* [PATCH 0/8] [jethro] 8 patches for jethro
From: Robert Yang @ 2015-12-01 9:44 UTC
To: openembedded-core
Hello,

Here are 8 patches for jethro. There are still a few patches that are
requested but not included here because they have not been merged by
master by now.

All these patches have already been merged by master.

// Robert

The following changes since commit e44ed8c18e395b9c055aefee113b90708e8a8a2f:

  build-appliance-image: Update to jethro head revision (2015-11-03 14:02:57 +0000)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib rbt/jethro-next
  http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=rbt/HEAD

Alejandro del Castillo (1):
  opkg: add cache filename length fixes

Armin Kuster (2):
  libxslt: CVE-2015-7995
  libxml2: fix CVE-2015-7942 and CVE-2015-8035

Mark Hatle (1):
  binutils: Fix octeon3 disassembly patch

Maxin B. John (1):
  libsndfile: fix CVE-2014-9756

Ross Burton (3):
  libarchive: rename patch to reflect CVE
  readline: rename patch to contain CVE reference
  unzip: rename patch to reflect CVE fix
meta/recipes-core/libxml/libxml2.inc | 2 +
.../libxml/libxml2/CVE-2015-7942.patch | 55 +++++++++
.../libxml/libxml2/CVE-2015-8035.patch | 41 +++++++
...ne63-003.patch => readline-cve-2014-2524.patch} | 0
meta/recipes-core/readline/readline_6.3.bb | 2 +-
.../binutils/binutils/binutils-octeon3.patch | 2 +-
...ng_util-New-file-with-bin_to_hex-function.patch | 122 ++++++++++++++++++++
.../opkg/0002-md5-Add-md5_to_string-function.patch | 110 ++++++++++++++++++
...0003-sha256-Add-sha256_to_string-function.patch | 110 ++++++++++++++++++
...4-opkg_download-Use-short-cache-file-name.patch | 85 ++++++++++++++
meta/recipes-devtools/opkg/opkg_0.3.0.bb | 4 +
...option.patch => libarchive-CVE-2015-2304.patch} | 0
.../libarchive/libarchive_3.1.2.bb | 2 +-
...nzip-6.0_overflow3.diff => cve-2014-9636.patch} | 0
meta/recipes-extended/unzip/unzip_6.0.bb | 2 +-
.../files/libsndfile-fix-CVE-2014-9756.patch | 24 ++++
.../libsndfile/libsndfile1_1.0.25.bb | 1 +
.../libxslt/libxslt/CVE-2015-7995.patch | 33 ++++++
meta/recipes-support/libxslt/libxslt_1.1.28.bb | 3 +-
19 files changed, 593 insertions(+), 5 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
rename meta/recipes-core/readline/readline-6.3/{readline63-003.patch => readline-cve-2014-2524.patch} (100%)
create mode 100644 meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch
create mode 100644 meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch
create mode 100644 meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch
create mode 100644 meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch
rename meta/recipes-extended/libarchive/libarchive/{0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch => libarchive-CVE-2015-2304.patch} (100%)
rename meta/recipes-extended/unzip/unzip/{unzip-6.0_overflow3.diff => cve-2014-9636.patch} (100%)
create mode 100644 meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
--
1.7.9.5
^ permalink raw reply [flat|nested] 11+ messages in thread* [PATCH 1/8] opkg: add cache filename length fixes 2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang @ 2015-12-01 9:44 ` Robert Yang 2015-12-01 9:44 ` [PATCH 2/8] binutils: Fix octeon3 disassembly patch Robert Yang ` (6 subsequent siblings) 7 siblings, 0 replies; 11+ messages in thread From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw) To: openembedded-core From: Alejandro del Castillo <alejandro.delcastillo@ni.com> (From OE-Core master rev: 8e53500a7c05204fc63759f456639545a022e82b) Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- ...ng_util-New-file-with-bin_to_hex-function.patch | 122 ++++++++++++++++++++ .../opkg/0002-md5-Add-md5_to_string-function.patch | 110 ++++++++++++++++++ ...0003-sha256-Add-sha256_to_string-function.patch | 110 ++++++++++++++++++ ...4-opkg_download-Use-short-cache-file-name.patch | 85 ++++++++++++++ meta/recipes-devtools/opkg/opkg_0.3.0.bb | 4 + 5 files changed, 431 insertions(+) create mode 100644 meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch create mode 100644 meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch create mode 100644 meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch create mode 100644 meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch diff --git a/meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch b/meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch new file mode 100644 index 0000000..fb3ac46 --- /dev/null +++ b/meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch 
@@ -0,0 +1,122 @@ +From 646b80024567a6245c598be3374653fa1fa09a12 Mon Sep 17 00:00:00 2001 +From: Paul Barker <paul@paulbarker.me.uk> +Date: Sat, 7 Nov 2015 10:23:49 +0000 +Subject: [PATCH 1/4] string_util: New file with bin_to_hex function + +This function does very simple conversion from binary data to a hex string. + +Signed-off-by: Paul Barker <paul@paulbarker.me.uk> +Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> + +Upstream-Status: Accepted +--- + libopkg/Makefile.am | 4 ++-- + libopkg/string_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + libopkg/string_util.h | 24 ++++++++++++++++++++++++ + 3 files changed, 68 insertions(+), 2 deletions(-) + create mode 100644 libopkg/string_util.c + create mode 100644 libopkg/string_util.h + +diff --git a/libopkg/Makefile.am b/libopkg/Makefile.am +index ee3fbee..3e62c24 100644 +--- a/libopkg/Makefile.am ++++ b/libopkg/Makefile.am +@@ -13,7 +13,7 @@ opkg_headers = active_list.h cksum_list.h conffile.h conffile_list.h \ + pkg_depends.h pkg_dest.h pkg_dest_list.h pkg_extract.h pkg_hash.h \ + pkg_parse.h pkg_src.h pkg_src_list.h pkg_vec.h release.h \ + release_parse.h sha256.h sprintf_alloc.h str_list.h void_list.h \ +- xregex.h xsystem.h xfuncs.h opkg_verify.h ++ xregex.h xsystem.h xfuncs.h opkg_verify.h string_util.h + + opkg_sources = opkg_cmd.c opkg_configure.c opkg_download.c \ + opkg_install.c opkg_remove.c opkg_conf.c release.c \ +@@ -23,7 +23,7 @@ opkg_sources = opkg_cmd.c opkg_configure.c opkg_download.c \ + pkg_src.c pkg_src_list.c str_list.c void_list.c active_list.c \ + file_util.c opkg_message.c md5.c parse_util.c cksum_list.c \ + sprintf_alloc.c xregex.c xsystem.c xfuncs.c opkg_archive.c \ +- opkg_verify.c ++ opkg_verify.c string_util.c + + if HAVE_CURL + opkg_sources += opkg_download_curl.c +diff --git a/libopkg/string_util.c b/libopkg/string_util.c +new file mode 100644 +index 0000000..822cab6 +--- /dev/null ++++ b/libopkg/string_util.c +@@ -0,0 +1,42 @@ ++/* vi: set expandtab sw=4 
sts=4: */ ++/* string_util.c - convenience routines for common string operations ++ ++ Copyright (C) 2015 Paul Barker ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License as ++ published by the Free Software Foundation; either version 2, or (at ++ your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, but ++ WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ General Public License for more details. ++*/ ++ ++#include "config.h" ++ ++#include "string_util.h" ++#include "xfuncs.h" ++ ++char *bin_to_hex(const void *bin_data, size_t len) ++{ ++ const unsigned char *src = (const unsigned char *)bin_data; ++ char *buf = xmalloc(2 * len + 1); ++ int i; ++ ++ static const unsigned char bin2hex[16] = { ++ '0', '1', '2', '3', ++ '4', '5', '6', '7', ++ '8', '9', 'a', 'b', ++ 'c', 'd', 'e', 'f' ++ }; ++ ++ for (i = 0; i < len; i++) { ++ buf[i * 2] = bin2hex[src[i] >> 4]; ++ buf[i * 2 + 1] = bin2hex[src[i] & 0xf]; ++ } ++ ++ buf[len * 2] = '\0'; ++ return buf; ++} +diff --git a/libopkg/string_util.h b/libopkg/string_util.h +new file mode 100644 +index 0000000..a920e2a +--- /dev/null ++++ b/libopkg/string_util.h +@@ -0,0 +1,24 @@ ++/* vi: set expandtab sw=4 sts=4: */ ++/* string_util.h - convenience routines for common file operations ++ ++ Copyright (C) 2015 Paul Barker ++ ++ This program is free software; you can redistribute it and/or ++ modify it under the terms of the GNU General Public License as ++ published by the Free Software Foundation; either version 2, or (at ++ your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, but ++ WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ General Public License for more details. 
++*/ ++ ++#ifndef STRING_UTIL_H ++#define STRING_UTIL_H ++ ++#include <stddef.h> ++ ++char *bin_to_hex(const void *bin_data, size_t len); ++ ++#endif /* STRING_UTIL_H */ +-- +1.9.1 + diff --git a/meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch b/meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch new file mode 100644 index 0000000..3b823c6 --- /dev/null +++ b/meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch 
@@ -0,0 +1,110 @@ +From ecad8afab377d8be95eeaafc08afa228c8e030c3 Mon Sep 17 00:00:00 2001 +From: Paul Barker <paul@paulbarker.me.uk> +Date: Sat, 7 Nov 2015 10:23:50 +0000 +Subject: [PATCH 2/4] md5: Add md5_to_string function + +Signed-off-by: Paul Barker <paul@paulbarker.me.uk> +Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> + +Upstream-Status: Accepted +--- + libopkg/file_util.c | 28 +++------------------------- + libopkg/md5.c | 7 +++++++ + libopkg/md5.h | 3 +++ + 3 files changed, 13 insertions(+), 25 deletions(-) + +diff --git a/libopkg/file_util.c b/libopkg/file_util.c +index 5eff469..cb3dbf0 100644 +--- a/libopkg/file_util.c ++++ b/libopkg/file_util.c +@@ -349,27 +349,13 @@ int file_mkdir_hier(const char *path, long mode) + + char *file_md5sum_alloc(const char *file_name) + { +- static const int md5sum_bin_len = 16; +- static const int md5sum_hex_len = 32; +- +- static const unsigned char bin2hex[16] = { +- '0', '1', '2', '3', +- '4', '5', '6', '7', +- '8', '9', 'a', 'b', +- 'c', 'd', 'e', 'f' +- }; +- +- int i, err; ++ int err; + FILE *file; +- char *md5sum_hex; +- unsigned char md5sum_bin[md5sum_bin_len]; +- +- md5sum_hex = xcalloc(1, md5sum_hex_len + 1); ++ unsigned char md5sum_bin[16]; + + file = fopen(file_name, "r"); + if (file == NULL) { + opkg_perror(ERROR, "Failed to open file %s", file_name); +- free(md5sum_hex); + return NULL; + } + +@@ -377,20 +363,12 @@ char *file_md5sum_alloc(const char *file_name) + if (err) { + opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name); + fclose(file); +- free(md5sum_hex); + return NULL; + } + + fclose(file); + +- for (i = 0; i < md5sum_bin_len; i++) { +- md5sum_hex[i * 2] = bin2hex[md5sum_bin[i] >> 4]; +- md5sum_hex[i * 2 + 1] = bin2hex[md5sum_bin[i] & 0xf]; +- } +- +- md5sum_hex[md5sum_hex_len] = '\0'; +- +- return md5sum_hex; ++ return md5_to_string(md5sum_bin); + } + + #ifdef HAVE_SHA256 +diff --git a/libopkg/md5.c b/libopkg/md5.c +index d476b8b..bc2b229 100644 +--- a/libopkg/md5.c 
++++ b/libopkg/md5.c +@@ -30,6 +30,8 @@ + #include <string.h> + #include <sys/types.h> + ++#include "string_util.h" ++ + #if USE_UNLOCKED_IO + #include "unlocked-io.h" + #endif +@@ -431,3 +433,8 @@ void md5_process_block(const void *buffer, size_t len, struct md5_ctx *ctx) + ctx->C = C; + ctx->D = D; + } ++ ++char *md5_to_string(const void *md5sum_bin) ++{ ++ return bin_to_hex(md5sum_bin, 16); ++} +diff --git a/libopkg/md5.h b/libopkg/md5.h +index 01320f5..2a7274d 100644 +--- a/libopkg/md5.h ++++ b/libopkg/md5.h +@@ -118,6 +118,9 @@ extern int __md5_stream(FILE * stream, void *resblock) __THROW; + extern void *__md5_buffer(const char *buffer, size_t len, + void *resblock) __THROW; + ++/* Convert a binary md5sum value to an ASCII string. */ ++char *md5_to_string(const void *md5sum_bin); ++ + #ifdef __cplusplus + } + #endif +-- +1.9.1 + diff --git a/meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch b/meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch new file mode 100644 index 0000000..16e82d7 --- /dev/null +++ b/meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch 
@@ -0,0 +1,110 @@ +From 92e8378103bba3b91f2dec4e6fda3e1755a7c0fd Mon Sep 17 00:00:00 2001 +From: Paul Barker <paul@paulbarker.me.uk> +Date: Sat, 7 Nov 2015 10:23:51 +0000 +Subject: [PATCH 3/4] sha256: Add sha256_to_string function + +Signed-off-by: Paul Barker <paul@paulbarker.me.uk> +Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> + +Upstream-Status: Accepted +--- + libopkg/file_util.c | 28 +++------------------------- + libopkg/sha256.c | 7 +++++++ + libopkg/sha256.h | 3 +++ + 3 files changed, 13 insertions(+), 25 deletions(-) + +diff --git a/libopkg/file_util.c b/libopkg/file_util.c +index cb3dbf0..864aedb 100644 +--- a/libopkg/file_util.c ++++ b/libopkg/file_util.c +@@ -374,27 +374,13 @@ char *file_md5sum_alloc(const char *file_name) + #ifdef HAVE_SHA256 + char *file_sha256sum_alloc(const char *file_name) + { +- static const int sha256sum_bin_len = 32; +- static const int sha256sum_hex_len = 64; +- +- static const unsigned char bin2hex[16] = { +- '0', '1', '2', '3', +- '4', '5', '6', '7', +- '8', '9', 'a', 'b', +- 'c', 'd', 'e', 'f' +- }; +- +- int i, err; ++ int err; + FILE *file; +- char *sha256sum_hex; +- unsigned char sha256sum_bin[sha256sum_bin_len]; +- +- sha256sum_hex = xcalloc(1, sha256sum_hex_len + 1); ++ unsigned char sha256sum_bin[32]; + + file = fopen(file_name, "r"); + if (file == NULL) { + opkg_perror(ERROR, "Failed to open file %s", file_name); +- free(sha256sum_hex); + return NULL; + } + +@@ -402,20 +388,12 @@ char *file_sha256sum_alloc(const char *file_name) + if (err) { + opkg_msg(ERROR, "Could't compute sha256sum for %s.\n", file_name); + fclose(file); +- free(sha256sum_hex); + return NULL; + } + + fclose(file); + +- for (i = 0; i < sha256sum_bin_len; i++) { +- sha256sum_hex[i * 2] = bin2hex[sha256sum_bin[i] >> 4]; +- sha256sum_hex[i * 2 + 1] = bin2hex[sha256sum_bin[i] & 0xf]; +- } +- +- sha256sum_hex[sha256sum_hex_len] = '\0'; +- +- return sha256sum_hex; ++ return sha256_to_string(sha256sum_bin); + } + + #endif +diff 
--git a/libopkg/sha256.c b/libopkg/sha256.c +index 0816858..bceed72 100644 +--- a/libopkg/sha256.c ++++ b/libopkg/sha256.c +@@ -29,6 +29,8 @@ + #include <stddef.h> + #include <string.h> + ++#include "string_util.h" ++ + #if USE_UNLOCKED_IO + #include "unlocked-io.h" + #endif +@@ -517,3 +519,8 @@ void sha256_process_block(const void *buffer, size_t len, + h = ctx->state[7] += h; + } + } ++ ++char *sha256_to_string(const void *sha256sum_bin) ++{ ++ return bin_to_hex(sha256sum_bin, 32); ++} +diff --git a/libopkg/sha256.h b/libopkg/sha256.h +index 734ab54..0d1e9e5 100644 +--- a/libopkg/sha256.h ++++ b/libopkg/sha256.h +@@ -85,6 +85,9 @@ extern int sha224_stream(FILE * stream, void *resblock); + extern void *sha256_buffer(const char *buffer, size_t len, void *resblock); + extern void *sha224_buffer(const char *buffer, size_t len, void *resblock); + ++/* Convert a binary sha256sum value to an ASCII string. */ ++char *sha256_to_string(const void *sha256sum_bin); ++ + #ifdef __cplusplus + } + #endif +-- +1.9.1 + diff --git a/meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch b/meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch new file mode 100644 index 0000000..7ea661d --- /dev/null +++ b/meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch 
@@ -0,0 +1,85 @@ +From 61636f15718edc7ea17b91f22f1d97b905eaf951 Mon Sep 17 00:00:00 2001 +From: Paul Barker <paul@paulbarker.me.uk> +Date: Sat, 7 Nov 2015 10:23:52 +0000 +Subject: [PATCH 4/4] opkg_download: Use short cache file name + +Source URIs can be very long. The cache directory itself may already have a very +long path, especially if we're installing packages into an offline rootfs. +Therefore it's not a good idea to simply tag the source URI onto the cache +directory path to create a cache file name. + +To create shorter cache file names which are deterministic and very likely to be +unique, we use the md5sum of the source URI along with the basename of the +source URI. The basename is length limited to ensure that it the resulting +filename length is always reasonable. + +Signed-off-by: Paul Barker <paul@paulbarker.me.uk> +Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com> + +Upstream-Status: Accepted +--- + libopkg/opkg_download.c | 35 ++++++++++++++++++++++++++++------- + 1 file changed, 28 insertions(+), 7 deletions(-) + +diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c +index e9b86a5..a37b10d 100644 +--- a/libopkg/opkg_download.c ++++ b/libopkg/opkg_download.c +@@ -29,10 +29,18 @@ + #include "opkg_verify.h" + #include "opkg_utils.h" + ++#include "md5.h" + #include "sprintf_alloc.h" + #include "file_util.h" + #include "xfuncs.h" + ++/* Limit the short file name used to generate cache file names to 90 characters ++ * so that when added to the md5sum (32 characters) and an underscore, the ++ * resulting length is below 128 characters. The maximum file name length ++ * differs between plaforms but 128 characters should be reasonable. 
++ */ ++#define MAX_SHORT_FILE_NAME_LENGTH 90 ++ + static int opkg_download_set_env() + { + int r; +@@ -135,15 +143,28 @@ int opkg_download_internal(const char *src, const char *dest, + */ + char *get_cache_location(const char *src) + { +- char *cache_name = xstrdup(src); +- char *cache_location, *p; ++ unsigned char md5sum_bin[16]; ++ char *md5sum_hex; ++ char *cache_location; ++ char *short_file_name; ++ char *tmp = xstrdup(src); + +- for (p = cache_name; *p; p++) +- if (*p == '/') +- *p = '_'; ++ md5_buffer(src, strlen(src), md5sum_bin); ++ md5sum_hex = md5_to_string(md5sum_bin); + +- sprintf_alloc(&cache_location, "%s/%s", opkg_config->cache_dir, cache_name); +- free(cache_name); ++ /* Generate a short file name which will be used along with an md5sum of the ++ * full src URI in the cache file name. This short file name is limited to ++ * MAX_SHORT_FILE_NAME_LENGTH to ensure that the total cache file name ++ * length is reasonable. ++ */ ++ short_file_name = basename(tmp); ++ if (strlen(short_file_name) > MAX_SHORT_FILE_NAME_LENGTH) ++ short_file_name[MAX_SHORT_FILE_NAME_LENGTH] = '\0'; ++ ++ sprintf_alloc(&cache_location, "%s/%s_%s", opkg_config->cache_dir, ++ md5sum_hex, short_file_name); ++ free(md5sum_hex); ++ free(tmp); + return cache_location; + } + +-- +1.9.1 + diff --git a/meta/recipes-devtools/opkg/opkg_0.3.0.bb b/meta/recipes-devtools/opkg/opkg_0.3.0.bb index 588250e..5ad3e92 100644 --- a/meta/recipes-devtools/opkg/opkg_0.3.0.bb +++ b/meta/recipes-devtools/opkg/opkg_0.3.0.bb 
@@ -17,6 +17,10 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz file://0001-opkg_archive-add-support-for-empty-compressed-files.patch \ file://0001-libopkg-include-stdio.h-for-getting-FILE-defined.patch \ file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \ + file://0001-string_util-New-file-with-bin_to_hex-function.patch \ + file://0002-md5-Add-md5_to_string-function.patch \ + file://0003-sha256-Add-sha256_to_string-function.patch \ + file://0004-opkg_download-Use-short-cache-file-name.patch \ " SRC_URI[md5sum] = "3412cdc71d78b98facc84b19331ec64e" -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 11+ messages in thread
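Review bot: In the new libopkg/string_util.c (0001), bin_to_hex() declares the loop counter as `int i` and compares it with `size_t len`, which is a signed/unsigned comparison and cannot index past INT_MAX; declare it `size_t i`. `xmalloc(2 * len + 1)` has no overflow guard, which does not matter for the 16- and 32-byte callers added in 0002 and 0003 but deserves a check or a comment because the function is exported as a general helper. The header comment in string_util.h says "common file operations" while string_util.c says "common string operations"; the two should agree.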
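Review bot: md5_to_string() in md5.c (0002) and sha256_to_string() in sha256.c (0003) take a bare `const void *` and always read 16 or 32 bytes from it, so a caller that passes a shorter buffer over-reads with nothing for the compiler to check. The comments added to md5.h and sha256.h should state the required input length and that the returned string is allocated and must be freed by the caller, which is what file_md5sum_alloc() and get_cache_location() rely on.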
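Review bot: In get_cache_location() (0004), `basename(tmp)` is called but the hunk adds only `#include "md5.h"`, so which basename() is in effect depends on headers outside the visible lines; the POSIX version may modify its argument or return a pointer to internal storage, and the next statement writes a '\0' through the returned pointer. Copying the result into a local buffer bounded by MAX_SHORT_FILE_NAME_LENGTH would make the truncation safe under either variant. The cache name's uniqueness rests on MD5 of the URI, which the commit message describes as "very likely to be unique"; that covers accidental collisions only, so the message should say whether a cached file is verified again before it is used. Typos to fix upstream: "plaforms" in the new comment and "that it the resulting" in the commit message.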
* [PATCH 2/8] binutils: Fix octeon3 disassembly patch 2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang 2015-12-01 9:44 ` [PATCH 1/8] opkg: add cache filename length fixes Robert Yang @ 2015-12-01 9:44 ` Robert Yang 2015-12-01 9:44 ` [PATCH 3/8] libarchive: rename patch to reflect CVE Robert Yang ` (5 subsequent siblings) 7 siblings, 0 replies; 11+ messages in thread From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw) To: openembedded-core From: Mark Hatle <mark.hatle@windriver.com> The structure has apparently changed, and there was a missing setting. This corrects a segfault when disassembling code. (From OE-Core master rev: 2e8f1ffe3a8d7740b0ac68eefbba3fe28f7ba6d4) Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- .../binutils/binutils/binutils-octeon3.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch b/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch index 6108c0d..4e8c69f 100644 --- a/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch +++ b/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch @@ -229,7 +229,7 @@ Index: git/opcodes/mips-dis.c + { "octeon3", 1, bfd_mach_mips_octeon3, CPU_OCTEON3, + ISA_MIPS64R2 | INSN_OCTEON3, ASE_VIRT | ASE_VIRT64, + mips_cp0_names_numeric, -+ NULL, 0, mips_hwr_names_numeric }, ++ NULL, 0, mips_cp1_names_mips3264, mips_hwr_names_numeric }, + { "xlr", 1, bfd_mach_mips_xlr, CPU_XLR, ISA_MIPS64 | INSN_XLR, 0, -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 11+ messages in thread
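Review bot: The corrected `octeon3` entry is still a positional initializer, which is how the missing member went unnoticed: without `mips_cp1_names_mips3264` the entry had one value too few, `mips_hwr_names_numeric` landed in the preceding slot and the last member was left zero-initialized. The commit message says the structure has "apparently changed"; please name the binutils change that added the member so the next rebase of binutils-octeon3.patch can be checked against it, and confirm that `mips_cp1_names_mips3264` is the intended table for this CPU given that the same entry uses the numeric tables for cp0 and hwr.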
* [PATCH 3/8] libarchive: rename patch to reflect CVE 2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang 2015-12-01 9:44 ` [PATCH 1/8] opkg: add cache filename length fixes Robert Yang 2015-12-01 9:44 ` [PATCH 2/8] binutils: Fix octeon3 disassembly patch Robert Yang @ 2015-12-01 9:44 ` Robert Yang 2015-12-01 9:44 ` [PATCH 4/8] readline: rename patch to contain CVE reference Robert Yang ` (4 subsequent siblings) 7 siblings, 0 replies; 11+ messages in thread From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw) To: openembedded-core From: Ross Burton <ross.burton@intel.com> This patch is a CVE fix, so rename it to help CVE detection tools identify it as such. (From OE-Core master rev: 3fd05ce1f709cbbd8fdeb1dbfdffbd39922eca6e) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- ...option.patch => libarchive-CVE-2015-2304.patch} | 0 .../libarchive/libarchive_3.1.2.bb | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-extended/libarchive/libarchive/{0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch => libarchive-CVE-2015-2304.patch} (100%) diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch b/meta/recipes-extended/libarchive/libarchive/libarchive-CVE-2015-2304.patch similarity index 100% rename from meta/recipes-extended/libarchive/libarchive/0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch rename to meta/recipes-extended/libarchive/libarchive/libarchive-CVE-2015-2304.patch diff --git a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb index aaa3255..716db9a 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb 
@@ -32,7 +32,7 @@ PACKAGECONFIG[nettle] = "--with-nettle,--without-nettle,nettle," SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://libarchive-CVE-2013-0211.patch \ file://pkgconfig.patch \ - file://0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch \ + file://libarchive-CVE-2015-2304.patch \ file://mkdir.patch \ " -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 11+ messages in thread
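Review bot: The rename is recorded at 100% similarity, so after this change the CVE id appears only in the file name and in the SRC_URI line; if the patch header does not already mention CVE-2015-2304, add a line there so the fix stays identifiable when the file is read on its own or carried forward under another name. The old name described what the patch does (ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS); repeating that in the commit message would keep the description from being lost.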
* [PATCH 4/8] readline: rename patch to contain CVE reference 2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang ` (2 preceding siblings ...) 2015-12-01 9:44 ` [PATCH 3/8] libarchive: rename patch to reflect CVE Robert Yang @ 2015-12-01 9:44 ` Robert Yang 2015-12-01 9:44 ` [PATCH 5/8] unzip: rename patch to reflect CVE fix Robert Yang ` (3 subsequent siblings) 7 siblings, 0 replies; 11+ messages in thread From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw) To: openembedded-core From: Ross Burton <ross.burton@intel.com> To help automated scanning of CVEs, put the CVE ID in the filename. (From OE-Core master rev: 211bce4f23230c7898cccdb73b582420f830f977) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- ...ne63-003.patch => readline-cve-2014-2524.patch} | 0 meta/recipes-core/readline/readline_6.3.bb | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-core/readline/readline-6.3/{readline63-003.patch => readline-cve-2014-2524.patch} (100%) diff --git a/meta/recipes-core/readline/readline-6.3/readline63-003.patch b/meta/recipes-core/readline/readline-6.3/readline-cve-2014-2524.patch similarity index 100% rename from meta/recipes-core/readline/readline-6.3/readline63-003.patch rename to meta/recipes-core/readline/readline-6.3/readline-cve-2014-2524.patch diff --git a/meta/recipes-core/readline/readline_6.3.bb b/meta/recipes-core/readline/readline_6.3.bb index 6ba1c18..fc362ae 100644 --- a/meta/recipes-core/readline/readline_6.3.bb +++ b/meta/recipes-core/readline/readline_6.3.bb 
@@ -1,6 +1,6 @@ require readline.inc -SRC_URI += "file://readline63-003.patch;striplevel=0 \ +SRC_URI += "file://readline-cve-2014-2524.patch;striplevel=0 \ file://readline-dispatch-multikey.patch" SRC_URI[archive.md5sum] = "33c8fb279e981274f485fd91da77e94a" -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 11+ messages in thread
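Review bot: `readline-cve-2014-2524.patch` spells the id with a lower-case `cve`, while 3/8 in this series uses `libarchive-CVE-2015-2304.patch`; a scanner that matches the identifier in its published upper-case form would miss this file. Use one spelling across the series, or state in the commit message that matching is expected to be case-insensitive.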
* [PATCH 5/8] unzip: rename patch to reflect CVE fix 2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang ` (3 preceding siblings ...) 2015-12-01 9:44 ` [PATCH 4/8] readline: rename patch to contain CVE reference Robert Yang @ 2015-12-01 9:44 ` Robert Yang 2015-12-01 9:44 ` [PATCH 6/8] libxslt: CVE-2015-7995 Robert Yang ` (2 subsequent siblings) 7 siblings, 0 replies; 11+ messages in thread From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw) To: openembedded-core From: Ross Burton <ross.burton@intel.com> (From OE-Core rev: e3d2974348bd830ec2fcf84ea08cbf38abbc0327) (master rev: 78e05984b1ac48b1f25547ccd9740611cd5890a9) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- ...nzip-6.0_overflow3.diff => cve-2014-9636.patch} | 0 meta/recipes-extended/unzip/unzip_6.0.bb | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-extended/unzip/unzip/{unzip-6.0_overflow3.diff => cve-2014-9636.patch} (100%) diff --git a/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff b/meta/recipes-extended/unzip/unzip/cve-2014-9636.patch similarity index 100% rename from meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff rename to meta/recipes-extended/unzip/unzip/cve-2014-9636.patch diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 9e63d3a..b386323 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb 
@@ -10,7 +10,7 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \ file://avoid-strip.patch \ file://define-ldflags.patch \ file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \ - file://unzip-6.0_overflow3.diff \ + file://cve-2014-9636.patch \ file://09-cve-2014-8139-crc-overflow.patch \ file://10-cve-2014-8140-test-compr-eb.patch \ file://11-cve-2014-8141-getzip64data.patch \ -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 11+ messages in thread
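Review bot: The commit message has no body; say which CVE the patch fixes and why the file is renamed, as 3/8 and 4/8 do. `cve-2014-9636.patch` also drops the short description that the neighbouring entries in this SRC_URI keep next to the id (`09-cve-2014-8139-crc-overflow.patch`, `10-cve-2014-8140-test-compr-eb.patch`), so the name alone no longer says what was fixed; keeping a descriptive suffix after the id would match the entries around it.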
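Patches 3/8 to 5/8 rename files so that tools can find CVE fixes by file name. As an added example (not code from OE-Core or from this thread), the following sketch of such a scan over a recipe's SRC_URI shows why the mixed `CVE-`/`cve-` spellings in this series need case-insensitive matching; the sample recipe text is constructed from SRC_URI entries quoted in the patches above, and all function names are hypothetical.

```python
import re

# SRC_URI assignments (=, +=, =+, ?=, :=, .=); "SRC_URI[md5sum] = ..." flags
# do not match because "[" follows the variable name.
ASSIGN_RE = re.compile(
    r'^SRC_URI\s*(?:\+=|=\+|\?=|:=|\.=|=)\s*"([^"]*)"', re.MULTILINE)

# CVE identifier in its published form.
CVE_PATTERN = r"CVE-\d{4}-\d{4,}"

# Constructed sample: entries copied from the SRC_URI lines in this series,
# merged into one text for the demonstration.
SAMPLE_RECIPE = r'''
SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
           file://libarchive-CVE-2013-0211.patch \
           file://pkgconfig.patch \
           file://libarchive-CVE-2015-2304.patch \
           file://mkdir.patch \
           "
SRC_URI += "file://readline-cve-2014-2524.patch;striplevel=0 \
            file://readline-dispatch-multikey.patch"
SRC_URI += "file://cve-2014-9636.patch \
            file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch"
SRC_URI[md5sum] = "3412cdc71d78b98facc84b19331ec64e"
'''


def patch_names(recipe_text):
    """Return local patch file names listed in SRC_URI, in order."""
    names = []
    for value in ASSIGN_RE.findall(recipe_text):
        # Line-continuation backslashes are only separators here.
        for token in value.replace("\\", " ").split():
            if not token.startswith("file://"):
                continue
            # Drop fetcher parameters such as ";striplevel=0".
            name = token[len("file://"):].split(";", 1)[0]
            if name.endswith((".patch", ".diff")):
                names.append(name)
    return names


def scan(recipe_text, ignore_case=True):
    """Split patches into {name: [CVE ids]} and a list without any id."""
    cve_re = re.compile(CVE_PATTERN, re.IGNORECASE if ignore_case else 0)
    tagged, untagged = {}, []
    for name in patch_names(recipe_text):
        ids = sorted({m.upper() for m in cve_re.findall(name)})
        if ids:
            tagged[name] = ids
        else:
            untagged.append(name)
    return tagged, untagged


def missed_by_case_sensitive(recipe_text):
    """Patches whose CVE id is found only when case is ignored."""
    loose, _ = scan(recipe_text, ignore_case=True)
    strict, _ = scan(recipe_text, ignore_case=False)
    return sorted(set(loose) - set(strict))


if __name__ == "__main__":
    tagged, untagged = scan(SAMPLE_RECIPE)
    for name, ids in tagged.items():
        print(f"{name}: {', '.join(ids)}")
    print("no CVE id in name:", ", ".join(untagged))
    print("missed by a case-sensitive scan:",
          ", ".join(missed_by_case_sensitive(SAMPLE_RECIPE)))
```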
* [PATCH 6/8] libxslt: CVE-2015-7995 2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang ` (4 preceding siblings ...) 2015-12-01 9:44 ` [PATCH 5/8] unzip: rename patch to reflect CVE fix Robert Yang @ 2015-12-01 9:44 ` Robert Yang 2015-12-01 9:44 ` [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 Robert Yang 2015-12-01 9:44 ` [PATCH 8/8] libsndfile: fix CVE-2014-9756 Robert Yang 7 siblings, 0 replies; 11+ messages in thread From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw) To: openembedded-core From: Armin Kuster <akuster@mvista.com> This is being given a High rating so please consider it for all 1.1.28 versions. A type confusion error within the libxslt "xsltStylePreCompute()" function in preproc.c can lead to a DoS. Confirmed in version 1.1.28, other versions may also be affected. (From OE-Core master rev: 0f89bbab6588a1171259801fa879516740030acb) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- .../libxslt/libxslt/CVE-2015-7995.patch | 33 ++++++++++++++++++++ meta/recipes-support/libxslt/libxslt_1.1.28.bb | 3 +- 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch new file mode 100644 index 0000000..e4d09c2 --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch 
@@ -0,0 +1,33 @@ +From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Thu, 29 Oct 2015 19:33:23 +0800 +Subject: Fix for type confusion in preprocessing attributes + +CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10 +We need to check that the parent node is an element before dereferencing +its namespace + +Upstream-Status: Backport + +https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + libxslt/preproc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: libxslt-1.1.28/libxslt/preproc.c +=================================================================== +--- libxslt-1.1.28.orig/libxslt/preproc.c ++++ libxslt-1.1.28/libxslt/preproc.c +@@ -2245,7 +2245,8 @@ xsltStylePreCompute(xsltStylesheetPtr st + } else if (IS_XSLT_NAME(inst, "attribute")) { + xmlNodePtr parent = inst->parent; + +- if ((parent == NULL) || (parent->ns == NULL) || ++ if ((parent == NULL) || ++ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) || + ((parent->ns != inst->ns) && + (!xmlStrEqual(parent->ns->href, inst->ns->href))) || + (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) { diff --git a/meta/recipes-support/libxslt/libxslt_1.1.28.bb b/meta/recipes-support/libxslt/libxslt_1.1.28.bb index 166bcd8..87fabec 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.28.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.28.bb @@ -10,7 +10,8 @@ DEPENDS = "libxml2" SRC_URI = "ftp://xmlsoft.org/libxslt//libxslt-${PV}.tar.gz \ file://pkgconfig_fix.patch \ - file://pkgconfig.patch" + file://pkgconfig.patch \ + file://CVE-2015-7995.patch" SRC_URI[md5sum] = "9667bf6f9310b957254fdcf6596600b7" SRC_URI[sha256sum] = "5fc7151a57b89c03d7b825df5a0fae0a8d5f05674c0e7cf2937ecec4d54a028c" -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 11+ messages in thread
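Review bot: In the preproc.c hunk, the new `parent->type != XML_ELEMENT_NODE` test is effective only because it sits before `parent->ns == NULL` in the `||` chain, so a non-element parent is rejected before `parent->ns` is read; a one-line comment saying the order matters would keep a later reformat from moving it. The hunk guards only the `attribute` branch of xsltStylePreCompute(), so please confirm that no other branch of the function reads `inst->parent->ns` without the same type check.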
* [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang ` (5 preceding siblings ...) 2015-12-01 9:44 ` [PATCH 6/8] libxslt: CVE-2015-7995 Robert Yang @ 2015-12-01 9:44 ` Robert Yang 2015-12-01 22:48 ` Andre McCurdy 2015-12-01 9:44 ` [PATCH 8/8] libsndfile: fix CVE-2014-9756 Robert Yang 7 siblings, 1 reply; 11+ messages in thread From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw) To: openembedded-core From: Armin Kuster <akuster@mvista.com> CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections() CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled [YOCTO #8641] (From OE-Core master rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- meta/recipes-core/libxml/libxml2.inc | 2 + .../libxml/libxml2/CVE-2015-7942.patch | 55 ++++++++++++++++++++ .../libxml/libxml2/CVE-2015-8035.patch | 41 +++++++++++++++ 3 files changed, 98 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc index 1c3c37d..6ada401 100644 --- a/meta/recipes-core/libxml/libxml2.inc +++ b/meta/recipes-core/libxml/libxml2.inc @@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ file://libxml-m4-use-pkgconfig.patch \ file://configure.ac-fix-cross-compiling-warning.patch \ file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \ + file://CVE-2015-7942.patch \ + file://CVE-2015-8035.patch \ " BINCONFIG = "${bindir}/xml2-config" 
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch new file mode 100644 index 0000000..a5930ed --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch @@ -0,0 +1,55 @@ +libxml2: CVE-2015-7942 + +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 23 Feb 2015 11:29:20 +0800 +Subject: Cleanup conditional section error handling + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +The error handling of Conditional Section also need to be +straightened as the structure of the document can't be +guessed on a failure there and it's better to stop parsing +as further errors are likely to be irrelevant. + +Upstream-Status: Backport +https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 + +[YOCTO #8641] +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + parser.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: libxml2-2.9.2/parser.c +=================================================================== +--- libxml2-2.9.2.orig/parser.c ++++ libxml2-2.9.2/parser.c +@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx + + } else { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); ++ xmlStopParser(ctxt); ++ return; + } + + if (RAW == 0) 
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch new file mode 100644 index 0000000..d175f74 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch @@ -0,0 +1,41 @@ +libxml2: CVE-2015-8035 + +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 3 Nov 2015 15:31:25 +0800 +Subject: CVE-2015-8035 Fix XZ compression support loop + +For https://bugzilla.gnome.org/show_bug.cgi?id=757466 +DoS when parsing specially crafted XML document if XZ support +is compiled in (which wasn't the case for 2.9.2 and master since +Nov 2013, fixed in next commit !) + +Upstream-Status: Backport +https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 + +[YOCTO #8641] + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + xzlib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/xzlib.c b/xzlib.c +index 0dcb9f4..1fab546 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state) + xz_error(state, LZMA_DATA_ERROR, "compressed data error"); + return -1; + } ++ if (ret == LZMA_PROG_ERROR) { ++ xz_error(state, LZMA_PROG_ERROR, "compression error"); ++ return -1; ++ } + } while (strm->avail_out && ret != LZMA_STREAM_END); + + /* update available output and crc check value */ +-- +cgit v0.11.2 + -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 11+ messages in thread
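Review bot: CVE-2015-7942.patch is named, and described in the commit message, as the fix for a heap-based buffer overflow in xmlParseConditionalSections(), but all three parser.c hunks only add `xmlStopParser(ctxt); return;` after an existing xmlFatalErr() call, and the upstream subject is "Cleanup conditional section error handling" for bug 744980 with no CVE mentioned. Please state in the patch header how this commit maps to the CVE and whether upstream needs a companion commit for the complete fix, so the file name does not claim more than the change delivers. The early `return` in the last hunk also skips the `if (RAW == 0)` check that follows the else block; that looks intended once the parser is stopped, but it deserves a word in the header.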
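Review bot: In the xz_decomp() hunk the loop condition `while (strm->avail_out && ret != LZMA_STREAM_END)` is unchanged, so the loop still exits on failure only for the return codes that are tested one by one (LZMA_DATA_ERROR above, LZMA_PROG_ERROR now); any other failure value from the decoder would go round again. It is worth asking upstream whether every result other than success or LZMA_STREAM_END should return -1. Two documentation points: the message string says "compression error" on a decompression path, and the patch header says XZ support was not compiled in for 2.9.2, which is the version this recipe patches (`libxml2-2.9.2/parser.c` in the sibling patch), so the commit message should say whether the jethro build is actually exposed.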
* Re: [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 2015-12-01 9:44 ` [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 Robert Yang @ 2015-12-01 22:48 ` Andre McCurdy 2015-12-03 2:43 ` Robert Yang 0 siblings, 1 reply; 11+ messages in thread From: Andre McCurdy @ 2015-12-01 22:48 UTC (permalink / raw) To: Robert Yang; +Cc: OE Core mailing list On Tue, Dec 1, 2015 at 1:44 AM, Robert Yang <liezhi.yang@windriver.com> wrote: > From: Armin Kuster <akuster@mvista.com> > > CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections() > CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled It looks like CVE-2015-7942 requires two separate patches, only one of which made it to oe-core master, plus there were a lot of the other CVE fixes committed upstream in October and November. http://www.xmlsoft.org/news.html https://git.gnome.org/browse/libxml2/log/?h=v2.9.3 > [YOCTO #8641] > > (From OE-Core master rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38) > > Signed-off-by: Armin Kuster <akuster@mvista.com> > Signed-off-by: Ross Burton <ross.burton@intel.com> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > Signed-off-by: Robert Yang <liezhi.yang@windriver.com> > --- > meta/recipes-core/libxml/libxml2.inc | 2 + > .../libxml/libxml2/CVE-2015-7942.patch | 55 ++++++++++++++++++++ > .../libxml/libxml2/CVE-2015-8035.patch | 41 +++++++++++++++ > 3 files changed, 98 insertions(+) > create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch > create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch > > diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc > index 1c3c37d..6ada401 100644 > --- a/meta/recipes-core/libxml/libxml2.inc > +++ b/meta/recipes-core/libxml/libxml2.inc 
> @@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ > file://libxml-m4-use-pkgconfig.patch \ > file://configure.ac-fix-cross-compiling-warning.patch \ > file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \ > + file://CVE-2015-7942.patch \ > + file://CVE-2015-8035.patch \ > " > > BINCONFIG = "${bindir}/xml2-config" > diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch > new file mode 100644 > index 0000000..a5930ed > --- /dev/null > +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch 
> @@ -0,0 +1,55 @@ > +libxml2: CVE-2015-7942 > + > +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 > +From: Daniel Veillard <veillard@redhat.com> > +Date: Mon, 23 Feb 2015 11:29:20 +0800 > +Subject: Cleanup conditional section error handling > + > +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 > + > +The error handling of Conditional Section also need to be > +straightened as the structure of the document can't be > +guessed on a failure there and it's better to stop parsing > +as further errors are likely to be irrelevant. > + > +Upstream-Status: Backport > +https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 > + > +[YOCTO #8641] > +Signed-off-by: Armin Kuster <akuster@mvista.com> > + > +--- > + parser.c | 6 ++++++ > + 1 file changed, 6 insertions(+) > + > +Index: libxml2-2.9.2/parser.c > +=================================================================== > +--- libxml2-2.9.2.orig/parser.c > ++++ libxml2-2.9.2/parser.c > +@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx > + SKIP_BLANKS; > + if (RAW != '[') { > + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); > ++ xmlStopParser(ctxt); > ++ return; > + } else { > + if (ctxt->input->id != id) { > + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, > +@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx > + SKIP_BLANKS; > + if (RAW != '[') { > + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); > ++ xmlStopParser(ctxt); > ++ return; > + } else { > + if (ctxt->input->id != id) { > + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, > +@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx > + > + } else { > + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); > ++ xmlStopParser(ctxt); > ++ return; > + } > + > + if (RAW == 0) > diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch > new file mode 100644 > index 0000000..d175f74 > --- /dev/null 
> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch > @@ -0,0 +1,41 @@ > +libxml2: CVE-2015-8035 > + > +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 > +From: Daniel Veillard <veillard@redhat.com> > +Date: Tue, 3 Nov 2015 15:31:25 +0800 > +Subject: CVE-2015-8035 Fix XZ compression support loop > + > +For https://bugzilla.gnome.org/show_bug.cgi?id=757466 > +DoS when parsing specially crafted XML document if XZ support > +is compiled in (which wasn't the case for 2.9.2 and master since > +Nov 2013, fixed in next commit !) > + > +Upstream-Status: Backport > +https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 > + > +[YOCTO #8641] > + > +Signed-off-by: Armin Kuster <akuster@mvista.com> > + > +--- > + xzlib.c | 4 ++++ > + 1 file changed, 4 insertions(+) > + > +diff --git a/xzlib.c b/xzlib.c > +index 0dcb9f4..1fab546 100644 > +--- a/xzlib.c > ++++ b/xzlib.c > +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state) > + xz_error(state, LZMA_DATA_ERROR, "compressed data error"); > + return -1; > + } > ++ if (ret == LZMA_PROG_ERROR) { > ++ xz_error(state, LZMA_PROG_ERROR, "compression error"); > ++ return -1; > ++ } > + } while (strm->avail_out && ret != LZMA_STREAM_END); > + > + /* update available output and crc check value */ > +-- > +cgit v0.11.2 > + > -- > 1.7.9.5 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 2015-12-01 22:48 ` Andre McCurdy @ 2015-12-03 2:43 ` Robert Yang 0 siblings, 0 replies; 11+ messages in thread From: Robert Yang @ 2015-12-03 2:43 UTC (permalink / raw) To: Andre McCurdy, Armin Kuster; +Cc: OE Core mailing list Hi Armin, On 12/02/2015 06:48 AM, Andre McCurdy wrote: > On Tue, Dec 1, 2015 at 1:44 AM, Robert Yang <liezhi.yang@windriver.com> wrote: >> From: Armin Kuster <akuster@mvista.com> >> >> CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections() >> CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled > > It looks like CVE-2015-7942 requires two separate patches, only one of > which made it to oe-core master, plus there were a lot of the other > CVE fixes committed upstream in October and November. Do you have any comments on CVE-2015-7942, please ? // Robert > > http://www.xmlsoft.org/news.html > https://git.gnome.org/browse/libxml2/log/?h=v2.9.3 > > >> [YOCTO #8641] >> >> (From OE-Core master rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38) >> >> Signed-off-by: Armin Kuster <akuster@mvista.com> >> Signed-off-by: Ross Burton <ross.burton@intel.com> >> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> >> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> >> --- >> meta/recipes-core/libxml/libxml2.inc | 2 + >> .../libxml/libxml2/CVE-2015-7942.patch | 55 ++++++++++++++++++++ >> .../libxml/libxml2/CVE-2015-8035.patch | 41 +++++++++++++++ >> 3 files changed, 98 insertions(+) >> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch >> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch >> >> diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc >> index 1c3c37d..6ada401 100644 >> --- a/meta/recipes-core/libxml/libxml2.inc >> +++ b/meta/recipes-core/libxml/libxml2.inc 
>> @@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \ >> file://libxml-m4-use-pkgconfig.patch \ >> file://configure.ac-fix-cross-compiling-warning.patch \ >> file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \ >> + file://CVE-2015-7942.patch \ >> + file://CVE-2015-8035.patch \ >> " >> >> BINCONFIG = "${bindir}/xml2-config" >> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch >> new file mode 100644 >> index 0000000..a5930ed >> --- /dev/null >> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch 
>> @@ -0,0 +1,55 @@ >> +libxml2: CVE-2015-7942 >> + >> +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 >> +From: Daniel Veillard <veillard@redhat.com> >> +Date: Mon, 23 Feb 2015 11:29:20 +0800 >> +Subject: Cleanup conditional section error handling >> + >> +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 >> + >> +The error handling of Conditional Section also need to be >> +straightened as the structure of the document can't be >> +guessed on a failure there and it's better to stop parsing >> +as further errors are likely to be irrelevant. >> + >> +Upstream-Status: Backport >> +https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 >> + >> +[YOCTO #8641] >> +Signed-off-by: Armin Kuster <akuster@mvista.com> >> + >> +--- >> + parser.c | 6 ++++++ >> + 1 file changed, 6 insertions(+) >> + >> +Index: libxml2-2.9.2/parser.c >> +=================================================================== >> +--- libxml2-2.9.2.orig/parser.c >> ++++ libxml2-2.9.2/parser.c >> +@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx >> + SKIP_BLANKS; >> + if (RAW != '[') { >> + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); >> ++ xmlStopParser(ctxt); >> ++ return; >> + } else { >> + if (ctxt->input->id != id) { >> + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, >> +@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx >> + SKIP_BLANKS; >> + if (RAW != '[') { >> + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); >> ++ xmlStopParser(ctxt); >> ++ return; >> + } else { >> + if (ctxt->input->id != id) { >> + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, >> +@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx >> + >> + } else { >> + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); >> ++ xmlStopParser(ctxt); >> ++ return; >> + } >> + >> + if (RAW == 0) 
>> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch >> new file mode 100644 >> index 0000000..d175f74 >> --- /dev/null >> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch >> @@ -0,0 +1,41 @@ >> +libxml2: CVE-2015-8035 >> + >> +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 >> +From: Daniel Veillard <veillard@redhat.com> >> +Date: Tue, 3 Nov 2015 15:31:25 +0800 >> +Subject: CVE-2015-8035 Fix XZ compression support loop >> + >> +For https://bugzilla.gnome.org/show_bug.cgi?id=757466 >> +DoS when parsing specially crafted XML document if XZ support >> +is compiled in (which wasn't the case for 2.9.2 and master since >> +Nov 2013, fixed in next commit !) >> + >> +Upstream-Status: Backport >> +https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 >> + >> +[YOCTO #8641] >> + >> +Signed-off-by: Armin Kuster <akuster@mvista.com> >> + >> +--- >> + xzlib.c | 4 ++++ >> + 1 file changed, 4 insertions(+) >> + >> +diff --git a/xzlib.c b/xzlib.c >> +index 0dcb9f4..1fab546 100644 >> +--- a/xzlib.c >> ++++ b/xzlib.c >> +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state) >> + xz_error(state, LZMA_DATA_ERROR, "compressed data error"); >> + return -1; >> + } >> ++ if (ret == LZMA_PROG_ERROR) { >> ++ xz_error(state, LZMA_PROG_ERROR, "compression error"); >> ++ return -1; >> ++ } >> + } while (strm->avail_out && ret != LZMA_STREAM_END); >> + >> + /* update available output and crc check value */ >> +-- >> +cgit v0.11.2 >> + >> -- >> 1.7.9.5 >> >> -- >> _______________________________________________ >> Openembedded-core mailing list >> Openembedded-core@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-core > ^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 8/8] libsndfile: fix CVE-2014-9756 2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang ` (6 preceding siblings ...) 2015-12-01 9:44 ` [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 Robert Yang @ 2015-12-01 9:44 ` Robert Yang 7 siblings, 0 replies; 11+ messages in thread From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw) To: openembedded-core From: "Maxin B. John" <maxin.john@intel.com> Fix divide by zero bug (CVE-2014-9756) (From OE-Core master rev: f47cf07ab9d00ed7eddc8e867138481f7bd2bb7d) Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> --- .../files/libsndfile-fix-CVE-2014-9756.patch | 24 ++++++++++++++++++++ .../libsndfile/libsndfile1_1.0.25.bb | 1 + 2 files changed, 25 insertions(+) create mode 100644 meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch diff --git a/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch b/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch new file mode 100644 index 0000000..b54b3ba --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch 
@@ -0,0 +1,24 @@ +src/file_io.c : Prevent potential divide-by-zero. + +Closes: https://github.com/erikd/libsndfile/issues/92 + +Upstream-Status: Backport + +Fixes CVE-2014-9756 + +Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com> +Signed-off-by: Maxin B. John <maxin.john@intel.com> +--- +diff -Naur libsndfile-1.0.25-orig/src/file_io.c libsndfile-1.0.25/src/file_io.c +--- libsndfile-1.0.25-orig/src/file_io.c 2011-01-19 12:12:28.000000000 +0200 ++++ libsndfile-1.0.25/src/file_io.c 2015-11-04 15:02:04.337395618 +0200 +@@ -358,6 +358,9 @@ + { sf_count_t total = 0 ; + ssize_t count ; + ++ if (bytes == 0 || items == 0) ++ return 0 ; ++ + if (psf->virtual_io) + return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / bytes ; + diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb index 3e02f4e..be875c2 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb @@ -9,6 +9,7 @@ PR = "r2" SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \ file://0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch \ file://0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch \ + file://libsndfile-fix-CVE-2014-9756.patch \ " SRC_URI[md5sum] = "e2b7bb637e01022c7d20f95f9c3990a2" -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 11+ messages in thread
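Review bot: The file_io.c hunk header `@@ -358,6 +358,9 @@` carries no function name and the patch header cites only the issue URL, so a reader cannot tell which function receives the `bytes == 0 || items == 0` guard or which upstream commit is being backported. From the context it is the write helper that divides by `bytes` after `psf->vio.write (...)`; please add the upstream commit id under Upstream-Status and say in the header whether any other helper in file_io.c that divides by `bytes` needs the same guard. Returning 0 for a zero-sized request is a sensible result for callers.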