* [PATCH 01/25] neard: fix the install path in init scripts
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 02/25] tzcode: update to 2015d Armin Kuster
` (24 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Cristian Iorga <cristian.iorga@intel.com>
The neard make scripts will place the daemon executable
in /usr/lib/neard/nfc/neard. Change the path accordingly
in init scripts.
Fixes [YOCTO #7390].
(From OE-Core rev: bd277f3a46e7fc764cc55c5354d2136fcfddc3c1)
Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-connectivity/neard/neard.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-connectivity/neard/neard.inc b/meta/recipes-connectivity/neard/neard.inc
index e714cad..983a022 100644
--- a/meta/recipes-connectivity/neard/neard.inc
+++ b/meta/recipes-connectivity/neard/neard.inc
@@ -21,7 +21,7 @@ do_install() {
do_install_append() {
if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/init.d/
- sed "s:@installpath@:${libexecdir}:" ${WORKDIR}/neard.in \
+ sed "s:@installpath@:${libexecdir}/nfc:" ${WORKDIR}/neard.in \
> ${D}${sysconfdir}/init.d/neard
chmod 0755 ${D}${sysconfdir}/init.d/neard
fi
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 02/25] tzcode: update to 2015d
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
2015-07-18 15:16 ` [PATCH 01/25] neard: fix the install path in init scripts Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 03/25] tzdata: " Armin Kuster
` (23 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
Changes affecting code
zic has some minor performance improvements.
(From OE-Core rev: 3ab7e247b0662a1791169f16424abec426885f80)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-extended/tzcode/tzcode-native_2015d.bb | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 meta/recipes-extended/tzcode/tzcode-native_2015d.bb
diff --git a/meta/recipes-extended/tzcode/tzcode-native_2015d.bb b/meta/recipes-extended/tzcode/tzcode-native_2015d.bb
new file mode 100644
index 0000000..44a9f03
--- /dev/null
+++ b/meta/recipes-extended/tzcode/tzcode-native_2015d.bb
@@ -0,0 +1,11 @@
+# note that we allow for us to use data later than our code version
+#
+SRC_URI =" ftp://ftp.iana.org/tz/releases/tzcode${PV}.tar.gz;name=tzcode \
+ ftp://ftp.iana.org/tz/releases/tzdata2015d.tar.gz;name=tzdata"
+
+SRC_URI[tzcode.md5sum] = "4008a3abc025a398697b2587c48258b9"
+SRC_URI[tzcode.sha256sum] = "221af54ec5c42eaf0101159ffe1256a883d1c14c46228d42774c656a56317128"
+SRC_URI[tzdata.md5sum] = "b595bdc4474b8fc1a15cffc67c66025b"
+SRC_URI[tzdata.sha256sum] = "8b9f5008277f09e251e97dba7813f56168d691115bda90ade4638d72f296d531"
+
+require tzcode-native.inc
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 03/25] tzdata: update to 2015d
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
2015-07-18 15:16 ` [PATCH 01/25] neard: fix the install path in init scripts Armin Kuster
2015-07-18 15:16 ` [PATCH 02/25] tzcode: update to 2015d Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 04/25] curl: several security fixes Armin Kuster
` (22 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
Changes affecting future time stamps
Egypt will not observe DST in 2015 and will consider canceling it
permanently. For now, assume no DST indefinitely.
(Thanks to Ahmed Nazmy and Tim Parenti.)
Changes affecting past time stamps
America/Whitehorse switched from UTC-9 to UTC-8 on 1967-05-28, not
1966-07-01. Also, Yukon's time zone history is documented better.
(Thanks to Brian Inglis and Dennis Ferguson.)
Change affecting past and future time zone abbreviations
The abbreviations for Hawaii-Aleutian standard and daylight times
have been changed from HAST/HADT to HST/HDT, as per US Government
Printing Office style. This affects only America/Adak since 1983,
as America/Honolulu was already using the new style.
(From OE-Core rev: b9f366ab4e0a9cad69b631f402b9afa02d40f667)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-extended/tzdata/tzdata_2015d.bb | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 meta/recipes-extended/tzdata/tzdata_2015d.bb
diff --git a/meta/recipes-extended/tzdata/tzdata_2015d.bb b/meta/recipes-extended/tzdata/tzdata_2015d.bb
new file mode 100644
index 0000000..d8e5f24
--- /dev/null
+++ b/meta/recipes-extended/tzdata/tzdata_2015d.bb
@@ -0,0 +1,6 @@
+SRC_URI = "ftp://ftp.iana.org/tz/releases/tzdata${PV}.tar.gz;name=tzdata"
+
+SRC_URI[tzdata.md5sum] = "b595bdc4474b8fc1a15cffc67c66025b"
+SRC_URI[tzdata.sha256sum] = "8b9f5008277f09e251e97dba7813f56168d691115bda90ade4638d72f296d531"
+
+require tzdata.inc
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 04/25] curl: several security fixes
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (2 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 03/25] tzdata: " Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 05/25] curl: add a few missing " Armin Kuster
` (21 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: "Maxin B. John" <maxin.john@enea.com>
Fixes below listed bugs:
1. CVE-2015-3143
2. CVE-2015-3144
3. CVE-2015-3145
Dropped: 4. CVE-2015-3148
SPNEGO was introduced in 7.39 so this version not affected
Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-support/curl/curl/CVE-2015-3143.patch | 38 ++++++++++++
meta/recipes-support/curl/curl/CVE-2015-3144.patch | 45 ++++++++++++++
meta/recipes-support/curl/curl/CVE-2015-3145.patch | 70 ++++++++++++++++++++++
3 files changed, 153 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2015-3143.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2015-3144.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2015-3145.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3143.patch b/meta/recipes-support/curl/curl/CVE-2015-3143.patch
new file mode 100644
index 0000000..745e945
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3143.patch
@@ -0,0 +1,38 @@
+From d7d1bc8f08eea1a85ab0d794bc1561659462d937 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 13:26:46 +0200
+Subject: [PATCH] ConnectionExists: for NTLM re-use, require credentials to
+ match
+
+Upstream-Status: Backport
+
+CVE-2015-3143
+
+Bug: http://curl.haxx.se/docs/adv_20150422A.html
+Reported-by: Paras Sethia
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 018bb88..ee3d176 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3207,11 +3207,11 @@ ConnectionExists(struct SessionHandle *data,
+ strcmp(check->localdev, needle->localdev))
+ continue;
+ }
+
+ if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+- wantNTLMhttp) {
++ (wantNTLMhttp || check->ntlm.state != NTLMSTATE_NONE)) {
+ /* This protocol requires credentials per connection or is HTTP+NTLM,
+ so verify that we're using the same name and password as well */
+ if(!strequal(needle->user, check->user) ||
+ !strequal(needle->passwd, check->passwd)) {
+ /* one of them was different */
+--
+2.1.4
+
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3144.patch b/meta/recipes-support/curl/curl/CVE-2015-3144.patch
new file mode 100644
index 0000000..ca6d744
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3144.patch
@@ -0,0 +1,45 @@
+From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 23:52:04 +0200
+Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport
+
+If a URL is given with a zero-length host name, like in "http://:80" or
+just ":80", `fix_hostname()` will index the host name pointer with a -1
+offset (as it blindly assumes a non-zero length) and both read and
+assign that address.
+
+CVE-2015-3144
+
+Bug: http://curl.haxx.se/docs/adv_20150422D.html
+Reported-by: Hanno Böck
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index ee3d176..f033dbc 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -3625,11 +3625,11 @@ static void fix_hostname(struct SessionHandle *data,
+
+ /* set the name we use to display the host name */
+ host->dispname = host->name;
+
+ len = strlen(host->name);
+- if(host->name[len-1] == '.')
++ if(len && (host->name[len-1] == '.'))
+ /* strip off a single trailing dot if present, primarily for SNI but
+ there's no use for it */
+ host->name[len-1]=0;
+
+ if(!is_ASCII_name(host->name)) {
+--
+2.1.4
+
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3145.patch b/meta/recipes-support/curl/curl/CVE-2015-3145.patch
new file mode 100644
index 0000000..15a9982
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3145.patch
@@ -0,0 +1,70 @@
+From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 16 Apr 2015 16:37:40 +0200
+Subject: [PATCH] cookie: cookie parser out of boundary memory access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream-Status: Backport
+
+The internal libcurl function called sanitize_cookie_path() that cleans
+up the path element as given to it from a remote site or when read from
+a file, did not properly validate the input. If given a path that
+consisted of a single double-quote, libcurl would index a newly
+allocated memory area with index -1 and assign a zero to it, thus
+destroying heap memory it wasn't supposed to.
+
+CVE-2015-3145
+
+Bug: http://curl.haxx.se/docs/adv_20150422C.html
+Reported-by: Hanno Böck
+Signed-off-by: Daniel Stenberg <daniel@haxx.se>
+Signed-off-by: Maxin B. John <maxin.john@enea.com>
+---
+ lib/cookie.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index 0864f6b..0127926 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -223,15 +223,18 @@ static char *sanitize_cookie_path(const char *cookie_path)
+ char *new_path = strdup(cookie_path);
+ if(!new_path)
+ return NULL;
+
+ /* some stupid site sends path attribute with '"'. */
++ len = strlen(new_path);
+ if(new_path[0] == '\"') {
+- memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
++ memmove((void *)new_path, (const void *)(new_path + 1), len);
++ len--;
+ }
+- if(new_path[strlen(new_path) - 1] == '\"') {
+- new_path[strlen(new_path) - 1] = 0x0;
++ if(len && (new_path[len - 1] == '\"')) {
++ new_path[len - 1] = 0x0;
++ len--;
+ }
+
+ /* RFC6265 5.2.4 The Path Attribute */
+ if(new_path[0] != '/') {
+ /* Let cookie-path be the default-path. */
+@@ -239,12 +242,11 @@ static char *sanitize_cookie_path(const char *cookie_path)
+ new_path = strdup("/");
+ return new_path;
+ }
+
+ /* convert /hoge/ to /hoge */
+- len = strlen(new_path);
+- if(1 < len && new_path[len - 1] == '/') {
++ if(len && new_path[len - 1] == '/') {
+ new_path[len - 1] = 0x0;
+ }
+
+ return new_path;
+ }
+--
+2.1.4
+
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 05/25] curl: add a few missing security fixes
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (3 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 04/25] curl: several security fixes Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 06/25] squashfs-tools: build and install unsquashfs as well Armin Kuster
` (20 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
CVE-2014-3707
CVE-2014-8150
CVE-2015-3153
not affected by: CVE-2014-8151
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-support/curl/curl/CVE-2014-3707.patch | 416 +++++++++++++++++++++
meta/recipes-support/curl/curl/CVE-2014-8150.patch | 29 ++
meta/recipes-support/curl/curl/CVE-2015-3153.patch | 90 +++++
meta/recipes-support/curl/curl_7.37.1.bb | 6 +
4 files changed, 541 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2014-3707.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2014-8150.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2015-3153.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2014-3707.patch b/meta/recipes-support/curl/curl/CVE-2014-3707.patch
new file mode 100644
index 0000000..7ff38a6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2014-3707.patch
@@ -0,0 +1,416 @@
+From 3696fc1ba79d9b34660c44150be5e93ecf87dd9e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 17 Oct 2014 12:59:32 +0200
+Subject: [PATCH] curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of
+ bounds
+
+When duplicating a handle, the data to post was duplicated using
+strdup() when it could be binary and contain zeroes and it was not even
+zero terminated! This caused read out of bounds crashes/segfaults.
+
+Since the lib/strdup.c file no longer is easily shared with the curl
+tool with this change, it now uses its own version instead.
+
+Bug: http://curl.haxx.se/docs/adv_20141105.html
+CVE: CVE-2014-3707
+Reported-By: Symeon Paraschoudis
+---
+ lib/formdata.c | 52 +++++++++-------------------------------------------
+ lib/strdup.c | 32 +++++++++++++++++++++++++++-----
+ lib/strdup.h | 3 ++-
+ lib/url.c | 22 +++++++++++++++++-----
+ lib/urldata.h | 11 +++++++++--
+ src/Makefile.inc | 4 ++--
+ src/tool_setup.h | 5 ++---
+ src/tool_strdup.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++
+ src/tool_strdup.h | 30 ++++++++++++++++++++++++++++++
+ 9 files changed, 145 insertions(+), 61 deletions(-)
+ create mode 100644 src/tool_strdup.c
+ create mode 100644 src/tool_strdup.h
+
+Index: curl-7.37.1/lib/formdata.c
+===================================================================
+--- curl-7.37.1.orig/lib/formdata.c
++++ curl-7.37.1/lib/formdata.c
+@@ -36,6 +36,7 @@
+ #include "strequal.h"
+ #include "curl_memory.h"
+ #include "sendf.h"
++#include "strdup.h"
+
+ #define _MPRINTF_REPLACE /* use our functions only */
+ #include <curl/mprintf.h>
+@@ -214,46 +215,6 @@ static const char *ContentTypeForFilenam
+
+ /***************************************************************************
+ *
+- * memdup()
+- *
+- * Copies the 'source' data to a newly allocated buffer buffer (that is
+- * returned). Uses buffer_length if not null, else uses strlen to determine
+- * the length of the buffer to be copied
+- *
+- * Returns the new pointer or NULL on failure.
+- *
+- ***************************************************************************/
+-static char *memdup(const char *src, size_t buffer_length)
+-{
+- size_t length;
+- bool add = FALSE;
+- char *buffer;
+-
+- if(buffer_length)
+- length = buffer_length;
+- else if(src) {
+- length = strlen(src);
+- add = TRUE;
+- }
+- else
+- /* no length and a NULL src pointer! */
+- return strdup("");
+-
+- buffer = malloc(length+add);
+- if(!buffer)
+- return NULL; /* fail */
+-
+- memcpy(buffer, src, length);
+-
+- /* if length unknown do null termination */
+- if(add)
+- buffer[length] = '\0';
+-
+- return buffer;
+-}
+-
+-/***************************************************************************
+- *
+ * FormAdd()
+ *
+ * Stores a formpost parameter and builds the appropriate linked list.
+@@ -682,9 +643,12 @@ CURLFORMcode FormAdd(struct curl_httppos
+ (form == first_form) ) {
+ /* Note that there's small risk that form->name is NULL here if the
+ app passed in a bad combo, so we better check for that first. */
+- if(form->name)
++ if(form->name) {
+ /* copy name (without strdup; possibly contains null characters) */
+- form->name = memdup(form->name, form->namelength);
++ form->name = Curl_memdup(form->name, form->namelength?
++ form->namelength:
++ strlen(form->name)+1);
++ }
+ if(!form->name) {
+ return_value = CURL_FORMADD_MEMORY;
+ break;
+@@ -695,7 +659,7 @@ CURLFORMcode FormAdd(struct curl_httppos
+ HTTPPOST_PTRCONTENTS | HTTPPOST_PTRBUFFER |
+ HTTPPOST_CALLBACK)) ) {
+ /* copy value (without strdup; possibly contains null characters) */
+- form->value = memdup(form->value, form->contentslength);
++ form->value = Curl_memdup(form->value, form->contentslength);
+ if(!form->value) {
+ return_value = CURL_FORMADD_MEMORY;
+ break;
+Index: curl-7.37.1/lib/strdup.c
+===================================================================
+--- curl-7.37.1.orig/lib/strdup.c
++++ curl-7.37.1/lib/strdup.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -19,12 +19,12 @@
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+-/*
+- * This file is 'mem-include-scan' clean. See test 1132.
+- */
+ #include "curl_setup.h"
+-
+ #include "strdup.h"
++#include "curl_memory.h"
++
++/* The last #include file should be: */
++#include "memdebug.h"
+
+ #ifndef HAVE_STRDUP
+ char *curlx_strdup(const char *str)
+@@ -50,3 +50,25 @@ char *curlx_strdup(const char *str)
+
+ }
+ #endif
++
++/***************************************************************************
++ *
++ * Curl_memdup(source, length)
++ *
++ * Copies the 'source' data to a newly allocated buffer (that is
++ * returned). Copies 'length' bytes.
++ *
++ * Returns the new pointer or NULL on failure.
++ *
++ ***************************************************************************/
++char *Curl_memdup(const char *src, size_t length)
++{
++ char *buffer = malloc(length);
++ if(!buffer)
++ return NULL; /* fail */
++
++ memcpy(buffer, src, length);
++
++ /* if length unknown do null termination */
++ return buffer;
++}
+Index: curl-7.37.1/lib/strdup.h
+===================================================================
+--- curl-7.37.1.orig/lib/strdup.h
++++ curl-7.37.1/lib/strdup.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -26,5 +26,6 @@
+ #ifndef HAVE_STRDUP
+ extern char *curlx_strdup(const char *str);
+ #endif
++char *Curl_memdup(const char *src, size_t buffer_length);
+
+ #endif /* HEADER_CURL_STRDUP_H */
+Index: curl-7.37.1/lib/url.c
+===================================================================
+--- curl-7.37.1.orig/lib/url.c
++++ curl-7.37.1/lib/url.c
+@@ -125,6 +125,7 @@ int curl_win32_idn_to_ascii(const char *
+ #include "multihandle.h"
+ #include "pipeline.h"
+ #include "dotdot.h"
++#include "strdup.h"
+
+ #define _MPRINTF_REPLACE /* use our functions only */
+ #include <curl/mprintf.h>
+@@ -270,8 +271,9 @@ void Curl_freeset(struct SessionHandle *
+ {
+ /* Free all dynamic strings stored in the data->set substructure. */
+ enum dupstring i;
+- for(i=(enum dupstring)0; i < STRING_LAST; i++)
++ for(i=(enum dupstring)0; i < STRING_LAST; i++) {
+ Curl_safefree(data->set.str[i]);
++ }
+
+ if(data->change.referer_alloc) {
+ Curl_safefree(data->change.referer);
+@@ -356,14 +358,24 @@ CURLcode Curl_dupset(struct SessionHandl
+ memset(dst->set.str, 0, STRING_LAST * sizeof(char *));
+
+ /* duplicate all strings */
+- for(i=(enum dupstring)0; i< STRING_LAST; i++) {
++ for(i=(enum dupstring)0; i< STRING_LASTZEROTERMINATED; i++) {
+ r = setstropt(&dst->set.str[i], src->set.str[i]);
+ if(r != CURLE_OK)
+- break;
++ return r;
+ }
+
+- /* If a failure occurred, freeing has to be performed externally. */
+- return r;
++ /* duplicate memory areas pointed to */
++ i = STRING_COPYPOSTFIELDS;
++ if(src->set.postfieldsize && src->set.str[i]) {
++ /* postfieldsize is curl_off_t, Curl_memdup() takes a size_t ... */
++ dst->set.str[i] = Curl_memdup(src->set.str[i], src->set.postfieldsize);
++ if(!dst->set.str[i])
++ return CURLE_OUT_OF_MEMORY;
++ /* point to the new copy */
++ dst->set.postfields = dst->set.str[i];
++ }
++
++ return CURLE_OK;
+ }
+
+ /*
+Index: curl-7.37.1/lib/urldata.h
+===================================================================
+--- curl-7.37.1.orig/lib/urldata.h
++++ curl-7.37.1/lib/urldata.h
+@@ -1359,7 +1359,6 @@ enum dupstring {
+ STRING_KRB_LEVEL, /* krb security level */
+ STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find
+ $HOME/.netrc */
+- STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */
+ STRING_PROXY, /* proxy to use */
+ STRING_SET_RANGE, /* range, if used */
+ STRING_SET_REFERER, /* custom string for the HTTP referer field */
+@@ -1401,7 +1400,15 @@ enum dupstring {
+
+ STRING_BEARER, /* <bearer>, if used */
+
+- /* -- end of strings -- */
++ /* -- end of zero-terminated strings -- */
++
++ STRING_LASTZEROTERMINATED,
++
++ /* -- below this are pointers to binary data that cannot be strdup'ed.
++ Each such pointer must be added manually to Curl_dupset() --- */
++
++ STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */
++
+ STRING_LAST /* not used, just an end-of-list marker */
+ };
+
+Index: curl-7.37.1/src/Makefile.inc
+===================================================================
+--- curl-7.37.1.orig/src/Makefile.inc
++++ curl-7.37.1/src/Makefile.inc
+@@ -11,7 +11,6 @@
+ # the official API, but we re-use the code here to avoid duplication.
+ CURLX_CFILES = \
+ ../lib/strtoofft.c \
+- ../lib/strdup.c \
+ ../lib/rawstr.c \
+ ../lib/nonblock.c \
+ ../lib/warnless.c
+@@ -19,7 +18,6 @@ CURLX_CFILES = \
+ CURLX_HFILES = \
+ ../lib/curl_setup.h \
+ ../lib/strtoofft.h \
+- ../lib/strdup.h \
+ ../lib/rawstr.h \
+ ../lib/nonblock.h \
+ ../lib/warnless.h
+@@ -55,6 +53,7 @@ CURL_CFILES = \
+ tool_panykey.c \
+ tool_paramhlp.c \
+ tool_parsecfg.c \
++ tool_strdup.c \
+ tool_setopt.c \
+ tool_sleep.c \
+ tool_urlglob.c \
+@@ -99,6 +98,7 @@ CURL_HFILES = \
+ tool_setopt.h \
+ tool_setup.h \
+ tool_sleep.h \
++ tool_strdup.h \
+ tool_urlglob.h \
+ tool_util.h \
+ tool_version.h \
+Index: curl-7.37.1/src/tool_setup.h
+===================================================================
+--- curl-7.37.1.orig/src/tool_setup.h
++++ curl-7.37.1/src/tool_setup.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -67,8 +67,7 @@
+ #endif
+
+ #ifndef HAVE_STRDUP
+-# include "strdup.h"
+-# define strdup(ptr) curlx_strdup(ptr)
++# include "tool_strdup.h"
+ #endif
+
+ #endif /* HEADER_CURL_TOOL_SETUP_H */
+Index: curl-7.37.1/src/tool_strdup.c
+===================================================================
+--- /dev/null
++++ curl-7.37.1/src/tool_strdup.c
+@@ -0,0 +1,47 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at http://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "strdup.h"
++
++#ifndef HAVE_STRDUP
++char *strdup(const char *str)
++{
++ size_t len;
++ char *newstr;
++
++ if(!str)
++ return (char *)NULL;
++
++ len = strlen(str);
++
++ if(len >= ((size_t)-1) / sizeof(char))
++ return (char *)NULL;
++
++ newstr = malloc((len+1)*sizeof(char));
++ if(!newstr)
++ return (char *)NULL;
++
++ memcpy(newstr,str,(len+1)*sizeof(char));
++
++ return newstr;
++
++}
++#endif
+Index: curl-7.37.1/src/tool_strdup.h
+===================================================================
+--- /dev/null
++++ curl-7.37.1/src/tool_strdup.h
+@@ -0,0 +1,30 @@
++#ifndef HEADER_TOOL_STRDUP_H
++#define HEADER_TOOL_STRDUP_H
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at http://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "tool_setup.h"
++
++#ifndef HAVE_STRDUP
++extern char *strdup(const char *str);
++#endif
++
++#endif /* HEADER_TOOL_STRDUP_H */
diff --git a/meta/recipes-support/curl/curl/CVE-2014-8150.patch b/meta/recipes-support/curl/curl/CVE-2014-8150.patch
new file mode 100644
index 0000000..9a08280
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2014-8150.patch
@@ -0,0 +1,29 @@
+From 4e2ac2afa94f014a2a015c48c678e2367a63ae82 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 25 Dec 2014 23:55:03 +0100
+Subject: [PATCH] url-parsing: reject CRLFs within URLs
+
+Bug: http://curl.haxx.se/docs/adv_20150108B.html
+Reported-by: Andrey Labunets
+---
+ lib/url.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+Index: curl-7.37.1/lib/url.c
+===================================================================
+--- curl-7.37.1.orig/lib/url.c
++++ curl-7.37.1/lib/url.c
+@@ -3756,6 +3756,13 @@ static CURLcode parseurlandfillconn(stru
+
+ *prot_missing = FALSE;
+
++ /* We might pass the entire URL into the request so we need to make sure
++ * there are no bad characters in there.*/
++ if(strpbrk(data->change.url, "\r\n")) {
++ failf(data, "Illegal characters found in URL");
++ return CURLE_URL_MALFORMAT;
++ }
++
+ /*************************************************************
+ * Parse the URL.
+ *
diff --git a/meta/recipes-support/curl/curl/CVE-2015-3153.patch b/meta/recipes-support/curl/curl/CVE-2015-3153.patch
new file mode 100644
index 0000000..089020a
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2015-3153.patch
@@ -0,0 +1,90 @@
+From 69a2e8d7ec581695a62527cb2252e7350f314ffa Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 23 Apr 2015 15:58:21 +0200
+Subject: [PATCH] CURLOPT_HEADEROPT: default to separate
+
+Make the HTTP headers separated by default for improved security and
+reduced risk for information leakage.
+
+Bug: http://curl.haxx.se/docs/adv_20150429.html
+Reported-by: Yehezkel Horowitz, Oren Souroujon
+---
+ docs/libcurl/opts/CURLOPT_HEADEROPT.3 | 12 ++++++------
+ lib/url.c | 1 +
+ tests/data/test1527 | 2 +-
+ tests/data/test287 | 2 +-
+ tests/libtest/lib1527.c | 1 +
+ 5 files changed, 10 insertions(+), 8 deletions(-)
+
+Index: curl-7.37.1/docs/libcurl/opts/CURLOPT_HEADEROPT.3
+===================================================================
+--- curl-7.37.1.orig/docs/libcurl/opts/CURLOPT_HEADEROPT.3
++++ curl-7.37.1/docs/libcurl/opts/CURLOPT_HEADEROPT.3
+@@ -5,7 +5,7 @@
+ .\" * | (__| |_| | _ <| |___
+ .\" * \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -44,7 +44,7 @@ headers. When doing CONNECT, libcurl wil
+ headers only do the proxy and then \fICURLOPT_HTTPHEADER(3)\fP headers only to
+ the server.
+ .SH DEFAULT
+-CURLHEADER_UNIFIED
++CURLHEADER_SEPARATE (changed in 7.42.1, ased CURLHEADER_UNIFIED before then)
+ .SH PROTOCOLS
+ HTTP
+ .SH EXAMPLE
+Index: curl-7.37.1/tests/data/test1527
+===================================================================
+--- curl-7.37.1.orig/tests/data/test1527
++++ curl-7.37.1/tests/data/test1527
+@@ -45,7 +45,7 @@ http-proxy
+ lib1527
+ </tool>
+ <name>
+-Check same headers are generated without CURLOPT_PROXYHEADER
++Check same headers are generated with CURLOPT_HEADEROPT == CURLHEADER_UNIFIED
+ </name>
+ <command>
+ http://the.old.moo.1527:%HTTPPORT/1527 %HOSTIP:%PROXYPORT
+Index: curl-7.37.1/tests/data/test287
+===================================================================
+--- curl-7.37.1.orig/tests/data/test287
++++ curl-7.37.1/tests/data/test287
+@@ -28,7 +28,7 @@ http
+ HTTP proxy CONNECT with custom User-Agent header
+ </name>
+ <command>
+-http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2007" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel
++http://test.remote.example.com.287:%HTTPPORT/path/287 -H "User-Agent: looser/2015" --proxy http://%HOSTIP:%HTTPPORT --proxytunnel --proxy-header "User-Agent: looser/2007"
+ </command>
+ </client>
+
+Index: curl-7.37.1/tests/libtest/lib1527.c
+===================================================================
+--- curl-7.37.1.orig/tests/libtest/lib1527.c
++++ curl-7.37.1/tests/libtest/lib1527.c
+@@ -83,6 +83,7 @@ int test(char *URL)
+ test_setopt(curl, CURLOPT_READFUNCTION, read_callback);
+ test_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1L);
+ test_setopt(curl, CURLOPT_INFILESIZE, strlen(data));
++ test_setopt(curl, CURLOPT_HEADEROPT, CURLHEADER_UNIFIED);
+
+ res = curl_easy_perform(curl);
+
+Index: curl-7.37.1/lib/url.c
+===================================================================
+--- curl-7.37.1.orig/lib/url.c
++++ curl-7.37.1/lib/url.c
+@@ -584,6 +584,7 @@ CURLcode Curl_init_userdefined(struct Us
+ set->ssl_enable_alpn = TRUE;
+
+ set->expect_100_timeout = 1000L; /* Wait for a second by default. */
++ set->sep_headers = TRUE; /* separated header lists by default */
+ return res;
+ }
+
diff --git a/meta/recipes-support/curl/curl_7.37.1.bb b/meta/recipes-support/curl/curl_7.37.1.bb
index 8b854d7..2f4da97 100644
--- a/meta/recipes-support/curl/curl_7.37.1.bb
+++ b/meta/recipes-support/curl/curl_7.37.1.bb
@@ -9,6 +9,12 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://pkgconfig_fix.patch \
file://CVE-2014-3613.patch \
file://CVE-2014-3620.patch \
+ file://CVE-2015-3143.patch \
+ file://CVE-2015-3144.patch \
+ file://CVE-2015-3145.patch \
+ file://CVE-2014-3707.patch \
+ file://CVE-2014-8150.patch \
+ file://CVE-2015-3153.patch \
"
# curl likes to set -g0 in CFLAGS, so we stop it
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 06/25] squashfs-tools: build and install unsquashfs as well
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (4 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 05/25] curl: add a few missing " Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 07/25] perf: add LIBNUMA_DEFINES Armin Kuster
` (19 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
* it's useful for debugging corrupt squashfs images from mksquashfs
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster@smtp.gmail.com>
---
meta/recipes-devtools/squashfs-tools/squashfs-tools_4.3.bb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.3.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.3.bb
index d36f0fe..19d555e1 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.3.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_4.3.bb
@@ -27,11 +27,12 @@ SPDX_S = "${WORKDIR}/squashfs${PV}"
EXTRA_OEMAKE = "MAKEFLAGS= LZMA_SUPPORT=1 LZMA_DIR=../.. XZ_SUPPORT=1 LZO_SUPPORT=1 LZ4_SUPPORT=1"
do_compile() {
- oe_runmake mksquashfs
+ oe_runmake mksquashfs unsquashfs
}
do_install () {
install -d ${D}${sbindir}
install -m 0755 mksquashfs ${D}${sbindir}/
+ install -m 0755 unsquashfs ${D}${sbindir}/
}
ARM_INSTRUCTION_SET = "arm"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 07/25] perf: add LIBNUMA_DEFINES
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (5 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 06/25] squashfs-tools: build and install unsquashfs as well Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 08/25] license.bbclass: set dirs for do_populate_lic_setscene Armin Kuster
` (18 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Robert Yang <liezhi.yang@windriver.com>
Fixed:
WARNING: QA Issue: perf rdepends on numactl, but it isn't a build dependency? [build-deps]
The numactl is in meta-oe.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Armin Kuster <akuster@smtp.gmail.com>
---
meta/recipes-kernel/perf/perf.bb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb
index 19772d8..1f1f552 100644
--- a/meta/recipes-kernel/perf/perf.bb
+++ b/meta/recipes-kernel/perf/perf.bb
@@ -65,6 +65,7 @@ B = "${WORKDIR}/${BPN}-${PV}"
SCRIPTING_DEFINES = "${@perf_feature_enabled('perf-scripting', '', 'NO_LIBPERL=1 NO_LIBPYTHON=1',d)}"
TUI_DEFINES = "${@perf_feature_enabled('perf-tui', '', 'NO_NEWT=1',d)}"
LIBUNWIND_DEFINES = "${@perf_feature_enabled('perf-libunwind', '', 'NO_LIBUNWIND=1 NO_LIBDW_DWARF_UNWIND=1',d)}"
+LIBNUMA_DEFINES = "${@perf_feature_enabled('perf-libnuma', '', 'NO_LIBNUMA=1',d)}"
# The LDFLAGS is required or some old kernels fails due missing
# symbols and this is preferred than requiring patches to every old
@@ -80,7 +81,8 @@ EXTRA_OEMAKE = '\
AR="${AR}" \
EXTRA_CFLAGS="-ldw" \
perfexecdir=${libexecdir} \
- NO_GTK2=1 ${TUI_DEFINES} NO_DWARF=1 ${LIBUNWIND_DEFINES} ${SCRIPTING_DEFINES} \
+ NO_GTK2=1 ${TUI_DEFINES} NO_DWARF=1 ${LIBUNWIND_DEFINES} \
+ ${SCRIPTING_DEFINES} ${LIBNUMA_DEFINES} \
'
EXTRA_OEMAKE += "\
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 08/25] license.bbclass: set dirs for do_populate_lic_setscene
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (6 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 07/25] perf: add LIBNUMA_DEFINES Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 09/25] libsndfile: Security Advisory - libsndfile - CVE-2014-9496 Armin Kuster
` (17 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Robert Yang <liezhi.yang@windriver.com>
Fixed:
ERROR: Build of do_populate_lic failed
ERROR: Traceback (most recent call last):
File "bitbake/lib/bb/build.py", line 497, in exec_task
return _exec_task(fn, task, d, quieterr)
File "bitbake/lib/bb/build.py", line 437, in _exec_task
exec_func(func, localdata)
File "bitbake/lib/bb/build.py", line 212, in exec_func
exec_func_python(func, d, runfile, cwd=adir)
File "/home/nxadm/nx/ala-blade44.1/builds-2015-03-09-163005/qemuppc_world_oe_bp/bitbake/lib/bb/build.py", line 237, in exec_func_python
os.chdir(cwd)
OSError: [Errno 2] No such file or directory: 'bitbake_build/tmp/work/ppc7400-wrs-linux/taglib/1.9.1-r0/build'
When running setscene, the cwd is $B which maybe removed by
autotools.bbclass or cmake.bbclass when rebuild.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster@smtp.gmail.com>
---
meta/classes/license.bbclass | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/classes/license.bbclass b/meta/classes/license.bbclass
index 14d3107..d03b9eb 100644
--- a/meta/classes/license.bbclass
+++ b/meta/classes/license.bbclass
@@ -389,6 +389,8 @@ do_populate_lic[sstate-outputdirs] = "${LICENSE_DIRECTORY}/"
ROOTFS_POSTPROCESS_COMMAND_prepend = "write_package_manifest; license_create_manifest; "
+do_populate_lic_setscene[dirs] = "${LICSSTATEDIR}/${PN}"
+do_populate_lic_setscene[cleandirs] = "${LICSSTATEDIR}"
python do_populate_lic_setscene () {
sstate_setscene(d)
}
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 09/25] libsndfile: Security Advisory - libsndfile - CVE-2014-9496
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (7 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 08/25] license.bbclass: set dirs for do_populate_lic_setscene Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 10/25] qt4: add patch for BMP denial-of-service vulnerability Armin Kuster
` (16 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
Backport two commits from libsndfile upstream to fix a segfault and
two potential buffer overflows.
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch | 211 +++++++++++++++++++++
...c-Fix-two-potential-buffer-read-overflows.patch | 49 +++++
.../libsndfile/libsndfile1_1.0.25.bb | 5 +-
3 files changed, 264 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch
create mode 100644 meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch
diff --git a/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch b/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch
new file mode 100644
index 0000000..cd48710
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch
@@ -0,0 +1,211 @@
+From 9341e9c6e70cd3ad76c901c3cf052d4cb52fd827 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Thu, 27 Jun 2013 18:04:03 +1000
+Subject: [PATCH] src/sd2.c : Fix segfault in SD2 RSRC parser.
+
+(Upstream commit 9341e9c6e70cd3ad76c901c3cf052d4cb52fd827)
+
+A specially crafted resource fork for an SD2 file can cause
+the SD2 RSRC parser to read data from outside a dynamically
+defined buffer. The data that is read is converted into a
+short or int and used during further processing.
+
+Since no write occurs, this is unlikely to be exploitable.
+
+Bug reported by The Mayhem Team from Cylab, Carnegie Mellon
+Univeristy. Paper is:
+http://users.ece.cmu.edu/~arebert/papers/mayhem-oakland-12.pdf
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+---
+ src/sd2.c | 93 ++++++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 55 insertions(+), 38 deletions(-)
+
+diff --git a/src/sd2.c b/src/sd2.c
+index 35ce36b..6be150c 100644
+--- a/src/sd2.c
++++ b/src/sd2.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 2001-2011 Erik de Castro Lopo <erikd@mega-nerd.com>
++** Copyright (C) 2001-2013 Erik de Castro Lopo <erikd@mega-nerd.com>
+ ** Copyright (C) 2004 Paavo Jumppanen
+ **
+ ** This program is free software; you can redistribute it and/or modify
+@@ -371,44 +371,61 @@ sd2_write_rsrc_fork (SF_PRIVATE *psf, int UNUSED (calc_length))
+ */
+
+ static inline int
+-read_char (const unsigned char * data, int offset)
+-{ return data [offset] ;
+-} /* read_char */
++read_rsrc_char (const SD2_RSRC *prsrc, int offset)
++{ const unsigned char * data = prsrc->rsrc_data ;
++ if (offset < 0 || offset >= prsrc->rsrc_len)
++ return 0 ;
++ return data [offset] ;
++} /* read_rsrc_char */
+
+ static inline int
+-read_short (const unsigned char * data, int offset)
+-{ return (data [offset] << 8) + data [offset + 1] ;
+-} /* read_short */
++read_rsrc_short (const SD2_RSRC *prsrc, int offset)
++{ const unsigned char * data = prsrc->rsrc_data ;
++ if (offset < 0 || offset + 1 >= prsrc->rsrc_len)
++ return 0 ;
++ return (data [offset] << 8) + data [offset + 1] ;
++} /* read_rsrc_short */
+
+ static inline int
+-read_int (const unsigned char * data, int offset)
+-{ return (data [offset] << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ;
+-} /* read_int */
++read_rsrc_int (const SD2_RSRC *prsrc, int offset)
++{ const unsigned char * data = prsrc->rsrc_data ;
++ if (offset < 0 || offset + 3 >= prsrc->rsrc_len)
++ return 0 ;
++ return (data [offset] << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ;
++} /* read_rsrc_int */
+
+ static inline int
+-read_marker (const unsigned char * data, int offset)
+-{
++read_rsrc_marker (const SD2_RSRC *prsrc, int offset)
++{ const unsigned char * data = prsrc->rsrc_data ;
++
++ if (offset < 0 || offset + 3 >= prsrc->rsrc_len)
++ return 0 ;
++
+ if (CPU_IS_BIG_ENDIAN)
+ return (data [offset] << 24) + (data [offset + 1] << 16) + (data [offset + 2] << 8) + data [offset + 3] ;
+- else if (CPU_IS_LITTLE_ENDIAN)
++ if (CPU_IS_LITTLE_ENDIAN)
+ return data [offset] + (data [offset + 1] << 8) + (data [offset + 2] << 16) + (data [offset + 3] << 24) ;
+- else
+- return 0x666 ;
+-} /* read_marker */
++
++ return 0 ;
++} /* read_rsrc_marker */
+
+ static void
+-read_str (const unsigned char * data, int offset, char * buffer, int buffer_len)
+-{ int k ;
++read_rsrc_str (const SD2_RSRC *prsrc, int offset, char * buffer, int buffer_len)
++{ const unsigned char * data = prsrc->rsrc_data ;
++ int k ;
+
+ memset (buffer, 0, buffer_len) ;
+
++ if (offset < 0 || offset + buffer_len >= prsrc->rsrc_len)
++ return ;
++
+ for (k = 0 ; k < buffer_len - 1 ; k++)
+ { if (psf_isprint (data [offset + k]) == 0)
+ return ;
+ buffer [k] = data [offset + k] ;
+ } ;
+ return ;
+-} /* read_str */
++} /* read_rsrc_str */
+
+ static int
+ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
+@@ -435,17 +452,17 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
+ /* Reset the header storage because we have changed to the rsrcdes. */
+ psf->headindex = psf->headend = rsrc.rsrc_len ;
+
+- rsrc.data_offset = read_int (rsrc.rsrc_data, 0) ;
+- rsrc.map_offset = read_int (rsrc.rsrc_data, 4) ;
+- rsrc.data_length = read_int (rsrc.rsrc_data, 8) ;
+- rsrc.map_length = read_int (rsrc.rsrc_data, 12) ;
++ rsrc.data_offset = read_rsrc_int (&rsrc, 0) ;
++ rsrc.map_offset = read_rsrc_int (&rsrc, 4) ;
++ rsrc.data_length = read_rsrc_int (&rsrc, 8) ;
++ rsrc.map_length = read_rsrc_int (&rsrc, 12) ;
+
+ if (rsrc.data_offset == 0x51607 && rsrc.map_offset == 0x20000)
+ { psf_log_printf (psf, "Trying offset of 0x52 bytes.\n") ;
+- rsrc.data_offset = read_int (rsrc.rsrc_data, 0x52 + 0) + 0x52 ;
+- rsrc.map_offset = read_int (rsrc.rsrc_data, 0x52 + 4) + 0x52 ;
+- rsrc.data_length = read_int (rsrc.rsrc_data, 0x52 + 8) ;
+- rsrc.map_length = read_int (rsrc.rsrc_data, 0x52 + 12) ;
++ rsrc.data_offset = read_rsrc_int (&rsrc, 0x52 + 0) + 0x52 ;
++ rsrc.map_offset = read_rsrc_int (&rsrc, 0x52 + 4) + 0x52 ;
++ rsrc.data_length = read_rsrc_int (&rsrc, 0x52 + 8) ;
++ rsrc.map_length = read_rsrc_int (&rsrc, 0x52 + 12) ;
+ } ;
+
+ psf_log_printf (psf, " data offset : 0x%04X\n map offset : 0x%04X\n"
+@@ -488,7 +505,7 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
+ goto parse_rsrc_fork_cleanup ;
+ } ;
+
+- rsrc.string_offset = rsrc.map_offset + read_short (rsrc.rsrc_data, rsrc.map_offset + 26) ;
++ rsrc.string_offset = rsrc.map_offset + read_rsrc_short (&rsrc, rsrc.map_offset + 26) ;
+ if (rsrc.string_offset > rsrc.rsrc_len)
+ { psf_log_printf (psf, "Bad string offset (%d).\n", rsrc.string_offset) ;
+ error = SFE_SD2_BAD_RSRC ;
+@@ -497,7 +514,7 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
+
+ rsrc.type_offset = rsrc.map_offset + 30 ;
+
+- rsrc.type_count = read_short (rsrc.rsrc_data, rsrc.map_offset + 28) + 1 ;
++ rsrc.type_count = read_rsrc_short (&rsrc, rsrc.map_offset + 28) + 1 ;
+ if (rsrc.type_count < 1)
+ { psf_log_printf (psf, "Bad type count.\n") ;
+ error = SFE_SD2_BAD_RSRC ;
+@@ -513,11 +530,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
+
+ rsrc.str_index = -1 ;
+ for (k = 0 ; k < rsrc.type_count ; k ++)
+- { marker = read_marker (rsrc.rsrc_data, rsrc.type_offset + k * 8) ;
++ { marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
+
+ if (marker == STR_MARKER)
+ { rsrc.str_index = k ;
+- rsrc.str_count = read_short (rsrc.rsrc_data, rsrc.type_offset + k * 8 + 4) + 1 ;
++ rsrc.str_count = read_rsrc_short (&rsrc, rsrc.type_offset + k * 8 + 4) + 1 ;
+ error = parse_str_rsrc (psf, &rsrc) ;
+ goto parse_rsrc_fork_cleanup ;
+ } ;
+@@ -549,26 +566,26 @@ parse_str_rsrc (SF_PRIVATE *psf, SD2_RSRC * rsrc)
+ for (k = 0 ; data_offset + data_len < rsrc->rsrc_len ; k++)
+ { int slen ;
+
+- slen = read_char (rsrc->rsrc_data, str_offset) ;
+- read_str (rsrc->rsrc_data, str_offset + 1, name, SF_MIN (SIGNED_SIZEOF (name), slen + 1)) ;
++ slen = read_rsrc_char (rsrc, str_offset) ;
++ read_rsrc_str (rsrc, str_offset + 1, name, SF_MIN (SIGNED_SIZEOF (name), slen + 1)) ;
+ str_offset += slen + 1 ;
+
+- rsrc_id = read_short (rsrc->rsrc_data, rsrc->item_offset + k * 12) ;
++ rsrc_id = read_rsrc_short (rsrc, rsrc->item_offset + k * 12) ;
+
+- data_offset = rsrc->data_offset + read_int (rsrc->rsrc_data, rsrc->item_offset + k * 12 + 4) ;
++ data_offset = rsrc->data_offset + read_rsrc_int (rsrc, rsrc->item_offset + k * 12 + 4) ;
+ if (data_offset < 0 || data_offset > rsrc->rsrc_len)
+ { psf_log_printf (psf, "Exiting parser on data offset of %d.\n", data_offset) ;
+ break ;
+ } ;
+
+- data_len = read_int (rsrc->rsrc_data, data_offset) ;
++ data_len = read_rsrc_int (rsrc, data_offset) ;
+ if (data_len < 0 || data_len > rsrc->rsrc_len)
+ { psf_log_printf (psf, "Exiting parser on data length of %d.\n", data_len) ;
+ break ;
+ } ;
+
+- slen = read_char (rsrc->rsrc_data, data_offset + 4) ;
+- read_str (rsrc->rsrc_data, data_offset + 5, value, SF_MIN (SIGNED_SIZEOF (value), slen + 1)) ;
++ slen = read_rsrc_char (rsrc, data_offset + 4) ;
++ read_rsrc_str (rsrc, data_offset + 5, value, SF_MIN (SIGNED_SIZEOF (value), slen + 1)) ;
+
+ psf_log_printf (psf, " 0x%04x %4d %4d %3d '%s'\n", data_offset, rsrc_id, data_len, slen, value) ;
+
+--
+1.7.9.5
+
diff --git a/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch b/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch
new file mode 100644
index 0000000..fa6473d
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/files/0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch
@@ -0,0 +1,49 @@
+From dbe14f00030af5d3577f4cabbf9861db59e9c378 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Thu, 25 Dec 2014 19:23:12 +1100
+Subject: [PATCH] src/sd2.c : Fix two potential buffer read overflows.
+
+(Upstream commit dbe14f00030af5d3577f4cabbf9861db59e9c378)
+
+Closes: https://github.com/erikd/libsndfile/issues/93
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+---
+ src/sd2.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/sd2.c b/src/sd2.c
+index 0b4e5af..a70a1f1 100644
+--- a/src/sd2.c
++++ b/src/sd2.c
+@@ -517,6 +517,11 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
+
+ rsrc.type_offset = rsrc.map_offset + 30 ;
+
++ if (rsrc.map_offset + 28 > rsrc.rsrc_len)
++ { psf_log_printf (psf, "Bad map offset.\n") ;
++ goto parse_rsrc_fork_cleanup ;
++ } ;
++
+ rsrc.type_count = read_rsrc_short (&rsrc, rsrc.map_offset + 28) + 1 ;
+ if (rsrc.type_count < 1)
+ { psf_log_printf (psf, "Bad type count.\n") ;
+@@ -533,7 +538,12 @@ sd2_parse_rsrc_fork (SF_PRIVATE *psf)
+
+ rsrc.str_index = -1 ;
+ for (k = 0 ; k < rsrc.type_count ; k ++)
+- { marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
++ { if (rsrc.type_offset + k * 8 > rsrc.rsrc_len)
++ { psf_log_printf (psf, "Bad rsrc marker.\n") ;
++ goto parse_rsrc_fork_cleanup ;
++ } ;
++
++ marker = read_rsrc_marker (&rsrc, rsrc.type_offset + k * 8) ;
+
+ if (marker == STR_MARKER)
+ { rsrc.str_index = k ;
+--
+1.7.9.5
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb
index 9246298..3e02f4e 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb
@@ -6,7 +6,10 @@ SECTION = "libs/multimedia"
LICENSE = "LGPLv2.1"
PR = "r2"
-SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz"
+SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
+ file://0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch \
+ file://0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch \
+"
SRC_URI[md5sum] = "e2b7bb637e01022c7d20f95f9c3990a2"
SRC_URI[sha256sum] = "59016dbd326abe7e2366ded5c344c853829bebfd1702ef26a07ef662d6aa4882"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 10/25] qt4: add patch for BMP denial-of-service vulnerability
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (8 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 09/25] libsndfile: Security Advisory - libsndfile - CVE-2014-9496 Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 11/25] ppp: Security Advisory - CVE-2015-3310 Armin Kuster
` (15 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Jonathan Liu <net147@gmail.com>
did not include aarch64 patches.
For further details, see:
https://bugreports.qt.io/browse/QTBUG-44547
(From OE-Core rev: 840fccf8ec7691f03deeb167487cde941ebea8bf)
Signed-off-by: Jonathan Liu <net147@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Conflicts:
meta/recipes-qt/qt4/qt4-4.8.6.inc
---
meta/recipes-qt/qt4/qt4-4.8.6.inc | 1 +
...ion-by-zero-when-processing-malformed-BMP.patch | 44 ++++++++++++++++++++++
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-qt/qt4/qt4-4.8.6/0034-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
diff --git a/meta/recipes-qt/qt4/qt4-4.8.6.inc b/meta/recipes-qt/qt4/qt4-4.8.6.inc
index ae6692b..3134214 100644
--- a/meta/recipes-qt/qt4/qt4-4.8.6.inc
+++ b/meta/recipes-qt/qt4/qt4-4.8.6.inc
@@ -22,6 +22,7 @@ SRC_URI = "http://download.qt-project.org/official_releases/qt/4.8/${PV}/qt-ever
file://0019-Fixes-for-gcc-4.7.0-particularly-on-qemux86.patch \
file://0027-tools.pro-disable-qmeegographicssystemhelper.patch \
file://0028-Don-t-crash-on-broken-GIF-images.patch \
+ file://0034-Fix-a-division-by-zero-when-processing-malformed-BMP.patch \
file://g++.conf \
file://linux.conf \
"
diff --git a/meta/recipes-qt/qt4/qt4-4.8.6/0034-Fix-a-division-by-zero-when-processing-malformed-BMP.patch b/meta/recipes-qt/qt4/qt4-4.8.6/0034-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
new file mode 100644
index 0000000..8ff4ad5
--- /dev/null
+++ b/meta/recipes-qt/qt4/qt4-4.8.6/0034-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
@@ -0,0 +1,44 @@
+From e50aa2252cdd5cb53eef7d8c4503c7edff634f68 Mon Sep 17 00:00:00 2001
+From: "Richard J. Moore" <rich@kde.org>
+Date: Tue, 24 Feb 2015 19:02:35 +0000
+Subject: [PATCH] Fix a division by zero when processing malformed BMP files.
+
+This fixes a division by 0 when processing a maliciously crafted BMP
+file. No impact beyond DoS.
+
+Backport of 661f6bfd032dacc62841037732816a583640e187
+
+Upstream-Status: Backport
+
+Task-number: QTBUG-44547
+Change-Id: I43f06e752b11cb50669101460902a82b885ae618
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+Signed-off-by: Jonathan Liu <net147@gmail.com>
+---
+ src/gui/image/qbmphandler.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index b22e842..30fa9e0 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -319,10 +319,16 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ }
+ } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
+ red_shift = calc_shift(red_mask);
++ if (((red_mask >> red_shift) + 1) == 0)
++ return false;
+ red_scale = 256 / ((red_mask >> red_shift) + 1);
+ green_shift = calc_shift(green_mask);
++ if (((green_mask >> green_shift) + 1) == 0)
++ return false;
+ green_scale = 256 / ((green_mask >> green_shift) + 1);
+ blue_shift = calc_shift(blue_mask);
++ if (((blue_mask >> blue_shift) + 1) == 0)
++ return false;
+ blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+ } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+ blue_mask = 0x000000ff;
+--
+2.3.1
+
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 11/25] ppp: Security Advisory - CVE-2015-3310
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (9 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 10/25] qt4: add patch for BMP denial-of-service vulnerability Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 12/25] qemu: fix CVE-2015-3456 Armin Kuster
` (14 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Roy Li <rongqing.li@windriver.com>
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3310
Buffer overflow in the rc_mksid function in plugins/radius/util.c in
Paul's PPP Package (ppp) 2.4.6 and earlier, when the PID for pppd is
greater than 65535, allows remote attackers to cause a denial of
service (crash) via a start accounting message to the RADIUS server.
oe-core is using ppp 2.4.7, and this CVE say ppp 2.4.7 was not
effected, but I found this buggy codes are same between 2.4.6 and
2.4.7, and 2.4.7 should have this issue.
(From OE-Core rev: 5b549c6d73e91fdbd0b618a752d618deb1449ef9)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../ppp/ppp/fix-CVE-2015-3310.patch | 29 ++++++++++++++++++++++
meta/recipes-connectivity/ppp/ppp_2.4.6.bb | 1 +
2 files changed, 30 insertions(+)
create mode 100644 meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch
diff --git a/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch b/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch
new file mode 100644
index 0000000..c9edb30
--- /dev/null
+++ b/meta/recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch
@@ -0,0 +1,29 @@
+ppp: Buffer overflow in radius plugin
+
+From: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;bug=782450
+
+Upstream-Status: Backport
+
+On systems with more than 65535 processes running, pppd aborts when
+sending a "start" accounting message to the RADIUS server because of a
+buffer overflow in rc_mksid.
+
+The process id is used in rc_mksid to generate a pseudo-unique string,
+assuming that the hex representation of the pid will be at most 4
+characters (FFFF). __sprintf_chk(), used when compiling with
+optimization levels greater than 0 and FORTIFY_SOURCE, detects the
+buffer overflow and makes pppd crash.
+
+The following patch fixes the problem.
+
+--- ppp-2.4.6.orig/pppd/plugins/radius/util.c
++++ ppp-2.4.6/pppd/plugins/radius/util.c
+@@ -77,7 +77,7 @@ rc_mksid (void)
+ static unsigned short int cnt = 0;
+ sprintf (buf, "%08lX%04X%02hX",
+ (unsigned long int) time (NULL),
+- (unsigned int) getpid (),
++ (unsigned int) getpid () % 65535,
+ cnt & 0xFF);
+ cnt++;
+ return buf;
diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.6.bb b/meta/recipes-connectivity/ppp/ppp_2.4.6.bb
index 8bc3672..b6b4048 100644
--- a/meta/recipes-connectivity/ppp/ppp_2.4.6.bb
+++ b/meta/recipes-connectivity/ppp/ppp_2.4.6.bb
@@ -29,6 +29,7 @@ SRC_URI = "http://ppp.samba.org/ftp/ppp/ppp-${PV}.tar.gz \
file://provider \
file://0001-ppp-Fix-compilation-errors-in-Makefile.patch \
file://ppp@.service \
+ file://fix-CVE-2015-3310.patch \
"
SRC_URI[md5sum] = "3434d2cc9327167a0723aaaa8670083b"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 12/25] qemu: fix CVE-2015-3456
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (10 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 11/25] ppp: Security Advisory - CVE-2015-3310 Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 13/25] glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow Armin Kuster
` (13 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix qemuc CVE issue CVE-2015-3456.
Refs:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
(From OE-Core rev: 1d9e6ef173bea8181fabc6abf0dbb53990b15fd8)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Conflicts:
meta/recipes-devtools/qemu/qemu_2.1.0.bb
---
.../qemu/qemu/qemu-CVE-2015-3456.patch | 92 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.1.0.bb | 1 +
2 files changed, 93 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
new file mode 100644
index 0000000..f05441f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
@@ -0,0 +1,92 @@
+qemu: CVE-2015-3456
+
+the patch comes from:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
+http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 490d127..045459e 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+ FDrive *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+ FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+ FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
+--
+1.7.9.5
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
index a82d052..d0ce744 100644
--- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
@@ -7,6 +7,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://qemu-enlarge-env-entry-size.patch \
file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
file://0001-Back-porting-security-fix-CVE-2014-5388.patch \
+ file://qemu-CVE-2015-3456.patch \
"
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 13/25] glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (11 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 12/25] qemu: fix CVE-2015-3456 Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 14/25] gpgme: fix CVE-2014-3564 Armin Kuster
` (12 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Haris Okanovic <haris.okanovic@ni.com>
Backport Arjun Shankar's patch for CVE-2015-1781:
A buffer overflow flaw was found in the way glibc's gethostbyname_r() and
other related functions computed the size of a buffer when passed a
misaligned buffer as input. An attacker able to make an application call
any of these functions with a misaligned buffer could use this flaw to
crash the application or, potentially, execute arbitrary code with the
permissions of the user running the application.
https://sourceware.org/bugzilla/show_bug.cgi?id=18287
(From OE-Core rev: c0f0b6e6ef1edc0a9f9e1ceffb1cdbbef2e409c6)
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Reviewed-by: Ben Shelton <ben.shelton@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...81-resolv-nss_dns-dns-host.c-buffer-overf.patch | 43 ++++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.20.bb | 3 ++
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
new file mode 100644
index 0000000..c02fa12
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
@@ -0,0 +1,43 @@
+From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001
+From: Arjun Shankar <arjun.is@lostca.se>
+Date: Tue, 21 Apr 2015 14:06:31 +0200
+Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow
+ [BZ#18287]
+
+Upstream-Status: Backport
+https://sourceware.org/bugzilla/show_bug.cgi?id=18287
+---
+ resolv/nss_dns/dns-host.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index b16b0ddf110907a0086b86612e544d3dc75182b8..d8c55791591750567f00e616e5d7b378dec934a0 100644
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -608,21 +608,22 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
+ int n, ancount, qdcount;
+ int haveanswer, had_error;
+ char *bp, **ap, **hap;
+ char tbuf[MAXDNAME];
+ const char *tname;
+ int (*name_ok) (const char *);
+ u_char packtmp[NS_MAXCDNAME];
+ int have_to_map = 0;
+ uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+ buffer += pad;
+- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
++ buflen = buflen > pad ? buflen - pad : 0;
++ if (__glibc_unlikely (buflen < sizeof (struct host_data)))
+ {
+ /* The buffer is too small. */
+ too_small:
+ *errnop = ERANGE;
+ *h_errnop = NETDB_INTERNAL;
+ return NSS_STATUS_TRYAGAIN;
+ }
+ host_data = (struct host_data *) buffer;
+ linebuflen = buflen - sizeof (struct host_data);
+ if (buflen - sizeof (struct host_data) != linebuflen)
+--
+2.2.2
+
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index 8a8b296..a0736cd 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -40,6 +40,9 @@ EGLIBCPATCHES = "\
# file://eglibc-install-pic-archives.patch \
# file://initgroups_keys.patch \
#
+CVEPATCHES = "\
+ file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
+"
CVEPATCHES = "\
file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 14/25] gpgme: fix CVE-2014-3564
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (12 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 13/25] glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 15/25] e2fsprogs: install populate-extfs.sh Armin Kuster
` (11 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix CVE-2014-3564.
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f
(From OE-Core rev: 421e21b08a6a32db88aaf46033ca503a99e49b74)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Conflicts:
meta/recipes-support/gpgme/gpgme_1.4.3.bb
---
.../gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch | 56 ++++++++++++++++++++++
meta/recipes-support/gpgme/gpgme_1.4.3.bb | 4 +-
2 files changed, 59 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
diff --git a/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
new file mode 100644
index 0000000..c728f58
--- /dev/null
+++ b/meta/recipes-support/gpgme/gpgme-1.4.3/gpgme-fix-CVE-2014-3564.patch
@@ -0,0 +1,56 @@
+Upstream-Status: Backport
+
+Backport patch to fix CVE-2014-3564.
+
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;a=commit;h=2cbd76f7911fc215845e89b50d6af5ff4a83dd77
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 2cbd76f7911fc215845e89b50d6af5ff4a83dd77 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 30 Jul 2014 11:04:55 +0200
+Subject: [PATCH 1/1] Fix possible realloc overflow for gpgsm and uiserver
+ engines.
+
+After a realloc (realloc is also used for initial alloc) the allocated
+size if the buffer is not correctly recorded. Thus an overflow can be
+introduced by receiving data with different line lengths in a specific
+order. This is not easy exploitable because libassuan constructs the
+line. However a crash has been reported and thus it might be possible
+to constructs an exploit.
+
+CVE-id: CVE-2014-3564
+Reported-by: Tomáš Trnka
+---
+ src/engine-gpgsm.c | 2 +-
+ src/engine-uiserver.c | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
+index 8ec1598..3a83757 100644
+--- a/src/engine-gpgsm.c
++++ b/src/engine-gpgsm.c
+@@ -836,7 +836,7 @@ status_handler (void *opaque, int fd)
+ else
+ {
+ *aline = newline;
+- gpgsm->colon.attic.linesize += linelen + 1;
++ gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
+ }
+ }
+ if (!err)
+diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
+index 2738c36..a7184b7 100644
+--- a/src/engine-uiserver.c
++++ b/src/engine-uiserver.c
+@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
+ else
+ {
+ *aline = newline;
+- uiserver->colon.attic.linesize += linelen + 1;
++ uiserver->colon.attic.linesize = *alinelen + linelen + 1;
+ }
+ }
+ if (!err)
+--
+2.1.4
diff --git a/meta/recipes-support/gpgme/gpgme_1.4.3.bb b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
index ca1e5f9..f16677e 100644
--- a/meta/recipes-support/gpgme/gpgme_1.4.3.bb
+++ b/meta/recipes-support/gpgme/gpgme_1.4.3.bb
@@ -11,7 +11,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
SRC_URI = "ftp://ftp.gnupg.org/gcrypt/gpgme/gpgme-${PV}.tar.bz2 \
file://disable_gpgconf_check.patch \
- file://gpgme.pc"
+ file://gpgme.pc \
+ file://gpgme-fix-CVE-2014-3564.patch \
+ "
SRC_URI[md5sum] = "334e524cffa8af4e2f43ae8afe585672"
SRC_URI[sha256sum] = "2d1cc12411753752d9c5b9037e6fd3fd363517af720154768cc7b46b60120496"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 15/25] e2fsprogs: install populate-extfs.sh
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (13 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 14/25] gpgme: fix CVE-2014-3564 Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 16/25] mesa: update --with-llvm-shared-libs configure option Armin Kuster
` (10 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
* install populate-extfs.sh from contrib, be aware that in order
to use it you need to set DEBUGFS shell variable, otherwise it will
try to use debugfs from relative path which is almost always
incorrect:
CONTRIB_DIR=$(dirname $(readlink -f $0))
DEBUGFS="$CONTRIB_DIR/../debugfs/debugfs"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
index 70ccdfd..95c612c 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bb
@@ -54,6 +54,8 @@ do_install () {
oe_multilib_header ext2fs/ext2_types.h
install -d ${D}${base_bindir}
mv ${D}${bindir}/chattr ${D}${base_bindir}/chattr.e2fsprogs
+
+ install -v -m 755 ${S}/contrib/populate-extfs.sh ${D}${base_sbindir}/
}
do_install_append_class-target() {
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 16/25] mesa: update --with-llvm-shared-libs configure option
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (14 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 15/25] e2fsprogs: install populate-extfs.sh Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 17/25] test-dependencies.sh: strip only .bb suffix Armin Kuster
` (9 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Andre McCurdy <armccurdy@gmail.com>
As per the Mesa 10.2 release notes, "--with-llvm-shared-libs"
has been renamed to "--enable-llvm-shared-libs".
http://www.mesa3d.org/relnotes/10.2.html
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-graphics/mesa/mesa.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-graphics/mesa/mesa.inc b/meta/recipes-graphics/mesa/mesa.inc
index 1857f3c..658bd3a 100644
--- a/meta/recipes-graphics/mesa/mesa.inc
+++ b/meta/recipes-graphics/mesa/mesa.inc
@@ -62,7 +62,7 @@ PACKAGECONFIG[gallium] = "--with-gallium-drivers=${GALLIUMDRIVERS}, --witho
PACKAGECONFIG[gallium-egl] = "--enable-gallium-egl, --disable-gallium-egl"
PACKAGECONFIG[gallium-gbm] = "--enable-gallium-gbm, --disable-gallium-gbm"
MESA_LLVM_RELEASE ?= "3.3"
-PACKAGECONFIG[gallium-llvm] = "--enable-gallium-llvm --with-llvm-shared-libs, --disable-gallium-llvm, llvm${MESA_LLVM_RELEASE} \
+PACKAGECONFIG[gallium-llvm] = "--enable-gallium-llvm --enable-llvm-shared-libs, --disable-gallium-llvm, llvm${MESA_LLVM_RELEASE} \
${@'elfutils' if ${GALLIUMDRIVERS_LLVM33_ENABLED} else ''}"
export WANT_LLVM_RELEASE = "${MESA_LLVM_RELEASE}"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 17/25] test-dependencies.sh: strip only .bb suffix
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (15 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 16/25] mesa: update --with-llvm-shared-libs configure option Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 18/25] unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315 Armin Kuster
` (8 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <Martin.Jansa@gmail.com>
* we were stripping too much when stripping recipe name from line like this:
ERROR: Task 12016 (/some/patch/something.dot.bar.bb, do_fetch) failed with exit code '1'
where the recipe name contains dots and doesn't end with _<version>.bb
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
scripts/test-dependencies.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/test-dependencies.sh b/scripts/test-dependencies.sh
index 2bcc2ca..0170947 100755
--- a/scripts/test-dependencies.sh
+++ b/scripts/test-dependencies.sh
@@ -141,7 +141,7 @@ build_all() {
bitbake -k $targets 2>&1 | tee -a ${OUTPUT1}/complete.log
RESULT+=${PIPESTATUS[0]}
grep "ERROR: Task.*failed" ${OUTPUT1}/complete.log > ${OUTPUT1}/failed-tasks.log
- cat ${OUTPUT1}/failed-tasks.log | sed 's@.*/@@g; s@_.*@@g; s@\..*@@g' | sort -u > ${OUTPUT1}/failed-recipes.log
+ cat ${OUTPUT1}/failed-tasks.log | sed 's@.*/@@g; s@_.*@@g; s@\.bb, .*@@g' | sort -u > ${OUTPUT1}/failed-recipes.log
}
build_every_recipe() {
@@ -178,7 +178,7 @@ build_every_recipe() {
RESULT+=${RECIPE_RESULT}
mv ${OUTPUTB}/${recipe}.log ${OUTPUTB}/failed/
grep "ERROR: Task.*failed" ${OUTPUTB}/failed/${recipe}.log | tee -a ${OUTPUTB}/failed-tasks.log
- grep "ERROR: Task.*failed" ${OUTPUTB}/failed/${recipe}.log | sed 's@.*/@@g; s@_.*@@g; s@\..*@@g' >> ${OUTPUTB}/failed-recipes.log
+ grep "ERROR: Task.*failed" ${OUTPUTB}/failed/${recipe}.log | sed 's@.*/@@g; s@_.*@@g; s@\.bb, .*@@g' >> ${OUTPUTB}/failed-recipes.log
# and append also ${recipe} in case the failed task was from some dependency
echo ${recipe} >> ${OUTPUTB}/failed-recipes.log
else
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 18/25] unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (16 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 17/25] test-dependencies.sh: strip only .bb suffix Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 19/25] unzip: fix four CVE defects Armin Kuster
` (7 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Roy Li <rongqing.li@windriver.com>
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9636
unzip 6.0 allows remote attackers to cause a denial of service
(out-of-bounds read or write and crash) via an extra field with
an uncompressed size smaller than the compressed field size in a
zip archive that advertises STORED method compression.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1315
Buffer overflow in the charset_to_intern function in unix/unix.c in
Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code
via a crafted string, as demonstrated by converting a string from CP866
to UTF-8.
(From OE-Core rev: f86a178fd7036541a45bf31a46bddf634c133802)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch | 402 +++++++++++++++++++++
.../unzip/unzip/unzip-6.0_overflow3.diff | 45 +++
meta/recipes-extended/unzip/unzip_6.0.bb | 5 +-
3 files changed, 451 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
create mode 100644 meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
diff --git a/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch b/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
new file mode 100644
index 0000000..9ba3c1d
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
@@ -0,0 +1,402 @@
+From: Giovanni Scafora <giovanni.archlinux.org>
+Subject: unzip files encoded with non-latin, non-unicode file names
+Last-Update: 2015-02-11
+
+Upstream-Status: Backport
+
+Updated 2015-02-11 by Marc Deslauriers <marc.deslauriers@canonical.com>
+to fix buffer overflow in charset_to_intern()
+
+Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
+
+Index: unzip-6.0/unix/unix.c
+===================================================================
+--- unzip-6.0.orig/unix/unix.c 2015-02-11 08:46:43.675324290 -0500
++++ unzip-6.0/unix/unix.c 2015-02-11 09:18:04.902081319 -0500
+@@ -30,6 +30,9 @@
+ #define UNZIP_INTERNAL
+ #include "unzip.h"
+
++#include <iconv.h>
++#include <langinfo.h>
++
+ #ifdef SCO_XENIX
+ # define SYSNDIR
+ #else /* SCO Unix, AIX, DNIX, TI SysV, Coherent 4.x, ... */
+@@ -1874,3 +1877,102 @@
+ }
+ }
+ #endif /* QLZIP */
++
++
++typedef struct {
++ char *local_charset;
++ char *archive_charset;
++} CHARSET_MAP;
++
++/* A mapping of local <-> archive charsets used by default to convert filenames
++ * of DOS/Windows Zip archives. Currently very basic. */
++static CHARSET_MAP dos_charset_map[] = {
++ { "ANSI_X3.4-1968", "CP850" },
++ { "ISO-8859-1", "CP850" },
++ { "CP1252", "CP850" },
++ { "UTF-8", "CP866" },
++ { "KOI8-R", "CP866" },
++ { "KOI8-U", "CP866" },
++ { "ISO-8859-5", "CP866" }
++};
++
++char OEM_CP[MAX_CP_NAME] = "";
++char ISO_CP[MAX_CP_NAME] = "";
++
++/* Try to guess the default value of OEM_CP based on the current locale.
++ * ISO_CP is left alone for now. */
++void init_conversion_charsets()
++{
++ const char *local_charset;
++ int i;
++
++ /* Make a guess only if OEM_CP not already set. */
++ if(*OEM_CP == '\0') {
++ local_charset = nl_langinfo(CODESET);
++ for(i = 0; i < sizeof(dos_charset_map)/sizeof(CHARSET_MAP); i++)
++ if(!strcasecmp(local_charset, dos_charset_map[i].local_charset)) {
++ strncpy(OEM_CP, dos_charset_map[i].archive_charset,
++ sizeof(OEM_CP));
++ break;
++ }
++ }
++}
++
++/* Convert a string from one encoding to the current locale using iconv().
++ * Be as non-intrusive as possible. If error is encountered during covertion
++ * just leave the string intact. */
++static void charset_to_intern(char *string, char *from_charset)
++{
++ iconv_t cd;
++ char *s,*d, *buf;
++ size_t slen, dlen, buflen;
++ const char *local_charset;
++
++ if(*from_charset == '\0')
++ return;
++
++ buf = NULL;
++ local_charset = nl_langinfo(CODESET);
++
++ if((cd = iconv_open(local_charset, from_charset)) == (iconv_t)-1)
++ return;
++
++ slen = strlen(string);
++ s = string;
++
++ /* Make sure OUTBUFSIZ + 1 never ends up smaller than FILNAMSIZ
++ * as this function also gets called with G.outbuf in fileio.c
++ */
++ buflen = FILNAMSIZ;
++ if (OUTBUFSIZ + 1 < FILNAMSIZ)
++ {
++ buflen = OUTBUFSIZ + 1;
++ }
++
++ d = buf = malloc(buflen);
++ if(!d)
++ goto cleanup;
++
++ bzero(buf,buflen);
++ dlen = buflen - 1;
++
++ if(iconv(cd, &s, &slen, &d, &dlen) == (size_t)-1)
++ goto cleanup;
++ strncpy(string, buf, buflen);
++
++ cleanup:
++ free(buf);
++ iconv_close(cd);
++}
++
++/* Convert a string from OEM_CP to the current locale charset. */
++inline void oem_intern(char *string)
++{
++ charset_to_intern(string, OEM_CP);
++}
++
++/* Convert a string from ISO_CP to the current locale charset. */
++inline void iso_intern(char *string)
++{
++ charset_to_intern(string, ISO_CP);
++}
+Index: unzip-6.0/unix/unxcfg.h
+===================================================================
+--- unzip-6.0.orig/unix/unxcfg.h 2015-02-11 08:46:43.675324290 -0500
++++ unzip-6.0/unix/unxcfg.h 2015-02-11 08:46:43.671324260 -0500
+@@ -228,4 +228,30 @@
+ /* wild_dir, dirname, wildname, matchname[], dirnamelen, have_dirname, */
+ /* and notfirstcall are used by do_wild(). */
+
++
++#define MAX_CP_NAME 25
++
++#ifdef SETLOCALE
++# undef SETLOCALE
++#endif
++#define SETLOCALE(category, locale) setlocale(category, locale)
++#include <locale.h>
++
++#ifdef _ISO_INTERN
++# undef _ISO_INTERN
++#endif
++#define _ISO_INTERN(str1) iso_intern(str1)
++
++#ifdef _OEM_INTERN
++# undef _OEM_INTERN
++#endif
++#ifndef IZ_OEM2ISO_ARRAY
++# define IZ_OEM2ISO_ARRAY
++#endif
++#define _OEM_INTERN(str1) oem_intern(str1)
++
++void iso_intern(char *);
++void oem_intern(char *);
++void init_conversion_charsets(void);
++
+ #endif /* !__unxcfg_h */
+Index: unzip-6.0/unzip.c
+===================================================================
+--- unzip-6.0.orig/unzip.c 2015-02-11 08:46:43.675324290 -0500
++++ unzip-6.0/unzip.c 2015-02-11 08:46:43.675324290 -0500
+@@ -327,11 +327,21 @@
+ -2 just filenames but allow -h/-t/-z -l long Unix \"ls -l\" format\n\
+ -v verbose, multi-page format\n";
+
++#ifndef UNIX
+ static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
+ -h print header line -t print totals for listed files or for all\n\
+ -z print zipfile comment -T print file times in sortable decimal format\
+ \n -C be case-insensitive %s\
+ -x exclude filenames that follow from listing\n";
++#else /* UNIX */
++static ZCONST char Far ZipInfoUsageLine3[] = "miscellaneous options:\n\
++ -h print header line -t print totals for listed files or for all\n\
++ -z print zipfile comment %c-T%c print file times in sortable decimal format\
++\n %c-C%c be case-insensitive %s\
++ -x exclude filenames that follow from listing\n\
++ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\
++ -I CHARSET specify a character encoding for UNIX and other archives\n";
++#endif /* !UNIX */
+ #ifdef MORE
+ static ZCONST char Far ZipInfoUsageLine4[] =
+ " -M page output through built-in \"more\"\n";
+@@ -664,6 +674,17 @@
+ -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\
+ -C match filenames case-insensitively -L make (some) names \
+ lowercase\n %-42s -V retain VMS version numbers\n%s";
++#elif (defined UNIX)
++static ZCONST char Far UnzipUsageLine4[] = "\
++modifiers:\n\
++ -n never overwrite existing files -q quiet mode (-qq => quieter)\n\
++ -o overwrite files WITHOUT prompting -a auto-convert any text files\n\
++ -j junk paths (do not make directories) -aa treat ALL files as text\n\
++ -U use escapes for all non-ASCII Unicode -UU ignore any Unicode fields\n\
++ -C match filenames case-insensitively -L make (some) names \
++lowercase\n %-42s -V retain VMS version numbers\n%s\
++ -O CHARSET specify a character encoding for DOS, Windows and OS/2 archives\n\
++ -I CHARSET specify a character encoding for UNIX and other archives\n\n";
+ #else /* !VMS */
+ static ZCONST char Far UnzipUsageLine4[] = "\
+ modifiers:\n\
+@@ -802,6 +823,10 @@
+ #endif /* UNICODE_SUPPORT */
+
+
++#ifdef UNIX
++ init_conversion_charsets();
++#endif
++
+ #if (defined(__IBMC__) && defined(__DEBUG_ALLOC__))
+ extern void DebugMalloc(void);
+
+@@ -1335,6 +1360,11 @@
+ argc = *pargc;
+ argv = *pargv;
+
++#ifdef UNIX
++ extern char OEM_CP[MAX_CP_NAME];
++ extern char ISO_CP[MAX_CP_NAME];
++#endif
++
+ while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) {
+ s = *argv + 1;
+ while ((c = *s++) != 0) { /* "!= 0": prevent Turbo C warning */
+@@ -1516,6 +1546,35 @@
+ }
+ break;
+ #endif /* MACOS */
++#ifdef UNIX
++ case ('I'):
++ if (negative) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: encodings can't be negated"));
++ return(PK_PARAM);
++ } else {
++ if(*s) { /* Handle the -Icharset case */
++ /* Assume that charsets can't start with a dash to spot arguments misuse */
++ if(*s == '-') {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ strncpy(ISO_CP, s, sizeof(ISO_CP));
++ } else { /* -I charset */
++ ++argv;
++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ s = *argv;
++ strncpy(ISO_CP, s, sizeof(ISO_CP));
++ }
++ while(*(++s)); /* No params straight after charset name */
++ }
++ break;
++#endif /* ?UNIX */
+ case ('j'): /* junk pathnames/directory structure */
+ if (negative)
+ uO.jflag = FALSE, negative = 0;
+@@ -1591,6 +1650,35 @@
+ } else
+ ++uO.overwrite_all;
+ break;
++#ifdef UNIX
++ case ('O'):
++ if (negative) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: encodings can't be negated"));
++ return(PK_PARAM);
++ } else {
++ if(*s) { /* Handle the -Ocharset case */
++ /* Assume that charsets can't start with a dash to spot arguments misuse */
++ if(*s == '-') {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ strncpy(OEM_CP, s, sizeof(OEM_CP));
++ } else { /* -O charset */
++ ++argv;
++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -O argument"));
++ return(PK_PARAM);
++ }
++ s = *argv;
++ strncpy(OEM_CP, s, sizeof(OEM_CP));
++ }
++ while(*(++s)); /* No params straight after charset name */
++ }
++ break;
++#endif /* ?UNIX */
+ case ('p'): /* pipes: extract to stdout, no messages */
+ if (negative) {
+ uO.cflag = FALSE;
+Index: unzip-6.0/unzpriv.h
+===================================================================
+--- unzip-6.0.orig/unzpriv.h 2015-02-11 08:46:43.675324290 -0500
++++ unzip-6.0/unzpriv.h 2015-02-11 08:46:43.675324290 -0500
+@@ -3008,7 +3008,7 @@
+ !(((islochdr) || (isuxatt)) && \
+ ((hostver) == 25 || (hostver) == 26 || (hostver) == 40))) || \
+ (hostnum) == FS_HPFS_ || \
+- ((hostnum) == FS_NTFS_ && (hostver) == 50)) { \
++ ((hostnum) == FS_NTFS_ /* && (hostver) == 50 */ )) { \
+ _OEM_INTERN((string)); \
+ } else { \
+ _ISO_INTERN((string)); \
+Index: unzip-6.0/zipinfo.c
+===================================================================
+--- unzip-6.0.orig/zipinfo.c 2015-02-11 08:46:43.675324290 -0500
++++ unzip-6.0/zipinfo.c 2015-02-11 08:46:43.675324290 -0500
+@@ -457,6 +457,10 @@
+ int tflag_slm=TRUE, tflag_2v=FALSE;
+ int explicit_h=FALSE, explicit_t=FALSE;
+
++#ifdef UNIX
++ extern char OEM_CP[MAX_CP_NAME];
++ extern char ISO_CP[MAX_CP_NAME];
++#endif
+
+ #ifdef MACOS
+ uO.lflag = LFLAG; /* reset default on each call */
+@@ -501,6 +505,35 @@
+ uO.lflag = 0;
+ }
+ break;
++#ifdef UNIX
++ case ('I'):
++ if (negative) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: encodings can't be negated"));
++ return(PK_PARAM);
++ } else {
++ if(*s) { /* Handle the -Icharset case */
++ /* Assume that charsets can't start with a dash to spot arguments misuse */
++ if(*s == '-') {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ strncpy(ISO_CP, s, sizeof(ISO_CP));
++ } else { /* -I charset */
++ ++argv;
++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ s = *argv;
++ strncpy(ISO_CP, s, sizeof(ISO_CP));
++ }
++ while(*(++s)); /* No params straight after charset name */
++ }
++ break;
++#endif /* ?UNIX */
+ case 'l': /* longer form of "ls -l" type listing */
+ if (negative)
+ uO.lflag = -2, negative = 0;
+@@ -521,6 +554,35 @@
+ G.M_flag = TRUE;
+ break;
+ #endif
++#ifdef UNIX
++ case ('O'):
++ if (negative) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: encodings can't be negated"));
++ return(PK_PARAM);
++ } else {
++ if(*s) { /* Handle the -Ocharset case */
++ /* Assume that charsets can't start with a dash to spot arguments misuse */
++ if(*s == '-') {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -I argument"));
++ return(PK_PARAM);
++ }
++ strncpy(OEM_CP, s, sizeof(OEM_CP));
++ } else { /* -O charset */
++ ++argv;
++ if(!(--argc > 0 && *argv != NULL && **argv != '-')) {
++ Info(slide, 0x401, ((char *)slide,
++ "error: a valid character encoding should follow the -O argument"));
++ return(PK_PARAM);
++ }
++ s = *argv;
++ strncpy(OEM_CP, s, sizeof(OEM_CP));
++ }
++ while(*(++s)); /* No params straight after charset name */
++ }
++ break;
++#endif /* ?UNIX */
+ case 's': /* default: shorter "ls -l" type listing */
+ if (negative)
+ uO.lflag = -2, negative = 0;
diff --git a/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
new file mode 100644
index 0000000..0a0bfbb
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
@@ -0,0 +1,45 @@
+From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Wed, 11 Feb 2015
+Subject: Info-ZIP UnZip buffer overflow
+
+Upstream-Status: Backport
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+Signed-off-by: mancha <mancha1 AT zoho DOT com>
+---
+ extract.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/extract.c
++++ b/extract.c
+@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
+ ulg eb_ucsize;
+ uch *eb_ucptr;
+ int r;
++ ush method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
+ eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+ return IZ_EF_TRUNC; /* no compressed data! */
+
++ method = makeword(eb + (EB_HEADSIZE + compr_offset));
++ if ((method == STORED) &&
++ (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
++ return PK_ERR; /* compressed & uncompressed
++ * should match in STORED
++ * method */
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 33c20f8..9653bee 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -8,7 +8,10 @@ PR = "r5"
SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
file://avoid-strip.patch \
- file://define-ldflags.patch"
+ file://define-ldflags.patch \
+ file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
+ file://unzip-6.0_overflow3.diff \
+"
SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 19/25] unzip: fix four CVE defects
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (17 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 18/25] unzip: Security Advisory -CVE-2014-9636 and CVE-2015-1315 Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 20/25] dbus: CVE-2015-0245: prevent forged ActivationFailure Armin Kuster
` (6 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Roy Li <rongqing.li@windriver.com>
Port four patches from unzip_6.0-8+deb7u2.debian.tar.gz to fix:
cve-2014-8139
cve-2014-8140
cve-2014-8141
cve-2014-9636
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../unzip/09-cve-2014-8139-crc-overflow.patch | 52 ++++++++
.../unzip/10-cve-2014-8140-test-compr-eb.patch | 33 +++++
.../unzip/11-cve-2014-8141-getzip64data.patch | 144 +++++++++++++++++++++
.../unzip/12-cve-2014-9636-test-compr-eb.patch | 45 +++++++
meta/recipes-extended/unzip/unzip_6.0.bb | 4 +
5 files changed, 278 insertions(+)
create mode 100644 meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
create mode 100644 meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
create mode 100644 meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
create mode 100644 meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
diff --git a/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
new file mode 100644
index 0000000..e137f0d
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/09-cve-2014-8139-crc-overflow.patch
@@ -0,0 +1,52 @@
+From: sms
+Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
+Bug-Debian: http://bugs.debian.org/773722
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- a/extract.c
++++ b/extract.c
+@@ -298,6 +298,8 @@
+ #ifndef SFX
+ static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
++ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
++ EF block length (%u bytes) invalid (< %d)\n";
+ static ZCONST char Far InvalidComprDataEAs[] =
+ " invalid compressed data for EAs\n";
+ # if (defined(WIN32) && defined(NTSD_EAS))
+@@ -2023,7 +2025,8 @@
+ ebID = makeword(ef);
+ ebLen = (unsigned)makeword(ef+EB_LEN);
+
+- if (ebLen > (ef_len - EB_HEADSIZE)) {
++ if (ebLen > (ef_len - EB_HEADSIZE))
++ {
+ /* Discovered some extra field inconsistency! */
+ if (uO.qflag)
+ Info(slide, 1, ((char *)slide, "%-22s ",
+@@ -2158,11 +2161,19 @@
+ }
+ break;
+ case EF_PKVMS:
+- if (makelong(ef+EB_HEADSIZE) !=
++ if (ebLen < 4)
++ {
++ Info(slide, 1,
++ ((char *)slide, LoadFarString(TooSmallEBlength),
++ ebLen, 4));
++ }
++ else if (makelong(ef+EB_HEADSIZE) !=
+ crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
+ (extent)(ebLen-4)))
++ {
+ Info(slide, 1, ((char *)slide,
+ LoadFarString(BadCRC_EAs)));
++ }
+ break;
+ case EF_PKW32:
+ case EF_PKUNIX:
diff --git a/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
new file mode 100644
index 0000000..edc7d51
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/10-cve-2014-8140-test-compr-eb.patch
@@ -0,0 +1,33 @@
+From: sms
+Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
+Bug-Debian: http://bugs.debian.org/773722
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- a/extract.c
++++ b/extract.c
+@@ -2232,10 +2232,17 @@
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+
++ /* Return no/bad-data error status if any problem is found:
++ * 1. eb_size is too small to hold the uncompressed size
++ * (eb_ucsize). (Else extract eb_ucsize.)
++ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
++ * 3. eb_ucsize is positive, but eb_size is too small to hold
++ * the compressed data header.
++ */
+ if ((eb_size < (EB_UCSIZE_P + 4)) ||
+- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
+- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
+- return IZ_EF_TRUNC; /* no compressed data! */
++ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
++ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
++ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
+ if (
+ #ifdef INT_16BIT
diff --git a/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
new file mode 100644
index 0000000..d0c1db3
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/11-cve-2014-8141-getzip64data.patch
@@ -0,0 +1,144 @@
+From: sms
+Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data()
+Bug-Debian: http://bugs.debian.org/773722
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -176,6 +176,8 @@
+ #endif
+ static ZCONST char Far ExtraFieldTooLong[] =
+ "warning: extra field too long (%d). Ignoring...\n";
++static ZCONST char Far ExtraFieldCorrupt[] =
++ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
+
+ #ifdef WINDLL
+ static ZCONST char Far DiskFullQuery[] =
+@@ -2295,7 +2297,12 @@
+ if (readbuf(__G__ (char *)G.extra_field, length) == 0)
+ return PK_EOF;
+ /* Looks like here is where extra fields are read */
+- getZip64Data(__G__ G.extra_field, length);
++ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
++ {
++ Info(slide, 0x401, ((char *)slide,
++ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
++ error = PK_WARN;
++ }
+ #ifdef UNICODE_SUPPORT
+ G.unipath_filename = NULL;
+ if (G.UzO.U_flag < 2) {
+--- a/process.c
++++ b/process.c
+@@ -1,5 +1,5 @@
+ /*
+- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
++ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
+
+ See the accompanying file LICENSE, version 2009-Jan-02 or later
+ (the contents of which are also included in unzip.h) for terms of use.
+@@ -1901,48 +1901,82 @@
+ and a 4-byte version of disk start number.
+ Sets both local header and central header fields. Not terribly clever,
+ but it means that this procedure is only called in one place.
++
++ 2014-12-05 SMS.
++ Added checks to ensure that enough data are available before calling
++ makeint64() or makelong(). Replaced various sizeof() values with
++ simple ("4" or "8") constants. (The Zip64 structures do not depend
++ on our variable sizes.) Error handling is crude, but we should now
++ stay within the buffer.
+ ---------------------------------------------------------------------------*/
+
++#define Z64FLGS 0xffff
++#define Z64FLGL 0xffffffff
++
+ if (ef_len == 0 || ef_buf == NULL)
+ return PK_COOL;
+
+ Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
+ ef_len));
+
+- while (ef_len >= EB_HEADSIZE) {
++ while (ef_len >= EB_HEADSIZE)
++ {
+ eb_id = makeword(EB_ID + ef_buf);
+ eb_len = makeword(EB_LEN + ef_buf);
+
+- if (eb_len > (ef_len - EB_HEADSIZE)) {
+- /* discovered some extra field inconsistency! */
++ if (eb_len > (ef_len - EB_HEADSIZE))
++ {
++ /* Extra block length exceeds remaining extra field length. */
+ Trace((stderr,
+ "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
+ ef_len - EB_HEADSIZE));
+ break;
+ }
+- if (eb_id == EF_PKSZ64) {
+-
++ if (eb_id == EF_PKSZ64)
++ {
+ int offset = EB_HEADSIZE;
+
+- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
+- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.ucsize);
++ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
+- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.csize);
++
++ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
++ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
++ offset += 8;
+ }
+- if (G.crec.relative_offset_local_header == 0xffffffff){
++
++ if (G.crec.relative_offset_local_header == Z64FLGL)
++ {
++ if (offset+ 8 > ef_len)
++ return PK_ERR;
++
+ G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
+- offset += sizeof(G.crec.relative_offset_local_header);
++ offset += 8;
+ }
+- if (G.crec.disk_number_start == 0xffff){
++
++ if (G.crec.disk_number_start == Z64FLGS)
++ {
++ if (offset+ 4 > ef_len)
++ return PK_ERR;
++
+ G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+- offset += sizeof(G.crec.disk_number_start);
++ offset += 4;
+ }
++#if 0
++ break; /* Expect only one EF_PKSZ64 block. */
++#endif /* 0 */
+ }
+
+- /* Skip this extra field block */
++ /* Skip this extra field block. */
+ ef_buf += (eb_len + EB_HEADSIZE);
+ ef_len -= (eb_len + EB_HEADSIZE);
+ }
diff --git a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
new file mode 100644
index 0000000..b64dd99
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
@@ -0,0 +1,45 @@
+From: mancha <mancha1 AT zoho DOT com>
+Date: Mon, 3 Nov 2014
+Subject: Info-ZIP UnZip buffer overflow
+Bug-Debian: http://bugs.debian.org/776589
+
+By carefully crafting a corrupt ZIP archive with "extra fields" that
+purport to have compressed blocks larger than the corresponding
+uncompressed blocks in STORED no-compression mode, an attacker can
+trigger a heap overflow that can result in application crash or
+possibly have other unspecified impact.
+
+This patch ensures that when extra fields use STORED mode, the
+"compressed" and uncompressed block sizes match.
+
+The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
+
+Upstream-Status: Backport
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- a/extract.c
++++ b/extract.c
+@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
+ uch *eb_ucptr;
+ int r;
+ ush method;
++ ush eb_compr_method;
+
+ if (compr_offset < 4) /* field is not compressed: */
+ return PK_OK; /* do nothing and signal OK */
+@@ -2244,6 +2245,14 @@
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
+
++ /* 2014-11-03 Michal Zalewski, SMS.
++ * For STORE method, compressed and uncompressed sizes must agree.
++ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
++ */
++ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
++ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
++ return PK_ERR;
++
+ if (
+ #ifdef INT_16BIT
+ (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 9653bee..00b68ad 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -11,6 +11,10 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
file://define-ldflags.patch \
file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
file://unzip-6.0_overflow3.diff \
+ file://09-cve-2014-8139-crc-overflow.patch \
+ file://10-cve-2014-8140-test-compr-eb.patch \
+ file://11-cve-2014-8141-getzip64data.patch \
+ file://12-cve-2014-9636-test-compr-eb.patch \
"
SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 20/25] dbus: CVE-2015-0245: prevent forged ActivationFailure
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (18 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 19/25] unzip: fix four CVE defects Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 21/25] linux-firmware: Package Marvell pci8897 and usb8897 firmware Armin Kuster
` (5 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Jussi Kukkonen <jussi.kukkonen@intel.com>
Fix CVE-2015-0245 by preventing non-root and non-systemd processes
from fooling the dbus daemon into thinking systemd service activation
failed.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/dbus/dbus.inc | 1 +
...015-0245-prevent-forged-ActivationFailure.patch | 48 ++++++++++++++++++++++
2 files changed, 49 insertions(+)
create mode 100644 meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
diff --git a/meta/recipes-core/dbus/dbus.inc b/meta/recipes-core/dbus/dbus.inc
index d38ba7e..971eabf 100644
--- a/meta/recipes-core/dbus/dbus.inc
+++ b/meta/recipes-core/dbus/dbus.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://dbus.freedesktop.org/releases/dbus/dbus-${PV}.tar.gz \
file://dbus-1.init \
file://os-test.patch \
file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+ file://CVE-2015-0245-prevent-forged-ActivationFailure.patch \
"
inherit useradd autotools pkgconfig gettext update-rc.d
diff --git a/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
new file mode 100644
index 0000000..59363b3
--- /dev/null
+++ b/meta/recipes-core/dbus/dbus/CVE-2015-0245-prevent-forged-ActivationFailure.patch
@@ -0,0 +1,48 @@
+CVE-2015-0245: prevent forged ActivationFailure from non-root processes
+
+Upstream has fixed this in code but suggests using this as a easily
+backportable fix: https://bugs.freedesktop.org/show_bug.cgi?id=88811
+
+Upstream-Status: Inappropriate
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+
+
+
+From 91eb2ea3362630190e08c1c777c47bae065ac828 Mon Sep 17 00:00:00 2001
+From: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Date: Mon, 26 Jan 2015 20:09:56 +0000
+Subject: [PATCH 1/3] CVE-2015-0245: prevent forged ActivationFailure from
+ non-root processes
+
+Without either this rule or better checking in dbus-daemon, non-systemd
+processes can make dbus-daemon think systemd failed to activate a system
+service, resulting in an error reply back to the requester.
+
+This is redundant with the fix in the C code (which I consider to be
+the real solution), but is likely to be easier to backport.
+---
+ bus/system.conf.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bus/system.conf.in b/bus/system.conf.in
+index 92f4cc4..851b9e6 100644
+--- a/bus/system.conf.in
++++ b/bus/system.conf.in
+@@ -68,6 +68,14 @@
+ <deny send_destination="org.freedesktop.DBus"
+ send_interface="org.freedesktop.DBus"
+ send_member="UpdateActivationEnvironment"/>
++ <deny send_destination="org.freedesktop.DBus"
++ send_interface="org.freedesktop.systemd1.Activator"/>
++ </policy>
++
++ <!-- Only systemd, which runs as root, may report activation failures. -->
++ <policy user="root">
++ <allow send_destination="org.freedesktop.DBus"
++ send_interface="org.freedesktop.systemd1.Activator"/>
+ </policy>
+
+ <!-- Config files are placed here that among other things, punch
+--
+2.1.4
+
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 21/25] linux-firmware: Package Marvell pci8897 and usb8897 firmware
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (19 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 20/25] dbus: CVE-2015-0245: prevent forged ActivationFailure Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 22/25] unzip: drop 12-cve-2014-9636-test-compr-eb.patch Armin Kuster
` (4 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Ng Wei Tee <wei.tee.ng@intel.com>
Signed-off-by: Ng Shui Lei <shui.lei.ng@intel.com>
Signed-off-by: Ng Wei Tee <wei.tee.ng@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../linux-firmware/linux-firmware_git.bb | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_git.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_git.bb
index a107f80..bd0b9a3 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_git.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_git.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.radeon;md5=07b0c31777bd686d8e1609c6940b5e74\
file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \
file://LICENCE.ralink-firmware.txt;md5=ab2c269277c45476fb449673911a2dfd \
file://LICENCE.qla2xxx;md5=f5ce8529ec5c17cb7f911d2721d90e91 \
- file://LICENCE.iwlwifi_firmware;md5=8b938534f77ffd453690eb34ed84ae8b \
+ file://LICENCE.iwlwifi_firmware;md5=5106226b2863d00d8ed553221ddf8cd2 \
file://LICENCE.i2400m;md5=14b901969e23c41881327c0d9e4b7d36 \
file://LICENCE.atheros_firmware;md5=30a14c7823beedac9fa39c64fdd01a13 \
file://LICENCE.agere;md5=af0133de6b4a9b2522defd5f188afd31 \
@@ -24,7 +24,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.radeon;md5=07b0c31777bd686d8e1609c6940b5e74\
file://LICENCE.Marvell;md5=9ddea1734a4baf3c78d845151f42a37a \
"
-SRCREV = "dec41bce44e0dff6a2c3358a958fadf22bf58858"
+SRCREV = "ec89525b2ab65f1d5ae4f67e27f0d525ddedd2ef"
PE = "1"
PV = "0.0+git${SRCPV}"
@@ -62,7 +62,7 @@ do_install() {
PACKAGES =+ "${PN}-ralink \
${PN}-radeon \
- ${PN}-marvell-license ${PN}-sd8686 ${PN}-sd8787 ${PN}-sd8797 \
+ ${PN}-marvell-license ${PN}-sd8686 ${PN}-sd8787 ${PN}-sd8797 ${PN}-pcie8897 ${PN}-usb8897 \
${PN}-wl12xx ${PN}-wl18xx ${PN}-vt6656 \
${PN}-rtl-license ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su \
${PN}-broadcom-license ${PN}-bcm4329 ${PN}-bcm4330 ${PN}-bcm4334 \
@@ -133,6 +133,19 @@ FILES_${PN}-sd8797 = " \
"
RDEPENDS_${PN}-sd8797 += "${PN}-marvell-license"
+LICENSE_${PN}-pcie8897 = "Firmware-Marvell"
+FILES_${PN}-pcie8897 = " \
+ /lib/firmware/mrvl/pcie8897_uapsta.bin \
+"
+RDEPENDS_${PN}-pcie8897 += "${PN}-marvell-license"
+
+LICENSE_${PN}-usb8897 = "Firmware-Marvell"
+FILES_${PN}-usb8897 = " \
+ /lib/firmware/mrvl/usb8897_uapsta.bin \
+"
+RDEPENDS_${PN}-usb8897 += "${PN}-marvell-license"
+
+
FILES_${PN}-rtl-license = " \
/lib/firmware/LICENCE.rtlwifi_firmware.txt \
"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 22/25] unzip: drop 12-cve-2014-9636-test-compr-eb.patch
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (20 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 21/25] linux-firmware: Package Marvell pci8897 and usb8897 firmware Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 23/25] rpm: Fix CVE-2014-8118 Armin Kuster
` (3 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Roy Li <rongqing.li@windriver.com>
12-cve-2014-9636-test-compr-eb.patch is same as unzip-6.0_overflow3.diff,
is to fix CVE-2014-9636
(From OE-Core rev: 9cf42db4e545cd260faf45931d3b3c63ab3b3aab)
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../unzip/12-cve-2014-9636-test-compr-eb.patch | 45 ----------------------
meta/recipes-extended/unzip/unzip_6.0.bb | 1 -
2 files changed, 46 deletions(-)
delete mode 100644 meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
diff --git a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch b/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
deleted file mode 100644
index b64dd99..0000000
--- a/meta/recipes-extended/unzip/unzip/12-cve-2014-9636-test-compr-eb.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: mancha <mancha1 AT zoho DOT com>
-Date: Mon, 3 Nov 2014
-Subject: Info-ZIP UnZip buffer overflow
-Bug-Debian: http://bugs.debian.org/776589
-
-By carefully crafting a corrupt ZIP archive with "extra fields" that
-purport to have compressed blocks larger than the corresponding
-uncompressed blocks in STORED no-compression mode, an attacker can
-trigger a heap overflow that can result in application crash or
-possibly have other unspecified impact.
-
-This patch ensures that when extra fields use STORED mode, the
-"compressed" and uncompressed block sizes match.
-
-The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz
-
-Upstream-Status: Backport
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
-
---- a/extract.c
-+++ b/extract.c
-@@ -2229,6 +2229,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
- uch *eb_ucptr;
- int r;
- ush method;
-+ ush eb_compr_method;
-
- if (compr_offset < 4) /* field is not compressed: */
- return PK_OK; /* do nothing and signal OK */
-@@ -2244,6 +2245,14 @@
- ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
- return IZ_EF_TRUNC; /* no/bad compressed data! */
-
-+ /* 2014-11-03 Michal Zalewski, SMS.
-+ * For STORE method, compressed and uncompressed sizes must agree.
-+ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
-+ */
-+ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
-+ if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
-+ return PK_ERR;
-+
- if (
- #ifdef INT_16BIT
- (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 00b68ad..e590f81 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -14,7 +14,6 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
file://09-cve-2014-8139-crc-overflow.patch \
file://10-cve-2014-8140-test-compr-eb.patch \
file://11-cve-2014-8141-getzip64data.patch \
- file://12-cve-2014-9636-test-compr-eb.patch \
"
SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 23/25] rpm: Fix CVE-2014-8118
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (21 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 22/25] unzip: drop 12-cve-2014-9636-test-compr-eb.patch Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 24/25] rpm: Fix CVE-2013-6435 Armin Kuster
` (2 subsequent siblings)
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Backport patch to fix CVE-2014-8118. Description is on [1] and
original patch taken from [2].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1168715
[2] https://bugzilla.redhat.com/attachment.cgi?id=962159
[YOCTO #7181]
(From OE-Core rev: 0a1f924157cb75d0f67cf534762c89dc8656d352)
Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../rpm/rpm/rpm-CVE-2014-8118.patch | 43 ++++++++++++++++++++++
meta/recipes-devtools/rpm/rpm_4.11.2.bb | 1 +
2 files changed, 44 insertions(+)
create mode 100644 meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
new file mode 100644
index 0000000..bf1795c
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2014-8118.patch
@@ -0,0 +1,43 @@
+From 71c812edf1431a9967bd99ba6ffa6ab89eb7ec7c Mon Sep 17 00:00:00 2001
+From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+Date: Wed, 10 Jun 2015 12:56:55 +0000
+Subject: [PATCH 1/2] rpm: CVE-2014-8118
+
+Upstream-Status: Backport
+
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=1168715
+
+Description:
+It was found that RPM could encounter an integer overflow,
+leading to a stack-based overflow, while parsing a crafted
+CPIO header in the payload section of an RPM file. This could
+allow an attacker to modify signed RPM files in such a way that
+they would execute code chosen by the attacker during package
+installation.
+
+Original Patch:
+https://bugzilla.redhat.com/attachment.cgi?id=962159
+
+Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+---
+ lib/cpio.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/cpio.c b/lib/cpio.c
+index 382eeb6..74ddd9c 100644
+--- a/lib/cpio.c
++++ b/lib/cpio.c
+@@ -296,6 +296,9 @@ int rpmcpioHeaderRead(rpmcpio_t cpio, char ** path, struct stat * st)
+ st->st_rdev = makedev(major, minor);
+
+ GET_NUM_FIELD(hdr.namesize, nameSize);
++ if (nameSize <= 0 || nameSize > 4096) {
++ return CPIOERR_BAD_HEADER;
++ }
+
+ *path = xmalloc(nameSize + 1);
+ read = Fread(*path, nameSize, 1, cpio->fd);
+--
+1.8.4.5
+
diff --git a/meta/recipes-devtools/rpm/rpm_4.11.2.bb b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
index 86a14fa..86a5fbb 100644
--- a/meta/recipes-devtools/rpm/rpm_4.11.2.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
@@ -34,6 +34,7 @@ SRC_URI += "http://rpm.org/releases/rpm-4.11.x/${BP}.tar.bz2 \
file://fix_libdir.patch \
file://rpm-scriptetexechelp.patch \
file://pythondeps.sh \
+ file://rpm-CVE-2014-8118.patch \
"
SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 24/25] rpm: Fix CVE-2013-6435
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (22 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 23/25] rpm: Fix CVE-2014-8118 Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-18 15:16 ` [PATCH 25/25] libxml2: Security Advisory - libxml2 - CVE-2015-1819 Armin Kuster
2015-07-24 7:34 ` [PATCH 00/25] Dizzy next for .3 Richard Purdie
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Backport to fix CVE-2013-6435. Description on [1] and original
patch taken from [2].
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
[2] https://bugzilla.redhat.com/attachment.cgi?id=956207
[YOCTO #7181]
(From OE-Core rev: 6bf846ed5ccd1a4d01b36630708b2b9aa9e69ed5)
Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../rpm/rpm/rpm-CVE-2013-6435.patch | 109 +++++++++++++++++++++
meta/recipes-devtools/rpm/rpm_4.11.2.bb | 1 +
2 files changed, 110 insertions(+)
create mode 100644 meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
diff --git a/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
new file mode 100644
index 0000000..b107e8f
--- /dev/null
+++ b/meta/recipes-devtools/rpm/rpm/rpm-CVE-2013-6435.patch
@@ -0,0 +1,109 @@
+From 08105acda1da63d32fbb18596a3d6c3e0aa106d1 Mon Sep 17 00:00:00 2001
+From: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+Date: Wed, 10 Jun 2015 14:36:56 +0000
+Subject: [PATCH 2/2] rpm: CVE-2013-6435
+
+Upstream-Status: Backport
+
+Reference:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
+
+Description:
+It was found that RPM wrote file contents to the target installation
+directory under a temporary name, and verified its cryptographic signature
+only after the temporary file has been written completely. Under certain
+conditions, the system interprets the unverified temporary file contents
+and extracts commands from it. This could allow an attacker to modify
+signed RPM files in such a way that they would execute code chosen
+by the attacker during package installation.
+
+Original Patch:
+https://bugzilla.redhat.com/attachment.cgi?id=956207
+
+Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
+---
+ lib/fsm.c | 2 +-
+ rpmio/rpmio.c | 18 ++++++++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/lib/fsm.c b/lib/fsm.c
+index 1ee7e67..094eb1d 100644
+--- a/lib/fsm.c
++++ b/lib/fsm.c
+@@ -726,7 +726,7 @@ static int expandRegular(FSM_t fsm, rpmpsm psm, rpmcpio_t archive, int nodigest)
+ {
+ FD_t wfd = NULL;
+ const struct stat * st = &fsm->sb;
+- rpm_loff_t left = st->st_size;
++ rpm_loff_t left = rpmfiFSizeIndex(fsmGetFi(fsm), fsm->ix);
+ const unsigned char * fidigest = NULL;
+ pgpHashAlgo digestalgo = 0;
+ int rc = 0;
+diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
+index cd223e8..0b12e31 100644
+--- a/rpmio/rpmio.c
++++ b/rpmio/rpmio.c
+@@ -1309,15 +1309,19 @@ int Fclose(FD_t fd)
+ * - bzopen: [1-9] is block size (modulo 100K)
+ * - bzopen: 's' is smallmode
+ * - HACK: '.' terminates, rest is type of I/O
++ * - 'U' sets *mode to zero (no permissions) instead of 0666
+ */
+ static void cvtfmode (const char *m,
+ char *stdio, size_t nstdio,
+ char *other, size_t nother,
+- const char **end, int * f)
++ const char **end, int *f, mode_t *mode)
+ {
+ int flags = 0;
+ char c;
+
++ if (mode)
++ *mode = 0666;
++
+ switch (*m) {
+ case 'a':
+ flags |= O_WRONLY | O_CREAT | O_APPEND;
+@@ -1357,6 +1361,10 @@ static void cvtfmode (const char *m,
+ if (--nstdio > 0) *stdio++ = c;
+ continue;
+ break;
++ case 'U':
++ if (mode)
++ *mode = 0;
++ break;
+ default:
+ if (--nother > 0) *other++ = c;
+ continue;
+@@ -1385,7 +1393,8 @@ fprintf(stderr, "*** Fdopen(%p,%s) %s\n", fd, fmode, fdbg(fd));
+ if (fd == NULL || fmode == NULL)
+ return NULL;
+
+- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL);
++ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, NULL,
++ NULL);
+ if (stdio[0] == '\0')
+ return NULL;
+ zstdio[0] = '\0';
+@@ -1436,7 +1445,7 @@ FD_t Fopen(const char *path, const char *fmode)
+ {
+ char stdio[20], other[20];
+ const char *end = NULL;
+- mode_t perms = 0666;
++ mode_t perms;
+ int flags = 0;
+ FD_t fd;
+
+@@ -1444,7 +1453,8 @@ FD_t Fopen(const char *path, const char *fmode)
+ return NULL;
+
+ stdio[0] = '\0';
+- cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags);
++ cvtfmode(fmode, stdio, sizeof(stdio), other, sizeof(other), &end, &flags,
++ &perms);
+ if (stdio[0] == '\0')
+ return NULL;
+
+--
+1.8.4.5
+
diff --git a/meta/recipes-devtools/rpm/rpm_4.11.2.bb b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
index 86a5fbb..7c67b69 100644
--- a/meta/recipes-devtools/rpm/rpm_4.11.2.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.11.2.bb
@@ -35,6 +35,7 @@ SRC_URI += "http://rpm.org/releases/rpm-4.11.x/${BP}.tar.bz2 \
file://rpm-scriptetexechelp.patch \
file://pythondeps.sh \
file://rpm-CVE-2014-8118.patch \
+ file://rpm-CVE-2013-6435.patch \
"
SRC_URI[md5sum] = "876ac9948a88367054f8ddb5c0e87173"
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* [PATCH 25/25] libxml2: Security Advisory - libxml2 - CVE-2015-1819
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (23 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 24/25] rpm: Fix CVE-2013-6435 Armin Kuster
@ 2015-07-18 15:16 ` Armin Kuster
2015-07-24 7:34 ` [PATCH 00/25] Dizzy next for .3 Richard Purdie
25 siblings, 0 replies; 29+ messages in thread
From: Armin Kuster @ 2015-07-18 15:16 UTC (permalink / raw)
To: openembedded-core
From: Yue Tao <Yue.Tao@windriver.com>
for CVE-2015-1819 Enforce the reader to run in constant memory
(From OE-Core rev: 9e67d8ae592a37d7c92d6566466b09c83e9ec6a7)
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Conflicts:
meta/recipes-core/libxml/libxml2.inc
---
meta/recipes-core/libxml/libxml2.inc | 1 +
...19-Enforce-the-reader-to-run-in-constant-.patch | 181 +++++++++++++++++++++
2 files changed, 182 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index c729c19..840a8eb 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -22,6 +22,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://python-sitepackages-dir.patch \
file://libxml-m4-use-pkgconfig.patch \
file://libxml2-CVE-2014-3660.patch \
+ file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
"
BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
new file mode 100644
index 0000000..96d58f9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch
@@ -0,0 +1,181 @@
+From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 14 Apr 2015 17:41:48 +0800
+Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory
+
+One of the operation on the reader could resolve entities
+leading to the classic expansion issue. Make sure the
+buffer used for xmlreader operation is bounded.
+Introduce a new allocation type for the buffers for this effect.
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
+ include/libxml/tree.h | 3 ++-
+ xmlreader.c | 20 +++++++++++++++++++-
+ 3 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index 6efc7b6..07922ff 100644
+--- a/buf.c
++++ b/buf.c
+@@ -27,6 +27,7 @@
+ #include <libxml/tree.h>
+ #include <libxml/globals.h>
+ #include <libxml/tree.h>
++#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+
+ #define WITH_BUFFER_COMPAT
+@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf,
+ if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) ||
+ (scheme == XML_BUFFER_ALLOC_EXACT) ||
+ (scheme == XML_BUFFER_ALLOC_HYBRID) ||
+- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) {
++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) ||
++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) {
+ buf->alloc = scheme;
+ if (buf->buffer)
+ buf->buffer->alloc = scheme;
+@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+ size = buf->use + len + 100;
+ #endif
+
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) ||
++ (buf->size >= XML_MAX_TEXT_LENGTH)) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(0);
++ }
++ if (size >= XML_MAX_TEXT_LENGTH)
++ size = XML_MAX_TEXT_LENGTH;
++ }
+ if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+ size_t start_buf = buf->content - buf->contentIO;
+
+@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ CHECK_COMPAT(buf)
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (size >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(0);
++ }
++ }
+
+ /* Don't resize if we don't have to */
+ if (size < buf->size)
+@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+
+ needSize = buf->use + len + 2;
+ if (needSize > buf->size){
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (needSize >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(-1);
++ }
++ }
+ if (!xmlBufResize(buf, needSize)){
+ xmlBufMemoryError(buf, "growing buffer");
+ return XML_ERR_NO_MEMORY;
+@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) {
+ }
+ needSize = buf->use + len + 2;
+ if (needSize > buf->size){
++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
++ /*
++ * Used to provide parsing limits
++ */
++ if (needSize >= XML_MAX_TEXT_LENGTH) {
++ xmlBufMemoryError(buf, "buffer error: text too long\n");
++ return(-1);
++ }
++ }
+ if (!xmlBufResize(buf, needSize)){
+ xmlBufMemoryError(buf, "growing buffer");
+ return XML_ERR_NO_MEMORY;
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index 2f90717..4a9b3bc 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+@@ -76,7 +76,8 @@ typedef enum {
+ XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */
+ XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */
+ XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */
+- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */
++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */
++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */
+ } xmlBufferAllocationScheme;
+
+ /**
+diff --git a/xmlreader.c b/xmlreader.c
+index f19e123..471e7e2 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) {
+ "xmlNewTextReader : malloc failed\n");
+ return(NULL);
+ }
++ /* no operation on a reader should require a huge buffer */
++ xmlBufSetAllocationScheme(ret->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+ if (ret->sax == NULL) {
+ xmlBufFree(ret->buffer);
+@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+ return(((xmlNsPtr) node)->href);
+ case XML_ATTRIBUTE_NODE:{
+ xmlAttrPtr attr = (xmlAttrPtr) node;
++ const xmlChar *ret;
+
+ if ((attr->children != NULL) &&
+ (attr->children->type == XML_TEXT_NODE) &&
+@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) {
+ "xmlTextReaderSetup : malloc failed\n");
+ return (NULL);
+ }
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ } else
+ xmlBufEmpty(reader->buffer);
+ xmlBufGetNodeContent(reader->buffer, node);
+- return(xmlBufContent(reader->buffer));
++ ret = xmlBufContent(reader->buffer);
++ if (ret == NULL) {
++ /* error on the buffer best to reallocate */
++ xmlBufFree(reader->buffer);
++ reader->buffer = xmlBufCreateSize(100);
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
++ ret = BAD_CAST "";
++ }
++ return(ret);
+ }
+ break;
+ }
+@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader,
+ "xmlTextReaderSetup : malloc failed\n");
+ return (-1);
+ }
++ /* no operation on a reader should require a huge buffer */
++ xmlBufSetAllocationScheme(reader->buffer,
++ XML_BUFFER_ALLOC_BOUNDED);
+ if (reader->sax == NULL)
+ reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler));
+ if (reader->sax == NULL) {
+--
+1.7.9.5
+
--
1.9.1
^ permalink raw reply related [flat|nested] 29+ messages in thread* Re: [PATCH 00/25] Dizzy next for .3
2015-07-18 15:16 [PATCH 00/25] Dizzy next for .3 Armin Kuster
` (24 preceding siblings ...)
2015-07-18 15:16 ` [PATCH 25/25] libxml2: Security Advisory - libxml2 - CVE-2015-1819 Armin Kuster
@ 2015-07-24 7:34 ` Richard Purdie
2015-07-25 5:28 ` akuster808
25 siblings, 1 reply; 29+ messages in thread
From: Richard Purdie @ 2015-07-24 7:34 UTC (permalink / raw)
To: Armin Kuster; +Cc: openembedded-core
On Sat, 2015-07-18 at 08:16 -0700, Armin Kuster wrote:
> Please consider these for the 1.7.3 release
>
> The following changes since commit 5f0d25152bac2d3798663a4ebfdd2df24060f153:
>
> openssl: upgrade to 1.0.1p (2015-07-15 15:25:43 +0100)
>
> are available in the git repository at:
>
> git://git.yoctoproject.org/poky-contrib akuster/dizzy-next
> http://git.yoctoproject.org/cgit.cgi//log/?h=akuster/dizzy-nex
We ran dizzy through the autobuilder as we have an opportunity to roll a
1.7.3 release soon. The result was:
https://autobuilder.yoctoproject.org/main/tgrid
or more specifically:
http://errors.yoctoproject.org/Errors/Search/?items=10&query=1b492dfcdd692fe9440a1711812a1bb60ac741e5
which looks to me to largely be gcc5 issues on the host, particularly
Fedora22. There was also a bug occurred in build-appliance which has
been resolved in master/fido.
We therefore need to decide whether to backport the gcc5 host fixes back
to 1.7.3 or whether we have to disable autobuilders in order to be able
to build it...
Cheers,
Richard
^ permalink raw reply [flat|nested] 29+ messages in thread* Re: [PATCH 00/25] Dizzy next for .3
2015-07-24 7:34 ` [PATCH 00/25] Dizzy next for .3 Richard Purdie
@ 2015-07-25 5:28 ` akuster808
2015-07-25 23:27 ` Richard Purdie
0 siblings, 1 reply; 29+ messages in thread
From: akuster808 @ 2015-07-25 5:28 UTC (permalink / raw)
To: Richard Purdie; +Cc: openembedded-core
On 07/24/2015 12:34 AM, Richard Purdie wrote:
> On Sat, 2015-07-18 at 08:16 -0700, Armin Kuster wrote:
>> Please consider these for the 1.7.3 release
>>
>> The following changes since commit 5f0d25152bac2d3798663a4ebfdd2df24060f153:
>>
>> openssl: upgrade to 1.0.1p (2015-07-15 15:25:43 +0100)
>>
>> are available in the git repository at:
>>
>> git://git.yoctoproject.org/poky-contrib akuster/dizzy-next
>> http://git.yoctoproject.org/cgit.cgi//log/?h=akuster/dizzy-nex
>
> We ran dizzy through the autobuilder as we have an opportunity to roll a
> 1.7.3 release soon. The result was:
>
> https://autobuilder.yoctoproject.org/main/tgrid
> or more specifically:
> http://errors.yoctoproject.org/Errors/Search/?items=10&query=1b492dfcdd692fe9440a1711812a1bb60ac741e5
>
> which looks to me to largely be gcc5 issues on the host, particularly
> Fedora22. There was also a bug occurred in build-appliance which has
> been resolved in master/fido.
>
> We therefore need to decide whether to backport the gcc5 host fixes back
> to 1.7.3 or whether we have to disable autobuilders in order to be able
> to build it...
I found the answer on
https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance
"The primary focus for stable branches is bugfixing, security updates,
and making sure that builds on recently released Ubuntu, Fedora, and
OpenSUSE distros work"
so we should back port the gcc5 host fixes. Is that something I need to ?
thanks for asking,
Kind regards and Mahalo,
Armin
>
> Cheers,
>
> Richard
>
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [PATCH 00/25] Dizzy next for .3
2015-07-25 5:28 ` akuster808
@ 2015-07-25 23:27 ` Richard Purdie
0 siblings, 0 replies; 29+ messages in thread
From: Richard Purdie @ 2015-07-25 23:27 UTC (permalink / raw)
To: akuster808; +Cc: openembedded-core
On Fri, 2015-07-24 at 22:28 -0700, akuster808 wrote:
> On 07/24/2015 12:34 AM, Richard Purdie wrote:
> > On Sat, 2015-07-18 at 08:16 -0700, Armin Kuster wrote:
> > We therefore need to decide whether to backport the gcc5 host fixes back
> > to 1.7.3 or whether we have to disable autobuilders in order to be able
> > to build it...
>
> I found the answer on
> https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance
>
> "The primary focus for stable branches is bugfixing, security updates,
> and making sure that builds on recently released Ubuntu, Fedora, and
> OpenSUSE distros work"
>
> so we should back port the gcc5 host fixes. Is that something I need to ?
If we choose to do it (the above says its within policy) then someone
needs to. It would certainly make life easier on the autobuilder.
I've attempted the low hanging fruit with the patches in:
http://git.yoctoproject.org/cgit.cgi/poky/log/?h=dizzy-next
which get ncurses-native, cross-localedef-native and binutils-native
working at least...
Cheers,
Richard
^ permalink raw reply [flat|nested] 29+ messages in thread