERROR, NULL, 0,
++ NGHTTP2_GOAWAY_AUX_NONE);
++}
++
+ int nghttp2_session_on_rst_stream_received(nghttp2_session *session,
+ nghttp2_frame *frame) {
+ int rv;
+@@ -4173,7 +4201,8 @@ int nghttp2_session_on_rst_stream_receiv
+ if (nghttp2_is_fatal(rv)) {
+ return rv;
+ }
+- return 0;
++
++ return session_update_stream_reset_ratelim(session);
+ }
+
+ static int session_process_rst_stream_frame(nghttp2_session *session) {
+@@ -6965,6 +6994,9 @@ int nghttp2_session_add_goaway(nghttp2_s
+ nghttp2_mem_free(mem, item);
+ return rv;
+ }
++
++ session->goaway_flags |= NGHTTP2_GOAWAY_SUBMITTED;
++
+ return 0;
+ }
+
+--- a/lib/nghttp2_session.h
++++ b/lib/nghttp2_session.h
+@@ -39,6 +39,7 @@
+ #include "nghttp2_buf.h"
+ #include "nghttp2_callbacks.h"
+ #include "nghttp2_mem.h"
++#include "nghttp2_ratelim.h"
+
+ /* The global variable for tests where we want to disable strict
+ preface handling. */
+@@ -102,6 +103,10 @@ typedef struct {
+ /* The default value of maximum number of concurrent streams. */
+ #define NGHTTP2_DEFAULT_MAX_CONCURRENT_STREAMS 0xffffffffu
+
++/* The default values for stream reset rate limiter. */
++#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
++#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
++
+ /* Internal state when receiving incoming frame */
+ typedef enum {
+ /* Receiving frame header */
+@@ -176,7 +181,9 @@ typedef enum {
+ /* Flag means GOAWAY was sent */
+ NGHTTP2_GOAWAY_SENT = 0x4,
+ /* Flag means GOAWAY was received */
+- NGHTTP2_GOAWAY_RECV = 0x8
++ NGHTTP2_GOAWAY_RECV = 0x8,
++ /* Flag means GOAWAY has been submitted at least once */
++ NGHTTP2_GOAWAY_SUBMITTED = 0x10
+ } nghttp2_goaway_flag;
+
+ /* nghttp2_inflight_settings stores the SETTINGS entries which local
+@@ -230,6 +237,9 @@ struct nghttp2_session {
+ /* Queue of In-flight SETTINGS values. SETTINGS bearing ACK is not
+ considered as in-flight. */
+ nghttp2_inflight_settings *inflight_settings_head;
++ /* Stream reset rate limiter. If receiving excessive amount of
++ stream resets, GOAWAY will be sent. */
++ nghttp2_ratelim stream_reset_ratelim;
+ /* The number of outgoing streams. This will be capped by
+ remote_settings.max_concurrent_streams. */
+ size_t num_outgoing_streams;
+--- /dev/null
++++ b/lib/nghttp2_time.c
+@@ -0,0 +1,62 @@
++/*
++ * nghttp2 - HTTP/2 C Library
++ *
++ * Copyright (c) 2023 nghttp2 contributors
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining
++ * a copy of this software and associated documentation files (the
++ * "Software"), to deal in the Software without restriction, including
++ * without limitation the rights to use, copy, modify, merge, publish,
++ * distribute, sublicense, and/or sell copies of the Software, and to
++ * permit persons to whom the Software is furnished to do so, subject to
++ * the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be
++ * included in all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
++ */
++#include "nghttp2_time.h"
++
++#ifdef HAVE_TIME_H
++# include <time.h>
++#endif /* HAVE_TIME_H */
++
++#ifdef HAVE_SYSINFOAPI_H
++# include <sysinfoapi.h>
++#endif /* HAVE_SYSINFOAPI_H */
++
++#ifndef HAVE_GETTICKCOUNT64
++static uint64_t time_now_sec(void) {
++ time_t t = time(NULL);
++
++ if (t == -1) {
++ return 0;
++ }
++
++ return (uint64_t)t;
++}
++#endif /* HAVE_GETTICKCOUNT64 */
++
++#ifdef HAVE_CLOCK_GETTIME
++uint64_t nghttp2_time_now_sec(void) {
++ struct timespec tp;
++ int rv = clock_gettime(CLOCK_MONOTONIC, &tp);
++
++ if (rv == -1) {
++ return time_now_sec();
++ }
++
++ return (uint64_t)tp.tv_sec;
++}
++#elif defined(HAVE_GETTICKCOUNT64)
++uint64_t nghttp2_time_now_sec(void) { return GetTickCount64() / 1000; }
++#else /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */
++uint64_t nghttp2_time_now_sec(void) { return time_now_sec(); }
++#endif /* !HAVE_CLOCK_GETTIME && !HAVE_GETTICKCOUNT64 */
+--- /dev/null
++++ b/lib/nghttp2_time.h
+@@ -0,0 +1,38 @@
++/*
++ * nghttp2 - HTTP/2 C Library
++ *
++ * Copyright (c) 2023 nghttp2 contributors
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining
++ * a copy of this software and associated documentation files (the
++ * "Software"), to deal in the Software without restriction, including
++ * without limitation the rights to use, copy, modify, merge, publish,
++ * distribute, sublicense, and/or sell copies of the Software, and to
++ * permit persons to whom the Software is furnished to do so, subject to
++ * the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be
++ * included in all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
++ */
++#ifndef NGHTTP2_TIME_H
++#define NGHTTP2_TIME_H
++
++#ifdef HAVE_CONFIG_H
++# include <config.h>
++#endif /* HAVE_CONFIG_H */
++
++#include <nghttp2/nghttp2.h>
++
++/* nghttp2_time_now_sec returns seconds from implementation-specific
++ timepoint. If it is unable to get seconds, it returns 0. */
++uint64_t nghttp2_time_now_sec(void);
++
++#endif /* NGHTTP2_TIME_H */
+--- /dev/null
++++ b/tests/nghttp2_ratelim_test.c
+@@ -0,0 +1,101 @@
++/*
++ * nghttp2 - HTTP/2 C Library
++ *
++ * Copyright (c) 2023 nghttp2 contributors
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining
++ * a copy of this software and associated documentation files (the
++ * "Software"), to deal in the Software without restriction, including
++ * without limitation the rights to use, copy, modify, merge, publish,
++ * distribute, sublicense, and/or sell copies of the Software, and to
++ * permit persons to whom the Software is furnished to do so, subject to
++ * the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be
++ * included in all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
++ */
++#include "nghttp2_ratelim_test.h"
++
++#include <stdio.h>
++
++#include <CUnit/CUnit.h>
++
++#include "nghttp2_ratelim.h"
++
++void test_nghttp2_ratelim_update(void) {
++ nghttp2_ratelim rl;
++
++ nghttp2_ratelim_init(&rl, 1000, 21);
++
++ CU_ASSERT(1000 == rl.val);
++ CU_ASSERT(1000 == rl.burst);
++ CU_ASSERT(21 == rl.rate);
++ CU_ASSERT(0 == rl.tstamp);
++
++ nghttp2_ratelim_update(&rl, 999);
++
++ CU_ASSERT(1000 == rl.val);
++ CU_ASSERT(999 == rl.tstamp);
++
++ nghttp2_ratelim_drain(&rl, 100);
++
++ CU_ASSERT(900 == rl.val);
++
++ nghttp2_ratelim_update(&rl, 1000);
++
++ CU_ASSERT(921 == rl.val);
++
++ nghttp2_ratelim_update(&rl, 1002);
++
++ CU_ASSERT(963 == rl.val);
++
++ nghttp2_ratelim_update(&rl, 1004);
++
++ CU_ASSERT(1000 == rl.val);
++ CU_ASSERT(1004 == rl.tstamp);
++
++ /* timer skew */
++ nghttp2_ratelim_init(&rl, 1000, 21);
++ nghttp2_ratelim_update(&rl, 1);
++
++ CU_ASSERT(1000 == rl.val);
++
++ nghttp2_ratelim_update(&rl, 0);
++
++ CU_ASSERT(1000 == rl.val);
++
++ /* rate * duration overflow */
++ nghttp2_ratelim_init(&rl, 1000, 100);
++ nghttp2_ratelim_drain(&rl, 999);
++
++ CU_ASSERT(1 == rl.val);
++
++ nghttp2_ratelim_update(&rl, UINT64_MAX);
++
++ CU_ASSERT(1000 == rl.val);
++
++ /* val + rate * duration overflow */
++ nghttp2_ratelim_init(&rl, UINT64_MAX - 1, 2);
++ nghttp2_ratelim_update(&rl, 1);
++
++ CU_ASSERT(UINT64_MAX - 1 == rl.val);
++}
++
++void test_nghttp2_ratelim_drain(void) {
++ nghttp2_ratelim rl;
++
++ nghttp2_ratelim_init(&rl, 100, 7);
++
++ CU_ASSERT(-1 == nghttp2_ratelim_drain(&rl, 101));
++ CU_ASSERT(0 == nghttp2_ratelim_drain(&rl, 51));
++ CU_ASSERT(0 == nghttp2_ratelim_drain(&rl, 49));
++ CU_ASSERT(-1 == nghttp2_ratelim_drain(&rl, 1));
++}
+--- /dev/null
++++ b/tests/nghttp2_ratelim_test.h
+@@ -0,0 +1,35 @@
++/*
++ * nghttp2 - HTTP/2 C Library
++ *
++ * Copyright (c) 2023 nghttp2 contributors
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining
++ * a copy of this software and associated documentation files (the
++ * "Software"), to deal in the Software without restriction, including
++ * without limitation the rights to use, copy, modify, merge, publish,
++ * distribute, sublicense, and/or sell copies of the Software, and to
++ * permit persons to whom the Software is furnished to do so, subject to
++ * the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be
++ * included in all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++ * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
++ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
++ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
++ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
++ */
++#ifndef NGHTTP2_RATELIM_TEST_H
++#define NGHTTP2_RATELIM_TEST_H
++
++#ifdef HAVE_CONFIG_H
++# include <config.h>
++#endif /* HAVE_CONFIG_H */
++
++void test_nghttp2_ratelim_update(void);
++void test_nghttp2_ratelim_drain(void);
++
++#endif /* NGHTTP2_RATELIM_TEST_H */
+--- a/tests/nghttp2_session_test.c
++++ b/tests/nghttp2_session_test.c
+@@ -10813,6 +10813,109 @@ void test_nghttp2_session_set_stream_use
+ nghttp2_session_del(session);
+ }
+
++void test_nghttp2_session_stream_reset_ratelim(void) {
++ nghttp2_session *session;
++ nghttp2_session_callbacks callbacks;
++ nghttp2_frame frame;
++ ssize_t rv;
++ nghttp2_bufs bufs;
++ nghttp2_buf *buf;
++ nghttp2_mem *mem;
++ size_t i;
++ nghttp2_hd_deflater deflater;
++ size_t nvlen;
++ nghttp2_nv *nva;
++ int32_t stream_id;
++ nghttp2_outbound_item *item;
++ nghttp2_option *option;
++
++ mem = nghttp2_mem_default();
++ frame_pack_bufs_init(&bufs);
++
++ memset(&callbacks, 0, sizeof(nghttp2_session_callbacks));
++ callbacks.send_callback = null_send_callback;
++
++ nghttp2_option_new(&option);
++ nghttp2_option_set_stream_reset_rate_limit(
++ option, NGHTTP2_DEFAULT_STREAM_RESET_BURST, 0);
++
++ nghttp2_session_server_new2(&session, &callbacks, NULL, option);
++
++ nghttp2_frame_settings_init(&frame.settings, NGHTTP2_FLAG_NONE, NULL, 0);
++ rv = nghttp2_frame_pack_settings(&bufs, &frame.settings);
++
++ CU_ASSERT(0 == rv);
++
++ nghttp2_frame_settings_free(&frame.settings, mem);
++
++ buf = &bufs.head->buf;
++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
++
++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
++
++ /* Send SETTINGS ACK */
++ rv = nghttp2_session_send(session);
++
++ CU_ASSERT(0 == rv);
++
++ nghttp2_hd_deflate_init(&deflater, mem);
++
++ for (i = 0; i < NGHTTP2_DEFAULT_STREAM_RESET_BURST + 2; ++i) {
++ stream_id = (int32_t)(i * 2 + 1);
++
++ nghttp2_bufs_reset(&bufs);
++
++ /* HEADERS */
++ nvlen = ARRLEN(reqnv);
++ nghttp2_nv_array_copy(&nva, reqnv, nvlen, mem);
++ nghttp2_frame_headers_init(&frame.headers, NGHTTP2_FLAG_END_HEADERS,
++ stream_id, NGHTTP2_HCAT_HEADERS, NULL, nva,
++ nvlen);
++ rv = nghttp2_frame_pack_headers(&bufs, &frame.headers, &deflater);
++
++ CU_ASSERT(0 == rv);
++
++ nghttp2_frame_headers_free(&frame.headers, mem);
++
++ buf = &bufs.head->buf;
++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
++
++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
++
++ nghttp2_bufs_reset(&bufs);
++
++ /* RST_STREAM */
++ nghttp2_frame_rst_stream_init(&frame.rst_stream, stream_id,
++ NGHTTP2_NO_ERROR);
++ nghttp2_frame_pack_rst_stream(&bufs, &frame.rst_stream);
++ nghttp2_frame_rst_stream_free(&frame.rst_stream);
++
++ buf = &bufs.head->buf;
++ rv = nghttp2_session_mem_recv(session, buf->pos, nghttp2_buf_len(buf));
++
++ CU_ASSERT((ssize_t)nghttp2_buf_len(buf) == rv);
++
++ if (i < NGHTTP2_DEFAULT_STREAM_RESET_BURST) {
++ CU_ASSERT(0 == nghttp2_outbound_queue_size(&session->ob_reg));
++
++ continue;
++ }
++
++ CU_ASSERT(1 == nghttp2_outbound_queue_size(&session->ob_reg));
++
++ item = nghttp2_session_get_next_ob_item(session);
++
++ CU_ASSERT(NGHTTP2_GOAWAY == item->frame.hd.type);
++ CU_ASSERT(NGHTTP2_DEFAULT_STREAM_RESET_BURST * 2 + 1 ==
++ item->frame.goaway.last_stream_id);
++ }
++
++ nghttp2_hd_deflate_free(&deflater);
++ nghttp2_session_del(session);
++ nghttp2_bufs_free(&bufs);
++ nghttp2_option_del(option);
++}
++
+ static void check_nghttp2_http_recv_headers_fail(
+ nghttp2_session *session, nghttp2_hd_deflater *deflater, int32_t stream_id,
+ int stream_state, const nghttp2_nv *nva, size_t nvlen) {
+--- a/tests/nghttp2_session_test.h
++++ b/tests/nghttp2_session_test.h
+@@ -160,6 +160,7 @@ void test_nghttp2_session_removed_closed
+ void test_nghttp2_session_pause_data(void);
+ void test_nghttp2_session_no_closed_streams(void);
+ void test_nghttp2_session_set_stream_user_data(void);
++void test_nghttp2_session_stream_reset_ratelim(void);
+ void test_nghttp2_http_mandatory_headers(void);
+ void test_nghttp2_http_content_length(void);
+ void test_nghttp2_http_content_length_mismatch(void);
+--- a/tests/CMakeLists.txt
++++ b/tests/CMakeLists.txt
+@@ -21,6 +21,7 @@ if(HAVE_CUNIT)
+ nghttp2_npn_test.c
+ nghttp2_helper_test.c
+ nghttp2_buf_test.c
++ nghttp2_ratelim_test.c
+ )
+
+ add_executable(main EXCLUDE_FROM_ALL
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -40,14 +40,16 @@ OBJECTS = main.c nghttp2_pq_test.c nghtt
+ nghttp2_hd_test.c \
+ nghttp2_npn_test.c \
+ nghttp2_helper_test.c \
+- nghttp2_buf_test.c
++ nghttp2_buf_test.c \
++ nghttp2_ratelim_test.c
+
+ HFILES = nghttp2_pq_test.h nghttp2_map_test.h nghttp2_queue_test.h \
+ nghttp2_session_test.h \
+ nghttp2_frame_test.h nghttp2_stream_test.h nghttp2_hd_test.h \
+ nghttp2_npn_test.h nghttp2_helper_test.h \
+ nghttp2_test_helper.h \
+- nghttp2_buf_test.h
++ nghttp2_buf_test.h \
++ nghttp2_ratelim_test.h
+
+ main_SOURCES = $(HFILES) $(OBJECTS)
+
+--- a/lib/nghttp2_option.h
++++ b/lib/nghttp2_option.h
+@@ -68,6 +68,7 @@ typedef enum {
+ NGHTTP2_OPT_NO_CLOSED_STREAMS = 1 << 10,
+ NGHTTP2_OPT_MAX_OUTBOUND_ACK = 1 << 11,
+ NGHTTP2_OPT_MAX_SETTINGS = 1 << 12,
++ NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
+ } nghttp2_option_flag;
+
+ /**
+@@ -75,6 +76,11 @@ typedef enum {
+ */
+ struct nghttp2_option {
+ /**
++ * NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT
++ */
++ uint64_t stream_reset_burst;
++ uint64_t stream_reset_rate;
++ /**
+ * NGHTTP2_OPT_MAX_SEND_HEADER_BLOCK_LENGTH
+ */
+ size_t max_send_header_block_length;
+--- a/tests/main.c
++++ b/tests/main.c
+@@ -40,6 +40,7 @@
+ #include "nghttp2_npn_test.h"
+ #include "nghttp2_helper_test.h"
+ #include "nghttp2_buf_test.h"
++#include "nghttp2_ratelim_test.h"
+
+ extern int nghttp2_enable_strict_preface;
+
+@@ -323,6 +324,8 @@ int main() {
+ test_nghttp2_session_no_closed_streams) ||
+ !CU_add_test(pSuite, "session_set_stream_user_data",
+ test_nghttp2_session_set_stream_user_data) ||
++ !CU_add_test(pSuite, "session_stream_reset_ratelim",
++ test_nghttp2_session_stream_reset_ratelim) ||
+ !CU_add_test(pSuite, "http_mandatory_headers",
+ test_nghttp2_http_mandatory_headers) ||
+ !CU_add_test(pSuite, "http_content_length",
+@@ -418,7 +421,9 @@ int main() {
+ !CU_add_test(pSuite, "bufs_advance", test_nghttp2_bufs_advance) ||
+ !CU_add_test(pSuite, "bufs_next_present",
+ test_nghttp2_bufs_next_present) ||
+- !CU_add_test(pSuite, "bufs_realloc", test_nghttp2_bufs_realloc)) {
++ !CU_add_test(pSuite, "bufs_realloc", test_nghttp2_bufs_realloc) ||
++ !CU_add_test(pSuite, "ratelim_update", test_nghttp2_ratelim_update) ||
++ !CU_add_test(pSuite, "ratelim_drain", test_nghttp2_ratelim_drain)) {
+ CU_cleanup_registry();
+ return (int)CU_get_error();
+ }
diff --git a/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb b/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb
index 0b9091f7e8..b67313b5c2 100644
--- a/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb
+++ b/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb
@@ -10,6 +10,7 @@ SRC_URI = "\
https://github.com/nghttp2/nghttp2/releases/download/v${PV}/nghttp2-${PV}.tar.xz \
file://0001-fetch-ocsp-response-use-python3.patch \
file://CVE-2023-35945.patch \
+ file://CVE-2023-44487.patch \
"
SRC_URI[sha256sum] = "68271951324554c34501b85190f22f2221056db69f493afc3bbac8e7be21e7cc"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 2/9] xwayland: fix CVE-2023-6816 CVE-2024-0408/0409
2024-04-03 3:46 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 1/9] nghttp2: fix CVE-2023-44487 Steve Sakoman
@ 2024-04-03 3:46 ` Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 3/9] expat: fix CVE-2023-52425 Steve Sakoman
` (6 subsequent siblings)
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:46 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
fix CVE-2023-6816 CVE-2024-0408 CVE-2024-0409
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/xwayland/CVE-2023-6816.patch | 57 ++++++++++++++++
.../xwayland/xwayland/CVE-2024-0408.patch | 65 +++++++++++++++++++
.../xwayland/xwayland/CVE-2024-0409.patch | 47 ++++++++++++++
.../xwayland/xwayland_22.1.8.bb | 3 +
4 files changed, 172 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
new file mode 100644
index 0000000000..5c68bfb3c1
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
@@ -0,0 +1,57 @@
+CVE: CVE-2023-6816
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/b5cb27032d3e486ba84a491e1420e85171c4c0a3 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From b5cb27032d3e486ba84a491e1420e85171c4c0a3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 14 Dec 2023 11:29:49 +1000
+Subject: [PATCH] dix: allocate enough space for logical button maps
+
+Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
+each logical button currently down. Since buttons can be arbitrarily mapped
+to anything up to 255 make sure we have enough bits for the maximum mapping.
+
+CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+(cherry picked from commit 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3)
+---
+ Xi/xiquerypointer.c | 3 +--
+ dix/enterleave.c | 5 +++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index 5b77b1a444..2b05ac5f39 100644
+--- a/Xi/xiquerypointer.c
++++ b/Xi/xiquerypointer.c
+@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
+ if (pDev->button) {
+ int i;
+
+- rep.buttons_len =
+- bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
++ rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
+ rep.length += rep.buttons_len;
+ buttons = calloc(rep.buttons_len, 4);
+ if (!buttons)
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 867ec74363..ded8679d76 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
+
+ mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
+
+- /* XI 2 event */
+- btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
++ /* XI 2 event contains the logical button map - maps are CARD8
++ * so we need 256 bits for the possibly maximum mapping */
++ btlen = (mouse->button) ? bits_to_bytes(256) : 0;
+ btlen = bytes_to_int32(btlen);
+ len = sizeof(xXIFocusInEvent) + btlen * 4;
+
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
new file mode 100644
index 0000000000..9063cd00b2
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
@@ -0,0 +1,65 @@
+CVE: CVE-2024-0408
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/4093057b98bc5a178f130c9ba6b0b28385e24ae5 ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 4093057b98bc5a178f130c9ba6b0b28385e24ae5 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 12:09:41 +0100
+Subject: [PATCH] glx: Call XACE hooks on the GLX buffer
+
+The XSELINUX code will label resources at creation by checking the
+access mode. When the access mode is DixCreateAccess, it will call the
+function to label the new resource SELinuxLabelResource().
+
+However, GLX buffers do not go through the XACE hooks when created,
+hence leaving the resource actually unlabeled.
+
+When, later, the client tries to create another resource using that
+drawable (like a GC for example), the XSELINUX code would try to use
+the security ID of that object which has never been labeled, get a NULL
+pointer and crash when checking whether the requested permissions are
+granted for subject security ID.
+
+To avoid the issue, make sure to call the XACE hooks when creating the
+GLX buffers.
+
+Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.
+
+CVE-2024-0408
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit e5e8586a12a3ec915673edffa10dc8fe5e15dac3)
+---
+ glx/glxcmds.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index fc26a2e345..1e46d0c723 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -48,6 +48,7 @@
+ #include "indirect_util.h"
+ #include "protocol-versions.h"
+ #include "glxvndabi.h"
++#include "xace.h"
+
+ static char GLXServerVendorName[] = "SGI";
+
+@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
+ if (!pPixmap)
+ return BadAlloc;
+
++ err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
++ pPixmap, RT_NONE, NULL, DixCreateAccess);
++ if (err != Success) {
++ (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
++ return err;
++ }
++
+ /* Assign the pixmap the same id as the pbuffer and add it as a
+ * resource so it and the DRI2 drawable will be reclaimed when the
+ * pbuffer is destroyed. */
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch
new file mode 100644
index 0000000000..de3396a410
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch
@@ -0,0 +1,47 @@
+CVE: CVE-2024-0409
+Upstream-Status: Backport [ https://gitlab.freedesktop.org/xorg/xserver/-/commit/51be9e767a02cdc6a524dc895dcc81abb689d50b ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+From 51be9e767a02cdc6a524dc895dcc81abb689d50b Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 11:51:56 +0100
+Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
+
+The cursor in DIX is actually split in two parts, the cursor itself and
+the cursor bits, each with their own devPrivates.
+
+The cursor itself includes the cursor bits, meaning that the cursor bits
+devPrivates in within structure of the cursor.
+
+Both Xephyr and Xwayland were using the private key for the cursor bits
+to store the data for the cursor, and when using XSELINUX which comes
+with its own special devPrivates, the data stored in that cursor bits'
+devPrivates would interfere with the XSELINUX devPrivates data and the
+SELINUX security ID would point to some other unrelated data, causing a
+crash in the XSELINUX code when trying to (re)use the security ID.
+
+CVE-2024-0409
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7)
+---
+ hw/xwayland/xwayland-cursor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/xwayland/xwayland-cursor.c b/hw/xwayland/xwayland-cursor.c
+index e3c1aaa50c..bd94b0cfbb 100644
+--- a/hw/xwayland/xwayland-cursor.c
++++ b/hw/xwayland/xwayland-cursor.c
+@@ -431,7 +431,7 @@ static miPointerScreenFuncRec xwl_pointer_screen_funcs = {
+ Bool
+ xwl_screen_init_cursor(struct xwl_screen *xwl_screen)
+ {
+- if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR_BITS, 0))
++ if (!dixRegisterPrivateKey(&xwl_cursor_private_key, PRIVATE_CURSOR, 0))
+ return FALSE;
+
+ return miPointerInitialize(xwl_screen->screen,
+--
+GitLab
+
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index e6e17d7da5..133c65fbc3 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -13,6 +13,9 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2023-5367.patch \
file://CVE-2023-6377.patch \
file://CVE-2023-6478.patch \
+ file://CVE-2023-6816.patch \
+ file://CVE-2024-0408.patch \
+ file://CVE-2024-0409.patch \
"
SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 3/9] expat: fix CVE-2023-52425
2024-04-03 3:46 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 1/9] nghttp2: fix CVE-2023-44487 Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 2/9] xwayland: fix CVE-2023-6816 CVE-2024-0408/0409 Steve Sakoman
@ 2024-04-03 3:46 ` Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 4/9] curl: backport Debian patch for CVE-2024-2398 Steve Sakoman
` (5 subsequent siblings)
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:46 UTC (permalink / raw)
To: openembedded-core
From: Meenali Gupta <meenali.gupta@windriver.com>
libexpat through 2.5.0 allows a denial of service (resource consumption) because
many full reparsings are required in the case of a large token for which multiple
buffer fills are needed.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52425
Changes related to test directory are not included as most of the files are not present
and are introduced in the later version.
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../expat/expat/CVE-2023-52425-0001.patch | 40 ++++
.../expat/expat/CVE-2023-52425-0002.patch | 87 +++++++
.../expat/expat/CVE-2023-52425-0003.patch | 222 ++++++++++++++++++
.../expat/expat/CVE-2023-52425-0004.patch | 42 ++++
.../expat/expat/CVE-2023-52425-0005.patch | 69 ++++++
.../expat/expat/CVE-2023-52425-0006.patch | 67 ++++++
.../expat/expat/CVE-2023-52425-0007.patch | 159 +++++++++++++
.../expat/expat/CVE-2023-52425-0008.patch | 95 ++++++++
.../expat/expat/CVE-2023-52425-0009.patch | 52 ++++
.../expat/expat/CVE-2023-52425-0010.patch | 111 +++++++++
.../expat/expat/CVE-2023-52425-0011.patch | 89 +++++++
.../expat/expat/CVE-2023-52425-0012.patch | 87 +++++++
meta/recipes-core/expat/expat_2.5.0.bb | 12 +
13 files changed, 1132 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
new file mode 100644
index 0000000000..4e21ade018
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
@@ -0,0 +1,40 @@
+From d5b02e96ab95d2a7ae0aea72d00054b9d036d76d Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 9 Nov 2023 19:28:05 +0100
+Subject: [PATCH] xmlwf: Document argument "-q"
+
+Rebased-and-adapted-by: Snild Dolkow <snild@sony.com>
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/d5b02e96ab95d2a7ae0aea72d00054b9d036d76d]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ doc/xmlwf.xml | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/doc/xmlwf.xml b/doc/xmlwf.xml
+index 9603abf..3d35393 100644
+--- a/doc/xmlwf.xml
++++ b/doc/xmlwf.xml
+@@ -313,6 +313,16 @@ supports both.
+ </listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term><option>-q</option></term>
++ <listitem>
++ <para>
++ Disable reparse deferral, and allow quadratic parse runtime
++ on large tokens (default: reparse deferral enabled).
++ </para>
++ </listitem>
++ </varlistentry>
++
+ <varlistentry>
+ <term><option>-r</option></term>
+ <listitem>
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch
new file mode 100644
index 0000000000..8376727778
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch
@@ -0,0 +1,87 @@
+From 09fdf998e7cf3f8f9327e6602077791095aedd4d Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Thu, 9 Nov 2023 19:14:14 +0100
+Subject: [PATCH] xmlwf: Support disabling reparse deferral
+
+Rebased-and-adapted-by: Snild Dolkow <snild@sony.com>
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/09fdf998e7cf3f8f9327e6602077791095aedd4d]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ xmlwf/xmlwf.c | 20 ++++++++++++++++++++
+ xmlwf/xmlwf_helpgen.py | 4 ++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
+index dd023a9..9a5441c 100644
+--- a/xmlwf/xmlwf.c
++++ b/xmlwf/xmlwf.c
+@@ -911,6 +911,9 @@ usage(const XML_Char *prog, int rc) {
+ T("billion laughs attack protection:\n")
+ T(" NOTE: If you ever need to increase these values for non-attack payload, please file a bug report.\n")
+ T("\n")
++ T("reparse deferral:\n")
++ T(" -q disable reparse deferral, and allow [q]uadratic parse runtime with large tokens\n")
++ T("\n")
+ T(" -a FACTOR set maximum tolerated [a]mplification factor (default: 100.0)\n")
+ T(" -b BYTES set number of output [b]ytes needed to activate (default: 8 MiB)\n")
+ T("\n")
+@@ -967,6 +970,8 @@ tmain(int argc, XML_Char **argv) {
+ unsigned long long attackThresholdBytes;
+ XML_Bool attackThresholdGiven = XML_FALSE;
+
++ XML_Bool disableDeferral = XML_FALSE;
++
+ int exitCode = XMLWF_EXIT_SUCCESS;
+ enum XML_ParamEntityParsing paramEntityParsing
+ = XML_PARAM_ENTITY_PARSING_NEVER;
+@@ -1091,6 +1096,11 @@ tmain(int argc, XML_Char **argv) {
+ #endif
+ break;
+ }
++ case T('q'): {
++ disableDeferral = XML_TRUE;
++ j++;
++ break;
++ }
+ case T('\0'):
+ if (j > 1) {
+ i++;
+@@ -1136,6 +1146,16 @@ tmain(int argc, XML_Char **argv) {
+ #endif
+ }
+
++ if (disableDeferral) {
++ const XML_Bool success = XML_SetReparseDeferralEnabled(parser, XML_FALSE);
++ if (! success) {
++ // This prevents tperror(..) from reporting misleading "[..]: Success"
++ errno = EINVAL;
++ tperror(T("Failed to disable reparse deferral"));
++ exit(XMLWF_EXIT_INTERNAL_ERROR);
++ }
++ }
++
+ if (requireStandalone)
+ XML_SetNotStandaloneHandler(parser, notStandalone);
+ XML_SetParamEntityParsing(parser, paramEntityParsing);
+diff --git a/xmlwf/xmlwf_helpgen.py b/xmlwf/xmlwf_helpgen.py
+index c2a527f..1bd0a0a 100755
+--- a/xmlwf/xmlwf_helpgen.py
++++ b/xmlwf/xmlwf_helpgen.py
+@@ -81,6 +81,10 @@ billion_laughs.add_argument('-a', metavar='FACTOR',
+ help='set maximum tolerated [a]mplification factor (default: 100.0)')
+ billion_laughs.add_argument('-b', metavar='BYTES', help='set number of output [b]ytes needed to activate (default: 8 MiB)')
+
++reparse_deferral = parser.add_argument_group('reparse deferral')
++reparse_deferral.add_argument('-q', metavar='FACTOR',
++ help='disable reparse deferral, and allow [q]uadratic parse runtime with large tokens')
++
+ parser.add_argument('files', metavar='FILE', nargs='*', help='file to process (default: STDIN)')
+
+ info = parser.add_argument_group('info arguments')
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch
new file mode 100644
index 0000000000..e5c3606e19
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch
@@ -0,0 +1,222 @@
+From 9cdf9b8d77d5c2c2a27d15fb68dd3f83cafb45a1 Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Thu, 17 Aug 2023 16:25:26 +0200
+Subject: [PATCH] Skip parsing after repeated partials on the same token When
+ the parse buffer contains the starting bytes of a token but not all of them,
+ we cannot parse the token to completion. We call this a partial token. When
+ this happens, the parse position is reset to the start of the token, and the
+ parse() call returns. The client is then expected to provide more data and
+ call parse() again.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In extreme cases, this means that the bytes of a token may be parsed
+many times: once for every buffer refill required before the full token
+is present in the buffer.
+
+Math:
+ Assume there's a token of T bytes
+ Assume the client fills the buffer in chunks of X bytes
+ We'll try to parse X, 2X, 3X, 4X ... until mX == T (technically >=)
+ That's (m²+m)X/2 = (T²/X+T)/2 bytes parsed (arithmetic progression)
+ While it is alleviated by larger refills, this amounts to O(T²)
+
+Expat grows its internal buffer by doubling it when necessary, but has
+no way to inform the client about how much space is available. Instead,
+we add a heuristic that skips parsing when we've repeatedly stopped on
+an incomplete token. Specifically:
+
+ * Only try to parse if we have a certain amount of data buffered
+ * Every time we stop on an incomplete token, double the threshold
+ * As soon as any token completes, the threshold is reset
+
+This means that when we get stuck on an incomplete token, the threshold
+grows exponentially, effectively making the client perform larger buffer
+fills, limiting how many times we can end up re-parsing the same bytes.
+
+Math:
+ Assume there's a token of T bytes
+ Assume the client fills the buffer in chunks of X bytes
+ We'll try to parse X, 2X, 4X, 8X ... until (2^k)X == T (or larger)
+ That's (2^(k+1)-1)X bytes parsed -- e.g. 15X if T = 8X
+ This is equal to 2T-X, which amounts to O(T)
+
+We could've chosen a faster growth rate, e.g. 4 or 8. Those seem to
+increase performance further, at the cost of further increasing the
+risk of growing the buffer more than necessary. This can easily be
+adjusted in the future, if desired.
+
+This is all completely transparent to the client, except for:
+1. possible delay of some callbacks (when our heuristic overshoots)
+2. apps that never do isFinal=XML_TRUE could miss data at the end
+
+For the affected testdata, this change shows a 100-400x speedup.
+The recset.xml benchmark shows no clear change either way.
+
+Before:
+benchmark -n ../testdata/largefiles/recset.xml 65535 3
+ 3 loops, with buffer size 65535. Average time per loop: 0.270223
+benchmark -n ../testdata/largefiles/aaaaaa_attr.xml 4096 3
+ 3 loops, with buffer size 4096. Average time per loop: 15.033048
+benchmark -n ../testdata/largefiles/aaaaaa_cdata.xml 4096 3
+ 3 loops, with buffer size 4096. Average time per loop: 0.018027
+benchmark -n ../testdata/largefiles/aaaaaa_comment.xml 4096 3
+ 3 loops, with buffer size 4096. Average time per loop: 11.775362
+benchmark -n ../testdata/largefiles/aaaaaa_tag.xml 4096 3
+ 3 loops, with buffer size 4096. Average time per loop: 11.711414
+benchmark -n ../testdata/largefiles/aaaaaa_text.xml 4096 3
+ 3 loops, with buffer size 4096. Average time per loop: 0.019362
+
+After:
+./run.sh benchmark -n ../testdata/largefiles/recset.xml 65535 3
+ 3 loops, with buffer size 65535. Average time per loop: 0.269030
+./run.sh benchmark -n ../testdata/largefiles/aaaaaa_attr.xml 4096 3
+ 3 loops, with buffer size 4096. Average time per loop: 0.044794
+./run.sh benchmark -n ../testdata/largefiles/aaaaaa_cdata.xml 4096 3
+ 3 loops, with buffer size 4096. Average time per loop: 0.016377
+./run.sh benchmark -n ../testdata/largefiles/aaaaaa_comment.xml 4096 3
+ 3 loops, with buffer size 4096. Average time per loop: 0.027022
+./run.sh benchmark -n ../testdata/largefiles/aaaaaa_tag.xml 4096 3
+ 3 loops, with buffer size 4096. Average time per loop: 0.099360
+./run.sh benchmark -n ../testdata/largefiles/aaaaaa_text.xml 4096 3
+ 3 loops, with buffer size 4096. Average time per loop: 0.017956
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/9cdf9b8d77d5c2c2a27d15fb68dd3f83cafb45a1]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/xmlparse.c | 58 +++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 39 insertions(+), 19 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index bbffcaa..5695417 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -81,6 +81,7 @@
+ # endif
+ #endif
+
++#include <stdbool.h>
+ #include <stddef.h>
+ #include <string.h> /* memset(), memcpy() */
+ #include <assert.h>
+@@ -629,6 +630,7 @@ struct XML_ParserStruct {
+ const char *m_bufferLim;
+ XML_Index m_parseEndByteIndex;
+ const char *m_parseEndPtr;
++ size_t m_partialTokenBytesBefore; /* used in heuristic to avoid O(n^2) */
+ XML_Char *m_dataBuf;
+ XML_Char *m_dataBufEnd;
+ XML_StartElementHandler m_startElementHandler;
+@@ -960,6 +962,32 @@ get_hash_secret_salt(XML_Parser parser) {
+ return parser->m_hash_secret_salt;
+ }
+
++static enum XML_Error
++callProcessor(XML_Parser parser, const char *start, const char *end,
++ const char **endPtr) {
++ const size_t have_now = EXPAT_SAFE_PTR_DIFF(end, start);
++
++ if (! parser->m_parsingStatus.finalBuffer) {
++ // Heuristic: don't try to parse a partial token again until the amount of
++ // available data has increased significantly.
++ const size_t had_before = parser->m_partialTokenBytesBefore;
++ const bool enough = (have_now >= 2 * had_before);
++
++ if (! enough) {
++ *endPtr = start; // callers may expect this to be set
++ return XML_ERROR_NONE;
++ }
++ }
++ const enum XML_Error ret = parser->m_processor(parser, start, end, endPtr);
++ // if we consumed nothing, remember what we had on this parse attempt.
++ if (*endPtr == start) {
++ parser->m_partialTokenBytesBefore = have_now;
++ } else {
++ parser->m_partialTokenBytesBefore = 0;
++ }
++ return ret;
++}
++
+ static XML_Bool /* only valid for root parser */
+ startParsing(XML_Parser parser) {
+ /* hash functions must be initialized before setContext() is called */
+@@ -1141,6 +1169,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ parser->m_bufferEnd = parser->m_buffer;
+ parser->m_parseEndByteIndex = 0;
+ parser->m_parseEndPtr = NULL;
++ parser->m_partialTokenBytesBefore = 0;
+ parser->m_declElementType = NULL;
+ parser->m_declAttributeId = NULL;
+ parser->m_declEntity = NULL;
+@@ -1872,29 +1901,20 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) {
+ to detect errors based on that fact.
+ */
+ parser->m_errorCode
+- = parser->m_processor(parser, parser->m_bufferPtr,
+- parser->m_parseEndPtr, &parser->m_bufferPtr);
++ = callProcessor(parser, parser->m_bufferPtr, parser->m_parseEndPtr,
++ &parser->m_bufferPtr);
+
+ if (parser->m_errorCode == XML_ERROR_NONE) {
+ switch (parser->m_parsingStatus.parsing) {
+ case XML_SUSPENDED:
+- /* It is hard to be certain, but it seems that this case
+- * cannot occur. This code is cleaning up a previous parse
+- * with no new data (since len == 0). Changing the parsing
+- * state requires getting to execute a handler function, and
+- * there doesn't seem to be an opportunity for that while in
+- * this circumstance.
+- *
+- * Given the uncertainty, we retain the code but exclude it
+- * from coverage tests.
+- *
+- * LCOV_EXCL_START
+- */
++ /* While we added no new data, the finalBuffer flag may have caused
++ * us to parse previously-unparsed data in the internal buffer.
++ * If that triggered a callback to the application, it would have
++ * had an opportunity to suspend parsing. */
+ XmlUpdatePosition(parser->m_encoding, parser->m_positionPtr,
+ parser->m_bufferPtr, &parser->m_position);
+ parser->m_positionPtr = parser->m_bufferPtr;
+ return XML_STATUS_SUSPENDED;
+- /* LCOV_EXCL_STOP */
+ case XML_INITIALIZED:
+ case XML_PARSING:
+ parser->m_parsingStatus.parsing = XML_FINISHED;
+@@ -1924,7 +1944,7 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) {
+ parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal;
+
+ parser->m_errorCode
+- = parser->m_processor(parser, s, parser->m_parseEndPtr = s + len, &end);
++ = callProcessor(parser, s, parser->m_parseEndPtr = s + len, &end);
+
+ if (parser->m_errorCode != XML_ERROR_NONE) {
+ parser->m_eventEndPtr = parser->m_eventPtr;
+@@ -2027,8 +2047,8 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
+ parser->m_parseEndByteIndex += len;
+ parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal;
+
+- parser->m_errorCode = parser->m_processor(
+- parser, start, parser->m_parseEndPtr, &parser->m_bufferPtr);
++ parser->m_errorCode = callProcessor(parser, start, parser->m_parseEndPtr,
++ &parser->m_bufferPtr);
+
+ if (parser->m_errorCode != XML_ERROR_NONE) {
+ parser->m_eventEndPtr = parser->m_eventPtr;
+@@ -2220,7 +2240,7 @@ XML_ResumeParser(XML_Parser parser) {
+ }
+ parser->m_parsingStatus.parsing = XML_PARSING;
+
+- parser->m_errorCode = parser->m_processor(
++ parser->m_errorCode = callProcessor(
+ parser, parser->m_bufferPtr, parser->m_parseEndPtr, &parser->m_bufferPtr);
+
+ if (parser->m_errorCode != XML_ERROR_NONE) {
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch
new file mode 100644
index 0000000000..35e8e0b1e5
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch
@@ -0,0 +1,42 @@
+From 1b9d398517befeb944cbbadadf10992b07e96fa2 Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Mon, 4 Sep 2023 17:21:14 +0200
+Subject: [PATCH] [PATCH] Don't update partial token heuristic on error
+
+Suggested-by: Sebastian Pipping <sebastian@pipping.org>
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/1b9d398517befeb944cbbadadf10992b07e96fa2]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/xmlparse.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 5695417..5c66f54 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -979,11 +979,13 @@ callProcessor(XML_Parser parser, const char *start, const char *end,
+ }
+ }
+ const enum XML_Error ret = parser->m_processor(parser, start, end, endPtr);
+- // if we consumed nothing, remember what we had on this parse attempt.
+- if (*endPtr == start) {
+- parser->m_partialTokenBytesBefore = have_now;
+- } else {
+- parser->m_partialTokenBytesBefore = 0;
++ if (ret == XML_ERROR_NONE) {
++ // if we consumed nothing, remember what we had on this parse attempt.
++ if (*endPtr == start) {
++ parser->m_partialTokenBytesBefore = have_now;
++ } else {
++ parser->m_partialTokenBytesBefore = 0;
++ }
+ }
+ return ret;
+ }
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch
new file mode 100644
index 0000000000..d4e112db58
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch
@@ -0,0 +1,69 @@
+From 09957b8ced725b96a95acff150facda93f03afe1 Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Thu, 26 Oct 2023 10:41:00 +0200
+Subject: [PATCH] Allow XML_GetBuffer() with len=0 on a fresh parser
+
+len=0 was previously OK if there had previously been a non-zero call.
+It makes sense to allow an application to work the same way on a
+newly-created parser, and not have to care if its incoming buffer
+happens to be 0.
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/09957b8ced725b96a95acff150facda93f03afe1]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/xmlparse.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 5c66f54..5b112c6 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2095,7 +2095,8 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ default:;
+ }
+
+- if (len > EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd)) {
++ if (len > EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd)
++ || parser->m_buffer == NULL) {
+ #ifdef XML_CONTEXT_BYTES
+ int keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+@@ -2118,8 +2119,9 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ }
+ neededSize += keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+- if (neededSize
+- <= EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer)) {
++ if (parser->m_buffer && parser->m_bufferPtr
++ && neededSize
++ <= EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer)) {
+ #ifdef XML_CONTEXT_BYTES
+ if (keep < EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer)) {
+ int offset
+@@ -2133,14 +2135,12 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ parser->m_bufferPtr -= offset;
+ }
+ #else
+- if (parser->m_buffer && parser->m_bufferPtr) {
+- memmove(parser->m_buffer, parser->m_bufferPtr,
+- EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr));
+- parser->m_bufferEnd
+- = parser->m_buffer
+- + EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr);
+- parser->m_bufferPtr = parser->m_buffer;
+- }
++ memmove(parser->m_buffer, parser->m_bufferPtr,
++ EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr));
++ parser->m_bufferEnd
++ = parser->m_buffer
++ + EXPAT_SAFE_PTR_DIFF(parser->m_bufferEnd, parser->m_bufferPtr);
++ parser->m_bufferPtr = parser->m_buffer;
+ #endif /* not defined XML_CONTEXT_BYTES */
+ } else {
+ char *newBuf;
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch
new file mode 100644
index 0000000000..c1fb4893ed
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch
@@ -0,0 +1,67 @@
+From 9fe3672459c1bf10926b85f013aa1b623d855545 Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Mon, 18 Sep 2023 20:32:55 +0200
+Subject: [PATCH] tests: Run both with and without partial token heuristic
+
+If we always run with the heuristic enabled, it may hide some bugs by
+grouping up input into bigger parse attempts.
+
+CI-fighting-assistance-by: Sebastian Pipping <sebastian@pipping.org>
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/9fe3672459c1bf10926b85f013aa1b623d855545]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/internal.h | 3 +++
+ lib/xmlparse.c | 5 ++++-
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/internal.h b/lib/internal.h
+index 03c8fde..1df417f 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -31,6 +31,7 @@
+ Copyright (c) 2016-2022 Sebastian Pipping <sebastian@pipping.org>
+ Copyright (c) 2018 Yury Gribov <tetra2005@gmail.com>
+ Copyright (c) 2019 David Loffredo <loffredo@steptools.com>
++ Copyright (c) 2023 Sony Corporation / Snild Dolkow <snild@sony.com>
+ Licensed under the MIT license:
+
+ Permission is hereby granted, free of charge, to any person obtaining
+@@ -160,6 +161,8 @@ unsigned long long testingAccountingGetCountBytesIndirect(XML_Parser parser);
+ const char *unsignedCharToPrintable(unsigned char c);
+ #endif
+
++extern XML_Bool g_reparseDeferralEnabledDefault; // written ONLY in runtests.c
++ //
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 5b112c6..be6dd92 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -615,6 +615,8 @@ static unsigned long getDebugLevel(const char *variableName,
+ ? 0 \
+ : ((*((pool)->ptr)++ = c), 1))
+
++XML_Bool g_reparseDeferralEnabledDefault = XML_TRUE; // write ONLY in runtests.c
++ //
+ struct XML_ParserStruct {
+ /* The first member must be m_userData so that the XML_GetUserData
+ macro works. */
+@@ -967,7 +969,8 @@ callProcessor(XML_Parser parser, const char *start, const char *end,
+ const char **endPtr) {
+ const size_t have_now = EXPAT_SAFE_PTR_DIFF(end, start);
+
+- if (! parser->m_parsingStatus.finalBuffer) {
++ if (g_reparseDeferralEnabledDefault
++ && ! parser->m_parsingStatus.finalBuffer) {
+ // Heuristic: don't try to parse a partial token again until the amount of
+ // available data has increased significantly.
+ const size_t had_before = parser->m_partialTokenBytesBefore;
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch
new file mode 100644
index 0000000000..e2fb35eae6
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch
@@ -0,0 +1,159 @@
+From 1d3162da8a85a398ab451aadd6c2ad19587e5a68 Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Mon, 11 Sep 2023 15:31:24 +0200
+Subject: [PATCH] Add app setting for enabling/disabling reparse heuristic
+
+Suggested-by: Sebastian Pipping <sebastian@pipping.org>
+CI-fighting-assistance-by: Sebastian Pipping <sebastian@pipping.org>
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/1d3162da8a85a398ab451aadd6c2ad19587e5a68]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ doc/reference.html | 30 ++++++++++++++++++++++++------
+ lib/expat.h | 5 +++++
+ lib/libexpat.def.cmake | 2 ++
+ lib/xmlparse.c | 13 ++++++++++++-
+ 4 files changed, 43 insertions(+), 7 deletions(-)
+
+diff --git a/doc/reference.html b/doc/reference.html
+index 9953aa7..7dd9370 100644
+--- a/doc/reference.html
++++ b/doc/reference.html
+@@ -151,10 +151,11 @@ interface.</p>
+ </ul>
+ </li>
+ <li>
+- <a href="#billion-laughs">Billion Laughs Attack Protection</a>
++ <a href="#attack-protection">Attack Protection</a>
+ <ul>
+ <li><a href="#XML_SetBillionLaughsAttackProtectionMaximumAmplification">XML_SetBillionLaughsAttackProtectionMaximumAmplification</a></li>
+ <li><a href="#XML_SetBillionLaughsAttackProtectionActivationThreshold">XML_SetBillionLaughsAttackProtectionActivationThreshold</a></li>
++ <li><a href="#XML_SetReparseDeferralEnabled">XML_SetReparseDeferralEnabled</a></li>
+ </ul>
+ </li>
+ <li><a href="#miscellaneous">Miscellaneous Functions</a>
+@@ -2123,11 +2124,7 @@ parse position may be before the beginning of the buffer.</p>
+ return NULL.</p>
+ </div>
+
+-<h3><a name="billion-laughs">Billion Laughs Attack Protection</a></h3>
+-
+-<p>The functions in this section configure the built-in
+- protection against various forms of
+- <a href="https://en.wikipedia.org/wiki/Billion_laughs_attack">billion laughs attacks</a>.</p>
++<h3><a name="attack-protection">Attack Protection</a><a name="billion-laughs"></a></h3>
+
+ <h4 id="XML_SetBillionLaughsAttackProtectionMaximumAmplification">XML_SetBillionLaughsAttackProtectionMaximumAmplification</h4>
+ <pre class="fcndec">
+@@ -2215,6 +2212,27 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(XML_Parser p,
+ </p>
+ </div>
+
++<h4 id="XML_SetReparseDeferralEnabled">XML_SetReparseDeferralEnabled</h4>
++<pre class="fcndec">
++/* Added in Expat 2.6.0. */
++XML_Bool XMLCALL
++XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled);
++</pre>
++<div class="fcndef">
++ <p>
++ Large tokens may require many parse calls before enough data is available for Expat to parse it in full.
++ If Expat retried parsing the token on every parse call, parsing could take quadratic time.
++ To avoid this, Expat only retries once a significant amount of new data is available.
++ This function allows disabling this behavior.
++ </p>
++ <p>
++ The <code>enabled</code> argument should be <code>XML_TRUE</code> or <code>XML_FALSE</code>.
++ </p>
++ <p>
++ Returns <code>XML_TRUE</code> on success, and <code>XML_FALSE</code> on error.
++ </p>
++</div>
++
+ <h3><a name="miscellaneous">Miscellaneous functions</a></h3>
+
+ <p>The functions in this section either obtain state information from
+diff --git a/lib/expat.h b/lib/expat.h
+index 9e64174..73dda6d 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -16,6 +16,7 @@
+ Copyright (c) 2016 Thomas Beutlich <tc@tbeu.de>
+ Copyright (c) 2017 Rhodri James <rhodri@wildebeest.org.uk>
+ Copyright (c) 2022 Thijs Schreijer <thijs@thijsschreijer.nl>
++ Copyright (c) 2023 Sony Corporation / Snild Dolkow <snild@sony.com>
+ Licensed under the MIT license:
+
+ Permission is hereby granted, free of charge, to any person obtaining
+@@ -1054,6 +1055,10 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+ XML_Parser parser, unsigned long long activationThresholdBytes);
+ #endif
+
++/* Added in Expat 2.6.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled);
++
+ /* Expat follows the semantic versioning convention.
+ See http://semver.org.
+ */
+diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake
+index 61a4f00..10ee9cd 100644
+--- a/lib/libexpat.def.cmake
++++ b/lib/libexpat.def.cmake
+@@ -77,3 +77,5 @@ EXPORTS
+ ; added with version 2.4.0
+ @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionActivationThreshold @69
+ @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
++; added with version 2.6.0
++ XML_SetReparseDeferralEnabled @71
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index be6dd92..8cf32e0 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -633,6 +633,7 @@ struct XML_ParserStruct {
+ XML_Index m_parseEndByteIndex;
+ const char *m_parseEndPtr;
+ size_t m_partialTokenBytesBefore; /* used in heuristic to avoid O(n^2) */
++ XML_Bool m_reparseDeferralEnabled;
+ XML_Char *m_dataBuf;
+ XML_Char *m_dataBufEnd;
+ XML_StartElementHandler m_startElementHandler;
+@@ -969,7 +970,7 @@ callProcessor(XML_Parser parser, const char *start, const char *end,
+ const char **endPtr) {
+ const size_t have_now = EXPAT_SAFE_PTR_DIFF(end, start);
+
+- if (g_reparseDeferralEnabledDefault
++ if (parser->m_reparseDeferralEnabled
+ && ! parser->m_parsingStatus.finalBuffer) {
+ // Heuristic: don't try to parse a partial token again until the amount of
+ // available data has increased significantly.
+@@ -1175,6 +1176,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ parser->m_parseEndByteIndex = 0;
+ parser->m_parseEndPtr = NULL;
+ parser->m_partialTokenBytesBefore = 0;
++ parser->m_reparseDeferralEnabled = g_reparseDeferralEnabledDefault;
+ parser->m_declElementType = NULL;
+ parser->m_declAttributeId = NULL;
+ parser->m_declEntity = NULL;
+@@ -2601,6 +2603,15 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+ }
+ #endif /* XML_GE == 1 */
+
++XML_Bool XMLCALL
++XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled) {
++ if (parser != NULL && (enabled == XML_TRUE || enabled == XML_FALSE)) {
++ parser->m_reparseDeferralEnabled = enabled;
++ return XML_TRUE;
++ }
++ return XML_FALSE;
++}
++
+ /* Initially tag->rawName always points into the parse buffer;
+ for those TAG instances opened while the current parse buffer was
+ processed, and not yet closed, we need to store tag->rawName in a more
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
new file mode 100644
index 0000000000..fa25fcd2db
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
@@ -0,0 +1,95 @@
+From 8ddd8e86aa446d02eb8d398972d3b10d4cad908a Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Fri, 29 Sep 2023 10:14:59 +0200
+Subject: [PATCH] Try to parse even when incoming len is zero
+
+If the reparse deferral setting has changed, it may be possible to
+finish a token.
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/8ddd8e86aa446d02eb8d398972d3b10d4cad908a]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/xmlparse.c | 55 ++++++++------------------------------------------
+ 1 file changed, 8 insertions(+), 47 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 8cf32e0..f4ff66e 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1896,46 +1896,8 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) {
+ parser->m_parsingStatus.parsing = XML_PARSING;
+ }
+
+- if (len == 0) {
+- parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal;
+- if (! isFinal)
+- return XML_STATUS_OK;
+- parser->m_positionPtr = parser->m_bufferPtr;
+- parser->m_parseEndPtr = parser->m_bufferEnd;
+-
+- /* If data are left over from last buffer, and we now know that these
+- data are the final chunk of input, then we have to check them again
+- to detect errors based on that fact.
+- */
+- parser->m_errorCode
+- = callProcessor(parser, parser->m_bufferPtr, parser->m_parseEndPtr,
+- &parser->m_bufferPtr);
+-
+- if (parser->m_errorCode == XML_ERROR_NONE) {
+- switch (parser->m_parsingStatus.parsing) {
+- case XML_SUSPENDED:
+- /* While we added no new data, the finalBuffer flag may have caused
+- * us to parse previously-unparsed data in the internal buffer.
+- * If that triggered a callback to the application, it would have
+- * had an opportunity to suspend parsing. */
+- XmlUpdatePosition(parser->m_encoding, parser->m_positionPtr,
+- parser->m_bufferPtr, &parser->m_position);
+- parser->m_positionPtr = parser->m_bufferPtr;
+- return XML_STATUS_SUSPENDED;
+- case XML_INITIALIZED:
+- case XML_PARSING:
+- parser->m_parsingStatus.parsing = XML_FINISHED;
+- /* fall through */
+- default:
+- return XML_STATUS_OK;
+- }
+- }
+- parser->m_eventEndPtr = parser->m_eventPtr;
+- parser->m_processor = errorProcessor;
+- return XML_STATUS_ERROR;
+- }
+ #ifndef XML_CONTEXT_BYTES
+- else if (parser->m_bufferPtr == parser->m_bufferEnd) {
++ if (parser->m_bufferPtr == parser->m_bufferEnd) {
+ const char *end;
+ int nLeftOver;
+ enum XML_Status result;
+@@ -2006,15 +1968,14 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) {
+ return result;
+ }
+ #endif /* not defined XML_CONTEXT_BYTES */
+- else {
+- void *buff = XML_GetBuffer(parser, len);
+- if (buff == NULL)
+- return XML_STATUS_ERROR;
+- else {
+- memcpy(buff, s, len);
+- return XML_ParseBuffer(parser, len, isFinal);
+- }
++ void *buff = XML_GetBuffer(parser, len);
++ if (buff == NULL)
++ return XML_STATUS_ERROR;
++ if (len > 0) {
++ assert(s != NULL); // make sure s==NULL && len!=0 was rejected above
++ memcpy(buff, s, len);
+ }
++ return XML_ParseBuffer(parser, len, isFinal);
+ }
+
+ enum XML_Status XMLCALL
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch
new file mode 100644
index 0000000000..9c1157faac
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch
@@ -0,0 +1,52 @@
+From ad9c01be8ee5d3d5cac2bfd3949ad764541d35e7 Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Thu, 26 Oct 2023 13:55:02 +0200
+Subject: [PATCH] Make external entity parser inherit partial token heuristic
+ setting
+
+The test is essentially a copy of the existing test for the setter,
+adapted to run on the external parser instead of the original one.
+
+Suggested-by: Sebastian Pipping <sebastian@pipping.org>
+CI-fighting-assistance-by: Sebastian Pipping <sebastian@pipping.org>
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/ad9c01be8ee5d3d5cac2bfd3949ad764541d35e7]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/xmlparse.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index f4ff66e..6746d70 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1346,6 +1346,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ to worry which hash secrets each table has.
+ */
+ unsigned long oldhash_secret_salt;
++ XML_Bool oldReparseDeferralEnabled;
+
+ /* Validate the oldParser parameter before we pull everything out of it */
+ if (oldParser == NULL)
+@@ -1390,6 +1391,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ to worry which hash secrets each table has.
+ */
+ oldhash_secret_salt = parser->m_hash_secret_salt;
++ oldReparseDeferralEnabled = parser->m_reparseDeferralEnabled;
+
+ #ifdef XML_DTD
+ if (! context)
+@@ -1442,6 +1444,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ parser->m_defaultExpandInternalEntities = oldDefaultExpandInternalEntities;
+ parser->m_ns_triplets = oldns_triplets;
+ parser->m_hash_secret_salt = oldhash_secret_salt;
++ parser->m_reparseDeferralEnabled = oldReparseDeferralEnabled;
+ parser->m_parentParser = oldParser;
+ #ifdef XML_DTD
+ parser->m_paramEntityParsing = oldParamEntityParsing;
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch
new file mode 100644
index 0000000000..3fbf69de08
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch
@@ -0,0 +1,111 @@
+From 60b74209899a67d426d208662674b55a5eed918c Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Wed, 4 Oct 2023 16:00:14 +0200
+Subject: [PATCH] Bypass partial token heuristic when close to maximum buffer
+ size
+
+For huge tokens, we may end up in a situation where the partial token
+parse deferral heuristic demands more bytes than Expat's maximum buffer
+size (currently ~half of INT_MAX) could fit.
+
+INT_MAX/2 is 1024 MiB on most systems. Clearly, a token of 950 MiB could
+fit in that buffer, but the reparse threshold might be such that
+callProcessor() will defer it, allowing the app to keep filling the
+buffer until XML_GetBuffer() eventually returns a memory error.
+
+By bypassing the heuristic when we're getting close to the maximum
+buffer size, it will once again be possible to parse tokens in the size
+range INT_MAX/2/ratio < size < INT_MAX/2 reliably.
+
+We subtract the last buffer fill size as a way to detect that the next
+XML_GetBuffer() call has a risk of returning a memory error -- assuming
+that the application is likely to keep using the same (or smaller) fill.
+
+We subtract XML_CONTEXT_BYTES because that's the maximum amount of bytes
+that could remain at the start of the buffer, preceding the partial
+token. Technically, it could be fewer bytes, but XML_CONTEXT_BYTES is
+normally small relative to INT_MAX, and is much simpler to use.
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/60b74209899a67d426d208662674b55a5eed918c]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/xmlparse.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 6746d70..32c57f6 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -205,6 +205,8 @@ typedef char ICHAR;
+ /* Do safe (NULL-aware) pointer arithmetic */
+ #define EXPAT_SAFE_PTR_DIFF(p, q) (((p) && (q)) ? ((p) - (q)) : 0)
+
++#define EXPAT_MIN(a, b) (((a) < (b)) ? (a) : (b))
++
+ #include "internal.h"
+ #include "xmltok.h"
+ #include "xmlrole.h"
+@@ -634,6 +636,7 @@ struct XML_ParserStruct {
+ const char *m_parseEndPtr;
+ size_t m_partialTokenBytesBefore; /* used in heuristic to avoid O(n^2) */
+ XML_Bool m_reparseDeferralEnabled;
++ int m_lastBufferRequestSize;
+ XML_Char *m_dataBuf;
+ XML_Char *m_dataBufEnd;
+ XML_StartElementHandler m_startElementHandler;
+@@ -975,7 +978,18 @@ callProcessor(XML_Parser parser, const char *start, const char *end,
+ // Heuristic: don't try to parse a partial token again until the amount of
+ // available data has increased significantly.
+ const size_t had_before = parser->m_partialTokenBytesBefore;
+- const bool enough = (have_now >= 2 * had_before);
++ // ...but *do* try anyway if we're close to reaching the max buffer size.
++ size_t close_to_maxbuf = INT_MAX / 2 + (INT_MAX & 1); // round up
++#if XML_CONTEXT_BYTES > 0
++ // subtract XML_CONTEXT_BYTES, but don't go below zero
++ close_to_maxbuf -= EXPAT_MIN(close_to_maxbuf, XML_CONTEXT_BYTES);
++#endif
++ // subtract the last buffer fill size, but don't go below zero
++ // m_lastBufferRequestSize is never assigned a value < 0, so the cast is ok
++ close_to_maxbuf
++ -= EXPAT_MIN(close_to_maxbuf, (size_t)parser->m_lastBufferRequestSize);
++ const bool enough
++ = (have_now >= 2 * had_before) || (have_now > close_to_maxbuf);
+
+ if (! enough) {
+ *endPtr = start; // callers may expect this to be set
+@@ -1177,6 +1191,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ parser->m_parseEndPtr = NULL;
+ parser->m_partialTokenBytesBefore = 0;
+ parser->m_reparseDeferralEnabled = g_reparseDeferralEnabledDefault;
++ parser->m_lastBufferRequestSize = 0;
+ parser->m_declElementType = NULL;
+ parser->m_declAttributeId = NULL;
+ parser->m_declEntity = NULL;
+@@ -1911,6 +1926,9 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) {
+ parser->m_processor = errorProcessor;
+ return XML_STATUS_ERROR;
+ }
++ // though this isn't a buffer request, we assume that `len` is the app's
++ // preferred buffer fill size, and therefore save it here.
++ parser->m_lastBufferRequestSize = len;
+ parser->m_parseEndByteIndex += len;
+ parser->m_positionPtr = s;
+ parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal;
+@@ -2064,6 +2082,9 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ default:;
+ }
+
++ // whether or not the request succeeds, `len` seems to be the app's preferred
++ // buffer fill size; remember it.
++ parser->m_lastBufferRequestSize = len;
+ if (len > EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd)
+ || parser->m_buffer == NULL) {
+ #ifdef XML_CONTEXT_BYTES
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch
new file mode 100644
index 0000000000..800aaff544
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch
@@ -0,0 +1,89 @@
+From 3d8141d26a3b01ff948e00956cb0723a89dadf7f Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Mon, 20 Nov 2023 16:11:24 +0100
+Subject: [PATCH] Bypass partial token heuristic when nearing full buffer
+
+...instead of only when approaching the maximum buffer size INT/2+1.
+
+We'd like to give applications a chance to finish parsing a large token
+before buffer reallocation, in case the reallocation fails.
+
+By bypassing the reparse deferral heuristic when getting close to the
+filling the buffer, we give them this chance -- if the whole token is
+present in the buffer, it will be parsed at that time.
+
+This may come at the cost of some extra reparse attempts. For a token
+of n bytes, these extra parses cause us to scan over a maximum of
+2n bytes (... + n/8 + n/4 + n/2 + n). Therefore, parsing of big tokens
+remains O(n) in regard how many bytes we scan in attempts to parse. The
+cost in reality is lower than that, since the reparses that happen due
+to the bypass will affect m_partialTokenBytesBefore, delaying the next
+ratio-based reparse. Furthermore, only the first token that "breaks
+through" a buffer ceiling takes that extra reparse attempt; subsequent
+large tokens will only bypass the heuristic if they manage to hit the
+new buffer ceiling.
+
+Note that this cost analysis depends on the assumption that Expat grows
+its buffer by doubling it (or, more generally, grows it exponentially).
+If this changes, the cost of this bypass may increase. Hopefully, this
+would be caught by test_big_tokens_take_linear_time or the new test.
+
+The bypass logic assumes that the application uses a consistent fill.
+If the app increases its fill size, it may miss the bypass (and the
+normal heuristic will apply). If the app decreases its fill size, the
+bypass may be hit multiple times for the same buffer size. The very
+worst case would be to always fill half of the remaining buffer space,
+in which case parsing of a large n-byte token becomes O(n log n).
+
+As an added bonus, the new test case should be faster than the old one,
+since it doesn't have to go all the way to 1GiB to check the behavior.
+
+Finally, this change necessitated a small modification to two existing
+tests related to reparse deferral. These tests are testing the deferral
+enabled setting, and assume that reparsing will not happen for any other
+reason. By pre-growing the buffer, we make sure that this new deferral
+does not affect those test cases.
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/3d8141d26a3b01ff948e00956cb0723a89dadf7f]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/xmlparse.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 32c57f6..2830c1e 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -978,18 +978,18 @@ callProcessor(XML_Parser parser, const char *start, const char *end,
+ // Heuristic: don't try to parse a partial token again until the amount of
+ // available data has increased significantly.
+ const size_t had_before = parser->m_partialTokenBytesBefore;
+- // ...but *do* try anyway if we're close to reaching the max buffer size.
+- size_t close_to_maxbuf = INT_MAX / 2 + (INT_MAX & 1); // round up
++ // ...but *do* try anyway if we're close to causing a reallocation.
++ size_t available_buffer
++ = EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
+ #if XML_CONTEXT_BYTES > 0
+- // subtract XML_CONTEXT_BYTES, but don't go below zero
+- close_to_maxbuf -= EXPAT_MIN(close_to_maxbuf, XML_CONTEXT_BYTES);
++ available_buffer -= EXPAT_MIN(available_buffer, XML_CONTEXT_BYTES);
+ #endif
+- // subtract the last buffer fill size, but don't go below zero
++ available_buffer
++ += EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd);
+ // m_lastBufferRequestSize is never assigned a value < 0, so the cast is ok
+- close_to_maxbuf
+- -= EXPAT_MIN(close_to_maxbuf, (size_t)parser->m_lastBufferRequestSize);
+ const bool enough
+- = (have_now >= 2 * had_before) || (have_now > close_to_maxbuf);
++ = (have_now >= 2 * had_before)
++ || ((size_t)parser->m_lastBufferRequestSize > available_buffer);
+
+ if (! enough) {
+ *endPtr = start; // callers may expect this to be set
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch
new file mode 100644
index 0000000000..8693e9449e
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch
@@ -0,0 +1,87 @@
+From 119ae277abaabd4d17b2e64300fec712ef403b28 Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Thu, 28 Sep 2023 18:26:19 +0200
+Subject: [PATCH] Grow buffer based on current size Until now, the buffer size
+ to grow to has been calculated based on the distance from the current parse
+ position to the end of the buffer. This means that the size of any
+ already-parsed data was not considered, leading to inconsistent buffer
+ growth.
+
+There was also a special case in XML_Parse() when XML_CONTEXT_BYTES was
+zero, where the buffer size would be set to twice the incoming string
+length. This patch replaces this with an XML_GetBuffer() call.
+
+Growing the buffer based on its total size makes its growth consistent.
+
+The commit includes a test that checks that we can reach the max buffer
+size (usually INT_MAX/2 + 1) regardless of previously parsed content.
+
+GitHub CI couldn't allocate the full 1GiB with MinGW/wine32, though it
+works locally with the same compiler and wine version. As a workaround,
+the test tries to malloc 1GiB, and reduces `maxbuf` to 512MiB in case
+of failure.
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/119ae277abaabd4d17b2e64300fec712ef403b28]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/xmlparse.c | 33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 2830c1e..81f9bb3 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1961,23 +1961,22 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) {
+ &parser->m_position);
+ nLeftOver = s + len - end;
+ if (nLeftOver) {
+- if (parser->m_buffer == NULL
+- || nLeftOver > parser->m_bufferLim - parser->m_buffer) {
+- /* avoid _signed_ integer overflow */
+- char *temp = NULL;
+- const int bytesToAllocate = (int)((unsigned)len * 2U);
+- if (bytesToAllocate > 0) {
+- temp = (char *)REALLOC(parser, parser->m_buffer, bytesToAllocate);
+- }
+- if (temp == NULL) {
+- parser->m_errorCode = XML_ERROR_NO_MEMORY;
+- parser->m_eventPtr = parser->m_eventEndPtr = NULL;
+- parser->m_processor = errorProcessor;
+- return XML_STATUS_ERROR;
+- }
+- parser->m_buffer = temp;
+- parser->m_bufferLim = parser->m_buffer + bytesToAllocate;
++ // Back up and restore the parsing status to avoid XML_ERROR_SUSPENDED
++ // (and XML_ERROR_FINISHED) from XML_GetBuffer.
++ const enum XML_Parsing originalStatus = parser->m_parsingStatus.parsing;
++ parser->m_parsingStatus.parsing = XML_PARSING;
++ void *const temp = XML_GetBuffer(parser, nLeftOver);
++ parser->m_parsingStatus.parsing = originalStatus;
++ if (temp == NULL) {
++ // NOTE: parser->m_errorCode has already been set by XML_GetBuffer().
++ parser->m_eventPtr = parser->m_eventEndPtr = NULL;
++ parser->m_processor = errorProcessor;
++ return XML_STATUS_ERROR;
+ }
++ // Since we know that the buffer was empty and XML_CONTEXT_BYTES is 0, we
++ // don't have any data to preserve, and can copy straight into the start
++ // of the buffer rather than the GetBuffer return pointer (which may be
++ // pointing further into the allocated buffer).
+ memcpy(parser->m_buffer, end, nLeftOver);
+ }
+ parser->m_bufferPtr = parser->m_buffer;
+@@ -2135,7 +2134,7 @@ XML_GetBuffer(XML_Parser parser, int len) {
+ } else {
+ char *newBuf;
+ int bufferSize
+- = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferPtr);
++ = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_buffer);
+ if (bufferSize == 0)
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+--
+2.40.0
+
diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb
index 31e989cfe2..b7b5cce925 100644
--- a/meta/recipes-core/expat/expat_2.5.0.bb
+++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -22,6 +22,18 @@ SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TA
file://CVE-2023-52426-009.patch \
file://CVE-2023-52426-010.patch \
file://CVE-2023-52426-011.patch \
+ file://CVE-2023-52425-0001.patch \
+ file://CVE-2023-52425-0002.patch \
+ file://CVE-2023-52425-0003.patch \
+ file://CVE-2023-52425-0004.patch \
+ file://CVE-2023-52425-0005.patch \
+ file://CVE-2023-52425-0006.patch \
+ file://CVE-2023-52425-0007.patch \
+ file://CVE-2023-52425-0008.patch \
+ file://CVE-2023-52425-0009.patch \
+ file://CVE-2023-52425-0010.patch \
+ file://CVE-2023-52425-0011.patch \
+ file://CVE-2023-52425-0012.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 4/9] curl: backport Debian patch for CVE-2024-2398
2024-04-03 3:46 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (2 preceding siblings ...)
2024-04-03 3:46 ` [OE-core][kirkstone 3/9] expat: fix CVE-2023-52425 Steve Sakoman
@ 2024-04-03 3:46 ` Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 5/9] qemu: Fix for CVE-2023-6683 Steve Sakoman
` (4 subsequent siblings)
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:46 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
import patch from ubuntu to fix
CVE-2024-2398
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Fjammy-security
Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../curl/curl/CVE-2024-2398.patch | 89 +++++++++++++++++++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
2 files changed, 90 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
new file mode 100644
index 0000000000..ea55117f4d
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
@@ -0,0 +1,89 @@
+Backport of:
+
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]
+CVE: CVE-2024-2398
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -555,6 +555,15 @@ static int set_transfer_url(struct Curl_
+ return 0;
+ }
+
++static void free_push_headers(struct HTTP *stream)
++{
++ size_t i;
++ for(i = 0; i<stream->push_headers_used; i++)
++ free(stream->push_headers[i]);
++ Curl_safefree(stream->push_headers);
++ stream->push_headers_used = 0;
++}
++
+ static int push_promise(struct Curl_easy *data,
+ struct connectdata *conn,
+ const nghttp2_push_promise *frame)
+@@ -568,7 +577,6 @@ static int push_promise(struct Curl_easy
+ struct curl_pushheaders heads;
+ CURLMcode rc;
+ struct http_conn *httpc;
+- size_t i;
+ /* clone the parent */
+ struct Curl_easy *newhandle = duphandle(data);
+ if(!newhandle) {
+@@ -604,11 +612,7 @@ static int push_promise(struct Curl_easy
+ Curl_set_in_callback(data, false);
+
+ /* free the headers again */
+- for(i = 0; i<stream->push_headers_used; i++)
+- free(stream->push_headers[i]);
+- free(stream->push_headers);
+- stream->push_headers = NULL;
+- stream->push_headers_used = 0;
++ free_push_headers(stream);
+
+ if(rv) {
+ DEBUGASSERT((rv > CURL_PUSH_OK) && (rv <= CURL_PUSH_ERROROUT));
+@@ -1045,10 +1049,10 @@ static int on_header(nghttp2_session *se
+ stream->push_headers_alloc) {
+ char **headp;
+ stream->push_headers_alloc *= 2;
+- headp = Curl_saferealloc(stream->push_headers,
+- stream->push_headers_alloc * sizeof(char *));
++ headp = realloc(stream->push_headers,
++ stream->push_headers_alloc * sizeof(char *));
+ if(!headp) {
+- stream->push_headers = NULL;
++ free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ stream->push_headers = headp;
+@@ -1214,15 +1218,7 @@ void Curl_http2_done(struct Curl_easy *d
+ setup */
+ Curl_dyn_free(&http->header_recvbuf);
+ Curl_dyn_free(&http->trailer_recvbuf);
+- if(http->push_headers) {
+- /* if they weren't used and then freed before */
+- for(; http->push_headers_used > 0; --http->push_headers_used) {
+- free(http->push_headers[http->push_headers_used - 1]);
+- }
+- free(http->push_headers);
+- http->push_headers = NULL;
+- }
+-
++ free_push_headers(http);
+ if(!(data->conn->handler->protocol&PROTO_FAMILY_HTTP) ||
+ !httpc->h2) /* not HTTP/2 ? */
+ return;
diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index 383cf415d9..72d8544e08 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -57,6 +57,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
file://CVE-2023-46219-0001.patch \
file://CVE-2023-46219-0002.patch \
file://CVE-2023-46219-0003.patch \
+ file://CVE-2024-2398.patch \
"
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 5/9] qemu: Fix for CVE-2023-6683
2024-04-03 3:46 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (3 preceding siblings ...)
2024-04-03 3:46 ` [OE-core][kirkstone 4/9] curl: backport Debian patch for CVE-2024-2398 Steve Sakoman
@ 2024-04-03 3:46 ` Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 6/9] tiff: fix CVE-2023-52356 CVE-2023-6277 Steve Sakoman
` (3 subsequent siblings)
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:46 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a
Reference: https://security-tracker.debian.org/tracker/CVE-2023-6683
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2023-6683.patch | 92 +++++++++++++++++++
2 files changed, 93 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index ad6b310137..4747310ae4 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -108,6 +108,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch \
file://scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch \
file://CVE-2023-42467.patch \
+ file://CVE-2023-6683.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
new file mode 100644
index 0000000000..e528574076
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
@@ -0,0 +1,92 @@
+From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001
+From: Fiona Ebner <f.ebner@proxmox.com>
+Date: Wed, 24 Jan 2024 11:57:48 +0100
+Subject: [PATCH] ui/clipboard: mark type as not available when there is no
+ data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT
+message with len=0. In qemu_clipboard_set_data(), the clipboard info
+will be updated setting data to NULL (because g_memdup(data, size)
+returns NULL when size is 0). If the client does not set the
+VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then
+the 'request' callback for the clipboard peer is not initialized.
+Later, because data is NULL, qemu_clipboard_request() can be reached
+via vdagent_chr_write() and vdagent_clipboard_recv_request() and
+there, the clipboard owner's 'request' callback will be attempted to
+be called, but that is a NULL pointer.
+
+In particular, this can happen when using the KRDC (22.12.3) VNC
+client.
+
+Another scenario leading to the same issue is with two clients (say
+noVNC and KRDC):
+
+The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and
+initializes its cbpeer.
+
+The KRDC client does not, but triggers a vnc_client_cut_text() (note
+it's not the _ext variant)). There, a new clipboard info with it as
+the 'owner' is created and via qemu_clipboard_set_data() is called,
+which in turn calls qemu_clipboard_update() with that info.
+
+In qemu_clipboard_update(), the notifier for the noVNC client will be
+called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the
+noVNC client. The 'owner' in that clipboard info is the clipboard peer
+for the KRDC client, which did not initialize the 'request' function.
+That sounds correct to me, it is the owner of that clipboard info.
+
+Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set
+the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it
+passes), that clipboard info is passed to qemu_clipboard_request() and
+the original segfault still happens.
+
+Fix the issue by handling updates with size 0 differently. In
+particular, mark in the clipboard info that the type is not available.
+
+While at it, switch to g_memdup2(), because g_memdup() is deprecated.
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2023-6683
+Reported-by: Markus Frank <m.frank@proxmox.com>
+Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Tested-by: Markus Frank <m.frank@proxmox.com>
+Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/405484b29f6548c7b86549b0f961b906337aa68a]
+CVE: CVE-2023-6683
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ ui/clipboard.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/ui/clipboard.c b/ui/clipboard.c
+index 3d14bffaf80..b3f6fa3c9e1 100644
+--- a/ui/clipboard.c
++++ b/ui/clipboard.c
+@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
+ }
+
+ g_free(info->types[type].data);
+- info->types[type].data = g_memdup(data, size);
+- info->types[type].size = size;
+- info->types[type].available = true;
++ if (size) {
++ info->types[type].data = g_memdup2(data, size);
++ info->types[type].size = size;
++ info->types[type].available = true;
++ } else {
++ info->types[type].data = NULL;
++ info->types[type].size = 0;
++ info->types[type].available = false;
++ }
+
+ if (update) {
+ qemu_clipboard_update(info);
+--
+GitLab
+
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 6/9] tiff: fix CVE-2023-52356 CVE-2023-6277
2024-04-03 3:46 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (4 preceding siblings ...)
2024-04-03 3:46 ` [OE-core][kirkstone 5/9] qemu: Fix for CVE-2023-6683 Steve Sakoman
@ 2024-04-03 3:46 ` Steve Sakoman
2024-04-03 3:47 ` [OE-core][kirkstone 7/9] python3-urllib3: update to v1.26.18 Steve Sakoman
` (2 subsequent siblings)
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:46 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
import patch from ubuntu to fix CVE-2023-52356 CVE-2023-6277
import from
http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libtiff/tiff/CVE-2023-52356.patch | 54 ++++++
.../libtiff/tiff/CVE-2023-6277-1.patch | 178 ++++++++++++++++++
.../libtiff/tiff/CVE-2023-6277-2.patch | 151 +++++++++++++++
.../libtiff/tiff/CVE-2023-6277-3.patch | 46 +++++
.../libtiff/tiff/CVE-2023-6277-4.patch | 93 +++++++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 5 +
6 files changed, 527 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
new file mode 100644
index 0000000000..4eb7d79c8f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
@@ -0,0 +1,54 @@
+CVE: CVE-2023-52356
+Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a
+ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 15:58:41 +0100
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+
+---
+ libtiff/tif_getimage.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+
+--- tiff-4.3.0.orig/libtiff/tif_getimage.c
++++ tiff-4.3.0/libtiff/tif_getimage.c
+@@ -2942,6 +2942,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32_t
+ }
+
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
++ if (row >= img.height)
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++ "Invalid row passed to TIFFReadRGBAStrip().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
+
+ img.row_offset = row;
+ img.col_offset = 0;
+@@ -3018,6 +3025,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32_t
+ return( 0 );
+ }
+
++ if (col >= img.width || row >= img.height)
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++ "Invalid row/col passed to TIFFReadRGBATile().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
++
+ /*
+ * The TIFFRGBAImageGet() function doesn't allow us to get off the
+ * edge of the image, even to fill an otherwise valid tile. So we
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
new file mode 100644
index 0000000000..453df897ac
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
@@ -0,0 +1,178 @@
+CVE: CVE-2023-6277
+Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
+ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 31 Oct 2023 15:43:29 +0000
+Subject: [PATCH] Prevent some out-of-memory attacks
+
+Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
+
+At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
+
+See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
+---
+ libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 90 insertions(+), 2 deletions(-)
+
+--- tiff-4.3.0.orig/libtiff/tif_dirread.c
++++ tiff-4.3.0/libtiff/tif_dirread.c
+@@ -866,6 +866,21 @@ static enum TIFFReadDirEntryErr TIFFRead
+ datasize=(*count)*typesize;
+ assert((tmsize_t)datasize>0);
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size.
++ */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
++
+ if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
+ return TIFFReadDirEntryErrIo;
+
+@@ -4593,6 +4608,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ if( !_TIFFFillStrilesInternal( tif, 0 ) )
+ return -1;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size. */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
++
+ if (td->td_stripbytecount_p)
+ _TIFFfree(td->td_stripbytecount_p);
+ td->td_stripbytecount_p = (uint64_t*)
+@@ -4603,9 +4632,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+
+ if (td->td_compression != COMPRESSION_NONE) {
+ uint64_t space;
+- uint64_t filesize;
+ uint16_t n;
+- filesize = TIFFGetFileSize(tif);
+ if (!(tif->tif_flags&TIFF_BIGTIFF))
+ space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
+ else
+@@ -4913,6 +4940,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
+ dircount16 = (uint16_t)dircount64;
+ dirsize = 20;
+ }
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
+ if (origdir == NULL)
+@@ -5016,6 +5057,20 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
+ "Sanity check on directory count failed, zero tag directories not supported");
+ return 0;
+ }
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize,
+ "to read TIFF directory");
+@@ -5059,6 +5114,8 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
+ }
+ }
+ }
++ /* No check against filesize needed here because "dir" should have same size
++ * than "origdir" checked above. */
+ dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
+ sizeof(TIFFDirEntry),
+ "to read TIFF directory");
+@@ -5853,6 +5910,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+ return(0);
+ }
+
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64_t filesize = TIFFGetFileSize(tif);
++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfree(data);
++ return (0);
++ }
+ resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
+ if (resizeddata==0) {
+ _TIFFfree(data);
+@@ -5948,6 +6019,23 @@ static void allocChoppedUpStripArrays(TI
+ }
+ bytecount = last_offset + last_bytecount - offset;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of StripByteCount and StripOffset tags is not greater than
++ * file size.
++ */
++ uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
++ uint64_t filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
++
+ newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
+ "for chopped \"StripByteCounts\" array");
+ newoffsets = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch
new file mode 100644
index 0000000000..ad39c1c4dd
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch
@@ -0,0 +1,151 @@
+CVE: CVE-2023-6277
+Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa
+ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 19:47:22 +0100
+Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
+ RAM requests
+
+Ammends 5320c9d89c054fa805d037d84c57da874470b01a
+
+This fixes a performance regression caught by the GDAL regression test
+suite.
+---
+ libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------
+ 1 file changed, 48 insertions(+), 35 deletions(-)
+
+--- tiff-4.3.0.orig/libtiff/tif_dirread.c
++++ tiff-4.3.0/libtiff/tif_dirread.c
+@@ -866,19 +866,22 @@ static enum TIFFReadDirEntryErr TIFFRead
+ datasize=(*count)*typesize;
+ assert((tmsize_t)datasize>0);
+
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size.
+- */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- if (datasize > filesize)
++ if (datasize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+- "Requested memory size for tag %d (0x%x) %" PRIu32
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, tag not read",
+- direntry->tdir_tag, direntry->tdir_tag, datasize,
+- filesize);
+- return (TIFFReadDirEntryErrAlloc);
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size.
++ */
++ const uint64_t filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
+ }
+
+ if( isMapped(tif) && datasize > (uint64_t)tif->tif_size )
+@@ -4608,18 +4611,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ if( !_TIFFFillStrilesInternal( tif, 0 ) )
+ return -1;
+
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size. */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
+- if (allocsize > filesize)
++ const uint64_t allocsize = (uint64_t)td->td_nstrips * sizeof(uint64_t);
++ uint64_t filesize = 0;
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, module,
+- "Requested memory size for StripByteCounts of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return -1;
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greater than filesize %" PRIu64 ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
+ }
+
+ if (td->td_stripbytecount_p)
+@@ -4666,11 +4673,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ return -1;
+ space+=datasize;
+ }
++ if (filesize == 0)
++ filesize = TIFFGetFileSize(tif);
+ if( filesize < space )
+- /* we should perhaps return in error ? */
+- space = filesize;
+- else
+- space = filesize - space;
++ /* we should perhaps return in error ? */
++ space = filesize;
++ else
++ space = filesize - space;
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+ space /= td->td_samplesperpixel;
+ for (strip = 0; strip < td->td_nstrips; strip++)
+@@ -4940,19 +4949,23 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
+ dircount16 = (uint16_t)dircount64;
+ dirsize = 20;
+ }
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+- if (allocsize > filesize)
++ const uint64_t allocsize = (uint64_t)dircount16 * dirsize;
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(
+- tif->tif_clientdata, module,
+- "Requested memory size for TIFF directory of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, TIFF directory not read",
+- allocsize, filesize);
+- return 0;
++ /* Before allocating a huge amount of memory for corrupted files,
++ * check if size of requested memory is not greater than file size.
++ */
++ const uint64_t filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch
new file mode 100644
index 0000000000..71eba2f34e
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch
@@ -0,0 +1,46 @@
+CVE: CVE-2023-6277
+Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3
+ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+Backport of:
+
+From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 20:13:45 +0100
+Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize
+ check
+
+CoverityScan rightly points that the max value for dircount16 * dirsize
+is 4096 * 20. That's small enough not to do any check
+---
+ libtiff/tif_dirread.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+--- tiff-4.3.0.orig/libtiff/tif_dirread.c
++++ tiff-4.3.0/libtiff/tif_dirread.c
+@@ -4949,24 +4949,6 @@ TIFFFetchDirectory(TIFF* tif, uint64_t d
+ dircount16 = (uint16_t)dircount64;
+ dirsize = 20;
+ }
+- const uint64_t allocsize = (uint64_t)dircount16 * dirsize;
+- if (allocsize > 100 * 1024 * 1024)
+- {
+- /* Before allocating a huge amount of memory for corrupted files,
+- * check if size of requested memory is not greater than file size.
+- */
+- const uint64_t filesize = TIFFGetFileSize(tif);
+- if (allocsize > filesize)
+- {
+- TIFFWarningExt(
+- tif->tif_clientdata, module,
+- "Requested memory size for TIFF directory of %" PRIu64
+- " is greater than filesize %" PRIu64
+- ". Memory not allocated, TIFF directory not read",
+- allocsize, filesize);
+- return 0;
+- }
+- }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
+ if (origdir == NULL)
diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch
new file mode 100644
index 0000000000..61f48726e4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch
@@ -0,0 +1,93 @@
+CVE: CVE-2023-6277
+Upstream-Status: Backport [upstream : https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a
+ubuntu : http://archive.ubuntu.com/ubuntu/pool/main/t/tiff/tiff_4.3.0-6ubuntu0.8.debian.tar.xz ]
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 21:30:58 +0100
+Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
+ RAM requests
+
+---
+ libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------
+ 1 file changed, 31 insertions(+), 23 deletions(-)
+
+--- tiff-4.3.0.orig/libtiff/tif_dirread.c
++++ tiff-4.3.0/libtiff/tif_dirread.c
+@@ -5905,19 +5905,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+ return(0);
+ }
+
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64_t filesize = TIFFGetFileSize(tif);
+- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
+- if (allocsize > filesize)
++ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t);
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, module,
+- "Requested memory size for StripArray of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- _TIFFfree(data);
+- return (0);
++ /* Before allocating a huge amount of memory for corrupted files,
++ * check if size of requested memory is not greater than file size.
++ */
++ const uint64_t filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfree(data);
++ return (0);
++ }
+ }
+ resizeddata=(uint64_t*)_TIFFCheckMalloc(tif, nstrips, sizeof(uint64_t), "for strip array");
+ if (resizeddata==0) {
+@@ -6018,17 +6023,20 @@ static void allocChoppedUpStripArrays(TI
+ * size of StripByteCount and StripOffset tags is not greater than
+ * file size.
+ */
+- uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
+- uint64_t filesize = TIFFGetFileSize(tif);
+- if (allocsize > filesize)
++ const uint64_t allocsize = (uint64_t)nstrips * sizeof(uint64_t) * 2;
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+- "Requested memory size for StripByteCount and "
+- "StripOffsets %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return;
++ const uint64_t filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
+ }
+
+ newcounts = (uint64_t*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64_t),
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index d284100ab2..b4af179e76 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -48,6 +48,11 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-40745.patch \
file://CVE-2023-41175.patch \
file://CVE-2023-6228.patch \
+ file://CVE-2023-52356.patch \
+ file://CVE-2023-6277-1.patch \
+ file://CVE-2023-6277-2.patch \
+ file://CVE-2023-6277-3.patch \
+ file://CVE-2023-6277-4.patch \
"
SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 7/9] python3-urllib3: update to v1.26.18
2024-04-03 3:46 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (5 preceding siblings ...)
2024-04-03 3:46 ` [OE-core][kirkstone 6/9] tiff: fix CVE-2023-52356 CVE-2023-6277 Steve Sakoman
@ 2024-04-03 3:47 ` Steve Sakoman
2024-04-03 3:47 ` [OE-core][kirkstone 8/9] gcc: Backport sanitizer fix for 32-bit ALSR Steve Sakoman
2024-04-03 3:47 ` [OE-core][kirkstone 9/9] common-licenses: Backport missing license Steve Sakoman
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:47 UTC (permalink / raw)
To: openembedded-core
From: Tan Wen Yan <wen.yan.tan@intel.com>
https://github.com/urllib3/urllib3/releases/tag/1.26.18
Major changes in python3-urllib3 1.26.18:
- Made body stripped from HTTP requests changing the request method to GET after HTTP 303 "See Other" redirect responses. (CVE-2023-45803)
(cherry picked from OE-Core rev: 74da05b63634c248910594456dae286947f33da5)
Signed-off-by: Tan Wen Yan <wen.yan.tan@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-devtools/python/{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} (86%)
diff --git a/meta/recipes-devtools/python/python3-urllib3_1.26.17.bb b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
similarity index 86%
rename from meta/recipes-devtools/python/python3-urllib3_1.26.17.bb
rename to meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
index 57b166870a..d384b5eb2f 100644
--- a/meta/recipes-devtools/python/python3-urllib3_1.26.17.bb
+++ b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/shazow/urllib3"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c2823cb995439c984fd62a973d79815c"
-SRC_URI[sha256sum] = "24d6a242c28d29af46c3fae832c36db3bbebcc533dd1bb549172cd739c82df21"
+SRC_URI[sha256sum] = "f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e328580a0"
inherit pypi setuptools3
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 8/9] gcc: Backport sanitizer fix for 32-bit ALSR
2024-04-03 3:46 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (6 preceding siblings ...)
2024-04-03 3:47 ` [OE-core][kirkstone 7/9] python3-urllib3: update to v1.26.18 Steve Sakoman
@ 2024-04-03 3:47 ` Steve Sakoman
2024-04-03 3:47 ` [OE-core][kirkstone 9/9] common-licenses: Backport missing license Steve Sakoman
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:47 UTC (permalink / raw)
To: openembedded-core
From: Claus Stovgaard <claus.stovgaard@gmail.com>
When using the gcc-sanitizers as part of the SDK on a Linux with a newer
kernel, the ASAN fails randomly. This was seen on Ubuntu 22.04.
This is also described at
https://stackoverflow.com/questions/77894856/possible-bug-in-gcc-sanitizers
Backport the fix from LLVM project, as gcc has not yet backported
anything for the 11 series.
Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/gcc/gcc-11.4.inc | 1 +
.../gcc/gcc/0031-gcc-sanitizers-fix.patch | 63 +++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch
diff --git a/meta/recipes-devtools/gcc/gcc-11.4.inc b/meta/recipes-devtools/gcc/gcc-11.4.inc
index 88310e6b79..fd6a3e92e3 100644
--- a/meta/recipes-devtools/gcc/gcc-11.4.inc
+++ b/meta/recipes-devtools/gcc/gcc-11.4.inc
@@ -59,6 +59,7 @@ SRC_URI = "\
file://0028-debug-101473-apply-debug-prefix-maps-before-checksum.patch \
file://0029-Fix-install-path-of-linux64.h.patch \
file://0030-rust-recursion-limit.patch \
+ file://0031-gcc-sanitizers-fix.patch \
file://0001-CVE-2021-42574.patch \
file://0002-CVE-2021-42574.patch \
file://0003-CVE-2021-42574.patch \
diff --git a/meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch b/meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch
new file mode 100644
index 0000000000..d63618132a
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch
@@ -0,0 +1,63 @@
+From fb77ca05ffb4f8e666878f2f6718a9fb4d686839 Mon Sep 17 00:00:00 2001
+From: Thurston Dang <thurston@google.com>
+Date: Thu, 13 Apr 2023 23:55:01 +0000
+Subject: [PATCH] Re-land 'ASan: move allocator base to avoid conflict with
+ high-entropy ASLR for x86-64 Linux'
+
+D147984 was reverted because it broke lit tests on Mac. This revision is based on D147984
+but maintains the old behavior for Apple.
+
+Note that, per the follow-up discussion with MaskRay in D147984, this patch excludes Apple
+but includes other platforms (e.g., aarch64, MIPS64) and OSes (e.g., FreeBSD, S390X), not just
+x86-64 Linux.
+
+Original commit message from D147984:
+
+Users have discovered [*] that when CONFIG_ARCH_MMAP_RND_BITS == 32,
+it will frequently conflict with ASan's allocator on x86-64 Linux, because the
+PIE program segment base address of 0x555555555554 plus an ASLR shift of up to
+((2**32) * 4K == 0x100000000000) will sometimes exceed ASan's hardcoded
+base address of 0x600000000000. We fix this by simply moving the allocator base
+to 0x500000000000, which is below the PIE program segment base address. This is
+cleaner than trying to move it to another location that is sandwiched between
+the PIE program and library segments, because if either of those grow too large,
+it will collide with the allocator region.
+
+Note that we will never need to change this base address again (unless we want to increase
+the size of the allocator), because ASLR cannot be set above 32-bits for x86-64 Linux (the
+PIE program segment and library segments would collide with each other; see also
+ARCH_MMAP_RND_BITS_MAX in https://github.com/torvalds/linux/blob/master/arch/x86/Kconfig).
+
+[*] see https://b.corp.google.com/issues/276925478
+and https://groups.google.com/a/google.com/g/chrome-os-gardeners/c/BbfzCP3dEeo/m/h3C_vVUxCQAJ
+
+Differential Revision: https://reviews.llvm.org/D148280
+
+Upstream-Status: Backport from llvm-project: https://github.com/llvm/llvm-project/commit/fb77ca05ffb4f8e666878f2f6718a9fb4d686839
+Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
+---
+ libsanitizer/asan/asan_allocator.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/libsanitizer/asan/asan_allocator.h b/libsanitizer/asan/asan_allocator.h
+index 0b4dbf03bb9d53..6a12a6c6025283 100644
+--- a/libsanitizer/asan/asan_allocator.h
++++ b/libsanitizer/asan/asan_allocator.h
+@@ -143,11 +143,15 @@ typedef DefaultSizeClassMap SizeClassMap;
+ const uptr kAllocatorSpace = ~(uptr)0;
+ const uptr kAllocatorSize = 0x8000000000ULL; // 500G
+ typedef DefaultSizeClassMap SizeClassMap;
+-# else
++# elif SANITIZER_APPLE
+ const uptr kAllocatorSpace = 0x600000000000ULL;
+ const uptr kAllocatorSize = 0x40000000000ULL; // 4T.
+ typedef DefaultSizeClassMap SizeClassMap;
+-# endif
++# else
++const uptr kAllocatorSpace = 0x500000000000ULL;
++const uptr kAllocatorSize = 0x40000000000ULL; // 4T.
++typedef DefaultSizeClassMap SizeClassMap;
++# endif
+ template <typename AddressSpaceViewTy>
+ struct AP64 { // Allocator64 parameters. Deliberately using a short name.
+ static const uptr kSpaceBeg = kAllocatorSpace;
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 9/9] common-licenses: Backport missing license
2024-04-03 3:46 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (7 preceding siblings ...)
2024-04-03 3:47 ` [OE-core][kirkstone 8/9] gcc: Backport sanitizer fix for 32-bit ALSR Steve Sakoman
@ 2024-04-03 3:47 ` Steve Sakoman
8 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:47 UTC (permalink / raw)
To: openembedded-core
From: Colin McAllister <colin.mcallister@garmin.com>
Backports missing license from master to kirkstone.
Signed-off-by: Colin McAllister <colin.mcallister@garmin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../LGPL-3.0-with-zeromq-exception | 181 ++++++++++++++++++
1 file changed, 181 insertions(+)
create mode 100644 meta/files/common-licenses/LGPL-3.0-with-zeromq-exception
diff --git a/meta/files/common-licenses/LGPL-3.0-with-zeromq-exception b/meta/files/common-licenses/LGPL-3.0-with-zeromq-exception
new file mode 100644
index 0000000000..02e943c4ac
--- /dev/null
+++ b/meta/files/common-licenses/LGPL-3.0-with-zeromq-exception
@@ -0,0 +1,181 @@
+ GNU LESSER GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+ This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+ 0. Additional Definitions.
+
+ As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+ "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+ An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+ A "Combined Work" is a work produced by combining or linking an
+Application with the Library. The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+ The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+ The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+ 1. Exception to Section 3 of the GNU GPL.
+
+ You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+ 2. Conveying Modified Versions.
+
+ If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+ a) under this License, provided that you make a good faith effort to
+ ensure that, in the event an Application does not supply the
+ function or data, the facility still operates, and performs
+ whatever part of its purpose remains meaningful, or
+
+ b) under the GNU GPL, with none of the additional permissions of
+ this License applicable to that copy.
+
+ 3. Object Code Incorporating Material from Library Header Files.
+
+ The object code form of an Application may incorporate material from
+a header file that is part of the Library. You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+ a) Give prominent notice with each copy of the object code that the
+ Library is used in it and that the Library and its use are
+ covered by this License.
+
+ b) Accompany the object code with a copy of the GNU GPL and this license
+ document.
+
+ 4. Combined Works.
+
+ You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+ a) Give prominent notice with each copy of the Combined Work that
+ the Library is used in it and that the Library and its use are
+ covered by this License.
+
+ b) Accompany the Combined Work with a copy of the GNU GPL and this license
+ document.
+
+ c) For a Combined Work that displays copyright notices during
+ execution, include the copyright notice for the Library among
+ these notices, as well as a reference directing the user to the
+ copies of the GNU GPL and this license document.
+
+ d) Do one of the following:
+
+ 0) Convey the Minimal Corresponding Source under the terms of this
+ License, and the Corresponding Application Code in a form
+ suitable for, and under terms that permit, the user to
+ recombine or relink the Application with a modified version of
+ the Linked Version to produce a modified Combined Work, in the
+ manner specified by section 6 of the GNU GPL for conveying
+ Corresponding Source.
+
+ 1) Use a suitable shared library mechanism for linking with the
+ Library. A suitable mechanism is one that (a) uses at run time
+ a copy of the Library already present on the user's computer
+ system, and (b) will operate properly with a modified version
+ of the Library that is interface-compatible with the Linked
+ Version.
+
+ e) Provide Installation Information, but only if you would otherwise
+ be required to provide such information under section 6 of the
+ GNU GPL, and only to the extent that such information is
+ necessary to install and execute a modified version of the
+ Combined Work produced by recombining or relinking the
+ Application with a modified version of the Linked Version. (If
+ you use option 4d0, the Installation Information must accompany
+ the Minimal Corresponding Source and Corresponding Application
+ Code. If you use option 4d1, you must provide the Installation
+ Information in the manner specified by section 6 of the GNU GPL
+ for conveying Corresponding Source.)
+
+ 5. Combined Libraries.
+
+ You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+ a) Accompany the combined library with a copy of the same work based
+ on the Library, uncombined with any other library facilities,
+ conveyed under the terms of this License.
+
+ b) Give prominent notice with the combined library that part of it
+ is a work based on the Library, and explaining where to find the
+ accompanying uncombined form of the same work.
+
+ 6. Revised Versions of the GNU Lesser General Public License.
+
+ The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+ If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.
+
+--------------------------------------------------------------------------------
+
+ SPECIAL EXCEPTION GRANTED BY COPYRIGHT HOLDERS
+
+As a special exception, copyright holders give you permission to link this
+library with independent modules to produce an executable, regardless of
+the license terms of these independent modules, and to copy and distribute
+the resulting executable under terms of your choice, provided that you also
+meet, for each linked independent module, the terms and conditions of
+the license of that module. An independent module is a module which is not
+derived from or based on this library. If you modify this library, you must
+extend this exception to your version of the library.
+
+Note: this exception relieves you of any obligations under sections 4 and 5
+of this license, and section 6 of the GNU General Public License.
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2024-06-22 11:57 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-06-22 11:57 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and hjave comments back by
end of day Tuesday, June 25
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7065
The following changes since commit ab2649ef6c83f0ae7cac554a72e6bea4dcda0e99:
build-appliance-image: Update to kirkstone head revision (2024-06-01 19:12:27 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Changqing Li (1):
man-pages: remove conflict pages
Deepthi Hemraj (1):
glibc: stable 2.35 branch updates
Khem Raj (1):
gobject-introspection: Do not hardcode objdump name
Peter Marko (1):
glib-2.0: patch CVE-2024-34397
Siddharth (1):
openssl: Upgrade 3.0.13 -> 3.0.14
Siddharth Doshi (1):
libxml2: Security fix for CVE-2024-34459
Thomas Perrot (1):
man-pages: add an alternative link name for crypt_r.3
Yogita Urade (2):
acpica: fix CVE-2024-24856
ruby: fix CVE-2024-27280
.../openssl/openssl/CVE-2024-2511.patch | 122 ---
.../openssl/openssl/CVE-2024-4603.patch | 180 ----
.../{openssl_3.0.13.bb => openssl_3.0.14.bb} | 4 +-
.../glib-2.0/glib-2.0/CVE-2024-34397_01.patch | 129 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_02.patch | 62 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_03.patch | 985 ++++++++++++++++++
.../glib-2.0/glib-2.0/CVE-2024-34397_04.patch | 253 +++++
.../glib-2.0/glib-2.0/CVE-2024-34397_05.patch | 88 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_06.patch | 263 +++++
.../glib-2.0/glib-2.0/CVE-2024-34397_07.patch | 45 +
.../glib-2.0/glib-2.0/CVE-2024-34397_08.patch | 168 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_09.patch | 81 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_10.patch | 108 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_11.patch | 133 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_12.patch | 173 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_13.patch | 513 +++++++++
.../glib-2.0/glib-2.0/CVE-2024-34397_14.patch | 75 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_15.patch | 47 +
.../glib-2.0/glib-2.0/CVE-2024-34397_16.patch | 62 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_17.patch | 121 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_18.patch | 50 +
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 18 +
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../libxml/libxml2/CVE-2024-34459.patch | 30 +
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
.../ruby/ruby/CVE-2024-27280.patch | 87 ++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 +
.../acpica/acpica/CVE-2024-24856.patch | 33 +
.../acpica/acpica_20211217.bb | 4 +-
.../man-pages/man-pages_5.13.bb | 12 +-
.../gobject-introspection_1.72.0.bb | 2 +-
31 files changed, 3536 insertions(+), 316 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
rename meta/recipes-connectivity/openssl/{openssl_3.0.13.bb => openssl_3.0.14.bb} (98%)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_02.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_03.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_04.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_05.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_06.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_07.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_08.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_09.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_10.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_11.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_12.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_13.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_14.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_15.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_16.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_17.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_18.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-34459.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch
create mode 100644 meta/recipes-extended/acpica/acpica/CVE-2024-24856.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2024-12-17 20:54 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-12-17 20:54 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, December 19
Passed a-full on autobuilder:
https://valkyrie.yoctoproject.org/#/builders/29/builds/663
The following changes since commit b132b817f5931b290e5348dd4a17fbfdc5c6e2c4:
dbus: disable assertions and enable only modular tests (2024-12-10 05:38:29 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alex Kiernan (1):
base-passwd: Add the sgx group
Alexandre Belloni (1):
base-passwd: fix patchreview warning
Ernst Persson (1):
package.bbclass: Use shlex instead of deprecated pipes
Jiaying Song (1):
subversion: fix CVE-2024-46901
Louis Rannou (1):
base-passwd: add the wheel group
Peter Kjellerstedt (3):
base-passwd: Regenerate the patches
base-passwd: Update to 3.5.52
base-passwd: Update the status for two patches
Yogita Urade (1):
xserver-xorg: fix CVE-2024-9632
meta/classes/package.bbclass | 4 +-
.../0001-Add-a-shutdown-group.patch | 26 +++
.../0001-base-passwd-Add-the-sgx-group.patch | 30 ++++
...nstead-of-bin-bash-for-the-root-user.patch | 23 +++
...t-since-we-do-not-have-an-etc-shadow.patch | 21 +++
...put-group-for-the-dev-input-devices.patch} | 17 +-
.../{kvm.patch => 0005-Add-kvm-group.patch} | 2 +-
...ble-to-build-without-debconf-support.patch | 129 ++++++++++++++
...-to-disable-the-generation-of-the-do.patch | 46 +++++
.../base-passwd/0008-Add-wheel-group.patch | 20 +++
.../base-passwd/add_shutdown.patch | 19 ---
.../base-passwd/disable-docs.patch | 24 ---
.../base-passwd/disable-shell.patch | 57 -------
.../base-passwd/base-passwd/nobash.patch | 15 --
.../base-passwd/base-passwd/noshadow.patch | 14 --
...passwd_3.5.29.bb => base-passwd_3.5.52.bb} | 30 ++--
.../subversion/CVE-2024-46901.patch | 161 ++++++++++++++++++
.../subversion/subversion_1.14.2.bb | 3 +-
.../xserver-xorg/CVE-2024-9632.patch | 58 +++++++
.../xorg-xserver/xserver-xorg_21.1.8.bb | 1 +
20 files changed, 547 insertions(+), 153 deletions(-)
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-Add-a-shutdown-group.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0002-Use-bin-sh-instead-of-bin-bash-for-the-root-user.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0003-Remove-for-root-since-we-do-not-have-an-etc-shadow.patch
rename meta/recipes-core/base-passwd/base-passwd/{input.patch => 0004-Add-an-input-group-for-the-dev-input-devices.patch} (42%)
rename meta/recipes-core/base-passwd/base-passwd/{kvm.patch => 0005-Add-kvm-group.patch} (88%)
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0006-Make-it-possible-to-build-without-debconf-support.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0007-Make-it-possible-to-disable-the-generation-of-the-do.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0008-Add-wheel-group.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/add_shutdown.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-docs.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/nobash.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/noshadow.patch
rename meta/recipes-core/base-passwd/{base-passwd_3.5.29.bb => base-passwd_3.5.52.bb} (79%)
create mode 100644 meta/recipes-devtools/subversion/subversion/CVE-2024-46901.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-9632.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2025-07-04 15:28 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, July 8
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1949
The following changes since commit 75e54301c5076eb0454aee33c870adf078f563fd:
build-appliance-image: Update to kirkstone head revision (2025-06-27 08:10:04 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (6):
xwayland: fix CVE-2025-49175
xwayland: fix CVE-2025-49176
xwayland: fix CVE-2025-49177
xwayland: fix CVE-2025-49178
xwayland: fix CVE-2025-49178
xwayland: fix CVE-2025-49180
Chen Qi (1):
systemd: backport patches to fix CVE-2025-4598
Colin Pinnell McAllister (1):
libarchive: Fix CVE-2025-5914
Yogita Urade (1):
python3-urllib3: fix CVE-2025-50181
.../systemd/systemd/CVE-2025-4598-0001.patch | 92 ++++++++
.../systemd/systemd/CVE-2025-4598-0002.patch | 106 +++++++++
.../systemd/systemd/CVE-2025-4598-0003.patch | 144 ++++++++++++
.../systemd/systemd/CVE-2025-4598-0004.patch | 36 +++
meta/recipes-core/systemd/systemd_250.14.bb | 4 +
.../python3-urllib3/CVE-2025-50181.patch | 214 ++++++++++++++++++
.../python/python3-urllib3_1.26.18.bb | 4 +
.../libarchive/libarchive/CVE-2025-5914.patch | 46 ++++
.../libarchive/libarchive_3.6.2.bb | 1 +
.../xwayland/xwayland/CVE-2025-49175.patch | 92 ++++++++
.../xwayland/CVE-2025-49176-0001.patch | 93 ++++++++
.../xwayland/CVE-2025-49176-0002.patch | 38 ++++
.../xwayland/xwayland/CVE-2025-49177.patch | 55 +++++
.../xwayland/xwayland/CVE-2025-49178.patch | 50 ++++
.../xwayland/xwayland/CVE-2025-49179.patch | 69 ++++++
.../xwayland/xwayland/CVE-2025-49180.patch | 45 ++++
.../xwayland/xwayland_22.1.8.bb | 7 +
17 files changed, 1096 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch
create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
--
2.43.0
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2025-08-19 20:49 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, August 21
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2236
The following changes since commit 3d1c037a7cb7858a4e3c33a94f5d343a81aac5f7:
go-helloworld: fix license (2025-08-12 09:57:24 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Dan McGregor (1):
systemd: Fix manpage build after CVE-2025-4598
Hitendra Prajapati (3):
gstreamer1.0-plugins-base: fix CVE-2025-47806 & CVE-2025-47808
gstreamer1.0-plugins-good: fix CVE-2025-47183 & CVE-2025-47219
git: fix CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835
Peter Marko (1):
glib-2.0: ignore CVE-2025-4056
Vijay Anusuri (3):
xserver-xorg: Fix for CVE-2025-49175
xserver-xorg: Fix for CVE-2025-49176
xserver-xorg: Fix for CVE-2025-49177
Youngseok Jeong (1):
libubootenv: backport patch to fix unknown type name 'size_t'
...-Include-cstddef-in-the-header-for-C.patch | 27 +
meta/recipes-bsp/u-boot/libubootenv_0.3.2.bb | 6 +-
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 3 +
.../systemd/systemd/CVE-2025-4598-0003.patch | 7 +-
...-27613-CVE-2025-46334-CVE-2025-46835.patch | 2500 +++++++++++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 1 +
.../xserver-xorg/CVE-2025-49175.patch | 91 +
.../xserver-xorg/CVE-2025-49176-1.patch | 92 +
.../xserver-xorg/CVE-2025-49176-2.patch | 37 +
.../xserver-xorg/CVE-2025-49177.patch | 54 +
.../xorg-xserver/xserver-xorg_21.1.8.bb | 4 +
.../CVE-2025-47806.patch | 50 +
.../CVE-2025-47808.patch | 36 +
.../gstreamer1.0-plugins-base_1.20.7.bb | 2 +
.../CVE-2025-47183-001.patch | 151 +
.../CVE-2025-47183-002.patch | 80 +
.../CVE-2025-47219.patch | 40 +
.../gstreamer1.0-plugins-good_1.20.7.bb | 3 +
18 files changed, 3179 insertions(+), 5 deletions(-)
create mode 100644 meta/recipes-bsp/u-boot/files/0001-Include-cstddef-in-the-header-for-C.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49175.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-2.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49177.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47806.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47808.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-001.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-002.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47219.patch
--
2.43.0
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2025-08-26 13:44 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-08-26 13:44 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, August 28
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2267
The following changes since commit e401a16d8e26d25cec95fcea98d6530036cffca1:
libubootenv: backport patch to fix unknown type name 'size_t' (2025-08-19 10:14:55 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Hitendra Prajapati (1):
gstreamer1.0-plugins-base: fix CVE-2025-47807
Jiaying Song (1):
openssl: fix CVE-2023-50781
Peter Marko (4):
qemu: ignore CVE-2024-7730
glib-2.0: patch CVE-2025-7039
dpkg: patch CVE-2025-6297
libarchive: patch regression of patch for CVE-2025-5918
Vijay Anusuri (3):
xserver-xorg: Fix for CVE-2025-49178
xserver-xorg: Fix for CVE-2025-49179
xserver-xorg: Fix for CVE-2025-49180
.../openssl/openssl/CVE-2023-50781-1.patch | 618 ++++++++++++++++++
.../openssl/openssl/CVE-2023-50781-2.patch | 358 ++++++++++
.../openssl/openssl/CVE-2023-50781-3.patch | 41 ++
.../openssl/openssl/CVE-2023-50781-4.patch | 441 +++++++++++++
.../openssl/openssl/CVE-2023-50781-5.patch | 284 ++++++++
.../openssl/openssl/CVE-2023-50781-6.patch | 57 ++
.../openssl/openssl_3.0.17.bb | 8 +-
.../glib-2.0/glib-2.0/CVE-2025-7039-01.patch | 40 ++
.../glib-2.0/glib-2.0/CVE-2025-7039-02.patch | 43 ++
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 2 +
.../dpkg/dpkg/CVE-2025-6297.patch | 125 ++++
meta/recipes-devtools/dpkg/dpkg_1.21.4.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 3 +
...2025-5918.patch => CVE-2025-5918-01.patch} | 0
.../libarchive/CVE-2025-5918-02.patch | 51 ++
.../libarchive/libarchive_3.6.2.bb | 3 +-
.../xserver-xorg/CVE-2025-49178.patch | 49 ++
.../xserver-xorg/CVE-2025-49179.patch | 67 ++
.../xserver-xorg/CVE-2025-49180-1.patch | 44 ++
.../xserver-xorg/CVE-2025-49180-2.patch | 52 ++
.../xorg-xserver/xserver-xorg_21.1.8.bb | 4 +
.../CVE-2025-47807.patch | 49 ++
.../gstreamer1.0-plugins-base_1.20.7.bb | 1 +
23 files changed, 2339 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-4.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-5.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-6.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-02.patch
create mode 100644 meta/recipes-devtools/dpkg/dpkg/CVE-2025-6297.patch
rename meta/recipes-extended/libarchive/libarchive/{CVE-2025-5918.patch => CVE-2025-5918-01.patch} (100%)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-02.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47807.patch
--
2.43.0
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2025-09-03 16:14 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-09-03 16:14 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, September 5
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2309
The following changes since commit 36cf6bb39df081b27306d27b20155995b73e1a01:
Revert "sqlite3: patch CVE-2025-7458" (2025-09-01 08:18:45 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Deepak Rathore (1):
default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue
Kyungjik Min (1):
pulseaudio: Add audio group explicitly
Mingli Yu (1):
vim: not adjust script pathnames for native scripts either
Peter Marko (2):
vim: upgrade 9.1.1198 -> 9.1.1652
sudo: remove devtool FIXME comment
Praveen Kumar (1):
git: fix CVE-2025-48384
Yogita Urade (3):
tiff: fix CVE-2024-13978
tiff: fix CVE-2025-8534
tiff: fix CVE-2025-8851
meta-selftest/files/static-group | 1 +
.../distro/include/default-distrovars.inc | 2 +-
meta/lib/oeqa/sdk/buildtools-cases/https.py | 4 +-
.../git/git/CVE-2025-48384.patch | 85 +++++++++++++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 1 +
meta/recipes-extended/sudo/sudo_1.9.17p1.bb | 52 ------------
.../libtiff/tiff/CVE-2024-13978.patch | 47 ++++++++++
.../libtiff/tiff/CVE-2025-8534.patch | 60 +++++++++++++
.../libtiff/tiff/CVE-2025-8851.patch | 71 ++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 3 +
.../pulseaudio/pulseaudio.inc | 2 +-
...src-Makefile-improve-reproducibility.patch | 10 +--
.../vim/files/disable_acl_header_check.patch | 12 +--
.../vim/files/no-path-adjust.patch | 35 +++++---
meta/recipes-support/vim/vim.inc | 7 +-
15 files changed, 308 insertions(+), 84 deletions(-)
create mode 100644 meta/recipes-devtools/git/git/CVE-2025-48384.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch
--
2.43.0
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][kirkstone 0/9] Patch review
@ 2025-11-25 20:54 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-11-25 20:54 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, November 27
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2776
The following changes since commit ff72b41a3f0bf1820405b8782f0d125cd10e3406:
oe-build-perf-report: relax metadata matching rules (2025-11-19 08:28:19 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Divya Chellam (3):
ruby: fix CVE-2024-35176
ruby: fix CVE-2024-39908
ruby: fix CVE-2024-41123
Gyorgy Sarvari (1):
flac: patch seeking bug
Peter Marko (3):
libarchive: patch 3.8.3 security issue 1
libarchive: patch 3.8.3 security issue 2
libarchive: patch CVE-2025-60753
Praveen Kumar (1):
python3: fix CVE-2025-6075
Vijay Anusuri (1):
python3-idna: Fix CVE-2024-3651
.../python/python3-idna/CVE-2024-3651.patch | 2484 +++++++++++++++++
.../python/python3-idna_3.3.bb | 2 +
.../python/python3/CVE-2025-6075.patch | 364 +++
.../python/python3_3.10.19.bb | 1 +
.../ruby/ruby/CVE-2024-35176.patch | 112 +
.../ruby/ruby/CVE-2024-39908-0001.patch | 46 +
.../ruby/ruby/CVE-2024-39908-0002.patch | 130 +
.../ruby/ruby/CVE-2024-39908-0003.patch | 46 +
.../ruby/ruby/CVE-2024-39908-0004.patch | 76 +
.../ruby/ruby/CVE-2024-39908-0005.patch | 87 +
.../ruby/ruby/CVE-2024-39908-0006.patch | 44 +
.../ruby/ruby/CVE-2024-39908-0007.patch | 44 +
.../ruby/ruby/CVE-2024-39908-0008.patch | 44 +
.../ruby/ruby/CVE-2024-39908-0009.patch | 36 +
.../ruby/ruby/CVE-2024-39908-0010.patch | 53 +
.../ruby/ruby/CVE-2024-39908-0011.patch | 35 +
.../ruby/ruby/CVE-2024-39908-0012.patch | 36 +
.../ruby/ruby/CVE-2024-41123-0001.patch | 44 +
.../ruby/ruby/CVE-2024-41123-0002.patch | 37 +
.../ruby/ruby/CVE-2024-41123-0003.patch | 55 +
.../ruby/ruby/CVE-2024-41123-0004.patch | 163 ++
.../ruby/ruby/CVE-2024-41123-0005.patch | 111 +
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 18 +
...ax-path-length-metadata-writing-2243.patch | 30 +
...request-2696-from-al3xtjames-mkstemp.patch | 28 +
...st-2749-from-KlaraSystems-des-tempdi.patch | 183 ++
...st-2753-from-KlaraSystems-des-temp-f.patch | 190 ++
...-request-2768-from-Commandoss-master.patch | 28 +
.../libarchive/CVE-2025-60753.patch | 76 +
.../libarchive/libarchive_3.6.2.bb | 6 +
.../flac/files/0001-Fix-seeking-bug.patch | 34 +
meta/recipes-multimedia/flac/flac_1.3.4.bb | 3 +-
32 files changed, 4645 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/python/python3-idna/CVE-2024-3651.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-6075.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-35176.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0002.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0003.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0004.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0005.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0006.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0007.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0008.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0009.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0010.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0011.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0012.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0002.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0003.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0004.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0005.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Fix-max-path-length-metadata-writing-2243.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2696-from-al3xtjames-mkstemp.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2768-from-Commandoss-master.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch
create mode 100644 meta/recipes-multimedia/flac/files/0001-Fix-seeking-bug.patch
--
2.43.0
^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2025-11-25 20:55 UTC | newest]
Thread overview: 22+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-03 3:46 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 1/9] nghttp2: fix CVE-2023-44487 Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 2/9] xwayland: fix CVE-2023-6816 CVE-2024-0408/0409 Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 3/9] expat: fix CVE-2023-52425 Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 4/9] curl: backport Debian patch for CVE-2024-2398 Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 5/9] qemu: Fix for CVE-2023-6683 Steve Sakoman
2024-04-03 3:46 ` [OE-core][kirkstone 6/9] tiff: fix CVE-2023-52356 CVE-2023-6277 Steve Sakoman
2024-04-03 3:47 ` [OE-core][kirkstone 7/9] python3-urllib3: update to v1.26.18 Steve Sakoman
2024-04-03 3:47 ` [OE-core][kirkstone 8/9] gcc: Backport sanitizer fix for 32-bit ALSR Steve Sakoman
2024-04-03 3:47 ` [OE-core][kirkstone 9/9] common-licenses: Backport missing license Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2025-11-25 20:54 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
2025-09-03 16:14 Steve Sakoman
2025-08-26 13:44 Steve Sakoman
2025-08-19 20:49 Steve Sakoman
2025-07-04 15:28 Steve Sakoman
2024-12-17 20:54 Steve Sakoman
2024-06-22 11:57 Steve Sakoman
2024-03-07 23:37 Steve Sakoman
2023-06-20 15:37 Steve Sakoman
2023-01-17 14:08 Steve Sakoman
2022-11-13 14:12 Steve Sakoman
2022-05-23 13:59 Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.