[PATCH 0/4][Part III] wr-misc patches

[PATCH 0/4][Part III] wr-misc patches

[Hongxu Jia]

WindRiver patches was sent for YP compliance.

There are total 22 patches, and separate them into 4 parts,
each part is individual which means there is no dependence
between them.

//Hongxu

The following changes since commit 8c3eb5ee4582b6f6d489549290937657f37fc19e:

  packagegroup-toolset-native: Update after ocf-linux -> cryptodev-linux change (2014-03-27 19:53:30 +0000)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib hongxu/wr-misc-patches-3
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=hongxu/wr-misc-patches-3

Baogen Shang (2):
  libarchive: fix CVE-2013-0211
  libtiff: fix CVE-2013-4244

yanjun.zhu (2):
  nss-3.15.1: fix CVE-2013-1741
  nss-3.15.1: fix CVE-2013-5605

 .../libarchive/libarchive-CVE-2013-0211.patch      | 38 +++++++++
 .../libarchive/libarchive_3.1.2.bb                 |  1 +
 .../libtiff/files/libtiff-CVE-2013-4244.patch      | 19 +++++
 meta/recipes-multimedia/libtiff/tiff_4.0.3.bb      |  3 +-
 .../nss/files/nss-3.15.1-fix-CVE-2013-1741.patch   | 92 ++++++++++++++++++++++
 .../nss/files/nss-3.15.1-fix-CVE-2013-5605.patch   | 18 +++++
 meta/recipes-support/nss/nss.inc                   |  2 +
 7 files changed, 172 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/libarchive-CVE-2013-0211.patch
 create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4244.patch
 create mode 100644 meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
 create mode 100644 meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-5605.patch

-- 
1.8.1.2

[PATCH 1/4] libarchive: fix CVE-2013-0211

[Hongxu Jia]

From: Baogen Shang <baogen.shang@windriver.com>

CVE description:
Integer signedness error in the archive_write_zip_data function in
archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running
on 64-bit machines, allows context-dependent attackers to cause a denial of
service (crash) via unspecified vectors, which triggers an improper conversion
between unsigned and signed types, leading to a buffer overflow.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0211
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Jeff Polk <jeff.polk@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 .../libarchive/libarchive-CVE-2013-0211.patch      | 38 ++++++++++++++++++++++
 .../libarchive/libarchive_3.1.2.bb                 |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/libarchive-CVE-2013-0211.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/libarchive-CVE-2013-0211.patch b/meta/recipes-extended/libarchive/libarchive/libarchive-CVE-2013-0211.patch
new file mode 100644
index 0000000..126f80e
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/libarchive-CVE-2013-0211.patch
@@ -0,0 +1,38 @@
+From 2f55d6bd308ea61975558c2469ae349dba297e89 Mon Sep 17 00:00:00 2001
+From: Robert Yang <liezhi.yang@windriver.com>
+Date: Sat, 22 Feb 2014 14:35:59 +0800
+Subject: [PATCH] Fix CVE-2013-0211
+
+This patch comes from:https://github.com/libarchive/libarchive/commit/22531545514043e04633e1c015c7540b9de9dbe4
+
+Upstream-Status: Backport
+
+Signed-off-by: Baogen shang <baogen.shang@windriver.com>
+
+Update the patch because of uprev on 20140222
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+---
+ libarchive/archive_write.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index a3d1a33..a323588 100644
+--- a/libarchive/archive_write.c
++++ b/libarchive/archive_write.c
+@@ -671,8 +671,12 @@ static ssize_t
+ _archive_write_data(struct archive *_a, const void *buff, size_t s)
+ {
+ 	struct archive_write *a = (struct archive_write *)_a;
++	const size_t max_write = INT_MAX;
+ 	archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
+ 	    ARCHIVE_STATE_DATA, "archive_write_data");
++	/* In particular, this catches attempts to pass negative values. */
++	if (s > max_write)
++		s = max_write;
+ 	archive_clear_error(&a->archive);
+ 	return ((a->format_write_data)(a, buff, s));
+ }
+-- 
+1.8.2.1
+
diff --git a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
index 2556dc8..d5599e0 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
@@ -26,6 +26,7 @@ PACKAGECONFIG[libxml2] = "--with-xml2,--without-xml2,libxml2,"
 PACKAGECONFIG[expat] = "--with-expat,--without-expat,expat,"
 
 SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
+           file://libarchive-CVE-2013-0211.patch \
            "
 
 SRC_URI[md5sum] = "efad5a503f66329bb9d2f4308b5de98a"
-- 
1.8.1.2

[PATCH 2/4] libtiff: fix CVE-2013-4244

[Hongxu Jia]

From: Baogen Shang <baogen.shang@windriver.com>

cve description:
The LZW decompressor in the gif2tiff tool in libtiff 4.0.3 and earlier
allows context-dependent attackers to cause a denial of service
(out-of-bounds write and crash) or possibly execute arbitrary code via
a crafted GIF image.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4244
Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 .../libtiff/files/libtiff-CVE-2013-4244.patch         | 19 +++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.0.3.bb         |  3 ++-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4244.patch

diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4244.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4244.patch
new file mode 100644
index 0000000..1a66830
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2013-4244.patch
@@ -0,0 +1,19 @@
+This patch comes from: https://github.com/vadz/libtiff/commit/ce6841d9e41d621ba23cf18b190ee6a23b2cc833
+
+Upstream-Status: Backport
+
+Signed-off-by: Baogen shang <baogen.shang@windriver.com>
+--- a/tools/gif2tiff.c	2013-12-17 16:46:02.160814995 +0800
++++ b/tools/gif2tiff.c	2013-12-17 16:52:25.140814949 +0800
+@@ -406,6 +406,11 @@
+         return 0;
+     }
+     if (oldcode == -1) {
++    if (code >= clear) {
++        fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
++        return 0;
++	}
++
+ 	*(*fill)++ = suffix[code];
+ 	firstchar = oldcode = code;
+ 	return 1;
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
index 9cb8edf..fb9e0bf 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.3.bb
@@ -7,7 +7,8 @@ SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \
            file://libtool2.patch \
            file://libtiff-CVE-2013-1960.patch \
            file://libtiff-CVE-2013-4232.patch \
-           file://libtiff-CVE-2013-4243.patch"
+           file://libtiff-CVE-2013-4243.patch \
+           file://libtiff-CVE-2013-4244.patch"
 
 SRC_URI[md5sum] = "051c1068e6a0627f461948c365290410"
 SRC_URI[sha256sum] = "ea1aebe282319537fb2d4d7805f478dd4e0e05c33d0928baba76a7c963684872"
-- 
1.8.1.2

[PATCH 3/4] nss-3.15.1: fix CVE-2013-1741

[Hongxu Jia]

From: "yanjun.zhu" <yanjun.zhu@windriver.com>

Integer overflow in Mozilla Network Security Services (NSS)
3.15 before 3.15.3 allows remote attackers to cause a denial
of service or possibly have unspecified other impact via a
large size value.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1741
Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 .../nss/files/nss-3.15.1-fix-CVE-2013-1741.patch   | 92 ++++++++++++++++++++++
 meta/recipes-support/nss/nss.inc                   |  1 +
 2 files changed, 93 insertions(+)
 create mode 100644 meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch

diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
new file mode 100644
index 0000000..21da0c0
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
@@ -0,0 +1,92 @@
+Upstream-Status: backport
+yanjun.zhu <yanjun.zhu@windriver.com>
+--- a/nss/lib/util/secport.c
++++ b/nss/lib/util/secport.c
+@@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu
+ PORTCharConversionFunc ucs2Utf8ConvertFunc;
+ PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
+ 
++/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc)
++ * use the PRUint32 type for the size parameter. Before we pass a size_t or
++ * unsigned long size to these functions, we need to ensure it is <= half of
++ * the maximum PRUint32 value to avoid truncation and catch a negative size.
++ */
++#define MAX_SIZE (PR_UINT32_MAX >> 1)
++
+ void *
+ PORT_Alloc(size_t bytes)
+ {
+-    void *rv;
++    void *rv = NULL;
+ 
+-    /* Always allocate a non-zero amount of bytes */
+-    rv = (void *)PR_Malloc(bytes ? bytes : 1);
++    if (bytes <= MAX_SIZE) {
++	/* Always allocate a non-zero amount of bytes */
++	rv = PR_Malloc(bytes ? bytes : 1);
++    }
+     if (!rv) {
+ 	++port_allocFailures;
+ 	PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes)
+ void *
+ PORT_Realloc(void *oldptr, size_t bytes)
+ {
+-    void *rv;
++    void *rv = NULL;
+ 
+-    rv = (void *)PR_Realloc(oldptr, bytes);
++    if (bytes <= MAX_SIZE) {
++	rv = PR_Realloc(oldptr, bytes);
++    }
+     if (!rv) {
+ 	++port_allocFailures;
+ 	PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes)
+ void *
+ PORT_ZAlloc(size_t bytes)
+ {
+-    void *rv;
++    void *rv = NULL;
+ 
+-    /* Always allocate a non-zero amount of bytes */
+-    rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
++    if (bytes <= MAX_SIZE) {
++	/* Always allocate a non-zero amount of bytes */
++	rv = PR_Calloc(1, bytes ? bytes : 1);
++    }
+     if (!rv) {
+ 	++port_allocFailures;
+ 	PORT_SetError(SEC_ERROR_NO_MEMORY);
+@@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize)
+ {
+     PORTArenaPool *pool;
+     
++    if (chunksize > MAX_SIZE) {
++	PORT_SetError(SEC_ERROR_NO_MEMORY);
++	return NULL;
++    }
+     pool = PORT_ZNew(PORTArenaPool);
+     if (!pool) {
+ 	return NULL;
+@@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize)
+     return(&pool->arena);
+ }
+ 
+-#define MAX_SIZE 0x7fffffffUL
+-
+ void *
+ PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
+ {
+@@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void 
+     PORTArenaPool *pool = (PORTArenaPool *)arena;
+     PORT_Assert(newsize >= oldsize);
+     
++    if (newsize > MAX_SIZE) {
++	PORT_SetError(SEC_ERROR_NO_MEMORY);
++	return NULL;
++    }
++
+     if (ARENAPOOL_MAGIC == pool->magic ) {
+ 	PZ_Lock(pool->lock);
+ 	/* Do we do a THREADMARK check here? */
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
index a6aeed8..6364562 100644
--- a/meta/recipes-support/nss/nss.inc
+++ b/meta/recipes-support/nss/nss.inc
@@ -16,6 +16,7 @@ SRC_URI = "\
     file://nss-fix-support-cross-compiling.patch \
     file://nss-no-rpath-for-cross-compiling.patch \
     file://nss-fix-incorrect-shebang-of-perl.patch \
+    file://nss-3.15.1-fix-CVE-2013-1741.patch \
 "
 SRC_URI_append_class-target = "\
     file://nss.pc.in \
-- 
1.8.1.2

[PATCH 4/4] nss-3.15.1: fix CVE-2013-5605

[Hongxu Jia]

From: "yanjun.zhu" <yanjun.zhu@windriver.com>

Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and
3.15 before 3.15.3 allows remote attackers to cause a denial
of service or possibly have unspecified other impact via
invalid handshake packets.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5605
Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 .../nss/files/nss-3.15.1-fix-CVE-2013-5605.patch       | 18 ++++++++++++++++++
 meta/recipes-support/nss/nss.inc                       |  1 +
 2 files changed, 19 insertions(+)
 create mode 100644 meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-5605.patch

diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-5605.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-5605.patch
new file mode 100644
index 0000000..7203d02
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-5605.patch
@@ -0,0 +1,18 @@
+signed-off-by: Ryan Sleevi <ryan.sleevi@gmail.com>
+Upstream-Status: Backport
+reference:https://hg.mozilla.org/projects/nss/rev/e79a09364b5e
+
+--- a/nss/lib/ssl/ssl3con.c
++++ b/nss/lib/ssl/ssl3con.c
+@@ -781,6 +781,11 @@ static SECStatus
+ Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
+ 	    const unsigned char *input, int inputLen)
+ {
++    if (inputLen > maxOutputLen) {
++        *outputLen = 0;  /* Match PK11_CipherOp in setting outputLen */
++        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
++        return SECFailure;
++    }
+     *outputLen = inputLen;
+     if (input != output)
+ 	PORT_Memcpy(output, input, inputLen);
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
index 6364562..404decc 100644
--- a/meta/recipes-support/nss/nss.inc
+++ b/meta/recipes-support/nss/nss.inc
@@ -17,6 +17,7 @@ SRC_URI = "\
     file://nss-no-rpath-for-cross-compiling.patch \
     file://nss-fix-incorrect-shebang-of-perl.patch \
     file://nss-3.15.1-fix-CVE-2013-1741.patch \
+    file://nss-3.15.1-fix-CVE-2013-5605.patch \
 "
 SRC_URI_append_class-target = "\
     file://nss.pc.in \
-- 
1.8.1.2

Re: [PATCH 1/4] libarchive: fix CVE-2013-0211

[Khem Raj]

On Fri, Mar 28, 2014 at 2:43 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> ++      const size_t max_write = INT_MAX;

I think INT_MAX is a mismatch here size_t may not be defined 'unsigned
int' on all kind of architectures.

Re: [PATCH 1/4] libarchive: fix CVE-2013-0211

[Hongxu Jia]

On 04/01/2014 01:30 PM, Khem Raj wrote:
> On Fri, Mar 28, 2014 at 2:43 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> ++      const size_t max_write = INT_MAX;
> I think INT_MAX is a mismatch here size_t may not be defined 'unsigned
> int' on all kind of architectures.

How about test the size of size_t and assigned the related MAX value:

const size_t max_write = (sizeof(size_t) >= 
sizeof(int))?INT_MAX:(sizeof(size_t) == sizeof(short))?SHRT_MAX:CHAR_MAX;

//Hongxu

Re: [PATCH 1/4] libarchive: fix CVE-2013-0211

[Khem Raj]

On Tue, Apr 1, 2014 at 12:40 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> On 04/01/2014 01:30 PM, Khem Raj wrote:
>>
>> On Fri, Mar 28, 2014 at 2:43 AM, Hongxu Jia <hongxu.jia@windriver.com>
>> wrote:
>>>
>>> ++      const size_t max_write = INT_MAX;
>>
>> I think INT_MAX is a mismatch here size_t may not be defined 'unsigned
>> int' on all kind of architectures.
>
>
> How about test the size of size_t and assigned the related MAX value:
>
> const size_t max_write = (sizeof(size_t) >=
> sizeof(int))?INT_MAX:(sizeof(size_t) == sizeof(short))?SHRT_MAX:CHAR_MAX;
>

you could use something like (size_t)-1 to denote SIZE_MAX

> //Hongxu
>

Re: [PATCH 1/4] libarchive: fix CVE-2013-0211

[Hongxu Jia]

On 04/01/2014 10:57 PM, Khem Raj wrote:
>> How about test the size of size_t and assigned the related MAX value:
>> >
>> >const size_t max_write = (sizeof(size_t) >=
>> >sizeof(int))?INT_MAX:(sizeof(size_t) == sizeof(short))?SHRT_MAX:CHAR_MAX;
>> >
> you could use something like (size_t)-1 to denote SIZE_MAX
>

Sounds good, I will do that in V2.

//Hongxu