* [ROCKO][PATCH 02/34] busybox: CVE-2017-16544
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 03/34] libsndfile1: CVE-2017-14245 CVE-2017-14246 Jagadeesh Krishnanjanappa
` (32 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
lineedit: do not tab-complete any strings which have control characters
function old new delta
add_match 41 68 +27
Affects busybox <= 1.27.2
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../busybox/busybox/CVE-2017-16544.patch | 44 ++++++++++++++++++++++
meta/recipes-core/busybox/busybox_1.24.1.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2017-16544.patch
diff --git a/meta/recipes-core/busybox/busybox/CVE-2017-16544.patch b/meta/recipes-core/busybox/busybox/CVE-2017-16544.patch
new file mode 100644
index 0000000..8038886
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2017-16544.patch
@@ -0,0 +1,44 @@
+From c3797d40a1c57352192c6106cc0f435e7d9c11e8 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Tue, 7 Nov 2017 18:09:29 +0100
+Subject: lineedit: do not tab-complete any strings which have control
+ characters
+
+function old new delta
+add_match 41 68 +27
+
+CVE: CVE-2017-16544
+Upstream-Status: Backport from v1.28.0
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+---
+ libbb/lineedit.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/libbb/lineedit.c b/libbb/lineedit.c
+index c0e35bb..56e8140 100644
+--- a/libbb/lineedit.c
++++ b/libbb/lineedit.c
+@@ -645,6 +645,18 @@ static void free_tab_completion_data(void)
+
+ static void add_match(char *matched)
+ {
++ unsigned char *p = (unsigned char*)matched;
++ while (*p) {
++ /* ESC attack fix: drop any string with control chars */
++ if (*p < ' '
++ || (!ENABLE_UNICODE_SUPPORT && *p >= 0x7f)
++ || (ENABLE_UNICODE_SUPPORT && *p == 0x7f)
++ ) {
++ free(matched);
++ return;
++ }
++ p++;
++ }
+ matches = xrealloc_vector(matches, 4, num_matches);
+ matches[num_matches] = matched;
+ num_matches++;
+--
+cgit v0.12
+
diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb
index 1c85808..a2c0aa3 100644
--- a/meta/recipes-core/busybox/busybox_1.24.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.24.1.bb
@@ -61,6 +61,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://busybox-tar-add-IF_FEATURE_-checks.patch \
file://0001-iproute-support-scope-.-Closes-8561.patch \
file://0001-ip-fix-an-improper-optimization-req.r.rtm_scope-may-.patch \
+ file://CVE-2017-16544.patch \
"
SRC_URI_append_libc-musl = " file://musl.cfg "
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 03/34] libsndfile1: CVE-2017-14245 CVE-2017-14246
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 02/34] busybox: CVE-2017-16544 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 04/34] libvorbis: CVE-2017-14160 Jagadeesh Krishnanjanappa
` (31 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
sfe_copy_data_fp: check value of "max" variable for being normal
and check elements of the data[] array for being finite.
Both checks use functions provided by the <math.h> header as declared
by the C99 standard.
Fixes #317
CVE-2017-14245
CVE-2017-14246
Affects libsndfile1 = 1.0.28
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../libsndfile1/CVE-2017-14245-14246.patch | 121 +++++++++++++++++++++
.../libsndfile/libsndfile1_1.0.28.bb | 1 +
2 files changed, 122 insertions(+)
create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
new file mode 100644
index 0000000..07c7d13
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14245-14246.patch
@@ -0,0 +1,121 @@
+From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Wed, 27 Sep 2017 14:46:17 +0200
+Subject: [PATCH] sfe_copy_data_fp: check value of "max" variable for being
+ normal
+
+and check elements of the data[] array for being finite.
+
+Both checks use functions provided by the <math.h> header as declared
+by the C99 standard.
+
+Fixes #317
+CVE: CVE-2017-14245
+CVE: CVE-2017-14246
+
+Upstream-Status: Backport [https://github.com/fabiangreffrath/libsndfile/commit/2d54514a4f6437b67829717c05472d2e3300a258]
+
+Signed-off-by: Fabian Greffrath <fabian@greffrath.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ programs/common.c | 20 ++++++++++++++++----
+ programs/common.h | 2 +-
+ programs/sndfile-convert.c | 6 +++++-
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+
+diff --git a/programs/common.c b/programs/common.c
+index a21e62c..a249a58 100644
+--- a/programs/common.c
++++ b/programs/common.c
+@@ -36,6 +36,7 @@
+ #include <string.h>
+ #include <ctype.h>
+ #include <stdint.h>
++#include <math.h>
+
+ #include <sndfile.h>
+
+@@ -45,7 +46,7 @@
+
+ #define MIN(x, y) ((x) < (y) ? (x) : (y))
+
+-void
++int
+ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize)
+ { static double data [BUFFER_LEN], max ;
+ sf_count_t frames, readcount, k ;
+@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
+ readcount = frames ;
+
+ sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ;
++ if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */
++ return 1 ;
+
+ if (!normalize && max < 1.0)
+ { while (readcount > 0)
+@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
+ while (readcount > 0)
+ { readcount = sf_readf_double (infile, data, frames) ;
+ for (k = 0 ; k < readcount * channels ; k++)
+- data [k] /= max ;
++ { data [k] /= max ;
++
++ if (!isfinite (data [k])) /* infinite or NaN */
++ return 1;
++ }
+ sf_writef_double (outfile, data, readcount) ;
+ } ;
+ } ;
+
+- return ;
++ return 0 ;
+ } /* sfe_copy_data_fp */
+
+ void
+@@ -252,7 +259,12 @@ sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * in
+
+ /* If the input file is not the same as the output file, copy the data. */
+ if ((infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT))
+- sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ;
++ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0)
++ { printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ;
++ error_code = 1 ;
++ goto cleanup_exit ;
++ } ;
++ }
+ else
+ sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
+ } ;
+diff --git a/programs/common.h b/programs/common.h
+index eda2d7d..986277e 100644
+--- a/programs/common.h
++++ b/programs/common.h
+@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ;
+
+ void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ;
+
+-void sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
++int sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
+
+ void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ;
+
+diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c
+index dff7f79..e6de593 100644
+--- a/programs/sndfile-convert.c
++++ b/programs/sndfile-convert.c
+@@ -335,7 +335,11 @@ main (int argc, char * argv [])
+ || (outfileminor == SF_FORMAT_DOUBLE) || (outfileminor == SF_FORMAT_FLOAT)
+ || (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)
+ || (infileminor == SF_FORMAT_VORBIS) || (outfileminor == SF_FORMAT_VORBIS))
+- sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ;
++ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0)
++ { printf ("Error : Not able to decode input file %s.\n", infilename) ;
++ return 1 ;
++ } ;
++ }
+ else
+ sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
+
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 281ac82..c6f2a46 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -10,6 +10,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
file://CVE-2017-8361-8365.patch \
file://CVE-2017-8362.patch \
file://CVE-2017-8363.patch \
+ file://CVE-2017-14245-14246.patch \
"
SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 04/34] libvorbis: CVE-2017-14160
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 02/34] busybox: CVE-2017-16544 Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 03/34] libsndfile1: CVE-2017-14245 CVE-2017-14246 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 05/34] rpm: CVE-2017-7501 Jagadeesh Krishnanjanappa
` (30 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
CVE-2017-14160: fix bounds check on very low sample rates.
Affects libvorbis = 1.3.5
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../libvorbis/libvorbis/CVE-2017-14160.patch | 33 ++++++++++++++++++++++
.../libvorbis/libvorbis_1.3.5.bb | 2 ++
2 files changed, 35 insertions(+)
create mode 100644 meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14160.patch
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14160.patch b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14160.patch
new file mode 100644
index 0000000..5f304aa
--- /dev/null
+++ b/meta/recipes-multimedia/libvorbis/libvorbis/CVE-2017-14160.patch
@@ -0,0 +1,33 @@
+From 018ca26dece618457dd13585cad52941193c4a25 Mon Sep 17 00:00:00 2001
+From: Thomas Daede <daede003@umn.edu>
+Date: Wed, 9 May 2018 14:56:59 -0700
+Subject: [PATCH] CVE-2017-14160: fix bounds check on very low sample rates.
+
+CVE: CVE-2017-14160
+CVE: CVE-2018-10393
+Upstream-Status: Backport [https://gitlab.xiph.org/xiph/vorbis/commit/018ca26dece618457dd13585cad52941193c4a25]
+
+Signed-off-by: Thomas Daede <daede003@umn.edu>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ lib/psy.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/psy.c b/lib/psy.c
+index 422c6f1..1310123 100644
+--- a/lib/psy.c
++++ b/lib/psy.c
+@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b,
+ for (i = 0, x = 0.f;; i++, x += 1.f) {
+
+ lo = b[i] >> 16;
+- if( lo>=0 ) break;
+ hi = b[i] & 0xffff;
++ if( lo>=0 ) break;
++ if( hi>=n ) break;
+
+ tN = N[hi] + N[-lo];
+ tX = X[hi] - X[-lo];
+--
+2.7.4
+
diff --git a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
index 20f887c..1a49e59 100644
--- a/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
+++ b/meta/recipes-multimedia/libvorbis/libvorbis_1.3.5.bb
@@ -9,12 +9,14 @@ LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://COPYING;md5=7d2c487d2fc7dd3e3c7c465a5b7f6217 \
file://include/vorbis/vorbisenc.h;beginline=1;endline=11;md5=d1c1d138863d6315131193d4046d81cb"
DEPENDS = "libogg"
+PR = "r1"
SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.xz \
file://0001-configure-Check-for-clang.patch \
file://CVE-2017-14633.patch \
file://CVE-2017-14632.patch \
file://CVE-2018-5146.patch \
+ file://CVE-2017-14160.patch \
"
SRC_URI[md5sum] = "28cb28097c07a735d6af56e598e1c90f"
SRC_URI[sha256sum] = "54f94a9527ff0a88477be0a71c0bab09a4c3febe0ed878b24824906cd4b0e1d1"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 05/34] rpm: CVE-2017-7501
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (2 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 04/34] libvorbis: CVE-2017-14160 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 06/34] coreutils: CVE-2017-18018 Jagadeesh Krishnanjanappa
` (29 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
Open newly created files with O_EXCL to prevent symlink tricks.
When reopening hardlinks for writing the actual content, use append
mode instead. This is compatible with the write-only permissions but
is not destructive in case we got redirected to somebody elses file,
verify the target before actually writing anything.
As these are files with the temporary suffix, errors mean a local
user with sufficient privileges to break the installation of the package
anyway is trying to goof us on purpose, don't bother trying to mend it
(we couldn't fix the hardlink case anyhow) but just bail out.
Based on a patch by Florian Festi.
Affects rpm < 4.13.0.2
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../recipes-devtools/rpm/files/CVE-2017-7501.patch | 106 +++++++++++++++++++++
meta/recipes-devtools/rpm/rpm_git.bb | 1 +
2 files changed, 107 insertions(+)
create mode 100644 meta/recipes-devtools/rpm/files/CVE-2017-7501.patch
diff --git a/meta/recipes-devtools/rpm/files/CVE-2017-7501.patch b/meta/recipes-devtools/rpm/files/CVE-2017-7501.patch
new file mode 100644
index 0000000..fb299d9
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2017-7501.patch
@@ -0,0 +1,106 @@
+From 404ef011c300207cdb1e531670384564aae04bdc Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 19 Sep 2017 14:46:36 +0300
+Subject: [PATCH] Don't follow symlinks on file creation (CVE-2017-7501)
+
+Open newly created files with O_EXCL to prevent symlink tricks.
+When reopening hardlinks for writing the actual content, use append
+mode instead. This is compatible with the write-only permissions but
+is not destructive in case we got redirected to somebody elses file,
+verify the target before actually writing anything.
+
+As these are files with the temporary suffix, errors mean a local
+user with sufficient privileges to break the installation of the package
+anyway is trying to goof us on purpose, don't bother trying to mend it
+(we couldn't fix the hardlink case anyhow) but just bail out.
+
+Based on a patch by Florian Festi.
+
+CVE: CVE-2017-7501
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc]
+
+Signed-off-by: Panu Matilainen <pmatilai@redhat.com>
+Signed-off-by: Florian Festi <ffesti@redhat.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ lib/fsm.c | 29 +++++++++++++++++++++++------
+ 1 file changed, 23 insertions(+), 6 deletions(-)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 553774b..e0e9d03 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -206,11 +206,22 @@ static int fsmSetFCaps(const char *path, const char *captxt)
+ return rc;
+ }
+
++/* Check dest is the same, empty and regular file with writeonly permissions */
++static int linkSane(FD_t wfd, const char *dest)
++{
++ struct stat sb, lsb;
++
++ return (fstat(Fileno(wfd), &sb) == 0 && sb.st_size == 0 &&
++ (sb.st_mode & ~S_IFMT) == S_IWUSR &&
++ lstat(dest, &lsb) == 0 && S_ISREG(lsb.st_mode) &&
++ sb.st_dev == lsb.st_dev && sb.st_ino == lsb.st_ino);
++}
++
+ /** \ingroup payload
+ * Create file from payload stream.
+ * @return 0 on success
+ */
+-static int expandRegular(rpmfi fi, const char *dest, rpmpsm psm, int nodigest, int nocontent)
++static int expandRegular(rpmfi fi, const char *dest, rpmpsm psm, int exclusive, int nodigest, int nocontent)
+ {
+ FD_t wfd = NULL;
+ int rc = 0;
+@@ -218,8 +229,14 @@ static int expandRegular(rpmfi fi, const char *dest, rpmpsm psm, int nodigest, i
+ /* Create the file with 0200 permissions (write by owner). */
+ {
+ mode_t old_umask = umask(0577);
+- wfd = Fopen(dest, "w.ufdio");
++ wfd = Fopen(dest, exclusive ? "wx.ufdio" : "a.ufdio");
+ umask(old_umask);
++
++ /* If reopening, make sure the file is what we expect */
++ if (!exclusive && wfd != NULL && !linkSane(wfd, dest)) {
++ rc = RPMERR_OPEN_FAILED;
++ goto exit;
++ }
+ }
+ if (Ferror(wfd)) {
+ rc = RPMERR_OPEN_FAILED;
+@@ -248,7 +265,7 @@ static int fsmMkfile(rpmfi fi, const char *dest, rpmfiles files,
+ /* Create first hardlinked file empty */
+ if (*firsthardlink < 0) {
+ *firsthardlink = rpmfiFX(fi);
+- rc = expandRegular(fi, dest, psm, nodigest, 1);
++ rc = expandRegular(fi, dest, psm, 1, nodigest, 1);
+ } else {
+ /* Create hard links for others */
+ char *fn = rpmfilesFN(files, *firsthardlink);
+@@ -263,10 +280,10 @@ static int fsmMkfile(rpmfi fi, const char *dest, rpmfiles files,
+ existing) file with content */
+ if (numHardlinks<=1) {
+ if (!rc)
+- rc = expandRegular(fi, dest, psm, nodigest, 0);
++ rc = expandRegular(fi, dest, psm, 1, nodigest, 0);
+ } else if (rpmfiArchiveHasContent(fi)) {
+ if (!rc)
+- rc = expandRegular(fi, dest, psm, nodigest, 0);
++ rc = expandRegular(fi, dest, psm, 0, nodigest, 0);
+ *firsthardlink = -1;
+ } else {
+ *setmeta = 0;
+@@ -939,7 +956,7 @@ int rpmPackageFilesInstall(rpmts ts, rpmte te, rpmfiles files,
+ /* we skip the hard linked file containing the content */
+ /* write the content to the first used instead */
+ char *fn = rpmfilesFN(files, firsthardlink);
+- rc = expandRegular(fi, fn, psm, nodigest, 0);
++ rc = expandRegular(fi, fn, psm, 0, nodigest, 0);
+ firsthardlink = -1;
+ free(fn);
+ }
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/rpm/rpm_git.bb b/meta/recipes-devtools/rpm/rpm_git.bb
index 7866314..bec0630 100644
--- a/meta/recipes-devtools/rpm/rpm_git.bb
+++ b/meta/recipes-devtools/rpm/rpm_git.bb
@@ -43,6 +43,7 @@ SRC_URI = "git://github.com/rpm-software-management/rpm \
file://0003-rpmstrpool.c-make-operations-over-string-pools-threa.patch \
file://0004-build-pack.c-remove-static-local-variables-from-buil.patch \
file://0001-perl-disable-auto-reqs.patch \
+ file://CVE-2017-7501.patch \
"
UPSTREAM_VERSION_UNKNOWN = "1"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 06/34] coreutils: CVE-2017-18018
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (3 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 05/34] rpm: CVE-2017-7501 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 07/34] gdk-pixbuf: CVE-2017-1000422 Jagadeesh Krishnanjanappa
` (28 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
CVE-2017-18018-1:
doc: clarify chown/chgrp --dereference defaults
* doc/coreutils.texi: the documentation for the --dereference
flag of chown/chgrp states that it is the default mode of
operation. Document that this is only the case when operating
non-recursively.
CVE-2017-18018-2:
doc: warn about following symlinks recursively in chown/chgrp
In both chown and chgrp (which shares its code with chown), operating
on symlinks recursively has a window of vulnerability where the
destination user or group can change the target of the operation.
Warn about combining the --dereference, --recursive, and -L flags.
* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
(node chown invocation): Add it to --dereference and -L.
(node chgrp invocation): Likewise.
Affects coreutils <= 8.29
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../coreutils/coreutils/CVE-2017-18018-1.patch | 40 +++++++++++
.../coreutils/coreutils/CVE-2017-18018-2.patch | 83 ++++++++++++++++++++++
meta/recipes-core/coreutils/coreutils_8.27.bb | 2 +
3 files changed, 125 insertions(+)
create mode 100644 meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch
create mode 100644 meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch
diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch
new file mode 100644
index 0000000..6f31eba
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch
@@ -0,0 +1,40 @@
+From 7597cfa482e42a00a69fb9577ee523762980a9a2 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Thu, 28 Dec 2017 15:52:42 -0500
+Subject: doc: clarify chown/chgrp --dereference defaults
+
+* doc/coreutils.texi: the documentation for the --dereference
+ flag of chown/chgrp states that it is the default mode of
+ operation. Document that this is only the case when operating
+ non-recursively.
+
+CVE: CVE-2017-18018
+Upstream-Status: Backport from v8.30
+
+Signed-off-by: Michael Orlitzky <michael@orlitzky.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ doc/coreutils.texi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff -Naurp coreutils-8.27_org/doc/coreutils.texi coreutils-8.27/doc/coreutils.texi
+--- coreutils-8.27_org/doc/coreutils.texi 2018-07-22 21:09:50.128736692 -0700
++++ coreutils-8.27/doc/coreutils.texi 2018-07-22 21:12:59.972219770 -0700
+@@ -10952,7 +10952,7 @@ chown -h -R --from=OLDUSER NEWUSER /
+ @cindex symbolic links, changing owner
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+-This is the default.
++This is the default when not operating recursively.
+
+ @item -h
+ @itemx --no-dereference
+@@ -11082,7 +11082,7 @@ changed.
+ @cindex symbolic links, changing owner
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+-This is the default.
++This is the default when not operating recursively.
+
+ @item -h
+ @itemx --no-dereference
diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch
new file mode 100644
index 0000000..c8f5f54
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch
@@ -0,0 +1,83 @@
+From bc2fd9796403e03bb757b064d44c22fab92e6842 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Thu, 4 Jan 2018 11:38:21 -0500
+Subject: doc: warn about following symlinks recursively in chown/chgrp
+
+In both chown and chgrp (which shares its code with chown), operating
+on symlinks recursively has a window of vulnerability where the
+destination user or group can change the target of the operation.
+Warn about combining the --dereference, --recursive, and -L flags.
+
+* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
+(node chown invocation): Add it to --dereference and -L.
+(node chgrp invocation): Likewise.
+
+See also: CVE-2017-18018
+CVE: CVE-2017-18018
+Upstream-Status: Backport from v8.30
+
+Signed-off-by: Michael Orlitzky <michael@orlitzky.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ doc/coreutils.texi | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/doc/coreutils.texi b/doc/coreutils.texi
+index 6bb9f09..9f5f95b 100644
+--- a/doc/coreutils.texi
++++ b/doc/coreutils.texi
+@@ -1428,6 +1428,19 @@ a command line argument is a symbolic link to a directory, traverse it.
+ In a recursive traversal, traverse every symbolic link to a directory
+ that is encountered.
+ @end macro
++
++@c Append the following warning to -L where appropriate (e.g. chown).
++@macro warnOptDerefWithRec
++
++Combining this dereferencing option with the @option{--recursive} option
++may create a security risk:
++During the traversal of the directory tree, an attacker may be able to
++introduce a symlink to an arbitrary target; when the tool reaches that,
++the operation will be performed on the target of that symlink,
++possibly allowing the attacker to escalate privileges.
++
++@end macro
++
+ @choptL
+
+ @macro choptP
+@@ -10995,6 +11008,7 @@ chown -h -R --from=OLDUSER NEWUSER /
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+ This is the default when not operating recursively.
++@warnOptDerefWithRec
+
+ @item -h
+ @itemx --no-dereference
+@@ -11051,6 +11065,7 @@ Recursively change ownership of directories and their contents.
+ @xref{Traversing symlinks}.
+
+ @choptL
++@warnOptDerefWithRec
+ @xref{Traversing symlinks}.
+
+ @choptP
+@@ -11125,6 +11140,7 @@ changed.
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+ This is the default when not operating recursively.
++@warnOptDerefWithRec
+
+ @item -h
+ @itemx --no-dereference
+@@ -11180,6 +11196,7 @@ Recursively change the group ownership of directories and their contents.
+ @xref{Traversing symlinks}.
+
+ @choptL
++@warnOptDerefWithRec
+ @xref{Traversing symlinks}.
+
+ @choptP
+--
+cgit v1.0-41-gc330
+
diff --git a/meta/recipes-core/coreutils/coreutils_8.27.bb b/meta/recipes-core/coreutils/coreutils_8.27.bb
index ea8740a..922ea8c 100644
--- a/meta/recipes-core/coreutils/coreutils_8.27.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.27.bb
@@ -21,6 +21,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz;name=tarball \
file://0001-uname-report-processor-and-hardware-correctly.patch \
file://disable-ls-output-quoting.patch \
file://0001-local.mk-fix-cross-compiling-problem.patch \
+ file://CVE-2017-18018-1.patch \
+ file://CVE-2017-18018-2.patch \
"
SRC_URI[tarball.md5sum] = "502795792c212932365e077946d353ae"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 07/34] gdk-pixbuf: CVE-2017-1000422
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (4 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 06/34] coreutils: CVE-2017-18018 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 08/34] util-linux: CVE-2018-7738 Jagadeesh Krishnanjanappa
` (27 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
io-gif: Fail quickly when image dimensions are too big
Fail quickly when the dimensions would create an image that's bigger
than MAXINT bytes long.
See https://bugzilla.gnome.org/show_bug.cgi?id=765094
https://bugzilla.gnome.org/show_bug.cgi?id=785973
Affects gdk-pixbuf <= 2.36.8
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch | 65 ++++++++++++++++++++++
meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb | 1 +
2 files changed, 66 insertions(+)
create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch
new file mode 100644
index 0000000..0638c99
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch
@@ -0,0 +1,65 @@
+From 0012e066ba37439d402ce46afbc1311530a4ec61 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Wed, 23 Aug 2017 18:02:41 +0200
+Subject: [PATCH] io-gif: Fail quickly when image dimensions are too big
+
+Fail quickly when the dimensions would create an image that's bigger
+than MAXINT bytes long.
+
+See https://bugzilla.gnome.org/show_bug.cgi?id=765094
+
+https://bugzilla.gnome.org/show_bug.cgi?id=785973
+
+CVE: CVE-2017-1000422
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/0012e06]
+
+Signed-off-by: Bastien Nocera <hadess@hadess.net>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ gdk-pixbuf/io-gif.c | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
+index 057960c..ef10017 100644
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -851,13 +851,29 @@ gif_get_lzw (GifContext *context)
+ pixels[2] = 0;
+ pixels[3] = 0;
+ }
+- } else
+- context->frame->pixbuf =
+- gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+- TRUE,
+- 8,
+- context->frame_len,
+- context->frame_height);
++ } else {
++ int rowstride;
++ guint64 len;
++
++ rowstride = gdk_pixbuf_calculate_rowstride (GDK_COLORSPACE_RGB,
++ TRUE,
++ 8,
++ context->frame_len,
++ context->frame_height);
++ if (rowstride > 0 &&
++ g_uint64_checked_mul (&len, rowstride, context->frame_height) &&
++ len <= G_MAXINT) {
++ context->frame->pixbuf =
++ gdk_pixbuf_new (GDK_COLORSPACE_RGB,
++ TRUE,
++ 8,
++ context->frame_len,
++ context->frame_height);
++ } else {
++ context->frame->pixbuf = NULL;
++ }
++ }
++
+ if (!context->frame->pixbuf) {
+ g_free (context->frame);
+ g_set_error_literal (context->error,
+--
+2.7.4
+
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb
index 8c35904..cf06a85 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
file://fatal-loader.patch \
file://0001-Work-around-thumbnailer-cross-compile-failure.patch \
file://0001-queryloaders-Make-output-more-reproducible.patch \
+ file://CVE-2017-1000422.patch \
"
SRC_URI[md5sum] = "e0aaa0061eb12667b32b27472230b962"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 08/34] util-linux: CVE-2018-7738
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (5 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 07/34] gdk-pixbuf: CVE-2017-1000422 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 09/34] python: CVE-2018-1000030 Jagadeesh Krishnanjanappa
` (26 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
bash-completion: (umount) use findmnt, escape a space in paths
# mount /dev/sdc1 /mnt/test/foo\ bar
# umount <tab>
has to return "/mnt/test/foo\ bar".
Changes:
* don't use mount | awk output, we have findmnt
* force compgen use \n as entries separator
Affects util-linux < 2.32-rc1
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../util-linux/util-linux/CVE-2018-7738.patch | 49 ++++++++++++++++++++++
meta/recipes-core/util-linux/util-linux_2.30.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2018-7738.patch
diff --git a/meta/recipes-core/util-linux/util-linux/CVE-2018-7738.patch b/meta/recipes-core/util-linux/util-linux/CVE-2018-7738.patch
new file mode 100644
index 0000000..7322b9c
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/CVE-2018-7738.patch
@@ -0,0 +1,49 @@
+From 75f03badd7ed9f1dd951863d75e756883d3acc55 Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Thu, 16 Nov 2017 16:27:32 +0100
+Subject: [PATCH] bash-completion: (umount) use findmnt, escape a space in
+ paths
+
+ # mount /dev/sdc1 /mnt/test/foo\ bar
+ # umount <tab>
+
+has to return "/mnt/test/foo\ bar".
+
+Changes:
+
+ * don't use mount | awk output, we have findmnt
+ * force compgen use \n as entries separator
+
+Addresses: https://github.com/karelzak/util-linux/issues/539
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2018-7738
+Upstream-Status: Backport [https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ bash-completion/umount | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/bash-completion/umount b/bash-completion/umount
+index d76cb9fff..98c90d61a 100644
+--- a/bash-completion/umount
++++ b/bash-completion/umount
+@@ -40,9 +40,10 @@ _umount_module()
+ return 0
+ ;;
+ esac
+- local DEVS_MPOINTS
+- DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
+- COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )
+- return 0
++
++ local oldifs=$IFS
++ IFS=$'\n'
++ COMPREPLY=( $( compgen -W '$(findmnt -lno TARGET | sed "s/\([[:blank:]]\)/\\\\\1/g")' -- "$cur" ) )
++ IFS=$oldifs
+ }
+ complete -F _umount_module umount
+--
+2.13.3
+
diff --git a/meta/recipes-core/util-linux/util-linux_2.30.bb b/meta/recipes-core/util-linux/util-linux_2.30.bb
index 6b309b5..a6d23d8 100644
--- a/meta/recipes-core/util-linux/util-linux_2.30.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.30.bb
@@ -14,6 +14,7 @@ SRC_URI += "file://configure-sbindir.patch \
file://run-ptest \
file://display_testname_for_subtest.patch \
file://avoid_parallel_tests.patch \
+ file://CVE-2018-7738.patch \
"
SRC_URI[md5sum] = "eaa3429150268027908a1b8ae6ee9a62"
SRC_URI[sha256sum] = "c208a4ff6906cb7f57940aa5bc3a6eed146e50a7cc0a092f52ef2ab65057a08d"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 09/34] python: CVE-2018-1000030
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (6 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 08/34] util-linux: CVE-2018-7738 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 10/34] perl: CVE-2018-6798 Jagadeesh Krishnanjanappa
` (25 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
* CVE-2018-1000030-1
[2.7] bpo-31530: Stop crashes when iterating over a file on multiple threads
* CVE-2018-1000030-2
Multiple threads iterating over a file can corrupt the file's internal readahead
buffer resulting in crashes. To fix this, cache buffer state thread-locally for
the duration of a file_iternext call and only update the file's internal state
after reading completes.
No attempt is made to define or provide "reasonable" semantics for iterating
over a file on multiple threads. (Non-crashing) races are still
present. Duplicated, corrupt, and missing data will happen.
This was originally fixed by 6401e56, which
raised an exception from seek() and next() when concurrent operations were
detected. Alas, this simpler solution breaks legitimate use cases such as
capturing the standard streams when multiple threads are logging.
Affects python <= 2.7.17
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
meta/recipes-devtools/python/python.inc | 5 +-
.../python/python/CVE-2018-1000030-1.patch | 138 ++++++++++
.../python/python/CVE-2018-1000030-2.patch | 306 +++++++++++++++++++++
3 files changed, 448 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch
create mode 100644 meta/recipes-devtools/python/python/CVE-2018-1000030-2.patch
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index b40f551..03ae5de 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -7,7 +7,10 @@ INC_PR = "r1"
LIC_FILES_CHKSUM = "file://LICENSE;md5=6b60258130e4ed10d3101517eb5b9385"
-SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz"
+PR .= ".1"
+SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
+ file://CVE-2018-1000030-1.patch \
+ file://CVE-2018-1000030-2.patch"
SRC_URI[md5sum] = "53b43534153bb2a0363f08bae8b9d990"
SRC_URI[sha256sum] = "35d543986882f78261f97787fd3e06274bfa6df29fac9b4a94f73930ff98f731"
diff --git a/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch b/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch
new file mode 100644
index 0000000..c2933cf
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch
@@ -0,0 +1,138 @@
+From 6401e5671781eb217ee1afb4603cc0d1b0367ae6 Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Fri, 10 Nov 2017 12:58:55 +0200
+Subject: [PATCH] [2.7] bpo-31530: Stop crashes when iterating over a file on
+ multiple threads. (#3672)
+
+CVE: CVE-2018-1000030
+Upstream-Status: Backport [https://github.com/python/cpython/commit/6401e5671781eb217ee1afb4603cc0d1b0367ae6]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ Lib/test/test_file2k.py | 32 ++++++++++++++++++++++
+ .../2017-09-20-18-28-09.bpo-31530.CdLOM7.rst | 4 +++
+ Objects/fileobject.c | 19 +++++++++++--
+ 3 files changed, 52 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
+
+diff --git a/Lib/test/test_file2k.py b/Lib/test/test_file2k.py
+index e39ef7042e..d8966e034e 100644
+--- a/Lib/test/test_file2k.py
++++ b/Lib/test/test_file2k.py
+@@ -652,6 +652,38 @@ class FileThreadingTests(unittest.TestCase):
+ self.f.writelines('')
+ self._test_close_open_io(io_func)
+
++ def test_iteration_torture(self):
++ # bpo-31530: Crash when concurrently iterate over a file.
++ with open(self.filename, "wb") as fp:
++ for i in xrange(2**20):
++ fp.write(b"0"*50 + b"\n")
++ with open(self.filename, "rb") as f:
++ def iterate():
++ try:
++ for l in f:
++ pass
++ except IOError:
++ pass
++ self._run_workers(iterate, 10)
++
++ def test_iteration_seek(self):
++ # bpo-31530: Crash when concurrently seek and iterate over a file.
++ with open(self.filename, "wb") as fp:
++ for i in xrange(10000):
++ fp.write(b"0"*50 + b"\n")
++ with open(self.filename, "rb") as f:
++ it = iter([1] + [0]*10) # one thread reads, others seek
++ def iterate():
++ try:
++ if next(it):
++ for l in f:
++ pass
++ else:
++ for i in range(100):
++ f.seek(i*100, 0)
++ except IOError:
++ pass
++ self._run_workers(iterate, 10)
+
+ @unittest.skipUnless(os.name == 'posix', 'test requires a posix system.')
+ class TestFileSignalEINTR(unittest.TestCase):
+diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
+new file mode 100644
+index 0000000000..a6cb6c9e9b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
+@@ -0,0 +1,4 @@
++Fixed crashes when iterating over a file on multiple threads.
++seek() and next() methods of file objects now raise an exception during
++concurrent operation on the same file object.
++A lock can be used to prevent the error.
+diff --git a/Objects/fileobject.c b/Objects/fileobject.c
+index 7e07a5376f..2f63c374d1 100644
+--- a/Objects/fileobject.c
++++ b/Objects/fileobject.c
+@@ -430,7 +430,7 @@ close_the_file(PyFileObject *f)
+ if (Py_REFCNT(f) > 0) {
+ PyErr_SetString(PyExc_IOError,
+ "close() called during concurrent "
+- "operation on the same file object.");
++ "operation on the same file object");
+ } else {
+ /* This should not happen unless someone is
+ * carelessly playing with the PyFileObject
+@@ -438,7 +438,7 @@ close_the_file(PyFileObject *f)
+ * pointer. */
+ PyErr_SetString(PyExc_SystemError,
+ "PyFileObject locking error in "
+- "destructor (refcnt <= 0 at close).");
++ "destructor (refcnt <= 0 at close)");
+ }
+ return NULL;
+ }
+@@ -762,6 +762,12 @@ file_seek(PyFileObject *f, PyObject *args)
+
+ if (f->f_fp == NULL)
+ return err_closed();
++ if (f->unlocked_count > 0) {
++ PyErr_SetString(PyExc_IOError,
++ "seek() called during concurrent "
++ "operation on the same file object");
++ return NULL;
++ }
+ drop_readahead(f);
+ whence = 0;
+ if (!PyArg_ParseTuple(args, "O|i:seek", &offobj, &whence))
+@@ -2238,6 +2244,7 @@ readahead(PyFileObject *f, Py_ssize_t bufsize)
+ {
+ Py_ssize_t chunksize;
+
++ assert(f->unlocked_count == 0);
+ if (f->f_buf != NULL) {
+ if( (f->f_bufend - f->f_bufptr) >= 1)
+ return 0;
+@@ -2279,6 +2286,12 @@ readahead_get_line_skip(PyFileObject *f, Py_ssize_t skip, Py_ssize_t bufsize)
+ char *buf;
+ Py_ssize_t len;
+
++ if (f->unlocked_count > 0) {
++ PyErr_SetString(PyExc_IOError,
++ "next() called during concurrent "
++ "operation on the same file object");
++ return NULL;
++ }
+ if (f->f_buf == NULL)
+ if (readahead(f, bufsize) < 0)
+ return NULL;
+@@ -2692,7 +2705,7 @@ int PyObject_AsFileDescriptor(PyObject *o)
+ }
+ else {
+ PyErr_SetString(PyExc_TypeError,
+- "argument must be an int, or have a fileno() method.");
++ "argument must be an int, or have a fileno() method");
+ return -1;
+ }
+
+--
+2.13.3
+
diff --git a/meta/recipes-devtools/python/python/CVE-2018-1000030-2.patch b/meta/recipes-devtools/python/python/CVE-2018-1000030-2.patch
new file mode 100644
index 0000000..9b7713b
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2018-1000030-2.patch
@@ -0,0 +1,306 @@
+From dbf52e02f18dac6f5f0a64f78932f3dc6efc056b Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson <benjamin@python.org>
+Date: Tue, 2 Jan 2018 09:25:41 -0800
+Subject: [PATCH] bpo-31530: fix crash when multiple threads iterate over a
+ file, round 2 (#5060)
+
+Multiple threads iterating over a file can corrupt the file's internal readahead
+buffer resulting in crashes. To fix this, cache buffer state thread-locally for
+the duration of a file_iternext call and only update the file's internal state
+after reading completes.
+
+No attempt is made to define or provide "reasonable" semantics for iterating
+over a file on multiple threads. (Non-crashing) races are still
+present. Duplicated, corrupt, and missing data will happen.
+
+This was originally fixed by 6401e5671781eb217ee1afb4603cc0d1b0367ae6, which
+raised an exception from seek() and next() when concurrent operations were
+detected. Alas, this simpler solution breaks legitimate use cases such as
+capturing the standard streams when multiple threads are logging.
+
+CVE: CVE-2018-1000030
+Upstream-Status: Backport [https://github.com/python/cpython/commit/dbf52e02f18dac6f5f0a64f78932f3dc6efc056b]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+
+---
+ Lib/test/test_file2k.py | 27 ++---
+ .../2017-09-20-18-28-09.bpo-31530.CdLOM7.rst | 3 -
+ Objects/fileobject.c | 118 ++++++++++++---------
+ 3 files changed, 78 insertions(+), 70 deletions(-)
+
+diff --git a/Lib/test/test_file2k.py b/Lib/test/test_file2k.py
+index d8966e034e..c73e8d8dc4 100644
+--- a/Lib/test/test_file2k.py
++++ b/Lib/test/test_file2k.py
+@@ -653,18 +653,15 @@ class FileThreadingTests(unittest.TestCase):
+ self._test_close_open_io(io_func)
+
+ def test_iteration_torture(self):
+- # bpo-31530: Crash when concurrently iterate over a file.
++ # bpo-31530
+ with open(self.filename, "wb") as fp:
+ for i in xrange(2**20):
+ fp.write(b"0"*50 + b"\n")
+ with open(self.filename, "rb") as f:
+- def iterate():
+- try:
+- for l in f:
+- pass
+- except IOError:
++ def it():
++ for l in f:
+ pass
+- self._run_workers(iterate, 10)
++ self._run_workers(it, 10)
+
+ def test_iteration_seek(self):
+ # bpo-31530: Crash when concurrently seek and iterate over a file.
+@@ -674,17 +671,15 @@ class FileThreadingTests(unittest.TestCase):
+ with open(self.filename, "rb") as f:
+ it = iter([1] + [0]*10) # one thread reads, others seek
+ def iterate():
+- try:
+- if next(it):
+- for l in f:
+- pass
+- else:
+- for i in range(100):
+- f.seek(i*100, 0)
+- except IOError:
+- pass
++ if next(it):
++ for l in f:
++ pass
++ else:
++ for i in xrange(100):
++ f.seek(i*100, 0)
+ self._run_workers(iterate, 10)
+
++
+ @unittest.skipUnless(os.name == 'posix', 'test requires a posix system.')
+ class TestFileSignalEINTR(unittest.TestCase):
+ def _test_reading(self, data_to_write, read_and_verify_code, method_name,
+diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
+index a6cb6c9e9b..beb09b5ae6 100644
+--- a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
++++ b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
+@@ -1,4 +1 @@
+ Fixed crashes when iterating over a file on multiple threads.
+-seek() and next() methods of file objects now raise an exception during
+-concurrent operation on the same file object.
+-A lock can be used to prevent the error.
+diff --git a/Objects/fileobject.c b/Objects/fileobject.c
+index 8d1c5812f0..270b28264a 100644
+--- a/Objects/fileobject.c
++++ b/Objects/fileobject.c
+@@ -609,7 +609,12 @@ err_iterbuffered(void)
+ return NULL;
+ }
+
+-static void drop_readahead(PyFileObject *);
++static void
++drop_file_readahead(PyFileObject *f)
++{
++ PyMem_FREE(f->f_buf);
++ f->f_buf = NULL;
++}
+
+ /* Methods */
+
+@@ -632,7 +637,7 @@ file_dealloc(PyFileObject *f)
+ Py_XDECREF(f->f_mode);
+ Py_XDECREF(f->f_encoding);
+ Py_XDECREF(f->f_errors);
+- drop_readahead(f);
++ drop_file_readahead(f);
+ Py_TYPE(f)->tp_free((PyObject *)f);
+ }
+
+@@ -767,13 +772,7 @@ file_seek(PyFileObject *f, PyObject *args)
+
+ if (f->f_fp == NULL)
+ return err_closed();
+- if (f->unlocked_count > 0) {
+- PyErr_SetString(PyExc_IOError,
+- "seek() called during concurrent "
+- "operation on the same file object");
+- return NULL;
+- }
+- drop_readahead(f);
++ drop_file_readahead(f);
+ whence = 0;
+ if (!PyArg_ParseTuple(args, "O|i:seek", &offobj, &whence))
+ return NULL;
+@@ -2242,12 +2241,16 @@ static PyGetSetDef file_getsetlist[] = {
+ {0},
+ };
+
++typedef struct {
++ char *buf, *bufptr, *bufend;
++} readaheadbuffer;
++
+ static void
+-drop_readahead(PyFileObject *f)
++drop_readaheadbuffer(readaheadbuffer *rab)
+ {
+- if (f->f_buf != NULL) {
+- PyMem_Free(f->f_buf);
+- f->f_buf = NULL;
++ if (rab->buf != NULL) {
++ PyMem_FREE(rab->buf);
++ rab->buf = NULL;
+ }
+ }
+
+@@ -2255,36 +2258,34 @@ drop_readahead(PyFileObject *f)
+ (unless at EOF) and no more than bufsize. Returns negative value on
+ error, will set MemoryError if bufsize bytes cannot be allocated. */
+ static int
+-readahead(PyFileObject *f, Py_ssize_t bufsize)
++readahead(PyFileObject *f, readaheadbuffer *rab, Py_ssize_t bufsize)
+ {
+ Py_ssize_t chunksize;
+
+- assert(f->unlocked_count == 0);
+- if (f->f_buf != NULL) {
+- if( (f->f_bufend - f->f_bufptr) >= 1)
++ if (rab->buf != NULL) {
++ if ((rab->bufend - rab->bufptr) >= 1)
+ return 0;
+ else
+- drop_readahead(f);
++ drop_readaheadbuffer(rab);
+ }
+- if ((f->f_buf = (char *)PyMem_Malloc(bufsize)) == NULL) {
++ if ((rab->buf = PyMem_MALLOC(bufsize)) == NULL) {
+ PyErr_NoMemory();
+ return -1;
+ }
+ FILE_BEGIN_ALLOW_THREADS(f)
+ errno = 0;
+- chunksize = Py_UniversalNewlineFread(
+- f->f_buf, bufsize, f->f_fp, (PyObject *)f);
++ chunksize = Py_UniversalNewlineFread(rab->buf, bufsize, f->f_fp, (PyObject *)f);
+ FILE_END_ALLOW_THREADS(f)
+ if (chunksize == 0) {
+ if (ferror(f->f_fp)) {
+ PyErr_SetFromErrno(PyExc_IOError);
+ clearerr(f->f_fp);
+- drop_readahead(f);
++ drop_readaheadbuffer(rab);
+ return -1;
+ }
+ }
+- f->f_bufptr = f->f_buf;
+- f->f_bufend = f->f_buf + chunksize;
++ rab->bufptr = rab->buf;
++ rab->bufend = rab->buf + chunksize;
+ return 0;
+ }
+
+@@ -2294,51 +2295,43 @@ readahead(PyFileObject *f, Py_ssize_t bufsize)
+ logarithmic buffer growth to about 50 even when reading a 1gb line. */
+
+ static PyStringObject *
+-readahead_get_line_skip(PyFileObject *f, Py_ssize_t skip, Py_ssize_t bufsize)
++readahead_get_line_skip(PyFileObject *f, readaheadbuffer *rab, Py_ssize_t skip, Py_ssize_t bufsize)
+ {
+ PyStringObject* s;
+ char *bufptr;
+ char *buf;
+ Py_ssize_t len;
+
+- if (f->unlocked_count > 0) {
+- PyErr_SetString(PyExc_IOError,
+- "next() called during concurrent "
+- "operation on the same file object");
+- return NULL;
+- }
+- if (f->f_buf == NULL)
+- if (readahead(f, bufsize) < 0)
++ if (rab->buf == NULL)
++ if (readahead(f, rab, bufsize) < 0)
+ return NULL;
+
+- len = f->f_bufend - f->f_bufptr;
++ len = rab->bufend - rab->bufptr;
+ if (len == 0)
+- return (PyStringObject *)
+- PyString_FromStringAndSize(NULL, skip);
+- bufptr = (char *)memchr(f->f_bufptr, '\n', len);
++ return (PyStringObject *)PyString_FromStringAndSize(NULL, skip);
++ bufptr = (char *)memchr(rab->bufptr, '\n', len);
+ if (bufptr != NULL) {
+ bufptr++; /* Count the '\n' */
+- len = bufptr - f->f_bufptr;
+- s = (PyStringObject *)
+- PyString_FromStringAndSize(NULL, skip + len);
++ len = bufptr - rab->bufptr;
++ s = (PyStringObject *)PyString_FromStringAndSize(NULL, skip + len);
+ if (s == NULL)
+ return NULL;
+- memcpy(PyString_AS_STRING(s) + skip, f->f_bufptr, len);
+- f->f_bufptr = bufptr;
+- if (bufptr == f->f_bufend)
+- drop_readahead(f);
++ memcpy(PyString_AS_STRING(s) + skip, rab->bufptr, len);
++ rab->bufptr = bufptr;
++ if (bufptr == rab->bufend)
++ drop_readaheadbuffer(rab);
+ } else {
+- bufptr = f->f_bufptr;
+- buf = f->f_buf;
+- f->f_buf = NULL; /* Force new readahead buffer */
++ bufptr = rab->bufptr;
++ buf = rab->buf;
++ rab->buf = NULL; /* Force new readahead buffer */
+ assert(len <= PY_SSIZE_T_MAX - skip);
+- s = readahead_get_line_skip(f, skip + len, bufsize + (bufsize>>2));
++ s = readahead_get_line_skip(f, rab, skip + len, bufsize + (bufsize>>2));
+ if (s == NULL) {
+- PyMem_Free(buf);
++ PyMem_FREE(buf);
+ return NULL;
+ }
+ memcpy(PyString_AS_STRING(s) + skip, bufptr, len);
+- PyMem_Free(buf);
++ PyMem_FREE(buf);
+ }
+ return s;
+ }
+@@ -2356,7 +2349,30 @@ file_iternext(PyFileObject *f)
+ if (!f->readable)
+ return err_mode("reading");
+
+- l = readahead_get_line_skip(f, 0, READAHEAD_BUFSIZE);
++ {
++ /*
++ Multiple threads can enter this method while the GIL is released
++ during file read and wreak havoc on the file object's readahead
++ buffer. To avoid dealing with cross-thread coordination issues, we
++ cache the file buffer state locally and only set it back on the file
++ object when we're done.
++ */
++ readaheadbuffer rab = {f->f_buf, f->f_bufptr, f->f_bufend};
++ f->f_buf = NULL;
++ l = readahead_get_line_skip(f, &rab, 0, READAHEAD_BUFSIZE);
++ /*
++ Make sure the file's internal read buffer is cleared out. This will
++ only do anything if some other thread interleaved with us during
++ readahead. We want to drop any changeling buffer, so we don't leak
++ memory. We may lose data, but that's what you get for reading the same
++ file object in multiple threads.
++ */
++ drop_file_readahead(f);
++ f->f_buf = rab.buf;
++ f->f_bufptr = rab.bufptr;
++ f->f_bufend = rab.bufend;
++ }
++
+ if (l == NULL || PyString_GET_SIZE(l) == 0) {
+ Py_XDECREF(l);
+ return NULL;
+--
+2.13.3
+
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 10/34] perl: CVE-2018-6798
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (7 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 09/34] python: CVE-2018-1000030 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 11/34] curl: CVE-2018-1000300 Jagadeesh Krishnanjanappa
` (24 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
* CVE-2018-6798-1
The proximal cause is several instances in regexec.c of the code
assuming that the input was valid UTF-8, whereas the input was too short
for what the start byte claimed it would be.
I grepped through the core for any other similar uses, and did not find
any.
(cherry picked from commit fe7d8ba0a1bf567af8fa8fea128e2b9f4c553e84)
* CVE-2018-6798-2
The first patch for 132063 prevented the buffer read overflow when
dumping the warning but didn't fix the underlying problem.
The next change treats the supplied buffer correctly, preventing the
non-UTF-8 SV from being treated as UTF-8, preventing the warning.
(cherry picked from commit 1e8b61488f195e1396aa801c685340b156104f4f)
Affects perl >= 5.22 && perl <= 5.26
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../perl/perl/CVE-2018-6798-1.patch | 130 +++++++++++++++++++++
.../perl/perl/CVE-2018-6798-2.patch | 37 ++++++
meta/recipes-devtools/perl/perl_5.24.1.bb | 2 +
3 files changed, 169 insertions(+)
create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
new file mode 100644
index 0000000..3477162
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
@@ -0,0 +1,130 @@
+From 0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Tue, 6 Feb 2018 14:50:48 -0700
+Subject: [PATCH] [perl #132063]: Heap buffer overflow
+
+The proximal cause is several instances in regexec.c of the code
+assuming that the input was valid UTF-8, whereas the input was too short
+for what the start byte claimed it would be.
+
+I grepped through the core for any other similar uses, and did not find
+any.
+
+(cherry picked from commit fe7d8ba0a1bf567af8fa8fea128e2b9f4c553e84)
+
+CVE: CVE-2018-6798
+Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/patch/0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ regexec.c | 29 ++++++++++++++++-------------
+ t/lib/warnings/regexec | 7 +++++++
+ 2 files changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/regexec.c b/regexec.c
+index 5735b997fd..ea432c39d3 100644
+--- a/regexec.c
++++ b/regexec.c
+@@ -1466,7 +1466,9 @@ Perl_re_intuit_start(pTHX_
+ ? trie_utf8_fold \
+ : trie_latin_utf8_fold)))
+
+-#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \
++/* 'uscan' is set to foldbuf, and incremented, so below the end of uscan is
++ * 'foldbuf+sizeof(foldbuf)' */
++#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uc_end, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \
+ STMT_START { \
+ STRLEN skiplen; \
+ U8 flags = FOLD_FLAGS_FULL; \
+@@ -1474,7 +1476,7 @@ STMT_START {
+ case trie_flu8: \
+ _CHECK_AND_WARN_PROBLEMATIC_LOCALE; \
+ if (utf8_target && UTF8_IS_ABOVE_LATIN1(*uc)) { \
+- _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc + UTF8SKIP(uc)); \
++ _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc_end - uc); \
+ } \
+ goto do_trie_utf8_fold; \
+ case trie_utf8_exactfa_fold: \
+@@ -1483,7 +1485,7 @@ STMT_START {
+ case trie_utf8_fold: \
+ do_trie_utf8_fold: \
+ if ( foldlen>0 ) { \
+- uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \
++ uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags ); \
+ foldlen -= len; \
+ uscan += len; \
+ len=0; \
+@@ -1500,7 +1502,7 @@ STMT_START {
+ /* FALLTHROUGH */ \
+ case trie_latin_utf8_fold: \
+ if ( foldlen>0 ) { \
+- uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \
++ uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags ); \
+ foldlen -= len; \
+ uscan += len; \
+ len=0; \
+@@ -1519,7 +1521,7 @@ STMT_START {
+ } \
+ /* FALLTHROUGH */ \
+ case trie_utf8: \
+- uvc = utf8n_to_uvchr( (const U8*) uc, UTF8_MAXLEN, &len, uniflags ); \
++ uvc = utf8n_to_uvchr( (const U8*) uc, uc_end - uc, &len, uniflags ); \
+ break; \
+ case trie_plain: \
+ uvc = (UV)*uc; \
+@@ -2599,10 +2601,10 @@ S_find_byclass(pTHX_ regexp * prog, const regnode *c, char *s,
+ }
+ points[pointpos++ % maxlen]= uc;
+ if (foldlen || uc < (U8*)strend) {
+- REXEC_TRIE_READ_CHAR(trie_type, trie,
+- widecharmap, uc,
+- uscan, len, uvc, charid, foldlen,
+- foldbuf, uniflags);
++ REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc,
++ (U8 *) strend, uscan, len, uvc,
++ charid, foldlen, foldbuf,
++ uniflags);
+ DEBUG_TRIE_EXECUTE_r({
+ dump_exec_pos( (char *)uc, c, strend,
+ real_start, s, utf8_target, 0);
+@@ -5511,8 +5513,9 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
+ if ( base && (foldlen || uc < (U8*)(reginfo->strend))) {
+ I32 offset;
+ REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc,
+- uscan, len, uvc, charid, foldlen,
+- foldbuf, uniflags);
++ (U8 *) reginfo->strend, uscan,
++ len, uvc, charid, foldlen,
++ foldbuf, uniflags);
+ charcount++;
+ if (foldlen>0)
+ ST.longfold = TRUE;
+@@ -5642,8 +5645,8 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
+ while (foldlen) {
+ if (!--chars)
+ break;
+- uvc = utf8n_to_uvchr(uscan, UTF8_MAXLEN, &len,
+- uniflags);
++ uvc = utf8n_to_uvchr(uscan, foldlen, &len,
++ uniflags);
+ uscan += len;
+ foldlen -= len;
+ }
+diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec
+index 900dd6ee7f..6635142dea 100644
+--- a/t/lib/warnings/regexec
++++ b/t/lib/warnings/regexec
+@@ -260,3 +260,10 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale);
+ "k" =~ /(?[ \N{KELVIN SIGN} ])/i;
+ ":" =~ /(?[ \: ])/;
+ EXPECT
++########
++# NAME perl #132063, read beyond buffer end
++# OPTION fatal
++"\xff" =~ /(?il)\x{100}|\x{100}/;
++EXPECT
++Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2.
++Malformed UTF-8 character (fatal) at - line 2.
+--
+2.15.1-424-g9478a660812
+
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch
new file mode 100644
index 0000000..fb9b41a
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch
@@ -0,0 +1,37 @@
+From f65da1ca2eee74696d9c120e9d69af37b4fa1920 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Mon, 19 Feb 2018 15:11:42 +1100
+Subject: [PATCH] (perl #132063) we should no longer warn for this code
+
+The first patch for 132063 prevented the buffer read overflow when
+dumping the warning but didn't fix the underlying problem.
+
+The next change treats the supplied buffer correctly, preventing the
+non-UTF-8 SV from being treated as UTF-8, preventing the warning.
+
+(cherry picked from commit 1e8b61488f195e1396aa801c685340b156104f4f)
+
+CVE: CVE-2018-6798
+Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/f65da1ca2eee74696d9c120e9d69af37b4fa1920]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ t/lib/warnings/regexec | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec
+index 6635142dea..c370ddc3c7 100644
+--- a/t/lib/warnings/regexec
++++ b/t/lib/warnings/regexec
+@@ -262,8 +262,5 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale);
+ EXPECT
+ ########
+ # NAME perl #132063, read beyond buffer end
+-# OPTION fatal
+ "\xff" =~ /(?il)\x{100}|\x{100}/;
+ EXPECT
+-Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2.
+-Malformed UTF-8 character (fatal) at - line 2.
+--
+2.15.1-424-g9478a660812
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index ac78dda..e696910 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -68,6 +68,8 @@ SRC_URI += " \
file://perl-5.26.1-guard_old_libcrypt_fix.patch \
file://CVE-2017-12883.patch \
file://CVE-2017-12837.patch \
+ file://CVE-2018-6798-1.patch \
+ file://CVE-2018-6798-2.patch \
"
# Fix test case issues
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 11/34] curl: CVE-2018-1000300
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (8 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 10/34] perl: CVE-2018-6798 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 12/34] curl: CVE-2018-1000301 Jagadeesh Krishnanjanappa
` (23 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
pingpong: fix response cache memcpy overflow
Response data for a handle with a large buffer might be cached and then
used with the "closure" handle when it has a smaller buffer and then
he
larger cache will be copied and overflow the new smaller heap based
buffer.
Reported-by: Dario Weisser
CVE: CVE-2018-1000300
Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
Affects curl >= 7.54.1 && curl <= 7.59.0
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../curl/curl/CVE-2018-1000300.patch | 44 ++++++++++++++++++++++
meta/recipes-support/curl/curl_7.58.0.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2018-1000300.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2018-1000300.patch b/meta/recipes-support/curl/curl/CVE-2018-1000300.patch
new file mode 100644
index 0000000..893d45c
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-1000300.patch
@@ -0,0 +1,44 @@
+From 0a79d714bd55779a3a223efb5c089d0ad7e128a8 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 23 Mar 2018 23:30:04 +0100
+Subject: [PATCH] pingpong: fix response cache memcpy overflow
+
+Response data for a handle with a large buffer might be cached and then
+used with the "closure" handle when it has a smaller buffer and then the
+larger cache will be copied and overflow the new smaller heap based
+buffer.
+
+Reported-by: Dario Weisser
+
+CVE: CVE-2018-1000300
+Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
+Upstream-Status: Backport [https://github.com/curl/curl-www/commit/3ee30b2b5e3836345ac510bc1674aa3a4272936e]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ lib/pingpong.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/pingpong.c b/lib/pingpong.c
+index 438856a99..ad370ee82 100644
+--- a/lib/pingpong.c
++++ b/lib/pingpong.c
+@@ -302,11 +302,14 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
+ *
+ * pp->cache_size is cast to ssize_t here. This should be safe, because
+ * it would have been populated with something of size int to begin
+ * with, even though its datatype may be larger than an int.
+ */
+- DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1));
++ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
++ failf(data, "cached response data too big to handle");
++ return CURLE_RECV_ERROR;
++ }
+ memcpy(ptr, pp->cache, pp->cache_size);
+ gotbytes = (ssize_t)pp->cache_size;
+ free(pp->cache); /* free the cache */
+ pp->cache = NULL; /* clear the pointer */
+ pp->cache_size = 0; /* zero the size just in case */
+--
+2.17.0
+
diff --git a/meta/recipes-support/curl/curl_7.58.0.bb b/meta/recipes-support/curl/curl_7.58.0.bb
index d2d0180..fdfbb3d 100644
--- a/meta/recipes-support/curl/curl_7.58.0.bb
+++ b/meta/recipes-support/curl/curl_7.58.0.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=8;md5=3a34942f4ae3fbf1a303160714e66
SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://0001-replace-krb5-config-with-pkg-config.patch \
+ file://CVE-2018-1000300.patch \
"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 12/34] curl: CVE-2018-1000301
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (9 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 11/34] curl: CVE-2018-1000300 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 13/34] procps: CVE-2018-1124 Jagadeesh Krishnanjanappa
` (22 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
http: restore buffer pointer when bad response-line is parsed
... leaving the k->str could lead to buffer over-reads later on.
CVE: CVE-2018-1000301
Assisted-by: Max Dymond
Detected by OSS-Fuzz.
Bug: https://curl.haxx.se/docs/adv_2018-b138.html
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
Affects curl >= 7.20.0 && curl <= 7.59.0
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../curl/curl/CVE-2018-1000301.patch | 54 ++++++++++++++++++++++
meta/recipes-support/curl/curl_7.58.0.bb | 1 +
2 files changed, 55 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2018-1000301.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2018-1000301.patch b/meta/recipes-support/curl/curl/CVE-2018-1000301.patch
new file mode 100644
index 0000000..f42178e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-1000301.patch
@@ -0,0 +1,54 @@
+From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+CVE: CVE-2018-1000301
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+
+Upstream-Status: Backport [https://github.com/curl/curl-www/commit/3ee30b2b5e3836345ac510bc1674aa3a4272936e]
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 1a313b4fb..e080ae513 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3012,10 +3012,12 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ ssize_t *nread,
+ bool *stop_reading)
+ {
+ CURLcode result;
+ struct SingleRequest *k = &data->req;
++ ssize_t onread = *nread;
++ char *ostr = k->str;
+
+ /* header line within buffer loop */
+ do {
+ size_t rest_length;
+ size_t full_length;
+@@ -3076,11 +3078,13 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+ /* since there's more, this is a partial bad header */
+ k->badheader = HEADER_PARTHEADER;
+ else {
+ /* this was all we read so it's all a bad header */
+ k->badheader = HEADER_ALLBAD;
+- *nread = (ssize_t)rest_length;
++ *nread = onread;
++ k->str = ostr;
++ return CURLE_OK;
+ }
+ break;
+ }
+ }
+
+--
+2.17.0
diff --git a/meta/recipes-support/curl/curl_7.58.0.bb b/meta/recipes-support/curl/curl_7.58.0.bb
index fdfbb3d..4376bb3 100644
--- a/meta/recipes-support/curl/curl_7.58.0.bb
+++ b/meta/recipes-support/curl/curl_7.58.0.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=8;md5=3a34942f4ae3fbf1a303160714e66
SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://0001-replace-krb5-config-with-pkg-config.patch \
file://CVE-2018-1000300.patch \
+ file://CVE-2018-1000301.patch \
"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 13/34] procps: CVE-2018-1124
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (10 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 12/34] curl: CVE-2018-1000301 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 14/34] gnupg: CVE-2018-12020 Jagadeesh Krishnanjanappa
` (21 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
proc/readproc.c: Fix bugs and overflows in file2strvec().
Note: this is by far the most important and complex patch of the whole
series, please review it carefully; thank you very much!
For this patch, we decided to keep the original function's design and
skeleton, to avoid regressions and behavior changes, while fixing the
various bugs and overflows. And like the "Harden file2str()" patch, this
patch does not fail when about to overflow, but truncates instead: there
is information available about this process, so return it to the caller;
also, we used INT_MAX as a limit, but a lower limit could be used.
The easy changes:
- Replace sprintf() with snprintf() (and check for truncation).
- Replace "if (n == 0 && rbuf == 0)" with "if (n <= 0 && tot <= 0)" and
do break instead of return: it simplifies the code (only one place to
handle errors), and also guarantees that in the while loop either n or
tot is > 0 (or both), even if n is reset to 0 when about to overflow.
- Remove the "if (n < 0)" block in the while loop: it is (and was) dead
code, since we enter the while loop only if n >= 0.
- Rewrite the missing-null-terminator detection: in the original
function, if the size of the file is a multiple of 2047, a null-
terminator is appended even if the file is already null-terminated.
- Replace "if (n <= 0 && !end_of_file)" with "if (n < 0 || tot <= 0)":
originally, it was equivalent to "if (n < 0)", but we added "tot <= 0"
to handle the first break of the while loop, and to guarantee that in
the rest of the function tot is > 0.
- Double-force ("belt and suspenders") the null-termination of rbuf:
this is (and was) essential to the correctness of the function.
- Replace the final "while" loop with a "for" loop that behaves just
like the preceding "for" loop: in the original function, this would
lead to unexpected results (for example, if rbuf is |\0|A|\0|, this
would return the array {"",NULL} but should return {"","A",NULL}; and
if rbuf is |A|\0|B| (should never happen because rbuf should be null-
terminated), this would make room for two pointers in ret, but would
write three pointers to ret).
The hard changes:
- Prevent the integer overflow of tot in the while loop, but unlike
file2str(), file2strvec() cannot let tot grow until it almost reaches
INT_MAX, because it needs more space for the pointers: this is why we
introduced ARG_LEN, which also guarantees that we can add "align" and
a few sizeof(char*)s to tot without overflowing.
- Prevent the integer overflow of "tot + c + align": when INT_MAX is
(almost) reached, we write the maximal safe amount of pointers to ret
(ARG_LEN guarantees that there is always space for *ret = rbuf and the
NULL terminator).
Affects procps-ng < 3.3.15
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../procps/procps/CVE-2018-1124.patch | 176 +++++++++++++++++++++
meta/recipes-extended/procps/procps_3.3.12.bb | 1 +
2 files changed, 177 insertions(+)
create mode 100644 meta/recipes-extended/procps/procps/CVE-2018-1124.patch
diff --git a/meta/recipes-extended/procps/procps/CVE-2018-1124.patch b/meta/recipes-extended/procps/procps/CVE-2018-1124.patch
new file mode 100644
index 0000000..bc78faf
--- /dev/null
+++ b/meta/recipes-extended/procps/procps/CVE-2018-1124.patch
@@ -0,0 +1,176 @@
+From bdd058a0e676d2f013027fcfb2b344c313112a50 Mon Sep 17 00:00:00 2001
+From: Qualys Security Advisory <qsa@qualys.com>
+Date: Thu, 1 Jan 1970 00:00:00 +0000
+Subject: [PATCH 074/126] proc/readproc.c: Fix bugs and overflows in
+ file2strvec().
+
+Note: this is by far the most important and complex patch of the whole
+series, please review it carefully; thank you very much!
+
+For this patch, we decided to keep the original function's design and
+skeleton, to avoid regressions and behavior changes, while fixing the
+various bugs and overflows. And like the "Harden file2str()" patch, this
+patch does not fail when about to overflow, but truncates instead: there
+is information available about this process, so return it to the caller;
+also, we used INT_MAX as a limit, but a lower limit could be used.
+
+The easy changes:
+
+- Replace sprintf() with snprintf() (and check for truncation).
+
+- Replace "if (n == 0 && rbuf == 0)" with "if (n <= 0 && tot <= 0)" and
+ do break instead of return: it simplifies the code (only one place to
+ handle errors), and also guarantees that in the while loop either n or
+ tot is > 0 (or both), even if n is reset to 0 when about to overflow.
+
+- Remove the "if (n < 0)" block in the while loop: it is (and was) dead
+ code, since we enter the while loop only if n >= 0.
+
+- Rewrite the missing-null-terminator detection: in the original
+ function, if the size of the file is a multiple of 2047, a null-
+ terminator is appended even if the file is already null-terminated.
+
+- Replace "if (n <= 0 && !end_of_file)" with "if (n < 0 || tot <= 0)":
+ originally, it was equivalent to "if (n < 0)", but we added "tot <= 0"
+ to handle the first break of the while loop, and to guarantee that in
+ the rest of the function tot is > 0.
+
+- Double-force ("belt and suspenders") the null-termination of rbuf:
+ this is (and was) essential to the correctness of the function.
+
+- Replace the final "while" loop with a "for" loop that behaves just
+ like the preceding "for" loop: in the original function, this would
+ lead to unexpected results (for example, if rbuf is |\0|A|\0|, this
+ would return the array {"",NULL} but should return {"","A",NULL}; and
+ if rbuf is |A|\0|B| (should never happen because rbuf should be null-
+ terminated), this would make room for two pointers in ret, but would
+ write three pointers to ret).
+
+The hard changes:
+
+- Prevent the integer overflow of tot in the while loop, but unlike
+ file2str(), file2strvec() cannot let tot grow until it almost reaches
+ INT_MAX, because it needs more space for the pointers: this is why we
+ introduced ARG_LEN, which also guarantees that we can add "align" and
+ a few sizeof(char*)s to tot without overflowing.
+
+- Prevent the integer overflow of "tot + c + align": when INT_MAX is
+ (almost) reached, we write the maximal safe amount of pointers to ret
+ (ARG_LEN guarantees that there is always space for *ret = rbuf and the
+ NULL terminator).
+[carnil: backport for 3.3.9: Add include for limits.h and use of MAX_INT]
+
+CVE: CVE-2018-1124
+Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/commit/36c350f07c75aabf747fb833f52a234ae5781b20]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ proc/readproc.c | 53 ++++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 32 insertions(+), 21 deletions(-)
+
+diff -Naurp procps-ng-3.3.12_org/proc/readproc.c procps-ng-3.3.12/proc/readproc.c
+--- procps-ng-3.3.12_org/proc/readproc.c 2016-07-09 14:49:25.825306872 -0700
++++ procps-ng-3.3.12/proc/readproc.c 2018-07-24 00:46:49.366202531 -0700
+@@ -37,6 +37,7 @@
+ #include <dirent.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <limits.h>
+ #ifdef WITH_SYSTEMD
+ #include <systemd/sd-login.h>
+ #endif
+--- a/proc/readproc.c
++++ b/proc/readproc.c
+@@ -600,11 +601,12 @@ static int file2str(const char *director
+
+ static char** file2strvec(const char* directory, const char* what) {
+ char buf[2048]; /* read buf bytes at a time */
+- char *p, *rbuf = 0, *endbuf, **q, **ret;
++ char *p, *rbuf = 0, *endbuf, **q, **ret, *strp;
+ int fd, tot = 0, n, c, end_of_file = 0;
+ int align;
+
+- sprintf(buf, "%s/%s", directory, what);
++ const int len = snprintf(buf, sizeof buf, "%s/%s", directory, what);
++ if(len <= 0 || (size_t)len >= sizeof buf) return NULL;
+ fd = open(buf, O_RDONLY, 0);
+ if(fd==-1) return NULL;
+
+@@ -612,18 +614,23 @@ static char** file2strvec(const char* di
+ while ((n = read(fd, buf, sizeof buf - 1)) >= 0) {
+ if (n < (int)(sizeof buf - 1))
+ end_of_file = 1;
+- if (n == 0 && rbuf == 0) {
+- close(fd);
+- return NULL; /* process died between our open and read */
++ if (n <= 0 && tot <= 0) { /* nothing read now, nothing read before */
++ break; /* process died between our open and read */
+ }
+- if (n < 0) {
+- if (rbuf)
+- free(rbuf);
+- close(fd);
+- return NULL; /* read error */
++ /* ARG_LEN is our guesstimated median length of a command-line argument
++ or environment variable (the minimum is 1, the maximum is 131072) */
++ #define ARG_LEN 64
++ if (tot >= INT_MAX / (ARG_LEN + (int)sizeof(char*)) * ARG_LEN - n) {
++ end_of_file = 1; /* integer overflow: null-terminate and break */
++ n = 0; /* but tot > 0 */
+ }
+- if (end_of_file && (n == 0 || buf[n-1]))/* last read char not null */
++ #undef ARG_LEN
++ if (end_of_file &&
++ ((n > 0 && buf[n-1] != '\0') || /* last read char not null */
++ (n <= 0 && rbuf[tot-1] != '\0'))) /* last read char not null */
+ buf[n++] = '\0'; /* so append null-terminator */
++
++ if (n <= 0) break; /* unneeded (end_of_file = 1) but avoid realloc */
+ rbuf = xrealloc(rbuf, tot + n); /* allocate more memory */
+ memcpy(rbuf + tot, buf, n); /* copy buffer into it */
+ tot += n; /* increment total byte ctr */
+@@ -631,29 +638,34 @@ static char** file2strvec(const char* di
+ break;
+ }
+ close(fd);
+- if (n <= 0 && !end_of_file) {
++ if (n < 0 || tot <= 0) { /* error, or nothing read */
+ if (rbuf) free(rbuf);
+ return NULL; /* read error */
+ }
++ rbuf[tot-1] = '\0'; /* belt and suspenders (the while loop did it, too) */
+ endbuf = rbuf + tot; /* count space for pointers */
+ align = (sizeof(char*)-1) - ((tot + sizeof(char*)-1) & (sizeof(char*)-1));
+- for (c = 0, p = rbuf; p < endbuf; p++) {
+- if (!*p || *p == '\n')
++ c = sizeof(char*); /* one extra for NULL term */
++ for (p = rbuf; p < endbuf; p++) {
++ if (!*p || *p == '\n') {
++ if (c >= INT_MAX - (tot + (int)sizeof(char*) + align)) break;
+ c += sizeof(char*);
++ }
+ if (*p == '\n')
+ *p = 0;
+ }
+- c += sizeof(char*); /* one extra for NULL term */
+
+ rbuf = xrealloc(rbuf, tot + c + align); /* make room for ptrs AT END */
+ endbuf = rbuf + tot; /* addr just past data buf */
+ q = ret = (char**) (endbuf+align); /* ==> free(*ret) to dealloc */
+- *q++ = p = rbuf; /* point ptrs to the strings */
+- endbuf--; /* do not traverse final NUL */
+- while (++p < endbuf)
+- if (!*p) /* NUL char implies that */
+- *q++ = p+1; /* next string -> next char */
+-
++ for (strp = p = rbuf; p < endbuf; p++) {
++ if (!*p) { /* NUL char implies that */
++ if (c < 2 * (int)sizeof(char*)) break;
++ c -= sizeof(char*);
++ *q++ = strp; /* point ptrs to the strings */
++ strp = p+1; /* next string -> next char */
++ }
++ }
+ *q = 0; /* null ptr list terminator */
+ return ret;
+ }
diff --git a/meta/recipes-extended/procps/procps_3.3.12.bb b/meta/recipes-extended/procps/procps_3.3.12.bb
index adabd75..a0c1bf4 100644
--- a/meta/recipes-extended/procps/procps_3.3.12.bb
+++ b/meta/recipes-extended/procps/procps_3.3.12.bb
@@ -14,6 +14,7 @@ inherit autotools gettext pkgconfig update-alternatives
SRC_URI = "http://downloads.sourceforge.net/project/procps-ng/Production/procps-ng-${PV}.tar.xz \
file://sysctl.conf \
+ file://CVE-2018-1124.patch \
"
SRC_URI[md5sum] = "957e42e8b193490b2111252e4a2b443c"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 14/34] gnupg: CVE-2018-12020
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (11 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 13/34] procps: CVE-2018-1124 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 15/34] curl: CVE-2018-0500 Jagadeesh Krishnanjanappa
` (20 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
gpg: Sanitize diagnostic with the original file name.
* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
--
This fixes a forgotten sanitation of user supplied data in a verbose
mode diagnostic. The mention CVE is about using this to inject
status-fd lines into the stderr output. Other harm good as well be
done. Note that GPGME based applications are not affected because
GPGME does not fold status output into stderr.
CVE-id: CVE-2018-12020
GnuPG-bug-id: 4012
Affects gnupg < 2.2.8
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../gnupg/gnupg/CVE-2018-12020.patch | 47 ++++++++++++++++++++++
meta/recipes-support/gnupg/gnupg_2.2.0.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2018-12020.patch
diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2018-12020.patch b/meta/recipes-support/gnupg/gnupg/CVE-2018-12020.patch
new file mode 100644
index 0000000..14698db
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2018-12020.patch
@@ -0,0 +1,47 @@
+From 13f135c7a252cc46cff96e75968d92b6dc8dce1b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Fri, 8 Jun 2018 10:45:21 +0200
+Subject: [PATCH] gpg: Sanitize diagnostic with the original file name.
+
+* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
+--
+
+This fixes a forgotten sanitation of user supplied data in a verbose
+mode diagnostic. The mention CVE is about using this to inject
+status-fd lines into the stderr output. Other harm good as well be
+done. Note that GPGME based applications are not affected because
+GPGME does not fold status output into stderr.
+
+CVE-id: CVE-2018-12020
+GnuPG-bug-id: 4012
+
+Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=13f135c7a252cc46cff96e75968d92b6dc8dce1b]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ g10/mainproc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/g10/mainproc.c b/g10/mainproc.c
+index d2ceec2fd..a9da08f74 100644
+--- a/g10/mainproc.c
++++ b/g10/mainproc.c
+@@ -851,7 +851,14 @@ proc_plaintext( CTX c, PACKET *pkt )
+ if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
+ log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
+ else if (opt.verbose)
+- log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
++ {
++ /* We don't use print_utf8_buffer because that would require a
++ * string change which we don't want in 2.2. It is also not
++ * clear whether the filename is always utf-8 encoded. */
++ char *tmp = make_printable_string (pt->name, pt->namelen, 0);
++ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
++ xfree (tmp);
++ }
+
+ free_md_filter_context (&c->mfx);
+ if (gcry_md_open (&c->mfx.md, 0, 0))
+--
+2.13.3
+
diff --git a/meta/recipes-support/gnupg/gnupg_2.2.0.bb b/meta/recipes-support/gnupg/gnupg_2.2.0.bb
index 0176ddd..962ae82 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.0.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.0.bb
@@ -14,6 +14,7 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
file://0002-use-pkgconfig-instead-of-npth-config.patch \
file://0003-dirmngr-uses-libgpg-error.patch \
file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \
+ file://CVE-2018-12020.patch \
"
SRC_URI[md5sum] = "789f16949fae2d003d387f49e9da4b74"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 15/34] curl: CVE-2018-0500
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (12 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 14/34] gnupg: CVE-2018-12020 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 16/34] Qemu CVE-2018-11806 slirp-heap-buffer-overflow Jagadeesh Krishnanjanappa
` (19 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
smtp: use the upload buffer size for scratch buffer malloc
... not the read buffer size, as that can be set smaller and thus cause
a buffer overflow! CVE-2018-0500
Reported-by: Peter Wu
Bug: https://curl.haxx.se/docs/adv_2018-70a2.html
Affects curl >= 7.54.1 && curl <= 7.60.0
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
meta/recipes-support/curl/curl/CVE-2018-0500.patch | 39 ++++++++++++++++++++++
meta/recipes-support/curl/curl_7.58.0.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2018-0500.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2018-0500.patch b/meta/recipes-support/curl/curl/CVE-2018-0500.patch
new file mode 100644
index 0000000..4395a3c
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2018-0500.patch
@@ -0,0 +1,39 @@
+From ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 13 Jun 2018 12:24:40 +0200
+Subject: [PATCH] smtp: use the upload buffer size for scratch buffer malloc
+
+... not the read buffer size, as that can be set smaller and thus cause
+a buffer overflow! CVE-2018-0500
+
+Reported-by: Peter Wu
+Bug: https://curl.haxx.se/docs/adv_2018-70a2.html
+
+CVE: CVE-2018-0500
+Upstream-Status: Backport [https://github.com/curl/curl/commit/ba1dbd78e5f1e.patch]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ lib/smtp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/smtp.c b/lib/smtp.c
+index e6872badb8..ecf10a41ac 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -1563,13 +1563,14 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread)
+ if(!scratch || data->set.crlf) {
+ oldscratch = scratch;
+
+- scratch = newscratch = malloc(2 * data->set.buffer_size);
++ scratch = newscratch = malloc(2 * UPLOAD_BUFSIZE);
+ if(!newscratch) {
+ failf(data, "Failed to alloc scratch buffer!");
+
+ return CURLE_OUT_OF_MEMORY;
+ }
+ }
++ DEBUGASSERT(UPLOAD_BUFSIZE >= nread);
+
+ /* Have we already sent part of the EOB? */
+ eob_sent = smtp->eob;
diff --git a/meta/recipes-support/curl/curl_7.58.0.bb b/meta/recipes-support/curl/curl_7.58.0.bb
index 4376bb3..7dc5381 100644
--- a/meta/recipes-support/curl/curl_7.58.0.bb
+++ b/meta/recipes-support/curl/curl_7.58.0.bb
@@ -9,6 +9,7 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://0001-replace-krb5-config-with-pkg-config.patch \
file://CVE-2018-1000300.patch \
file://CVE-2018-1000301.patch \
+ file://CVE-2018-0500.patch \
"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 16/34] Qemu CVE-2018-11806 slirp-heap-buffer-overflow
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (13 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 15/34] curl: CVE-2018-0500 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 17/34] qemu: CVE-2017-15119 Jagadeesh Krishnanjanappa
` (18 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
From: Jeremy Puhlman <jpuhlman@mvista.com>
slirp: correct size computation while concatenating mbuf
While reassembling incoming fragmented datagrams, 'm_cat' routine
extends the 'mbuf' buffer, if it has insufficient room. It computes
a wrong buffer size, which leads to overwriting adjacent heap buffer
area. Correct this size computation in m_cat.
Affects qemu < 3.0.0
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
---
...018-11806-QEMU-slirp-heap-buffer-overflow.patch | 69 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.10.0.bb | 1 +
2 files changed, 70 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch
diff --git a/meta/recipes-devtools/qemu/qemu/0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch b/meta/recipes-devtools/qemu/qemu/0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch
new file mode 100644
index 0000000..6a518b4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch
@@ -0,0 +1,69 @@
+Upstream-status: Backport
+
+https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html
+
+From dc21a9d2951f0a2a7e63633e2b5c68c54e4edc4b Mon Sep 17 00:00:00 2001
+From: Jeremy Puhlman <jpuhlman@mvista.com>
+Date: Thu, 14 Jun 2018 01:28:49 +0000
+Subject: [PATCH] CVE-2018-11806 QEMU: slirp: heap buffer overflow
+
+Subject: [Qemu-devel] [PATCH 1/2] slirp: correct size computation while concatenating mbuf
+Date: Tue, 5 Jun 2018 23:38:35 +0530
+From: Prasad J Pandit <address@hidden>
+
+While reassembling incoming fragmented datagrams, 'm_cat' routine
+extends the 'mbuf' buffer, if it has insufficient room. It computes
+a wrong buffer size, which leads to overwriting adjacent heap buffer
+area. Correct this size computation in m_cat.
+
+Reported-by: ZDI Disclosures <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ slirp/mbuf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
+---
+ slirp/mbuf.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/slirp/mbuf.c b/slirp/mbuf.c
+index 5ff2455..7fb4501 100644
+--- a/slirp/mbuf.c
++++ b/slirp/mbuf.c
+@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
+ * If there's no room, realloc
+ */
+ if (M_FREEROOM(m) < n->m_len)
+- m_inc(m,m->m_size+MINCSIZE);
++ m_inc(m, m->m_len + n->m_len);
+
+ memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
+ m->m_len += n->m_len;
+@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
+
+ if (m->m_flags & M_EXT) {
+ datasize = m->m_data - m->m_ext;
+- m->m_ext = g_realloc(m->m_ext, size);
++ m->m_ext = g_realloc(m->m_ext, size + datasize);
+ m->m_data = m->m_ext + datasize;
+ } else {
+ char *dat;
+ datasize = m->m_data - m->m_dat;
+- dat = g_malloc(size);
++ dat = g_malloc(size + datasize);
+ memcpy(dat, m->m_dat, m->m_size);
+
+ m->m_ext = dat;
+@@ -171,7 +171,7 @@ m_inc(struct mbuf *m, int size)
+ m->m_flags |= M_EXT;
+ }
+
+- m->m_size = size;
++ m->m_size = size + datasize;
+
+ }
+
+--
+2.13.3
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.10.0.bb b/meta/recipes-devtools/qemu/qemu_2.10.0.bb
index bdf6c21..89c68f2 100644
--- a/meta/recipes-devtools/qemu/qemu_2.10.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.10.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
file://CVE-2017-14167.patch \
file://ppc_locking.patch \
file://memfd.patch \
+ file://0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 17/34] qemu: CVE-2017-15119
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (14 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 16/34] Qemu CVE-2018-11806 slirp-heap-buffer-overflow Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 18/34] pcmanfm: CVE-2017-8934 Jagadeesh Krishnanjanappa
` (17 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
nbd/server: CVE-2017-15119 Reject options larger than 32M
The NBD spec gives us permission to abruptly disconnect on clients
that send outrageously large option requests, rather than having
to spend the time reading to the end of the option. No real
option request requires that much data anyways; and meanwhile, we
already have the practice of abruptly dropping the connection on
any client that sends NBD_CMD_WRITE with a payload larger than 32M.
For comparison, nbdkit drops the connection on any request with
more than 4096 bytes; however, that limit is probably too low
(as the NBD spec states an export name can theoretically be up
to 4096 bytes, which means a valid NBD_OPT_INFO could be even
longer) - even if qemu doesn't permit exports longer than 256
bytes.
It could be argued that a malicious client trying to get us to
read nearly 4G of data on a bad request is a form of denial of
service. In particular, if the server requires TLS, but a client
that does not know the TLS credentials sends any option (other
than NBD_OPT_STARTTLS or NBD_OPT_EXPORT_NAME) with a stated
payload of nearly 4G, then the server was keeping the connection
alive trying to read all the payload, tying up resources that it
would rather be spending on a client that can get past the TLS
handshake. Hence, this warranted a CVE.
Present since at least 2.5 when handling known options, and made
worse in 2.6 when fixing support for NBD_FLAG_C_FIXED_NEWSTYLE
to handle unknown options.
Affects qemu < 2.11
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../qemu/qemu/CVE-2017-15119.patch | 63 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.10.0.bb | 1 +
2 files changed, 64 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2017-15119.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-15119.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-15119.patch
new file mode 100644
index 0000000..10da519
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2017-15119.patch
@@ -0,0 +1,63 @@
+From fdad35ef6c5839d50dfc14073364ac893afebc30 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 22 Nov 2017 16:25:16 -0600
+Subject: [PATCH] nbd/server: CVE-2017-15119 Reject options larger than 32M
+
+The NBD spec gives us permission to abruptly disconnect on clients
+that send outrageously large option requests, rather than having
+to spend the time reading to the end of the option. No real
+option request requires that much data anyways; and meanwhile, we
+already have the practice of abruptly dropping the connection on
+any client that sends NBD_CMD_WRITE with a payload larger than 32M.
+
+For comparison, nbdkit drops the connection on any request with
+more than 4096 bytes; however, that limit is probably too low
+(as the NBD spec states an export name can theoretically be up
+to 4096 bytes, which means a valid NBD_OPT_INFO could be even
+longer) - even if qemu doesn't permit exports longer than 256
+bytes.
+
+It could be argued that a malicious client trying to get us to
+read nearly 4G of data on a bad request is a form of denial of
+service. In particular, if the server requires TLS, but a client
+that does not know the TLS credentials sends any option (other
+than NBD_OPT_STARTTLS or NBD_OPT_EXPORT_NAME) with a stated
+payload of nearly 4G, then the server was keeping the connection
+alive trying to read all the payload, tying up resources that it
+would rather be spending on a client that can get past the TLS
+handshake. Hence, this warranted a CVE.
+
+Present since at least 2.5 when handling known options, and made
+worse in 2.6 when fixing support for NBD_FLAG_C_FIXED_NEWSTYLE
+to handle unknown options.
+
+CC: qemu-stable@nongnu.org
+CVE: CVE-2017-15119
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=fdad35ef6c5839d50dfc14073364ac893afebc30]
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ nbd/server.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index 7d6801b427..a81801e3bc 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -673,6 +673,12 @@ static int nbd_negotiate_options(NBDClient *client, uint16_t myflags,
+ }
+ length = be32_to_cpu(length);
+
++ if (length > NBD_MAX_BUFFER_SIZE) {
++ error_setg(errp, "len (%" PRIu32" ) is larger than max len (%u)",
++ length, NBD_MAX_BUFFER_SIZE);
++ return -EINVAL;
++ }
++
+ trace_nbd_negotiate_options_check_option(option,
+ nbd_opt_lookup(option));
+ if (client->tlscreds &&
+--
+2.13.3
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.10.0.bb b/meta/recipes-devtools/qemu/qemu_2.10.0.bb
index 89c68f2..a3cfb7c 100644
--- a/meta/recipes-devtools/qemu/qemu_2.10.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.10.0.bb
@@ -31,6 +31,7 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
file://ppc_locking.patch \
file://memfd.patch \
file://0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch \
+ file://CVE-2017-15119.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 18/34] pcmanfm: CVE-2017-8934
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (15 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 17/34] qemu: CVE-2017-15119 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 19/34] openssh: CVE-2017-15906 Jagadeesh Krishnanjanappa
` (16 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
Fix potential access violation, use runtime user dir instead of tmp dir.
pcmanfm = 1.2.5
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../recipes-sato/pcmanfm/files/CVE-2017-8934.patch | 60 ++++++++++++++++++++++
meta/recipes-sato/pcmanfm/pcmanfm_1.2.5.bb | 3 +-
2 files changed, 62 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-sato/pcmanfm/files/CVE-2017-8934.patch
diff --git a/meta/recipes-sato/pcmanfm/files/CVE-2017-8934.patch b/meta/recipes-sato/pcmanfm/files/CVE-2017-8934.patch
new file mode 100644
index 0000000..ea34555
--- /dev/null
+++ b/meta/recipes-sato/pcmanfm/files/CVE-2017-8934.patch
@@ -0,0 +1,60 @@
+From bc8c3d871e9ecc67c47ff002b68cf049793faf08 Mon Sep 17 00:00:00 2001
+From: Andriy Grytsenko <andrej@rep.kiev.ua>
+Date: Sun, 14 May 2017 21:35:40 +0300
+Subject: [PATCH] Fix potential access violation, use runtime user dir instead
+ of tmp dir.
+
+CVE: CVE-2017-8934
+Upstream-Status: Backport [https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ NEWS | 4 ++++
+ src/single-inst.c | 7 ++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index 8c2049a..876f7f3 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,7 @@
++* Fixed potential access violation, use runtime user dir instead of tmp dir
++ for single instance socket.
++
++
+ Changes on 1.2.5 since 1.2.4:
+
+ * Removed options to Cut, Remove and Rename from context menu on mounted
+diff --git a/src/single-inst.c b/src/single-inst.c
+index 62c37b3..aaf84ab 100644
+--- a/src/single-inst.c
++++ b/src/single-inst.c
+@@ -2,7 +2,7 @@
+ * single-inst.c: simple IPC mechanism for single instance app
+ *
+ * Copyright 2010 Hong Jen Yee (PCMan) <pcman.tw@gmail.com>
+- * Copyright 2012 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
++ * Copyright 2012-2017 Andriy Grytsenko (LStranger) <andrej@rep.kiev.ua>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -404,11 +404,16 @@ static void get_socket_name(SingleInstData* data, char* buf, int len)
+ }
+ else
+ dpynum = 0;
++#if GLIB_CHECK_VERSION(2, 28, 0)
++ g_snprintf(buf, len, "%s/%s-socket-%s-%d", g_get_user_runtime_dir(),
++ data->prog_name, host ? host : "", dpynum);
++#else
+ g_snprintf(buf, len, "%s/.%s-socket-%s-%d-%s",
+ g_get_tmp_dir(),
+ data->prog_name,
+ host ? host : "",
+ dpynum,
+ g_get_user_name());
++#endif
+ }
+
+--
+2.13.3
+
diff --git a/meta/recipes-sato/pcmanfm/pcmanfm_1.2.5.bb b/meta/recipes-sato/pcmanfm/pcmanfm_1.2.5.bb
index 75ff773..0ab8a2e 100644
--- a/meta/recipes-sato/pcmanfm/pcmanfm_1.2.5.bb
+++ b/meta/recipes-sato/pcmanfm/pcmanfm_1.2.5.bb
@@ -17,7 +17,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/pcmanfm/pcmanfm-${PV}.tar.xz \
file://gnome-fs-regular.png \
file://gnome-mime-text-plain.png \
file://emblem-symbolic-link.png \
- file://no-desktop.patch"
+ file://no-desktop.patch \
+ file://CVE-2017-8934.patch"
SRC_URI[md5sum] = "b4d1f8ce08d87e4f27805a246fc51ac2"
SRC_URI[sha256sum] = "0c86cac028b705ff314c7464d814c2cf7ff604c17491c20aa204b1ef1a80ad67"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 19/34] openssh: CVE-2017-15906
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (16 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 18/34] pcmanfm: CVE-2017-8934 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 20/34] git: CVE-2017-15298 Jagadeesh Krishnanjanappa
` (15 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
disallow creation (of empty files) in read-only mode; reported by
Michal Zalewski, feedback & ok deraadt@
Affects openssh < 7.6
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../openssh/openssh/CVE-2017-15906.patch | 38 ++++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_7.5p1.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2017-15906.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2017-15906.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2017-15906.patch
new file mode 100644
index 0000000..3ad683d
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2017-15906.patch
@@ -0,0 +1,38 @@
+From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001
+From: djm <djm@openbsd.org>
+Date: Tue, 4 Apr 2017 00:24:56 +0000
+Subject: [PATCH] disallow creation (of empty files) in read-only mode;
+ reported by Michal Zalewski, feedback & ok deraadt@
+
+CVE: CVE-2017-15906
+Upstream-Status: Backport [https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ usr.bin/ssh/sftp-server.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c
+index 2510d234a3a..42249ebd60d 100644
+--- a/usr.bin/ssh/sftp-server.c
++++ b/usr.bin/ssh/sftp-server.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */
++/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */
+ /*
+ * Copyright (c) 2000-2004 Markus Friedl. All rights reserved.
+ *
+@@ -683,8 +683,8 @@ process_open(u_int32_t id)
+ logit("open \"%s\" flags %s mode 0%o",
+ name, string_from_portable(pflags), mode);
+ if (readonly &&
+- ((flags & O_ACCMODE) == O_WRONLY ||
+- (flags & O_ACCMODE) == O_RDWR)) {
++ ((flags & O_ACCMODE) != O_RDONLY ||
++ (flags & (O_CREAT|O_TRUNC)) != 0)) {
+ verbose("Refusing open request in read-only mode");
+ status = SSH2_FX_PERMISSION_DENIED;
+ } else {
+--
+2.13.3
+
diff --git a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
index 86ca6ff..395c21b 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
@@ -28,6 +28,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://0001-openssh-Fix-syntax-error-on-x32.patch \
file://sshd_check_keys \
+ file://CVE-2017-15906.patch;striplevel=3 \
"
PAM_SRC_URI = "file://sshd"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 20/34] git: CVE-2017-15298
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (17 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 19/34] openssh: CVE-2017-15906 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:17 ` [ROCKO][PATCH 21/34] libsndfile1: CVE-2017-14634 Jagadeesh Krishnanjanappa
` (14 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
revision: quit pruning diff more quickly when possible
When the revision traversal machinery is given a pathspec,
we must compute the parent-diff for each commit to determine
which ones are TREESAME. We set the QUICK diff flag to avoid
looking at more entries than we need; we really just care
whether there are any changes at all.
But there is one case where we want to know a bit more: if
--remove-empty is set, we care about finding cases where the
change consists only of added entries (in which case we may
prune the parent in try_to_simplify_commit()). To cover that
case, our file_add_remove() callback does not quit the diff
upon seeing an added entry; it keeps looking for other types
of entries.
But this means when --remove-empty is not set (and it is not
by default), we compute more of the diff than is necessary.
You can see this in a pathological case where a commit adds
a very large number of entries, and we limit based on a
broad pathspec. E.g.:
perl -e '
chomp(my $blob = `git hash-object -w --stdin </dev/null`);
for my $a (1..1000) {
for my $b (1..1000) {
print "100644 $blob\t$a/$b\n";
}
}
' | git update-index --index-info
git commit -qm add
git rev-list HEAD -- .
This case takes about 100ms now, but after this patch only
needs 6ms. That's not a huge improvement, but it's easy to
get and it protects us against even more pathological cases
(e.g., going from 1 million to 10 million files would take
ten times as long with the current code, but not increase at
all after this patch).
This is reported to minorly speed-up pathspec limiting in
real world repositories (like the 100-million-file Windows
repository), but probably won't make a noticeable difference
outside of pathological setups.
This patch actually covers the case without --remove-empty,
and the case where we see only deletions. See the in-code
comment for details.
Note that we have to add a new member to the diff_options
struct so that our callback can see the value of
revs->remove_empty_trees. This callback parameter could be
passed to the "add_remove" and "change" callbacks, but
there's not much point. They already receive the
diff_options struct, and doing it this way avoids having to
update the function signature of the other callbacks
(arguably the format_callback and output_prefix functions
could benefit from the same simplification).
Affects git <= 2.14.2
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../git/files/CVE-2017-15298.patch | 132 +++++++++++++++++++++
meta/recipes-devtools/git/git.inc | 3 +-
2 files changed, 134 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/git/files/CVE-2017-15298.patch
diff --git a/meta/recipes-devtools/git/files/CVE-2017-15298.patch b/meta/recipes-devtools/git/files/CVE-2017-15298.patch
new file mode 100644
index 0000000..0d349dd
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2017-15298.patch
@@ -0,0 +1,132 @@
+From a937b37e766479c8e780b17cce9c4b252fd97e40 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Fri, 13 Oct 2017 11:27:45 -0400
+Subject: revision: quit pruning diff more quickly when possible
+
+When the revision traversal machinery is given a pathspec,
+we must compute the parent-diff for each commit to determine
+which ones are TREESAME. We set the QUICK diff flag to avoid
+looking at more entries than we need; we really just care
+whether there are any changes at all.
+
+But there is one case where we want to know a bit more: if
+--remove-empty is set, we care about finding cases where the
+change consists only of added entries (in which case we may
+prune the parent in try_to_simplify_commit()). To cover that
+case, our file_add_remove() callback does not quit the diff
+upon seeing an added entry; it keeps looking for other types
+of entries.
+
+But this means when --remove-empty is not set (and it is not
+by default), we compute more of the diff than is necessary.
+You can see this in a pathological case where a commit adds
+a very large number of entries, and we limit based on a
+broad pathspec. E.g.:
+
+ perl -e '
+ chomp(my $blob = `git hash-object -w --stdin </dev/null`);
+ for my $a (1..1000) {
+ for my $b (1..1000) {
+ print "100644 $blob\t$a/$b\n";
+ }
+ }
+ ' | git update-index --index-info
+ git commit -qm add
+
+ git rev-list HEAD -- .
+
+This case takes about 100ms now, but after this patch only
+needs 6ms. That's not a huge improvement, but it's easy to
+get and it protects us against even more pathological cases
+(e.g., going from 1 million to 10 million files would take
+ten times as long with the current code, but not increase at
+all after this patch).
+
+This is reported to minorly speed-up pathspec limiting in
+real world repositories (like the 100-million-file Windows
+repository), but probably won't make a noticeable difference
+outside of pathological setups.
+
+This patch actually covers the case without --remove-empty,
+and the case where we see only deletions. See the in-code
+comment for details.
+
+Note that we have to add a new member to the diff_options
+struct so that our callback can see the value of
+revs->remove_empty_trees. This callback parameter could be
+passed to the "add_remove" and "change" callbacks, but
+there's not much point. They already receive the
+diff_options struct, and doing it this way avoids having to
+update the function signature of the other callbacks
+(arguably the format_callback and output_prefix functions
+could benefit from the same simplification).
+
+CVE: CVE-2017-15298
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/git/git.git/commit/?id=a937b37e76]
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ diff.h | 1 +
+ revision.c | 16 +++++++++++++---
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/diff.h b/diff.h
+index e9ccb38c26..fe5c287a70 100644
+--- a/diff.h
++++ b/diff.h
+@@ -180,6 +180,7 @@ struct diff_options {
+ pathchange_fn_t pathchange;
+ change_fn_t change;
+ add_remove_fn_t add_remove;
++ void *change_fn_data;
+ diff_format_fn_t format_callback;
+ void *format_callback_data;
+ diff_prefix_fn_t output_prefix;
+diff --git a/revision.c b/revision.c
+index 771d079f6e..7c23ab7afe 100644
+--- a/revision.c
++++ b/revision.c
+@@ -394,8 +394,16 @@ static struct commit *one_relevant_parent(const struct rev_info *revs,
+ * if the whole diff is removal of old data, and otherwise
+ * REV_TREE_DIFFERENT (of course if the trees are the same we
+ * want REV_TREE_SAME).
+- * That means that once we get to REV_TREE_DIFFERENT, we do not
+- * have to look any further.
++ *
++ * The only time we care about the distinction is when
++ * remove_empty_trees is in effect, in which case we care only about
++ * whether the whole change is REV_TREE_NEW, or if there's another type
++ * of change. Which means we can stop the diff early in either of these
++ * cases:
++ *
++ * 1. We're not using remove_empty_trees at all.
++ *
++ * 2. We saw anything except REV_TREE_NEW.
+ */
+ static int tree_difference = REV_TREE_SAME;
+
+@@ -406,9 +414,10 @@ static void file_add_remove(struct diff_options *options,
+ const char *fullpath, unsigned dirty_submodule)
+ {
+ int diff = addremove == '+' ? REV_TREE_NEW : REV_TREE_OLD;
++ struct rev_info *revs = options->change_fn_data;
+
+ tree_difference |= diff;
+- if (tree_difference == REV_TREE_DIFFERENT)
++ if (!revs->remove_empty_trees || tree_difference != REV_TREE_NEW)
+ DIFF_OPT_SET(options, HAS_CHANGES);
+ }
+
+@@ -1346,6 +1355,7 @@ void init_revisions(struct rev_info *revs, const char *prefix)
+ DIFF_OPT_SET(&revs->pruning, QUICK);
+ revs->pruning.add_remove = file_add_remove;
+ revs->pruning.change = file_change;
++ revs->pruning.change_fn_data = revs;
+ revs->sort_order = REV_SORT_IN_GRAPH_ORDER;
+ revs->dense = 1;
+ revs->prefix = prefix;
+--
+cgit 1.2-0.3.lf.el7
+
diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index 9b4c128..1ffc41d 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -7,7 +7,8 @@ DEPENDS = "openssl curl zlib expat"
PROVIDES_append_class-native = " git-replacement-native"
SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
- ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
+ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
+ file://CVE-2017-15298.patch"
S = "${WORKDIR}/git-${PV}"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 21/34] libsndfile1: CVE-2017-14634
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (18 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 20/34] git: CVE-2017-15298 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:17 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 22/34] libarchive: CVE-2017-14503 Jagadeesh Krishnanjanappa
` (13 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:17 UTC (permalink / raw)
To: openembedded-core
double64_init: Check psf->sf.channels against upper bound
This prevents division by zero later in the code.
While the trivial case to catch this (i.e. sf.channels < 1) has already
been covered, a crafted file may report a number of channels that is
so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
miscalculated to zero (if this makes sense) in the determination of the
blockwidth. Since we only support a limited number of channels anyway,
make sure to check here as well.
CVE-2017-14634
Closes: #318
Affects libsndfile1 = 1.0.28
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../libsndfile/libsndfile1/CVE-2017-14634.patch | 42 ++++++++++++++++++++++
.../libsndfile/libsndfile1_1.0.28.bb | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch
new file mode 100644
index 0000000..39b4ec1
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2017-14634.patch
@@ -0,0 +1,42 @@
+From 85c877d5072866aadbe8ed0c3e0590fbb5e16788 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath <fabian@greffrath.com>
+Date: Thu, 28 Sep 2017 12:15:04 +0200
+Subject: [PATCH] double64_init: Check psf->sf.channels against upper bound
+
+This prevents division by zero later in the code.
+
+While the trivial case to catch this (i.e. sf.channels < 1) has already
+been covered, a crafted file may report a number of channels that is
+so high (i.e. > INT_MAX/sizeof(double)) that it "somehow" gets
+miscalculated to zero (if this makes sense) in the determination of the
+blockwidth. Since we only support a limited number of channels anyway,
+make sure to check here as well.
+
+CVE: CVE-2017-14634
+
+Closes: https://github.com/erikd/libsndfile/issues/318
+
+Upstream-Status: Backport [https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788]
+
+Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ src/double64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/double64.c b/src/double64.c
+index b318ea8..78dfef7 100644
+--- a/src/double64.c
++++ b/src/double64.c
+@@ -91,7 +91,7 @@ int
+ double64_init (SF_PRIVATE *psf)
+ { static int double64_caps ;
+
+- if (psf->sf.channels < 1)
++ if (psf->sf.channels < 1 || psf->sf.channels > SF_MAX_CHANNELS)
+ { psf_log_printf (psf, "double64_init : internal error : channels = %d\n", psf->sf.channels) ;
+ return SFE_INTERNAL ;
+ } ;
+--
+2.13.3
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index c6f2a46..ed43b74 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -11,6 +11,7 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
file://CVE-2017-8362.patch \
file://CVE-2017-8363.patch \
file://CVE-2017-14245-14246.patch \
+ file://CVE-2017-14634.patch \
"
SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 22/34] libarchive: CVE-2017-14503
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (19 preceding siblings ...)
2018-08-22 11:17 ` [ROCKO][PATCH 21/34] libsndfile1: CVE-2017-14634 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 23/34] qemu: CVE-2017-18043 Jagadeesh Krishnanjanappa
` (12 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
Reject LHA archive entries with negative size.
Affects libarchive = 3.3.2
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../libarchive/libarchive/CVE-2017-14503.patch | 29 ++++++++++++++++++++++
.../libarchive/libarchive_3.3.2.bb | 1 +
2 files changed, 30 insertions(+)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2017-14503.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2017-14503.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14503.patch
new file mode 100644
index 0000000..f82b096
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2017-14503.patch
@@ -0,0 +1,29 @@
+From 2c8c83b9731ff822fad6cc8c670ea5519c366a14 Mon Sep 17 00:00:00 2001
+From: Joerg Sonnenberger <joerg@bec.de>
+Date: Thu, 19 Jul 2018 21:14:53 +0200
+Subject: [PATCH] Reject LHA archive entries with negative size.
+
+---
+ libarchive/archive_read_support_format_lha.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c
+index b8ef4ae1..95c99bb1 100644
+--- a/libarchive/archive_read_support_format_lha.c
++++ b/libarchive/archive_read_support_format_lha.c
+@@ -701,6 +701,12 @@ archive_read_format_lha_read_header(struct archive_read *a,
+ * Prepare variables used to read a file content.
+ */
+ lha->entry_bytes_remaining = lha->compsize;
++ if (lha->entry_bytes_remaining < 0) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_FILE_FORMAT,
++ "Invalid LHa entry size");
++ return (ARCHIVE_FATAL);
++ }
+ lha->entry_offset = 0;
+ lha->entry_crc_calculated = 0;
+
+--
+2.13.3
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
index 5daca27..3269716 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.3.2.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://CVE-2017-14166.patch \
file://CVE-2017-14502.patch \
file://non-recursive-extract-and-list.patch \
+ file://CVE-2017-14503.patch \
"
SRC_URI[md5sum] = "4583bd6b2ebf7e0e8963d90879eb1b27"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 23/34] qemu: CVE-2017-18043
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (20 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 22/34] libarchive: CVE-2017-14503 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 24/34] qemu: CVE-2018-7550 Jagadeesh Krishnanjanappa
` (11 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
osdep: Fix ROUND_UP(64-bit, 32-bit)
When using bit-wise operations that exploit the power-of-two
nature of the second argument of ROUND_UP(), we still need to
ensure that the mask is as wide as the first argument (done
by using a ternary to force proper arithmetic promotion).
Unpatched, ROUND_UP(2ULL*1024*1024*1024*1024, 512U) produces 0,
instead of the intended 2TiB, because negation of an unsigned
32-bit quantity followed by widening to 64-bits does not
sign-extend the mask.
Broken since its introduction in commit 292c8e50 (v1.5.0).
Callers that passed the same width type to both macro parameters,
or that had other code to ensure the first parameter's maximum
runtime value did not exceed the second parameter's width, are
unaffected, but I did not audit to see which (if any) existing
clients of the macro could trigger incorrect behavior (I found
the bug while adding a new use of the macro).
While preparing the patch, checkpatch complained about poor
spacing, so I also fixed that here and in the nearby DIV_ROUND_UP.
Affects qemu < v2.11.0
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../qemu/qemu/CVE-2017-18043.patch | 63 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.10.0.bb | 1 +
2 files changed, 64 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2017-18043.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-18043.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-18043.patch
new file mode 100644
index 0000000..955a24c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2017-18043.patch
@@ -0,0 +1,63 @@
+From 2098b073f398cd628c09c5a78537a6854e85830d Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 14 Sep 2017 08:49:23 -0500
+Subject: [PATCH] osdep: Fix ROUND_UP(64-bit, 32-bit)
+
+When using bit-wise operations that exploit the power-of-two
+nature of the second argument of ROUND_UP(), we still need to
+ensure that the mask is as wide as the first argument (done
+by using a ternary to force proper arithmetic promotion).
+Unpatched, ROUND_UP(2ULL*1024*1024*1024*1024, 512U) produces 0,
+instead of the intended 2TiB, because negation of an unsigned
+32-bit quantity followed by widening to 64-bits does not
+sign-extend the mask.
+
+Broken since its introduction in commit 292c8e50 (v1.5.0).
+Callers that passed the same width type to both macro parameters,
+or that had other code to ensure the first parameter's maximum
+runtime value did not exceed the second parameter's width, are
+unaffected, but I did not audit to see which (if any) existing
+clients of the macro could trigger incorrect behavior (I found
+the bug while adding a new use of the macro).
+
+While preparing the patch, checkpatch complained about poor
+spacing, so I also fixed that here and in the nearby DIV_ROUND_UP.
+
+CVE: CVE-2017-18043
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2098b073f398cd628c09c5a78537a6854]
+
+CC: qemu-trivial@nongnu.org
+CC: qemu-stable@nongnu.org
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ include/qemu/osdep.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
+index 72b75bf044..9dd318a7dd 100644
+--- a/include/qemu/osdep.h
++++ b/include/qemu/osdep.h
+@@ -205,13 +205,13 @@ extern int daemon(int, int);
+
+ /* Round number up to multiple. Requires that d be a power of 2 (see
+ * QEMU_ALIGN_UP for a safer but slower version on arbitrary
+- * numbers) */
++ * numbers); works even if d is a smaller type than n. */
+ #ifndef ROUND_UP
+-#define ROUND_UP(n,d) (((n) + (d) - 1) & -(d))
++#define ROUND_UP(n, d) (((n) + (d) - 1) & -(0 ? (n) : (d)))
+ #endif
+
+ #ifndef DIV_ROUND_UP
+-#define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d))
++#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
+ #endif
+
+ /*
+--
+2.13.3
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.10.0.bb b/meta/recipes-devtools/qemu/qemu_2.10.0.bb
index a3cfb7c..48b8675 100644
--- a/meta/recipes-devtools/qemu/qemu_2.10.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.10.0.bb
@@ -32,6 +32,7 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
file://memfd.patch \
file://0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch \
file://CVE-2017-15119.patch \
+ file://CVE-2017-18043.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 24/34] qemu: CVE-2018-7550
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (21 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 23/34] qemu: CVE-2017-18043 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 25/34] qemu: CVE-2018-12617 Jagadeesh Krishnanjanappa
` (10 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
multiboot: bss_end_addr can be zero
The multiboot spec
(https://www.gnu.org/software/grub/manual/multiboot/),
section 3.1.3, allows for bss_end_addr to be zero.
A zero bss_end_addr signifies there is no .bss section.
Affects qemu < v2.12.0
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../recipes-devtools/qemu/qemu/CVE-2018-7550.patch | 62 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.10.0.bb | 1 +
2 files changed, 63 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch
new file mode 100644
index 0000000..9923d12
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch
@@ -0,0 +1,62 @@
+From 2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 Mon Sep 17 00:00:00 2001
+From: Jack Schwartz <jack.schwartz@oracle.com>
+Date: Thu, 21 Dec 2017 09:25:15 -0800
+Subject: [PATCH] multiboot: bss_end_addr can be zero
+
+The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/),
+section 3.1.3, allows for bss_end_addr to be zero.
+
+A zero bss_end_addr signifies there is no .bss section.
+
+CVE: CVE-2018-7550
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8]
+
+Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Jack Schwartz <jack.schwartz@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ hw/i386/multiboot.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
+index 46d9c68bf5..bb8d8e4629 100644
+--- a/hw/i386/multiboot.c
++++ b/hw/i386/multiboot.c
+@@ -233,12 +233,6 @@ int load_multiboot(FWCfgState *fw_cfg,
+ mh_entry_addr = ldl_p(header+i+28);
+
+ if (mh_load_end_addr) {
+- if (mh_bss_end_addr < mh_load_addr) {
+- fprintf(stderr, "invalid mh_bss_end_addr address\n");
+- exit(1);
+- }
+- mb_kernel_size = mh_bss_end_addr - mh_load_addr;
+-
+ if (mh_load_end_addr < mh_load_addr) {
+ fprintf(stderr, "invalid mh_load_end_addr address\n");
+ exit(1);
+@@ -249,8 +243,16 @@ int load_multiboot(FWCfgState *fw_cfg,
+ fprintf(stderr, "invalid kernel_file_size\n");
+ exit(1);
+ }
+- mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
+- mb_load_size = mb_kernel_size;
++ mb_load_size = kernel_file_size - mb_kernel_text_offset;
++ }
++ if (mh_bss_end_addr) {
++ if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) {
++ fprintf(stderr, "invalid mh_bss_end_addr address\n");
++ exit(1);
++ }
++ mb_kernel_size = mh_bss_end_addr - mh_load_addr;
++ } else {
++ mb_kernel_size = mb_load_size;
+ }
+
+ /* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_VBE.
+--
+2.13.3
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.10.0.bb b/meta/recipes-devtools/qemu/qemu_2.10.0.bb
index 48b8675..5b88154 100644
--- a/meta/recipes-devtools/qemu/qemu_2.10.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.10.0.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
file://0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch \
file://CVE-2017-15119.patch \
file://CVE-2017-18043.patch \
+ file://CVE-2018-7550.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 25/34] qemu: CVE-2018-12617
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (22 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 24/34] qemu: CVE-2018-7550 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 26/34] shadow: CVE-2018-7169 Jagadeesh Krishnanjanappa
` (9 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
qga: check bytes count read by guest-file-read
While reading file content via 'guest-file-read' command,
'qmp_guest_file_read' routine allocates buffer of count+1
bytes. It could overflow for large values of 'count'.
Add check to avoid it.
Affects qemu < v3.0.0
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../qemu/qemu/CVE-2018-12617.patch | 53 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.10.0.bb | 1 +
2 files changed, 54 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch
new file mode 100644
index 0000000..c89f189
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch
@@ -0,0 +1,53 @@
+From 141b197408ab398c4f474ac1a728ab316e921f2b Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 13 Jun 2018 11:46:57 +0530
+Subject: [PATCH] qga: check bytes count read by guest-file-read
+
+While reading file content via 'guest-file-read' command,
+'qmp_guest_file_read' routine allocates buffer of count+1
+bytes. It could overflow for large values of 'count'.
+Add check to avoid it.
+
+Reported-by: Fakhri Zulkifli <mohdfakhrizulkifli@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+CVE: CVE-2018-12617
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=141b197408ab398c4f474ac1a728ab316e921f2b]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ qga/commands-posix.c | 2 +-
+ qga/commands-win32.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/qga/commands-posix.c b/qga/commands-posix.c
+index 594d21ef3e..9284e71666 100644
+--- a/qga/commands-posix.c
++++ b/qga/commands-posix.c
+@@ -458,7 +458,7 @@ struct GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count,
+
+ if (!has_count) {
+ count = QGA_READ_COUNT_DEFAULT;
+- } else if (count < 0) {
++ } else if (count < 0 || count >= UINT32_MAX) {
+ error_setg(errp, "value '%" PRId64 "' is invalid for argument count",
+ count);
+ return NULL;
+diff --git a/qga/commands-win32.c b/qga/commands-win32.c
+index 70ee5379f6..73f31fa8c2 100644
+--- a/qga/commands-win32.c
++++ b/qga/commands-win32.c
+@@ -318,7 +318,7 @@ GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count,
+ }
+ if (!has_count) {
+ count = QGA_READ_COUNT_DEFAULT;
+- } else if (count < 0) {
++ } else if (count < 0 || count >= UINT32_MAX) {
+ error_setg(errp, "value '%" PRId64
+ "' is invalid for argument count", count);
+ return NULL;
+--
+2.13.3
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.10.0.bb b/meta/recipes-devtools/qemu/qemu_2.10.0.bb
index 5b88154..57d5106 100644
--- a/meta/recipes-devtools/qemu/qemu_2.10.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.10.0.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
file://CVE-2017-15119.patch \
file://CVE-2017-18043.patch \
file://CVE-2018-7550.patch \
+ file://CVE-2018-12617.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 26/34] shadow: CVE-2018-7169
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (23 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 25/34] qemu: CVE-2018-12617 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 27/34] perl: CVE-2018-6797 Jagadeesh Krishnanjanappa
` (8 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
newgidmap: enforce setgroups=deny if self-mapping a group
This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.
This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).
We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".
Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169
Affects shadow <= 4.5
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../shadow/files/CVE-2018-7169.patch | 186 +++++++++++++++++++++
meta/recipes-extended/shadow/shadow.inc | 1 +
2 files changed, 187 insertions(+)
create mode 100644 meta/recipes-extended/shadow/files/CVE-2018-7169.patch
diff --git a/meta/recipes-extended/shadow/files/CVE-2018-7169.patch b/meta/recipes-extended/shadow/files/CVE-2018-7169.patch
new file mode 100644
index 0000000..36887d4
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2018-7169.patch
@@ -0,0 +1,186 @@
+From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Thu, 15 Feb 2018 23:49:40 +1100
+Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group
+
+This is necessary to match the kernel-side policy of "self-mapping in a
+user namespace is fine, but you cannot drop groups" -- a policy that was
+created in order to stop user namespaces from allowing trivial privilege
+escalation by dropping supplementary groups that were "blacklisted" from
+certain paths.
+
+This is the simplest fix for the underlying issue, and effectively makes
+it so that unless a user has a valid mapping set in /etc/subgid (which
+only administrators can modify) -- and they are currently trying to use
+that mapping -- then /proc/$pid/setgroups will be set to deny. This
+workaround is only partial, because ideally it should be possible to set
+an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
+administrators to further restrict newgidmap(1).
+
+We also don't write anything in the "allow" case because "allow" is the
+default, and users may have already written "deny" even if they
+technically are allowed to use setgroups. And we don't write anything if
+the setgroups policy is already "deny".
+
+Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
+Fixes: CVE-2018-7169
+
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/fb28c99b8a66ff2605c5cb96abc0a4d975f92de0]
+Reported-by: Craig Furman <craig.furman89@gmail.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ src/newgidmap.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 80 insertions(+), 9 deletions(-)
+
+diff --git a/src/newgidmap.c b/src/newgidmap.c
+index b1e33513..59a2e75c 100644
+--- a/src/newgidmap.c
++++ b/src/newgidmap.c
+@@ -46,32 +46,37 @@
+ */
+ const char *Prog;
+
+-static bool verify_range(struct passwd *pw, struct map_range *range)
++
++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
+ {
+ /* An empty range is invalid */
+ if (range->count == 0)
+ return false;
+
+- /* Test /etc/subgid */
+- if (have_sub_gids(pw->pw_name, range->lower, range->count))
++ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
++ if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
++ *allow_setgroups = true;
+ return true;
++ }
+
+- /* Allow a process to map it's own gid */
+- if ((range->count == 1) && (pw->pw_gid == range->lower))
++ /* Allow a process to map its own gid. */
++ if ((range->count == 1) && (pw->pw_gid == range->lower)) {
++ /* noop -- if setgroups is enabled already we won't disable it. */
+ return true;
++ }
+
+ return false;
+ }
+
+ static void verify_ranges(struct passwd *pw, int ranges,
+- struct map_range *mappings)
++ struct map_range *mappings, bool *allow_setgroups)
+ {
+ struct map_range *mapping;
+ int idx;
+
+ mapping = mappings;
+ for (idx = 0; idx < ranges; idx++, mapping++) {
+- if (!verify_range(pw, mapping)) {
++ if (!verify_range(pw, mapping, allow_setgroups)) {
+ fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
+ Prog,
+ mapping->upper,
+@@ -89,6 +94,70 @@ static void usage(void)
+ exit(EXIT_FAILURE);
+ }
+
++void write_setgroups(int proc_dir_fd, bool allow_setgroups)
++{
++ int setgroups_fd;
++ char *policy, policy_buffer[4096];
++
++ /*
++ * Default is "deny", and any "allow" will out-rank a "deny". We don't
++ * forcefully write an "allow" here because the process we are writing
++ * mappings for may have already set themselves to "deny" (and "allow"
++ * is the default anyway). So allow_setgroups == true is a noop.
++ */
++ policy = "deny\n";
++ if (allow_setgroups)
++ return;
++
++ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
++ if (setgroups_fd < 0) {
++ /*
++ * If it's an ENOENT then we are on too old a kernel for the setgroups
++ * code to exist. Emit a warning and bail on this.
++ */
++ if (ENOENT == errno) {
++ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
++ goto out;
++ }
++ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
++ Prog,
++ strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++
++ /*
++ * Check whether the policy is already what we want. /proc/self/setgroups
++ * is write-once, so attempting to write after it's already written to will
++ * fail.
++ */
++ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
++ fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
++ Prog,
++ strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++ if (!strncmp(policy_buffer, policy, strlen(policy)))
++ goto out;
++
++ /* Write the policy. */
++ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
++ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
++ Prog,
++ strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++ if (dprintf(setgroups_fd, "%s", policy) < 0) {
++ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
++ Prog,
++ policy,
++ strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++
++out:
++ close(setgroups_fd);
++}
++
+ /*
+ * newgidmap - Set the gid_map for the specified process
+ */
+@@ -103,6 +172,7 @@ int main(int argc, char **argv)
+ struct stat st;
+ struct passwd *pw;
+ int written;
++ bool allow_setgroups = false;
+
+ Prog = Basename (argv[0]);
+
+@@ -145,7 +215,7 @@ int main(int argc, char **argv)
+ (unsigned long) getuid ()));
+ return EXIT_FAILURE;
+ }
+-
++
+ /* Get the effective uid and effective gid of the target process */
+ if (fstat(proc_dir_fd, &st) < 0) {
+ fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
+@@ -177,8 +247,9 @@ int main(int argc, char **argv)
+ if (!mappings)
+ usage();
+
+- verify_ranges(pw, ranges, mappings);
++ verify_ranges(pw, ranges, mappings, &allow_setgroups);
+
++ write_setgroups(proc_dir_fd, allow_setgroups);
+ write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
+ sub_gid_close();
+
+--
+2.13.3
+
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index ccae091..c172ae3 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -20,6 +20,7 @@ SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
file://0001-useradd-copy-extended-attributes-of-home.patch \
file://0001-shadow-CVE-2017-12424 \
${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
+ file://CVE-2018-7169.patch \
"
SRC_URI_append_class-target = " \
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 27/34] perl: CVE-2018-6797
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (24 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 26/34] shadow: CVE-2018-7169 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 28/34] perl: CVE-2018-6913 Jagadeesh Krishnanjanappa
` (7 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
(perl #132227) restart a node if we change to uni rules within the node and encounter...
This could lead to a buffer overflow.
(cherry picked from commit a02c70e35d1313a5f4e245e8f863c810e991172d)
Affects perl >= 5.18 && perl <= 5.26
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../recipes-devtools/perl/perl/CVE-2018-6797.patch | 45 ++++++++++++++++++++++
meta/recipes-devtools/perl/perl_5.24.1.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-6797.patch
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6797.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6797.patch
new file mode 100644
index 0000000..b56ebd3
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-6797.patch
@@ -0,0 +1,45 @@
+From abe1e6c568b96bcb382dfa4f61c56d1ab001ea51 Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Fri, 2 Feb 2018 15:14:27 -0700
+Subject: [PATCH] (perl #132227) restart a node if we change to uni rules
+ within the node and encounter a sharp S
+
+This could lead to a buffer overflow.
+
+(cherry picked from commit a02c70e35d1313a5f4e245e8f863c810e991172d)
+
+CVE: CVE-2018-6797
+Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/abe1e6c568b96bcb382dfa4f61c56d1ab001ea51]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ regcomp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/regcomp.c b/regcomp.c
+index 3b9550b10d..a7dee9a09e 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -13543,6 +13543,18 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
+ * /u. This includes the multi-char fold SHARP S to
+ * 'ss' */
+ if (UNLIKELY(ender == LATIN_SMALL_LETTER_SHARP_S)) {
++
++ /* If the node started out having uni rules, we
++ * wouldn't have gotten here. So this means
++ * something in the middle has changed it, but
++ * didn't think it needed to reparse. But this
++ * sharp s now does indicate the need for
++ * reparsing. */
++ if (RExC_uni_semantics) {
++ p = oldp;
++ goto loopdone;
++ }
++
+ RExC_seen_unfolded_sharp_s = 1;
+ maybe_exactfu = FALSE;
+ }
+--
+2.15.1-424-g9478a660812
+
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index e696910..dafd268 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -70,6 +70,7 @@ SRC_URI += " \
file://CVE-2017-12837.patch \
file://CVE-2018-6798-1.patch \
file://CVE-2018-6798-2.patch \
+ file://CVE-2018-6797.patch \
"
# Fix test case issues
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 28/34] perl: CVE-2018-6913
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (25 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 27/34] perl: CVE-2018-6797 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 29/34] wget: CVE-2018-0494 Jagadeesh Krishnanjanappa
` (6 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
(perl #131844) fix various space calculation issues in
pp_pack.c
- for the originally reported case, if the start/cur pointer is in the
top 75% of the address space the add (cur) + glen addition would
overflow, resulting in the condition failing incorrectly.
- the addition of the existing space used to the space needed could
overflow, resulting in too small an allocation and a buffer overflow.
- the scaling for UTF8 could overflow.
- the multiply to calculate the space needed for many items could
overflow.
For the first case, do a space calculation without making new pointers.
For the other cases, detect the overflow and croak if there's an
overflow.
Originally this used Size_t_MAX as the maximum size of a memory
allocation, but for -DDEBUGGING builds realloc() throws a panic for
allocations over half the address space in size, changing the error
reported for the allocation.
For non-DEBUGGING builds the Size_t_MAX limit has the small chance
of finding a system that has 3GB of contiguous space available, and
allocating that space, which could be a denial of servce in some cases.
Unfortunately changing the limit to half the address space means that
the exact case with the original issue can no longer occur, so the
test is no longer testing against the address + length issue that
caused the original problem, since the allocation is failing earlier.
One option would be to change the test so the size request by pack is
just under 2GB, but this has a higher (but still low) probability that
the system has the address space available, and will actually try to
allocate the memory, so let's not do that.
Note: changed
plan tests => 14713;
to
plan tests => 14712;
in a/t/op/pack.t
to apply this patch on perl 5.24.1.
Affects perl < 5.26.2
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../recipes-devtools/perl/perl/CVE-2018-6913.patch | 153 +++++++++++++++++++++
meta/recipes-devtools/perl/perl_5.24.1.bb | 1 +
2 files changed, 154 insertions(+)
create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-6913.patch
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch
new file mode 100644
index 0000000..5df47dc
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch
@@ -0,0 +1,153 @@
+From f17fed5006177dce8ac48229c424a2da0d6ba492 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 8 Aug 2017 09:32:58 +1000
+Subject: [PATCH] (perl #131844) fix various space calculation issues in
+ pp_pack.c
+
+- for the originally reported case, if the start/cur pointer is in the
+ top 75% of the address space the add (cur) + glen addition would
+ overflow, resulting in the condition failing incorrectly.
+
+- the addition of the existing space used to the space needed could
+ overflow, resulting in too small an allocation and a buffer overflow.
+
+- the scaling for UTF8 could overflow.
+
+- the multiply to calculate the space needed for many items could
+ overflow.
+
+For the first case, do a space calculation without making new pointers.
+
+For the other cases, detect the overflow and croak if there's an
+overflow.
+
+Originally this used Size_t_MAX as the maximum size of a memory
+allocation, but for -DDEBUGGING builds realloc() throws a panic for
+allocations over half the address space in size, changing the error
+reported for the allocation.
+
+For non-DEBUGGING builds the Size_t_MAX limit has the small chance
+of finding a system that has 3GB of contiguous space available, and
+allocating that space, which could be a denial of servce in some cases.
+
+Unfortunately changing the limit to half the address space means that
+the exact case with the original issue can no longer occur, so the
+test is no longer testing against the address + length issue that
+caused the original problem, since the allocation is failing earlier.
+
+One option would be to change the test so the size request by pack is
+just under 2GB, but this has a higher (but still low) probability that
+the system has the address space available, and will actually try to
+allocate the memory, so let's not do that.
+
+Note: changed
+plan tests => 14713;
+to
+plan tests => 14712;
+in a/t/op/pack.t
+to apply this patch on perl 5.24.1.
+
+CVE: CVE-2018-6913
+Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/f17fed5006177dce8ac48229c424a2da0d6ba492]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ pp_pack.c | 25 +++++++++++++++++++++----
+ t/op/pack.t | 24 +++++++++++++++++++++++-
+ 2 files changed, 44 insertions(+), 5 deletions(-)
+
+diff --git a/pp_pack.c b/pp_pack.c
+index 8937d6d715..5e9cc64301 100644
+--- a/pp_pack.c
++++ b/pp_pack.c
+@@ -357,11 +357,28 @@ STMT_START { \
+ } \
+ } STMT_END
+
++#define SAFE_UTF8_EXPAND(var) \
++STMT_START { \
++ if ((var) > SSize_t_MAX / UTF8_EXPAND) \
++ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
++ (var) = (var) * UTF8_EXPAND; \
++} STMT_END
++
++#define GROWING2(utf8, cat, start, cur, item_size, item_count) \
++STMT_START { \
++ if (SSize_t_MAX / (item_size) < (item_count)) \
++ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
++ GROWING((utf8), (cat), (start), (cur), (item_size) * (item_count)); \
++} STMT_END
++
+ #define GROWING(utf8, cat, start, cur, in_len) \
+ STMT_START { \
+ STRLEN glen = (in_len); \
+- if (utf8) glen *= UTF8_EXPAND; \
+- if ((cur) + glen >= (start) + SvLEN(cat)) { \
++ STRLEN catcur = (STRLEN)((cur) - (start)); \
++ if (utf8) SAFE_UTF8_EXPAND(glen); \
++ if (SSize_t_MAX - glen < catcur) \
++ Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
++ if (catcur + glen >= SvLEN(cat)) { \
+ (start) = sv_exp_grow(cat, glen); \
+ (cur) = (start) + SvCUR(cat); \
+ } \
+@@ -371,7 +388,7 @@ STMT_START { \
+ STMT_START { \
+ const STRLEN glen = (in_len); \
+ STRLEN gl = glen; \
+- if (utf8) gl *= UTF8_EXPAND; \
++ if (utf8) SAFE_UTF8_EXPAND(gl); \
+ if ((cur) + gl >= (start) + SvLEN(cat)) { \
+ *cur = '\0'; \
+ SvCUR_set((cat), (cur) - (start)); \
+@@ -2131,7 +2148,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist )
+ if (props && !(props & PACK_SIZE_UNPREDICTABLE)) {
+ /* We can process this letter. */
+ STRLEN size = props & PACK_SIZE_MASK;
+- GROWING(utf8, cat, start, cur, (STRLEN) len * size);
++ GROWING2(utf8, cat, start, cur, size, (STRLEN)len);
+ }
+ }
+
+diff --git a/t/op/pack.t b/t/op/pack.t
+index 664aaaf1b0..cf0e286509 100644
+--- a/t/op/pack.t
++++ b/t/op/pack.t
+@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
+ my $no_signedness = $] > 5.009 ? '' :
+ "Signed/unsigned pack modifiers not available on this perl";
+
+-plan tests => 14712;
++plan tests => 14717;
+
+ use strict;
+ use warnings qw(FATAL all);
+@@ -2059,3 +2059,25 @@ print pack("ucW", "0000", 0, 140737488355327) eq "\$,#`P,```\n\0\x{7fffffffffff}
+ ? "ok\n" : "not ok\n";
+ EOS
+ }
++
++SKIP:
++{
++ # [perl #131844] pointer addition overflow
++ $Config{ptrsize} == 4
++ or skip "[perl #131844] need 32-bit build for this test", 4;
++ # prevent ASAN just crashing on the allocation failure
++ local $ENV{ASAN_OPTIONS} = $ENV{ASAN_OPTIONS};
++ $ENV{ASAN_OPTIONS} .= ",allocator_may_return_null=1";
++ fresh_perl_like('pack "f999999999"', qr/Out of memory during pack/, { stderr => 1 },
++ "pointer addition overflow");
++
++ # integer (STRLEN) overflow from addition of glen to current length
++ fresh_perl_like('pack "c10f1073741823"', qr/Out of memory during pack/, { stderr => 1 },
++ "integer overflow calculating allocation (addition)");
++
++ fresh_perl_like('pack "W10f536870913", 256', qr/Out of memory during pack/, { stderr => 1 },
++ "integer overflow calculating allocation (utf8)");
++
++ fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 },
++ "integer overflow calculating allocation (multiply)");
++}
+--
+2.15.1-424-g9478a660812
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index dafd268..aec30c8 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -71,6 +71,7 @@ SRC_URI += " \
file://CVE-2018-6798-1.patch \
file://CVE-2018-6798-2.patch \
file://CVE-2018-6797.patch \
+ file://CVE-2018-6913.patch \
"
# Fix test case issues
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 29/34] wget: CVE-2018-0494
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (26 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 28/34] perl: CVE-2018-6913 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 30/34] flac: CVE-2017-6888 Jagadeesh Krishnanjanappa
` (5 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
Fix cookie injection (CVE-2018-0494)
* src/http.c (resp_new): Replace \r\n by space in continuation lines
Fixes #53763
"Malicious website can write arbitrary cookie entries to cookie jar"
HTTP header parsing left the \r\n from continuation line intact.
The Set-Cookie code didn't check and could be tricked to write
\r\n into the cookie jar, allowing a server to generate cookies at will.
Affects wget < 1.19.5
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../0001-Fix-cookie-injection-CVE-2018-0494.patch | 68 ++++++++++++++++++++++
meta/recipes-extended/wget/wget_1.19.1.bb | 1 +
2 files changed, 69 insertions(+)
create mode 100644 meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch
diff --git a/meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch b/meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch
new file mode 100644
index 0000000..ac163e6
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/0001-Fix-cookie-injection-CVE-2018-0494.patch
@@ -0,0 +1,68 @@
+From 1fc9c95ec144499e69dc8ec76dbe07799d7d82cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Fri, 27 Apr 2018 10:41:56 +0200
+Subject: [PATCH] Fix cookie injection (CVE-2018-0494)
+
+* src/http.c (resp_new): Replace \r\n by space in continuation lines
+
+Fixes #53763
+ "Malicious website can write arbitrary cookie entries to cookie jar"
+
+HTTP header parsing left the \r\n from continuation line intact.
+The Set-Cookie code didn't check and could be tricked to write
+\r\n into the cookie jar, allowing a server to generate cookies at will.
+
+CVE: CVE-2018-0494
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/wget.git/commit/?id=1fc9c95ec144499e69dc8ec76dbe07799d7d82cd]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ src/http.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/src/http.c b/src/http.c
+index c8960f11..77bdbbed 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -613,9 +613,9 @@ struct response {
+ resp_header_*. */
+
+ static struct response *
+-resp_new (const char *head)
++resp_new (char *head)
+ {
+- const char *hdr;
++ char *hdr;
+ int count, size;
+
+ struct response *resp = xnew0 (struct response);
+@@ -644,15 +644,23 @@ resp_new (const char *head)
+ break;
+
+ /* Find the end of HDR, including continuations. */
+- do
++ for (;;)
+ {
+- const char *end = strchr (hdr, '\n');
++ char *end = strchr (hdr, '\n');
++
+ if (end)
+ hdr = end + 1;
+ else
+ hdr += strlen (hdr);
++
++ if (*hdr != ' ' && *hdr != '\t')
++ break;
++
++ // continuation, transform \r and \n into spaces
++ *end = ' ';
++ if (end > head && end[-1] == '\r')
++ end[-1] = ' ';
+ }
+- while (*hdr == ' ' || *hdr == '\t');
+ }
+ DO_REALLOC (resp->headers, size, count + 1, const char *);
+ resp->headers[count] = NULL;
+--
+2.13.3
+
diff --git a/meta/recipes-extended/wget/wget_1.19.1.bb b/meta/recipes-extended/wget/wget_1.19.1.bb
index 78bde95..3c484ce 100644
--- a/meta/recipes-extended/wget/wget_1.19.1.bb
+++ b/meta/recipes-extended/wget/wget_1.19.1.bb
@@ -1,6 +1,7 @@
SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://CVE-2017-6508.patch \
+ file://0001-Fix-cookie-injection-CVE-2018-0494.patch \
"
SRC_URI[md5sum] = "87cea36b7161fd43e3fd51a4e8b89689"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 30/34] flac: CVE-2017-6888
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (27 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 29/34] wget: CVE-2018-0494 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 31/34] git: CVE-2018-11235 Jagadeesh Krishnanjanappa
` (4 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
stream_decoder.c: Fix a memory leak
Leak reported by Secunia Research.
Affects flac = 1.3.2
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../flac/files/CVE-2017-6888.patch | 31 ++++++++++++++++++++++
meta/recipes-multimedia/flac/flac_1.3.2.bb | 3 ++-
2 files changed, 33 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/flac/files/CVE-2017-6888.patch
diff --git a/meta/recipes-multimedia/flac/files/CVE-2017-6888.patch b/meta/recipes-multimedia/flac/files/CVE-2017-6888.patch
new file mode 100644
index 0000000..389ab96
--- /dev/null
+++ b/meta/recipes-multimedia/flac/files/CVE-2017-6888.patch
@@ -0,0 +1,31 @@
+From 4f47b63e9c971e6391590caf00a0f2a5ed612e67 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Sat, 8 Apr 2017 18:34:49 +1000
+Subject: [PATCH] stream_decoder.c: Fix a memory leak
+
+Leak reported by Secunia Research.
+CVE: CVE-2017-6888
+Upstream-Status: Backport [https://git.xiph.org/?p=flac.git;a=commitdiff;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ src/libFLAC/stream_decoder.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libFLAC/stream_decoder.c b/src/libFLAC/stream_decoder.c
+index 14d5fe7f..a5527511 100644
+--- a/src/libFLAC/stream_decoder.c
++++ b/src/libFLAC/stream_decoder.c
+@@ -1753,6 +1753,9 @@ FLAC__bool read_metadata_vorbiscomment_(FLAC__StreamDecoder *decoder, FLAC__Stre
+ }
+ memset (obj->comments[i].entry, 0, obj->comments[i].length) ;
+ if (!FLAC__bitreader_read_byte_block_aligned_no_crc(decoder->private_->input, obj->comments[i].entry, obj->comments[i].length)) {
++ /* Current i-th entry is bad, so we delete it. */
++ free (obj->comments[i].entry) ;
++ obj->comments[i].entry = NULL ;
+ obj->num_comments = i;
+ goto skip;
+ }
+--
+2.13.3
+
diff --git a/meta/recipes-multimedia/flac/flac_1.3.2.bb b/meta/recipes-multimedia/flac/flac_1.3.2.bb
index 8315ab5..028a429 100644
--- a/meta/recipes-multimedia/flac/flac_1.3.2.bb
+++ b/meta/recipes-multimedia/flac/flac_1.3.2.bb
@@ -14,7 +14,8 @@ LIC_FILES_CHKSUM = "file://COPYING.FDL;md5=ad1419ecc56e060eccf8184a87c4285f \
file://include/FLAC/all.h;beginline=65;endline=70;md5=64474f2b22e9e77b28d8b8b25c983a48"
DEPENDS = "libogg"
-SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz"
+SRC_URI = "http://downloads.xiph.org/releases/flac/${BP}.tar.xz \
+ file://CVE-2017-6888.patch"
SRC_URI[md5sum] = "454f1bfa3f93cc708098d7890d0499bd"
SRC_URI[sha256sum] = "91cfc3ed61dc40f47f050a109b08610667d73477af6ef36dcad31c31a4a8d53f"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 31/34] git: CVE-2018-11235
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (28 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 30/34] flac: CVE-2017-6888 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 32/34] openssl: CVE-2018-0732 Jagadeesh Krishnanjanappa
` (3 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
submodule-config: verify submodule names as paths
Submodule "names" come from the untrusted .gitmodules file,
but we blindly append them to $GIT_DIR/modules to create our
on-disk repo paths. This means you can do bad things by
putting "../" into the name (among other things).
Let's sanity-check these names to avoid building a path that
can be exploited. There are two main decisions:
1. What should the allowed syntax be?
It's tempting to reuse verify_path(), since submodule
names typically come from in-repo paths. But there are
two reasons not to:
a. It's technically more strict than what we need, as
we really care only about breaking out of the
$GIT_DIR/modules/ hierarchy. E.g., having a
submodule named "foo/.git" isn't actually
dangerous, and it's possible that somebody has
manually given such a funny name.
b. Since we'll eventually use this checking logic in
fsck to prevent downstream repositories, it should
be consistent across platforms. Because
verify_path() relies on is_dir_sep(), it wouldn't
block "foo\..\bar" on a non-Windows machine.
2. Where should we enforce it? These days most of the
.gitmodules reads go through submodule-config.c, so
I've put it there in the reading step. That should
cover all of the C code.
We also construct the name for "git submodule add"
inside the git-submodule.sh script. This is probably
not a big deal for security since the name is coming
from the user anyway, but it would be polite to remind
them if the name they pick is invalid (and we need to
expose the name-checker to the shell anyway for our
test scripts).
This patch issues a warning when reading .gitmodules
and just ignores the related config entry completely.
This will generally end up producing a sensible error,
as it works the same as a .gitmodules file which is
missing a submodule entry (so "submodule update" will
barf, but "git clone --recurse-submodules" will print
an error but not abort the clone.
There is one minor oddity, which is that we print the
warning once per malformed config key (since that's how
the config subsystem gives us the entries). So in the
new test, for example, the user would see three
warnings. That's OK, since the intent is that this case
should never come up outside of malicious repositories
(and then it might even benefit the user to see the
message multiple times).
Credit for finding this vulnerability and the proof of
concept from which the test script was adapted goes to
Etienne Stalmans.
Affects: git < 2.13.7 and git < 2.14.4 and git < 2.15.2 and git < 2.16.4 and
git < 2.17.1
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../git/files/CVE-2018-11235.patch | 288 +++++++++++++++++++++
meta/recipes-devtools/git/git.inc | 3 +-
2 files changed, 290 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/git/files/CVE-2018-11235.patch
diff --git a/meta/recipes-devtools/git/files/CVE-2018-11235.patch b/meta/recipes-devtools/git/files/CVE-2018-11235.patch
new file mode 100644
index 0000000..b774d2f
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2018-11235.patch
@@ -0,0 +1,288 @@
+From 0383bbb9015898cbc79abd7b64316484d7713b44 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Mon, 30 Apr 2018 03:25:25 -0400
+Subject: [PATCH] submodule-config: verify submodule names as paths
+
+Submodule "names" come from the untrusted .gitmodules file,
+but we blindly append them to $GIT_DIR/modules to create our
+on-disk repo paths. This means you can do bad things by
+putting "../" into the name (among other things).
+
+Let's sanity-check these names to avoid building a path that
+can be exploited. There are two main decisions:
+
+ 1. What should the allowed syntax be?
+
+ It's tempting to reuse verify_path(), since submodule
+ names typically come from in-repo paths. But there are
+ two reasons not to:
+
+ a. It's technically more strict than what we need, as
+ we really care only about breaking out of the
+ $GIT_DIR/modules/ hierarchy. E.g., having a
+ submodule named "foo/.git" isn't actually
+ dangerous, and it's possible that somebody has
+ manually given such a funny name.
+
+ b. Since we'll eventually use this checking logic in
+ fsck to prevent downstream repositories, it should
+ be consistent across platforms. Because
+ verify_path() relies on is_dir_sep(), it wouldn't
+ block "foo\..\bar" on a non-Windows machine.
+
+ 2. Where should we enforce it? These days most of the
+ .gitmodules reads go through submodule-config.c, so
+ I've put it there in the reading step. That should
+ cover all of the C code.
+
+ We also construct the name for "git submodule add"
+ inside the git-submodule.sh script. This is probably
+ not a big deal for security since the name is coming
+ from the user anyway, but it would be polite to remind
+ them if the name they pick is invalid (and we need to
+ expose the name-checker to the shell anyway for our
+ test scripts).
+
+ This patch issues a warning when reading .gitmodules
+ and just ignores the related config entry completely.
+ This will generally end up producing a sensible error,
+ as it works the same as a .gitmodules file which is
+ missing a submodule entry (so "submodule update" will
+ barf, but "git clone --recurse-submodules" will print
+ an error but not abort the clone.
+
+ There is one minor oddity, which is that we print the
+ warning once per malformed config key (since that's how
+ the config subsystem gives us the entries). So in the
+ new test, for example, the user would see three
+ warnings. That's OK, since the intent is that this case
+ should never come up outside of malicious repositories
+ (and then it might even benefit the user to see the
+ message multiple times).
+
+Credit for finding this vulnerability and the proof of
+concept from which the test script was adapted goes to
+Etienne Stalmans.
+
+CVE: CVE-2018-11235
+Upstream-Status: Backport [https://github.com/gitster/git/commit/0383bbb9015898cbc79abd7b64316484d7713b44#diff-1772b951776d1647ca31a2256f7fe88f]
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ builtin/submodule--helper.c | 24 ++++++++++++++
+ git-submodule.sh | 5 +++
+ submodule-config.c | 31 ++++++++++++++++++
+ submodule-config.h | 7 +++++
+ t/t7415-submodule-names.sh | 76 +++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 143 insertions(+)
+ create mode 100755 t/t7415-submodule-names.sh
+
+diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
+index cbb17a902..b4b4d29d8 100644
+--- a/builtin/submodule--helper.c
++++ b/builtin/submodule--helper.c
+@@ -1195,6 +1195,29 @@ static int is_active(int argc, const char **argv, const char *prefix)
+ return !is_submodule_initialized(argv[1]);
+ }
+
++/*
++ * Exit non-zero if any of the submodule names given on the command line is
++ * invalid. If no names are given, filter stdin to print only valid names
++ * (which is primarily intended for testing).
++ */
++static int check_name(int argc, const char **argv, const char *prefix)
++{
++ if (argc > 1) {
++ while (*++argv) {
++ if (check_submodule_name(*argv) < 0)
++ return 1;
++ }
++ } else {
++ struct strbuf buf = STRBUF_INIT;
++ while (strbuf_getline(&buf, stdin) != EOF) {
++ if (!check_submodule_name(buf.buf))
++ printf("%s\n", buf.buf);
++ }
++ strbuf_release(&buf);
++ }
++ return 0;
++}
++
+ #define SUPPORT_SUPER_PREFIX (1<<0)
+
+ struct cmd_struct {
+@@ -1216,6 +1239,7 @@ static struct cmd_struct commands[] = {
+ {"push-check", push_check, 0},
+ {"absorb-git-dirs", absorb_git_dirs, SUPPORT_SUPER_PREFIX},
+ {"is-active", is_active, 0},
++ {"check-name", check_name, 0},
+ };
+
+ int cmd_submodule__helper(int argc, const char **argv, const char *prefix)
+diff --git a/git-submodule.sh b/git-submodule.sh
+index c0d0e9a4c..92750b9e2 100755
+--- a/git-submodule.sh
++++ b/git-submodule.sh
+@@ -228,6 +228,11 @@ Use -f if you really want to add it." >&2
+ sm_name="$sm_path"
+ fi
+
++ if ! git submodule--helper check-name "$sm_name"
++ then
++ die "$(eval_gettext "'$sm_name' is not a valid submodule name")"
++ fi
++
+ # perhaps the path exists and is already a git repo, else clone it
+ if test -e "$sm_path"
+ then
+diff --git a/submodule-config.c b/submodule-config.c
+index 4f58491dd..de54351c6 100644
+--- a/submodule-config.c
++++ b/submodule-config.c
+@@ -163,6 +163,31 @@ static struct submodule *cache_lookup_name(struct submodule_cache *cache,
+ return NULL;
+ }
+
++int check_submodule_name(const char *name)
++{
++ /* Disallow empty names */
++ if (!*name)
++ return -1;
++
++ /*
++ * Look for '..' as a path component. Check both '/' and '\\' as
++ * separators rather than is_dir_sep(), because we want the name rules
++ * to be consistent across platforms.
++ */
++ goto in_component; /* always start inside component */
++ while (*name) {
++ char c = *name++;
++ if (c == '/' || c == '\\') {
++in_component:
++ if (name[0] == '.' && name[1] == '.' &&
++ (!name[2] || name[2] == '/' || name[2] == '\\'))
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
+ static int name_and_item_from_var(const char *var, struct strbuf *name,
+ struct strbuf *item)
+ {
+@@ -174,6 +199,12 @@ static int name_and_item_from_var(const char *var, struct strbuf *name,
+ return 0;
+
+ strbuf_add(name, subsection, subsection_len);
++ if (check_submodule_name(name->buf) < 0) {
++ warning(_("ignoring suspicious submodule name: %s"), name->buf);
++ strbuf_release(name);
++ return 0;
++ }
++
+ strbuf_addstr(item, key);
+
+ return 1;
+diff --git a/submodule-config.h b/submodule-config.h
+index d434ecdb4..103cc79dd 100644
+--- a/submodule-config.h
++++ b/submodule-config.h
+@@ -35,4 +35,11 @@ extern int gitmodule_sha1_from_commit(const unsigned char *commit_sha1,
+ struct strbuf *rev);
+ extern void submodule_free(void);
+
++/*
++ * Returns 0 if the name is syntactically acceptable as a submodule "name"
++ * (e.g., that may be found in the subsection of a .gitmodules file) and -1
++ * otherwise.
++ */
++int check_submodule_name(const char *name);
++
+ #endif /* SUBMODULE_CONFIG_H */
+diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
+new file mode 100755
+index 000000000..75fa071c6
+--- /dev/null
++++ b/t/t7415-submodule-names.sh
+@@ -0,0 +1,76 @@
++#!/bin/sh
++
++test_description='check handling of .. in submodule names
++
++Exercise the name-checking function on a variety of names, and then give a
++real-world setup that confirms we catch this in practice.
++'
++. ./test-lib.sh
++
++test_expect_success 'check names' '
++ cat >expect <<-\EOF &&
++ valid
++ valid/with/paths
++ EOF
++
++ git submodule--helper check-name >actual <<-\EOF &&
++ valid
++ valid/with/paths
++
++ ../foo
++ /../foo
++ ..\foo
++ \..\foo
++ foo/..
++ foo/../
++ foo\..
++ foo\..\
++ foo/../bar
++ EOF
++
++ test_cmp expect actual
++'
++
++test_expect_success 'create innocent subrepo' '
++ git init innocent &&
++ git -C innocent commit --allow-empty -m foo
++'
++
++test_expect_success 'submodule add refuses invalid names' '
++ test_must_fail \
++ git submodule add --name ../../modules/evil "$PWD/innocent" evil
++'
++
++test_expect_success 'add evil submodule' '
++ git submodule add "$PWD/innocent" evil &&
++
++ mkdir modules &&
++ cp -r .git/modules/evil modules &&
++ write_script modules/evil/hooks/post-checkout <<-\EOF &&
++ echo >&2 "RUNNING POST CHECKOUT"
++ EOF
++
++ git config -f .gitmodules submodule.evil.update checkout &&
++ git config -f .gitmodules --rename-section \
++ submodule.evil submodule.../../modules/evil &&
++ git add modules &&
++ git commit -am evil
++'
++
++# This step seems like it shouldn't be necessary, since the payload is
++# contained entirely in the evil submodule. But due to the vagaries of the
++# submodule code, checking out the evil module will fail unless ".git/modules"
++# exists. Adding another submodule (with a name that sorts before "evil") is an
++# easy way to make sure this is the case in the victim clone.
++test_expect_success 'add other submodule' '
++ git submodule add "$PWD/innocent" another-module &&
++ git add another-module &&
++ git commit -am another
++'
++
++test_expect_success 'clone evil superproject' '
++ git clone --recurse-submodules . victim >output 2>&1 &&
++ ! grep "RUNNING POST CHECKOUT" output
++'
++
++test_done
+--
+2.13.3
+
diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index 1ffc41d..d668277 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -8,7 +8,8 @@ PROVIDES_append_class-native = " git-replacement-native"
SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
- file://CVE-2017-15298.patch"
+ file://CVE-2017-15298.patch \
+ file://CVE-2018-11235.patch"
S = "${WORKDIR}/git-${PV}"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 32/34] openssl: CVE-2018-0732
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (29 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 31/34] git: CVE-2018-11235 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 33/34] perl: CVE-2018-12015 Jagadeesh Krishnanjanappa
` (2 subsequent siblings)
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
Reject excessively large primes in DH key generation.
CVE-2018-0732
Affects openssl 1.0.2 to 1.0.2o
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../openssl/openssl-1.0.2o/CVE-2018-0732.patch | 47 ++++++++++++++++++++++
.../recipes-connectivity/openssl/openssl_1.0.2o.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.2o/CVE-2018-0732.patch
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2o/CVE-2018-0732.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2o/CVE-2018-0732.patch
new file mode 100644
index 0000000..2796b05
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl-1.0.2o/CVE-2018-0732.patch
@@ -0,0 +1,47 @@
+From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
+From: Guido Vranken <guidovranken@gmail.com>
+Date: Mon, 11 Jun 2018 19:38:54 +0200
+Subject: [PATCH] Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6457)
+
+CVE: CVE-2018-0732
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4da69f4f4]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 387558f146..f235e0d682 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
+ int ok = 0;
+ int generate_new_key = 0;
+ unsigned l;
+- BN_CTX *ctx;
++ BN_CTX *ctx = NULL;
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+--
+2.13.3
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2o.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2o.bb
index 413ebf3..57912a1 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.0.2o.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.0.2o.bb
@@ -41,6 +41,7 @@ SRC_URI += "file://find.pl;subdir=openssl-${PV}/util/ \
file://Use-SHA256-not-MD5-as-default-digest.patch \
file://0001-Fix-build-with-clang-using-external-assembler.patch \
file://0001-openssl-force-soft-link-to-avoid-rare-race.patch \
+ file://CVE-2018-0732.patch \
"
SRC_URI_append_class-target = "\
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 33/34] perl: CVE-2018-12015
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (30 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 32/34] openssl: CVE-2018-0732 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:18 ` [ROCKO][PATCH 34/34] libgcrypt: CVE-2018-0495 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` ✗ patchtest: failure for "[ROCKO] sqlite3: CVE-2017-1528..." and 33 more Patchwork
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
Remove existing files before overwriting them
Archive should extract only the latest same-named entry.
Extracted regular file should not be writtent into existing block
device (or any other one).
https://rt.cpan.org/Ticket/Display.html?id=125523
Affects perl <= 5.26.2
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../perl/perl/CVE-2018-12015.patch | 48 ++++++++++++++++++++++
meta/recipes-devtools/perl/perl_5.24.1.bb | 1 +
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-12015.patch
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-12015.patch b/meta/recipes-devtools/perl/perl/CVE-2018-12015.patch
new file mode 100644
index 0000000..a2b0109
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-12015.patch
@@ -0,0 +1,48 @@
+From ae65651eab053fc6dc4590dbb863a268215c1fc5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 8 Jun 2018 11:45:40 +0100
+Subject: [PATCH] [PATCH] Remove existing files before overwriting them
+
+Archive should extract only the latest same-named entry.
+Extracted regular file should not be writtent into existing block
+device (or any other one).
+
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+CVE: CVE-2018-12015
+Upstream-Status: Backport [https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5]
+
+Signed-off-by: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ lib/Archive/Tar.pm | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+ return;
+ }
+
++ ### If a file system already contains a block device with the same name as
++ ### the being extracted regular file, we would write the file's content
++ ### to the block device. So remove the existing file (block device) now.
++ ### If an archive contains multiple same-named entries, the last one
++ ### should replace the previous ones. So remove the old file now.
++ ### If the old entry is a symlink to a file outside of the CWD, the new
++ ### entry would create a file there. This is CVE-2018-12015
++ ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
++ if (-l $full || -e _) {
++ if (!unlink $full) {
++ $self->_error( qq[Could not remove old file '$full': $!] );
++ return;
++ }
++ }
+ if( length $entry->type && $entry->is_file ) {
+ my $fh = IO::File->new;
+ $fh->open( $full, '>' ) or (
+--
+2.13.3
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index aec30c8..8dfe34a 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -72,6 +72,7 @@ SRC_URI += " \
file://CVE-2018-6798-2.patch \
file://CVE-2018-6797.patch \
file://CVE-2018-6913.patch \
+ file://CVE-2018-12015.patch \
"
# Fix test case issues
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* [ROCKO][PATCH 34/34] libgcrypt: CVE-2018-0495
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (31 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 33/34] perl: CVE-2018-12015 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:18 ` Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` ✗ patchtest: failure for "[ROCKO] sqlite3: CVE-2017-1528..." and 33 more Patchwork
33 siblings, 0 replies; 35+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:18 UTC (permalink / raw)
To: openembedded-core
ecc: Add blinding for ECDSA.
* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with
randomized nonce B.
--
CVE-id: CVE-2018-0495
Affects libgcrypt < 1.7.10 and libgcrypt < 1.8.3
Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
.../libgcrypt/files/CVE-2018-0495.patch | 76 ++++++++++++++++++++++
meta/recipes-support/libgcrypt/libgcrypt_1.8.0.bb | 1 +
2 files changed, 77 insertions(+)
create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2018-0495.patch
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2018-0495.patch b/meta/recipes-support/libgcrypt/files/CVE-2018-0495.patch
new file mode 100644
index 0000000..c16bd3a
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2018-0495.patch
@@ -0,0 +1,76 @@
+From 9010d1576e278a4274ad3f4aa15776c28f6ba965 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Wed, 13 Jun 2018 15:28:58 +0900
+Subject: [PATCH] ecc: Add blinding for ECDSA.
+
+* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with
+randomized nonce B.
+
+--
+
+Reported-by: Keegan Ryan <Keegan.Ryan@nccgroup.trust>
+CVE-id: CVE-2018-0495
+
+Upstream-Status: Backport [http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965]
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ cipher/ecc-ecdsa.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
+index 1484830b..140e8c09 100644
+--- a/cipher/ecc-ecdsa.c
++++ b/cipher/ecc-ecdsa.c
+@@ -50,6 +50,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+ const void *abuf;
+ unsigned int abits, qbits;
+ mpi_ec_t ctx;
++ gcry_mpi_t b; /* Random number needed for blinding. */
++ gcry_mpi_t bi; /* multiplicative inverse of B. */
+
+ if (DBG_CIPHER)
+ log_mpidump ("ecdsa sign hash ", input );
+@@ -61,6 +63,15 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+ if (rc)
+ return rc;
+
++ b = mpi_snew (qbits);
++ bi = mpi_snew (qbits);
++ do
++ {
++ _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
++ mpi_mod (b, b, skey->E.n);
++ }
++ while (!mpi_invm (bi, b, skey->E.n));
++
+ k = NULL;
+ dr = mpi_alloc (0);
+ sum = mpi_alloc (0);
+@@ -115,8 +126,11 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+ }
+ while (!mpi_cmp_ui (r, 0));
+
+- mpi_mulm (dr, skey->d, r, skey->E.n); /* dr = d*r mod n */
+- mpi_addm (sum, hash, dr, skey->E.n); /* sum = hash + (d*r) mod n */
++ mpi_mulm (dr, b, skey->d, skey->E.n);
++ mpi_mulm (dr, dr, r, skey->E.n); /* dr = d*r mod n (blinded with b) */
++ mpi_mulm (sum, b, hash, skey->E.n);
++ mpi_addm (sum, sum, dr, skey->E.n); /* sum = hash + (d*r) mod n (blinded with b) */
++ mpi_mulm (sum, bi, sum, skey->E.n); /* undo blinding by b^-1 */
+ mpi_invm (k_1, k, skey->E.n); /* k_1 = k^(-1) mod n */
+ mpi_mulm (s, k_1, sum, skey->E.n); /* s = k^(-1)*(hash+(d*r)) mod n */
+ }
+@@ -129,6 +143,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+ }
+
+ leave:
++ mpi_free (b);
++ mpi_free (bi);
+ _gcry_mpi_ec_free (ctx);
+ point_free (&I);
+ mpi_free (x);
+--
+2.13.3
+
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.0.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.0.bb
index 02982f0..3d189f5 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.0.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.0.bb
@@ -22,6 +22,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.gz \
file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \
file://0005-ecc-Add-input-validation-for-X25519.patch \
file://0006-Fix-building-AArch32-CE-implementations-when-target-.patch \
+ file://CVE-2018-0495.patch \
"
SRC_URI[md5sum] = "110ce4352f9ea6f560bdc6c5644ae93c"
SRC_URI[sha256sum] = "f6e470b7f2d3a703e8747f05a8c19d9e10e26ebf2d5f3d71ff75a40f504e12ee"
--
2.7.4
^ permalink raw reply related [flat|nested] 35+ messages in thread* ✗ patchtest: failure for "[ROCKO] sqlite3: CVE-2017-1528..." and 33 more
2018-08-22 11:17 [ROCKO][PATCH 01/34] sqlite3: CVE-2017-15286 Jagadeesh Krishnanjanappa
` (32 preceding siblings ...)
2018-08-22 11:18 ` [ROCKO][PATCH 34/34] libgcrypt: CVE-2018-0495 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:41 ` Patchwork
33 siblings, 0 replies; 35+ messages in thread
From: Patchwork @ 2018-08-22 11:41 UTC (permalink / raw)
To: Jagadeesh Krishnanjanappa; +Cc: openembedded-core
== Series Details ==
Series: "[ROCKO] sqlite3: CVE-2017-1528..." and 33 more
Revision: 1
URL : https://patchwork.openembedded.org/series/13659/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Patch [ROCKO,16/34] Qemu CVE-2018-11806 slirp-heap-buffer-overflow
Issue Shortlog does not follow expected format [test_shortlog_format]
Suggested fix Commit shortlog (first line of commit message) should follow the format "<target>: <summary>"
* Patch [ROCKO,32/34] openssl: CVE-2018-0732
Issue Missing or incorrectly formatted CVE tag in included patch file [test_cve_tag_format]
Suggested fix Correct or include the CVE tag on cve patch with format: "CVE: CVE-YYYY-XXXX"
* Issue A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence]
Suggested fix Sign off the added patch file (meta/recipes-extended/libarchive/libarchive/CVE-2017-14503.patch)
* Issue Upstream-Status is in incorrect format [test_upstream_status_presence_format]
Suggested fix Fix Upstream-Status format in 0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch
Current Upstream-status: Backport
Standard format Upstream-Status: <Valid status>
Valid status Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
^ permalink raw reply [flat|nested] 35+ messages in thread