[jethro-next 0/8] pull request for jethro

[jethro-next 0/8] pull request for jethro

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

please consider these last few security fixes for jethro next

The following changes since commit 049be17b533d7c592dae8e0f33ddbae54639a776:

  libpcre: bug fixes include security (2016-01-30 12:13:10 +0000)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib akuster/jethro_cve_fixes
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=akuster/jethro_cve_fixes

Armin Kuster (8):
  dpkg: Security fix CVE-2015-0860
  libxml2: Security fix CVE-2015-8241
  libxml2: Security fix CVE-2015-8710
  bind: Security fix CVE-2015-8000
  bind: Security fix CVE-2015-8461
  librsvg: Security fix CVE-2015-7558
  gdk-pixbuf: Security fix CVE-2015-7674
  grub: Security fix CVE-2015-8370

 meta/recipes-bsp/grub/files/CVE-2015-8370.patch    |  59 +++++
 meta/recipes-bsp/grub/grub2.inc                    |   1 +
 .../bind/bind/CVE-2015-8000.patch                  | 278 +++++++++++++++++++++
 .../bind/bind/CVE-2015-8461.patch                  |  44 ++++
 meta/recipes-connectivity/bind/bind_9.10.2-P4.bb   |   2 +
 meta/recipes-core/libxml/libxml2.inc               |   2 +
 .../libxml/libxml2/CVE-2015-8241.patch             |  40 +++
 .../libxml/libxml2/CVE-2015-8710.patch             |  71 ++++++
 .../recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch |  52 ++++
 meta/recipes-devtools/dpkg/dpkg_1.18.2.bb          |   1 +
 .../gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch      |  39 +++
 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb |   1 +
 .../librsvg/librsvg/CVE-2015-7558_1.patch          | 139 +++++++++++
 .../librsvg/librsvg/CVE-2015-7558_2.patch          | 230 +++++++++++++++++
 .../librsvg/librsvg/CVE-2015-7558_3.patch          | 223 +++++++++++++++++
 meta/recipes-gnome/librsvg/librsvg_2.40.10.bb      |   6 +-
 16 files changed, 1187 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2015-8370.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
 create mode 100644 meta/recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch
 create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch
 create mode 100644 meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
 create mode 100644 meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch
 create mode 100644 meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch

-- 
2.3.5

[jethro-next 1/8] dpkg: Security fix CVE-2015-0860

[Armin Kuster]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=a, Size: 3238 bytes --]

From: Armin Kuster <akuster@mvista.com>

CVE-2015-0860 dpkg: stack overflows and out of bounds read

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch | 52 ++++++++++++++++++++++
 meta/recipes-devtools/dpkg/dpkg_1.18.2.bb          |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch

diff --git a/meta/recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch b/meta/recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch
new file mode 100644
index 0000000..1f259d3
--- /dev/null
+++ b/meta/recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch
@@ -0,0 +1,52 @@
+From f1aac7d933819569bf6f347c3c0d5a64a90bbce0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Hanno=20B=C3=B6ck?= <hanno@hboeck.de>
+Date: Thu, 19 Nov 2015 20:03:10 +0100
+Subject: [PATCH] dpkg-deb: Fix off-by-one write access on ctrllenbuf variable
+
+This affects old format .deb packages.
+
+Fixes: CVE-2015-0860
+Warned-by: afl
+Signed-off-by: Guillem Jover <guillem@debian.org>
+
+Upstream-Status: Backport
+
+https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=wheezy&id=f1aac7d933819569bf6f347c3c0d5a64a90bbce0
+
+CVE: CVE-2015-0860
+
+hand merge Changelog
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ debian/changelog   | 3 +++
+ dpkg-deb/extract.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+Index: dpkg-1.18.2/dpkg-deb/extract.c
+===================================================================
+--- dpkg-1.18.2.orig/dpkg-deb/extract.c
++++ dpkg-1.18.2/dpkg-deb/extract.c
+@@ -247,7 +247,7 @@ extracthalf(const char *debar, const cha
+     if (errstr)
+       ohshit(_("archive has invalid format version: %s"), errstr);
+ 
+-    r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf));
++    r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf) - 1);
+     if (r < 0)
+       read_fail(r, debar, _("archive control member size"));
+     if (sscanf(ctrllenbuf, "%jd%c%d", &ctrllennum, &nlc, &dummy) != 2 ||
+Index: dpkg-1.18.2/ChangeLog
+===================================================================
+--- dpkg-1.18.2.orig/ChangeLog
++++ dpkg-1.18.2/ChangeLog
+@@ -1,3 +1,8 @@
++[ Guillem Jover ]
++  * Fix an off-by-one write access in dpkg-deb when parsing the old format
++    .deb control member size. Thanks to Hanno Böck <hanno@hboeck.de>.
++    Fixes CVE-2015-0860.
++
+ commit 5459d330c73cdcfd1327bc93c0ebddc2da4a3a3a (HEAD -> master, tag: 1.18.2)
+ Author: Guillem Jover <guillem@debian.org>
+ Date:   Mon Aug 3 15:41:05 2015 +0200
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.18.2.bb b/meta/recipes-devtools/dpkg/dpkg_1.18.2.bb
index 4c3fa4f..2fc096d 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.18.2.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.18.2.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://noman.patch \
 	    file://0003-Our-pre-postinsts-expect-D-to-be-set-when-running-in.patch \
 	    file://0004-The-lutimes-function-doesn-t-work-properly-for-all-s.patch \
 	    file://0005-dpkg-compiler.m4-remove-Wvla.patch \
+        file://CVE-2015-0860.patch \
            "
 
 SRC_URI[md5sum] = "63b9d869081ec49adeef6c5ff62d6576"
-- 
2.3.5

[jethro-next 2/8] libxml2: Security fix CVE-2015-8241

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-core/libxml/libxml2.inc               |  1 +
 .../libxml/libxml2/CVE-2015-8241.patch             | 40 ++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index b9ce0f0..bced950f 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -35,6 +35,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \
            file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \
            file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \
+           file://CVE-2015-8241.patch \
           "
 
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
new file mode 100644
index 0000000..89a46ad
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
@@ -0,0 +1,40 @@
+From ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Tue, 3 Nov 2015 20:40:49 +0800
+Subject: [PATCH] Avoid extra processing of MarkupDecl when EOF
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756263
+
+One place where ctxt->instate == XML_PARSER_EOF whic was set up
+by entity detection issues doesn't get noticed, and even overrided
+
+Upstream-status: Backport
+
+https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe
+
+CVE: CVE-2015-8241
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -6999,6 +6999,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt
+ 	    xmlParsePI(ctxt);
+ 	}
+     }
++
++    /*
++     * detect requirement to exit there and act accordingly
++     * and avoid having instate overriden later on
++     */
++    if (ctxt->instate == XML_PARSER_EOF)
++        return;
++
+     /*
+      * This is only for internal subset. On external entities,
+      * the replacement is done before parsing stage
-- 
2.3.5

[jethro-next 3/8] libxml2: Security fix CVE-2015-8710

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-core/libxml/libxml2.inc               |  1 +
 .../libxml/libxml2/CVE-2015-8710.patch             | 71 ++++++++++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch

diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index bced950f..310d5bb 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -36,6 +36,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
            file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \
            file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \
            file://CVE-2015-8241.patch \
+           file://CVE-2015-8710.patch \
           "
 
 BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
new file mode 100644
index 0000000..be06cc2
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
@@ -0,0 +1,71 @@
+From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 30 Oct 2015 21:14:55 +0800
+Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=746048
+The HTML parser was too optimistic when processing comments and
+didn't check for the end of the stream on the first 2 characters
+
+Upstream-Status: Backport
+
+https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c
+
+CVE: CVE-2015-8710
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ HTMLparser.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
++++ libxml2-2.9.2/HTMLparser.c
+@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ 	ctxt->instate = state;
+ 	return;
+     }
++    len = 0;
++    buf[len] = 0;
+     q = CUR_CHAR(ql);
++    if (!IS_CHAR(q))
++        goto unfinished;
+     NEXTL(ql);
+     r = CUR_CHAR(rl);
++    if (!IS_CHAR(r))
++        goto unfinished;
+     NEXTL(rl);
+     cur = CUR_CHAR(l);
+-    len = 0;
+     while (IS_CHAR(cur) &&
+            ((cur != '>') ||
+ 	    (r != '-') || (q != '-'))) {
+@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ 	}
+     }
+     buf[len] = 0;
+-    if (!IS_CHAR(cur)) {
+-	htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+-	             "Comment not terminated \n<!--%.50s\n", buf, NULL);
+-	xmlFree(buf);
+-    } else {
++    if (IS_CHAR(cur)) {
+         NEXT;
+ 	if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
+ 	    (!ctxt->disableSAX))
+ 	    ctxt->sax->comment(ctxt->userData, buf);
+ 	xmlFree(buf);
++	ctxt->instate = state;
++	return;
+     }
+-    ctxt->instate = state;
++
++unfinished:
++    htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++		 "Comment not terminated \n<!--%.50s\n", buf, NULL);
++    xmlFree(buf);
+ }
+ 
+ /**
-- 
2.3.5

[jethro-next 4/8] bind: Security fix CVE-2015-8000

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

CVE-2015-8000 bind: responses with a malformed class attribute can trigger an assertion failure in db.c

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../bind/bind/CVE-2015-8000.patch                  | 278 +++++++++++++++++++++
 meta/recipes-connectivity/bind/bind_9.10.2-P4.bb   |   1 +
 2 files changed, 279 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
new file mode 100644
index 0000000..e1c8052
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
@@ -0,0 +1,278 @@
+From 8259daad7242ab2af8731681177ef7e948a15ece Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Mon, 16 Nov 2015 13:12:20 +1100
+Subject: [PATCH] 4260.   [security]      Insufficient testing when parsing a
+ message allowed                         records with an incorrect class to be
+ be accepted,                         triggering a REQUIRE failure when those
+ records                         were subsequently cached. (CVE-2015-8000) [RT
+ #4098]
+
+(cherry picked from commit c8821d124c532e0a65752b378f924d4259499fd3)
+(cherry picked from commit 3a4c24c4a52d4a2d21d2decbde3d4e514e27d51c)
+
+
+Upstream-Status: Backport
+
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=8259daad7242ab2af8731681177ef7e948a15ece
+
+CVE: CVE-2015-8000
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGES                       |  5 +++++
+ bin/tests/system/start.pl     |  5 ++++-
+ doc/arm/notes.xml             |  9 +++++++++
+ lib/dns/include/dns/message.h | 13 +++++++++++--
+ lib/dns/message.c             | 45 ++++++++++++++++++++++++++++++++++++++-----
+ lib/dns/resolver.c            |  9 +++++++++
+ lib/dns/xfrin.c               |  2 ++
+ 7 files changed, 80 insertions(+), 8 deletions(-)
+
+Index: bind-9.10.2-P4/bin/tests/system/start.pl
+===================================================================
+--- bind-9.10.2-P4.orig/bin/tests/system/start.pl
++++ bind-9.10.2-P4/bin/tests/system/start.pl
+@@ -68,6 +68,7 @@ my $NAMED = $ENV{'NAMED'};
+ my $LWRESD = $ENV{'LWRESD'};
+ my $DIG = $ENV{'DIG'};
+ my $PERL = $ENV{'PERL'};
++my $PYTHON = $ENV{'PYTHON'};
+ 
+ # Start the server(s)
+ 
+@@ -213,7 +214,9 @@ sub start_server {
+ 		$pid_file = "lwresd.pid";
+ 	} elsif ($server =~ /^ans/) {
+ 		$cleanup_files = "{ans.run}";
+-                if (-e "$testdir/$server/ans.pl") {
++                if (-e "$testdir/$server/ans.py") {
++                        $command = "$PYTHON ans.py 10.53.0.$' 5300";
++                } elsif (-e "$testdir/$server/ans.pl") {
+                         $command = "$PERL ans.pl";
+                 } else {
+                         $command = "$PERL $topdir/ans.pl 10.53.0.$'";
+Index: bind-9.10.2-P4/doc/arm/notes.xml
+===================================================================
+--- bind-9.10.2-P4.orig/doc/arm/notes.xml
++++ bind-9.10.2-P4/doc/arm/notes.xml
+@@ -62,6 +62,15 @@
+     <itemizedlist>
+       <listitem>
+ 	<para>
++	  Insufficient testing when parsing a message allowed
++	  records with an incorrect class to be be accepted,
++	  triggering a REQUIRE failure when those records
++	  were subsequently cached.  This flaw is disclosed
++	  in CVE-2015-8000. [RT #4098]
++	</para>
++      </listitem>
++      <listitem>
++	<para>
+ 	  An incorrect boundary check in the OPENPGPKEY rdatatype
+ 	  could trigger an assertion failure. This flaw is disclosed
+ 	  in CVE-2015-5986. [RT #40286]
+Index: bind-9.10.2-P4/lib/dns/include/dns/message.h
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/include/dns/message.h
++++ bind-9.10.2-P4/lib/dns/include/dns/message.h
+@@ -15,8 +15,6 @@
+  * PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
+-/* $Id$ */
+-
+ #ifndef DNS_MESSAGE_H
+ #define DNS_MESSAGE_H 1
+ 
+@@ -221,6 +219,8 @@ struct dns_message {
+ 	unsigned int			free_saved : 1;
+ 	unsigned int			sitok : 1;
+ 	unsigned int			sitbad : 1;
++	unsigned int			tkey : 1;
++	unsigned int			rdclass_set : 1;
+ 
+ 	unsigned int			opt_reserved;
+ 	unsigned int			sig_reserved;
+@@ -1400,6 +1400,15 @@ dns_message_buildopt(dns_message_t *msg,
+  * \li	 other.
+  */
+ 
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
++/*%<
++ * Set the expected class of records in the response.
++ *
++ * Requires:
++ * \li   msg be a valid message with parsing intent.
++ */
++
+ ISC_LANG_ENDDECLS
+ 
+ #endif /* DNS_MESSAGE_H */
+Index: bind-9.10.2-P4/lib/dns/message.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/message.c
++++ bind-9.10.2-P4/lib/dns/message.c
+@@ -439,6 +439,8 @@ msginit(dns_message_t *m) {
+ 	m->free_saved = 0;
+ 	m->sitok = 0;
+ 	m->sitbad = 0;
++	m->tkey = 0;
++	m->rdclass_set = 0;
+ 	m->querytsig = NULL;
+ }
+ 
+@@ -1091,13 +1093,19 @@ getquestions(isc_buffer_t *source, dns_m
+ 		 * If this class is different than the one we already read,
+ 		 * this is an error.
+ 		 */
+-		if (msg->state == DNS_SECTION_ANY) {
+-			msg->state = DNS_SECTION_QUESTION;
++		if (msg->rdclass_set == 0) {
+ 			msg->rdclass = rdclass;
++			msg->rdclass_set = 1;
+ 		} else if (msg->rdclass != rdclass)
+ 			DO_FORMERR;
+ 
+ 		/*
++		 * Is this a TKEY query?
++		 */
++		if (rdtype == dns_rdatatype_tkey)
++			msg->tkey = 1;
++
++		/*
+ 		 * Can't ask the same question twice.
+ 		 */
+ 		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
+@@ -1241,12 +1249,12 @@ getsection(isc_buffer_t *source, dns_mes
+ 		 * If there was no question section, we may not yet have
+ 		 * established a class.  Do so now.
+ 		 */
+-		if (msg->state == DNS_SECTION_ANY &&
++		if (msg->rdclass_set == 0 &&
+ 		    rdtype != dns_rdatatype_opt &&	/* class is UDP SIZE */
+ 		    rdtype != dns_rdatatype_tsig &&	/* class is ANY */
+ 		    rdtype != dns_rdatatype_tkey) {	/* class is undefined */
+ 			msg->rdclass = rdclass;
+-			msg->state = DNS_SECTION_QUESTION;
++			msg->rdclass_set = 1;
+ 		}
+ 
+ 		/*
+@@ -1256,7 +1264,7 @@ getsection(isc_buffer_t *source, dns_mes
+ 		if (msg->opcode != dns_opcode_update
+ 		    && rdtype != dns_rdatatype_tsig
+ 		    && rdtype != dns_rdatatype_opt
+-		    && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
++		    && rdtype != dns_rdatatype_key /* in a TKEY query */
+ 		    && rdtype != dns_rdatatype_sig /* SIG(0) */
+ 		    && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
+ 		    && msg->rdclass != dns_rdataclass_any
+@@ -1264,6 +1272,16 @@ getsection(isc_buffer_t *source, dns_mes
+ 			DO_FORMERR;
+ 
+ 		/*
++		 * If this is not a TKEY query/response then the KEY
++		 * record's class needs to match.
++		 */
++		if (msg->opcode != dns_opcode_update && !msg->tkey &&
++		    rdtype == dns_rdatatype_key &&
++		    msg->rdclass != dns_rdataclass_any &&
++		    msg->rdclass != rdclass)
++			DO_FORMERR;
++
++		/*
+ 		 * Special type handling for TSIG, OPT, and TKEY.
+ 		 */
+ 		if (rdtype == dns_rdatatype_tsig) {
+@@ -1377,6 +1395,10 @@ getsection(isc_buffer_t *source, dns_mes
+ 				skip_name_search = ISC_TRUE;
+ 				skip_type_search = ISC_TRUE;
+ 				issigzero = ISC_TRUE;
++			} else {
++				if (msg->rdclass != dns_rdataclass_any &&
++				    msg->rdclass != rdclass)
++					DO_FORMERR;
+ 			}
+ 		} else
+ 			covers = 0;
+@@ -1625,6 +1647,7 @@ dns_message_parse(dns_message_t *msg, is
+ 	msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
+ 
+ 	msg->header_ok = 1;
++	msg->state = DNS_SECTION_QUESTION;
+ 
+ 	/*
+ 	 * -1 means no EDNS.
+@@ -3706,3 +3729,15 @@ dns_message_buildopt(dns_message_t *mess
+ 		dns_message_puttemprdatalist(message, &rdatalist);
+ 	return (result);
+ }
++
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
++
++	REQUIRE(DNS_MESSAGE_VALID(msg));
++	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
++	REQUIRE(msg->state == DNS_SECTION_ANY);
++	REQUIRE(msg->rdclass_set == 0);
++
++	msg->rdclass = rdclass;
++	msg->rdclass_set = 1;
++}
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
++++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -7309,6 +7309,8 @@ resquery_response(isc_task_t *task, isc_
+ 			goto done;
+ 	}
+ 
++	dns_message_setclass(message, fctx->res->rdclass);
++
+ 	if ((options & DNS_FETCHOPT_TCP) == 0) {
+ 		if ((options & DNS_FETCHOPT_NOEDNS0) == 0)
+ 			dns_adb_setudpsize(fctx->adb, query->addrinfo,
+@@ -7391,6 +7393,13 @@ resquery_response(isc_task_t *task, isc_
+ 				 &dns_master_style_comment,
+ 				 ISC_LOG_DEBUG(10),
+ 				 fctx->res->mctx);
++
++	if (message->rdclass != fctx->res->rdclass) {
++		resend = ISC_TRUE;
++		FCTXTRACE("bad class");
++		goto done;
++	}
++
+ 	/*
+ 	 * Process receive opt record.
+ 	 */
+Index: bind-9.10.2-P4/lib/dns/xfrin.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/xfrin.c
++++ bind-9.10.2-P4/lib/dns/xfrin.c
+@@ -1225,6 +1225,8 @@ xfrin_recv_done(isc_task_t *task, isc_ev
+ 	msg->tsigctx = xfr->tsigctx;
+ 	xfr->tsigctx = NULL;
+ 
++	dns_message_setclass(msg, xfr->rdclass);
++
+ 	if (xfr->nmsg > 0)
+ 		msg->tcp_continuation = 1;
+ 
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,4 +1,9 @@
+-	--- 9.10.2-P4 released ---
++4260.  [security]      Insufficient testing when parsing a message allowed
++                       records with an incorrect class to be be accepted,
++                       triggering a REQUIRE failure when those records
++                       were subsequently cached. (CVE-2015-8000) [RT #4098]
++
++    --- 9.10.2-P4 released ---
+ 
+ 4170.	[security]	An incorrect boundary check in the OPENPGPKEY
+ 			rdatatype could trigger an assertion failure.
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index c9a7acd..b22dbf3 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -23,6 +23,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://0001-lib-dns-gen.c-fix-too-long-error.patch \
            file://CVE-2015-8704.patch \
            file://CVE-2015-8705.patch \
+           file://CVE-2015-8000.patch \
            "
 
 SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"
-- 
2.3.5

[jethro-next 5/8] bind: Security fix CVE-2015-8461

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

CVE-2015-8461 bind: race condition when handling socket errors can lead to an assertion failure in resolver.c\

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../bind/bind/CVE-2015-8461.patch                  | 44 ++++++++++++++++++++++
 meta/recipes-connectivity/bind/bind_9.10.2-P4.bb   |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch
new file mode 100644
index 0000000..88e9c83
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch
@@ -0,0 +1,44 @@
+From adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 25 Jun 2015 18:36:27 +1000
+Subject: [PATCH] 4146.   [bug]           Address reference leak that could
+ prevent a clean                         shutdown. [RT #37125]
+
+Upstream-Status: Backport
+
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d
+
+CVE: CVE-2015-8461
+Signed-off-by:  Armin Kuster <akuster@mvista.com>
+---
+ CHANGES            | 3 +++
+ lib/dns/resolver.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,6 @@
++4146.  [bug]           Address reference leak that could prevent a clean
++                       shutdown. [RT #37125]
++
+ 4260.  [security]      Insufficient testing when parsing a message allowed
+                        records with an incorrect class to be be accepted,
+                        triggering a REQUIRE failure when those records
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
++++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -1649,6 +1649,11 @@ fctx_query(fetchctx_t *fctx, dns_adbaddr
+ 	if (query->dispatch != NULL)
+ 		dns_dispatch_detach(&query->dispatch);
+ 
++	LOCK(&res->buckets[fctx->bucketnum].lock);
++	INSIST(fctx->references > 1);
++	fctx->references--;
++	UNLOCK(&res->buckets[fctx->bucketnum].lock);
++
+  cleanup_query:
+ 	if (query->connects == 0) {
+ 		query->magic = 0;
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index b22dbf3..19f87d7 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://CVE-2015-8704.patch \
            file://CVE-2015-8705.patch \
            file://CVE-2015-8000.patch \
+           file://CVE-2015-8461.patch \
            "
 
 SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"
-- 
2.3.5

[jethro-next 6/8] librsvg: Security fix CVE-2015-7558

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

CVE-2015-7558 librsvg2: Stack exhaustion causing DoS

including two supporting patches.

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../librsvg/librsvg/CVE-2015-7558_1.patch          | 139 +++++++++++++
 .../librsvg/librsvg/CVE-2015-7558_2.patch          | 230 +++++++++++++++++++++
 .../librsvg/librsvg/CVE-2015-7558_3.patch          | 223 ++++++++++++++++++++
 meta/recipes-gnome/librsvg/librsvg_2.40.10.bb      |   6 +-
 4 files changed, 597 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
 create mode 100644 meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch
 create mode 100644 meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch

diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
new file mode 100644
index 0000000..a3ba41f
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
@@ -0,0 +1,139 @@
+From d1c9191949747f6dcfd207831d15dd4ba00e31f2 Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Wed, 7 Oct 2015 05:31:08 +0200
+Subject: [PATCH] state: Store mask as reference
+
+Instead of immediately looking up the mask, store the reference and look
+it up on use.
+
+Upstream-status: Backport
+
+supporting patch
+https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2
+
+CVE: CVE-2015-7558
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ rsvg-cairo-draw.c |  6 +++++-
+ rsvg-mask.c       | 17 -----------------
+ rsvg-mask.h       |  2 --
+ rsvg-styles.c     | 12 ++++++++----
+ rsvg-styles.h     |  2 +-
+ 5 files changed, 14 insertions(+), 25 deletions(-)
+
+Index: librsvg-2.40.10/rsvg-cairo-draw.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
++++ librsvg-2.40.10/rsvg-cairo-draw.c
+@@ -825,7 +825,11 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+     cairo_set_operator (render->cr, state->comp_op);
+ 
+     if (state->mask) {
+-        rsvg_cairo_generate_mask (render->cr, state->mask, ctx, &render->bbox);
++        RsvgNode *mask;
++
++        mask = rsvg_defs_lookup (ctx->defs, state->mask);
++        if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
++          rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
+     } else if (state->opacity != 0xFF)
+         cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
+     else
+Index: librsvg-2.40.10/rsvg-mask.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.c
++++ librsvg-2.40.10/rsvg-mask.c
+@@ -103,23 +103,6 @@ rsvg_get_url_string (const char *str)
+ }
+ 
+ RsvgNode *
+-rsvg_mask_parse (const RsvgDefs * defs, const char *str)
+-{
+-    char *name;
+-
+-    name = rsvg_get_url_string (str);
+-    if (name) {
+-        RsvgNode *val;
+-        val = rsvg_defs_lookup (defs, name);
+-        g_free (name);
+-
+-        if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK)
+-            return val;
+-    }
+-    return NULL;
+-}
+-
+-RsvgNode *
+ rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
+ {
+     char *name;
+Index: librsvg-2.40.10/rsvg-mask.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.h
++++ librsvg-2.40.10/rsvg-mask.h
+@@ -48,8 +48,6 @@ struct _RsvgMask {
+ 
+ G_GNUC_INTERNAL
+ RsvgNode *rsvg_new_mask	    (void);
+-G_GNUC_INTERNAL
+-RsvgNode *rsvg_mask_parse   (const RsvgDefs * defs, const char *str);
+ 
+ typedef struct _RsvgClipPath RsvgClipPath;
+ 
+Index: librsvg-2.40.10/rsvg-styles.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.c
++++ librsvg-2.40.10/rsvg-styles.c
+@@ -221,6 +221,7 @@ rsvg_state_clone (RsvgState * dst, const
+ 
+     *dst = *src;
+     dst->parent = parent;
++    dst->mask = g_strdup (src->mask);
+     dst->font_family = g_strdup (src->font_family);
+     dst->lang = g_strdup (src->lang);
+     rsvg_paint_server_ref (dst->fill);
+@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
+ 
+     if (inherituninheritables) {
+         dst->clip_path_ref = src->clip_path_ref;
+-        dst->mask = src->mask;
++        g_free (dst->mask);
++        dst->mask = g_strdup (src->mask);
+         dst->enable_background = src->enable_background;
+         dst->adobe_blend = src->adobe_blend;
+         dst->opacity = src->opacity;
+@@ -444,6 +446,7 @@ rsvg_state_inherit (RsvgState * dst, con
+ void
+ rsvg_state_finalize (RsvgState * state)
+ {
++    g_free (state->mask);
+     g_free (state->font_family);
+     g_free (state->lang);
+     rsvg_paint_server_unref (state->fill);
+@@ -517,9 +520,10 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
+             state->adobe_blend = 11;
+         else
+             state->adobe_blend = 0;
+-    } else if (g_str_equal (name, "mask"))
+-        state->mask = rsvg_mask_parse (ctx->priv->defs, value);
+-    else if (g_str_equal (name, "clip-path")) {
++    } else if (g_str_equal (name, "mask")) {
++        g_free (state->mask);
++        state->mask = rsvg_get_url_string (value);
++    } else if (g_str_equal (name, "clip-path")) {
+         state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
+     } else if (g_str_equal (name, "overflow")) {
+         if (!g_str_equal (value, "inherit")) {
+Index: librsvg-2.40.10/rsvg-styles.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.h
++++ librsvg-2.40.10/rsvg-styles.h
+@@ -80,7 +80,7 @@ struct _RsvgState {
+     cairo_matrix_t personal_affine;
+ 
+     RsvgFilter *filter;
+-    void *mask;
++    char *mask;
+     void *clip_path_ref;
+     guint8 adobe_blend;         /* 0..11 */
+     guint8 opacity;             /* 0..255 */
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch
new file mode 100644
index 0000000..9f6820e
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch
@@ -0,0 +1,230 @@
+From 6cfaab12c70cd4a34c4730837f1ecdf792593c90 Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Wed, 7 Oct 2015 07:57:39 +0200
+Subject: [PATCH] state: Look up clip path lazily
+
+Upstream-status: Backport
+
+supporting patch
+https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=6cfaab12c70cd4a34c4730837f1ecdf792593c90
+
+CVE: CVE-2015-7558
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ rsvg-cairo-draw.c | 56 +++++++++++++++++++++++++++++++++----------------------
+ rsvg-mask.c       | 17 -----------------
+ rsvg-mask.h       |  2 --
+ rsvg-styles.c     | 10 +++++++---
+ rsvg-styles.h     |  2 +-
+ 5 files changed, 42 insertions(+), 45 deletions(-)
+
+Index: librsvg-2.40.10/rsvg-cairo-draw.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
++++ librsvg-2.40.10/rsvg-cairo-draw.c
+@@ -461,7 +461,7 @@ rsvg_cairo_render_path (RsvgDrawingCtx *
+         return;
+ 
+     need_tmpbuf = ((state->fill != NULL) && (state->stroke != NULL) && state->opacity != 0xff)
+-        || state->clip_path_ref || state->mask || state->filter
++        || state->clip_path || state->mask || state->filter
+         || (state->comp_op != CAIRO_OPERATOR_OVER);
+ 
+     if (need_tmpbuf)
+@@ -708,18 +708,6 @@ rsvg_cairo_generate_mask (cairo_t * cr,
+ }
+ 
+ static void
+-rsvg_cairo_push_early_clips (RsvgDrawingCtx * ctx)
+-{
+-    RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
+-  
+-    cairo_save (render->cr);
+-    if (rsvg_current_state (ctx)->clip_path_ref)
+-        if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == userSpaceOnUse)
+-            rsvg_cairo_clip (ctx, rsvg_current_state (ctx)->clip_path_ref, NULL);
+-
+-}
+-
+-static void
+ rsvg_cairo_push_render_stack (RsvgDrawingCtx * ctx)
+ {
+     /* XXX: Untested, probably needs help wrt filters */
+@@ -731,9 +719,27 @@ rsvg_cairo_push_render_stack (RsvgDrawin
+     RsvgState *state = rsvg_current_state (ctx);
+     gboolean lateclip = FALSE;
+ 
+-    if (rsvg_current_state (ctx)->clip_path_ref)
+-        if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == objectBoundingBox)
+-            lateclip = TRUE;
++    if (rsvg_current_state (ctx)->clip_path) {
++        RsvgNode *node;
++        node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
++        if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH) {
++            RsvgClipPath *clip_path = (RsvgClipPath *) node;
++
++            switch (clip_path->units) {
++            case userSpaceOnUse:
++                rsvg_cairo_clip (ctx, clip_path, NULL);
++                break;
++            case objectBoundingBox:
++                lateclip = TRUE;
++                break;
++
++            default:
++                g_assert_not_reached ();
++                break;
++            }
++
++        }
++    }
+ 
+     if (state->opacity == 0xFF
+         && !state->filter && !state->mask && !lateclip && (state->comp_op == CAIRO_OPERATOR_OVER)
+@@ -774,7 +780,9 @@ rsvg_cairo_push_render_stack (RsvgDrawin
+ void
+ rsvg_cairo_push_discrete_layer (RsvgDrawingCtx * ctx)
+ {
+-    rsvg_cairo_push_early_clips (ctx);
++    RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
++
++    cairo_save (render->cr);
+     rsvg_cairo_push_render_stack (ctx);
+ }
+ 
+@@ -783,14 +791,18 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+ {
+     RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
+     cairo_t *child_cr = render->cr;
+-    gboolean lateclip = FALSE;
++    RsvgClipPath *lateclip = NULL;
+     cairo_surface_t *surface = NULL;
+     RsvgState *state = rsvg_current_state (ctx);
+     gboolean nest;
+ 
+-    if (rsvg_current_state (ctx)->clip_path_ref)
+-        if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == objectBoundingBox)
+-            lateclip = TRUE;
++    if (rsvg_current_state (ctx)->clip_path) {
++        RsvgNode *node;
++        node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
++        if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH
++            && ((RsvgClipPath *) node)->units == objectBoundingBox)
++            lateclip = (RsvgClipPath *) node;
++    }
+ 
+     if (state->opacity == 0xFF
+         && !state->filter && !state->mask && !lateclip && (state->comp_op == CAIRO_OPERATOR_OVER)
+@@ -820,7 +832,7 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+                               nest ? 0 : render->offset_y);
+ 
+     if (lateclip)
+-        rsvg_cairo_clip (ctx, rsvg_current_state (ctx)->clip_path_ref, &render->bbox);
++        rsvg_cairo_clip (ctx, lateclip, &render->bbox);
+ 
+     cairo_set_operator (render->cr, state->comp_op);
+ 
+Index: librsvg-2.40.10/rsvg-mask.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.c
++++ librsvg-2.40.10/rsvg-mask.c
+@@ -102,23 +102,6 @@ rsvg_get_url_string (const char *str)
+     return NULL;
+ }
+ 
+-RsvgNode *
+-rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
+-{
+-    char *name;
+-
+-    name = rsvg_get_url_string (str);
+-    if (name) {
+-        RsvgNode *val;
+-        val = rsvg_defs_lookup (defs, name);
+-        g_free (name);
+-
+-        if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_CLIP_PATH)
+-            return val;
+-    }
+-    return NULL;
+-}
+-
+ static void
+ rsvg_clip_path_set_atts (RsvgNode * self, RsvgHandle * ctx, RsvgPropertyBag * atts)
+ {
+Index: librsvg-2.40.10/rsvg-mask.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.h
++++ librsvg-2.40.10/rsvg-mask.h
+@@ -58,8 +58,6 @@ struct _RsvgClipPath {
+ 
+ G_GNUC_INTERNAL
+ RsvgNode *rsvg_new_clip_path	(void);
+-G_GNUC_INTERNAL
+-RsvgNode *rsvg_clip_path_parse	(const RsvgDefs * defs, const char *str);
+ 
+ G_END_DECLS
+ #endif
+Index: librsvg-2.40.10/rsvg-styles.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.c
++++ librsvg-2.40.10/rsvg-styles.c
+@@ -149,7 +149,7 @@ rsvg_state_init (RsvgState * state)
+     state->visible = TRUE;
+     state->cond_true = TRUE;
+     state->filter = NULL;
+-    state->clip_path_ref = NULL;
++    state->clip_path = NULL;
+     state->startMarker = NULL;
+     state->middleMarker = NULL;
+     state->endMarker = NULL;
+@@ -222,6 +222,7 @@ rsvg_state_clone (RsvgState * dst, const
+     *dst = *src;
+     dst->parent = parent;
+     dst->mask = g_strdup (src->mask);
++    dst->clip_path = g_strdup (src->clip_path);
+     dst->font_family = g_strdup (src->font_family);
+     dst->lang = g_strdup (src->lang);
+     rsvg_paint_server_ref (dst->fill);
+@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
+     }
+ 
+     if (inherituninheritables) {
+-        dst->clip_path_ref = src->clip_path_ref;
++        g_free (dst->clip_path);
++        dst->clip_path = g_strdup (src->clip_path);
+         g_free (dst->mask);
+         dst->mask = g_strdup (src->mask);
+         dst->enable_background = src->enable_background;
+@@ -447,6 +449,7 @@ void
+ rsvg_state_finalize (RsvgState * state)
+ {
+     g_free (state->mask);
++    g_free (state->clip_path);
+     g_free (state->font_family);
+     g_free (state->lang);
+     rsvg_paint_server_unref (state->fill);
+@@ -524,7 +527,8 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
+         g_free (state->mask);
+         state->mask = rsvg_get_url_string (value);
+     } else if (g_str_equal (name, "clip-path")) {
+-        state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
++        g_free (state->clip_path);
++        state->clip_path = rsvg_get_url_string (value);
+     } else if (g_str_equal (name, "overflow")) {
+         if (!g_str_equal (value, "inherit")) {
+             state->overflow = rsvg_css_parse_overflow (value, &state->has_overflow);
+Index: librsvg-2.40.10/rsvg-styles.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.h
++++ librsvg-2.40.10/rsvg-styles.h
+@@ -81,7 +81,7 @@ struct _RsvgState {
+ 
+     RsvgFilter *filter;
+     char *mask;
+-    void *clip_path_ref;
++    char *clip_path;
+     guint8 adobe_blend;         /* 0..11 */
+     guint8 opacity;             /* 0..255 */
+ 
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch
new file mode 100644
index 0000000..dd67ab7
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch
@@ -0,0 +1,223 @@
+From a51919f7e1ca9c535390a746fbf6e28c8402dc61 Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Wed, 7 Oct 2015 08:45:37 +0200
+Subject: [PATCH] rsvg: Add rsvg_acquire_node()
+
+This function does proper recursion checks when looking up resources
+from URLs and thereby helps avoiding infinite loops when cyclic
+references span multiple types of elements.
+
+Upstream-status: Backport
+
+https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61
+
+CVE: CVE-2015-7558
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ rsvg-base.c         | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ rsvg-cairo-draw.c   | 15 +++++++++++----
+ rsvg-cairo-render.c |  1 +
+ rsvg-filter.c       |  9 +++++++--
+ rsvg-private.h      |  5 +++++
+ 5 files changed, 79 insertions(+), 6 deletions(-)
+
+Index: librsvg-2.40.10/rsvg-base.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-base.c
++++ librsvg-2.40.10/rsvg-base.c
+@@ -1236,6 +1236,8 @@ rsvg_drawing_ctx_free (RsvgDrawingCtx *
+ 	g_slist_free (handle->drawsub_stack);
+ 
+     g_slist_free (handle->ptrs);
++    g_warn_if_fail (handle->acquired_nodes == NULL);
++    g_slist_free (handle->acquired_nodes);
+ 	
+     if (handle->base_uri)
+         g_free (handle->base_uri);
+@@ -2018,6 +2020,59 @@ rsvg_push_discrete_layer (RsvgDrawingCtx
+     ctx->render->push_discrete_layer (ctx);
+ }
+ 
++/*
++ * rsvg_acquire_node:
++ * @ctx: The drawing context in use
++ * @url: The IRI to lookup
++ *
++ * Use this function when looking up urls to other nodes. This
++ * function does proper recursion checking and thereby avoids
++ * infinite loops.
++ *
++ * Nodes acquired by this function must be released using
++ * rsvg_release_node() in reverse acquiring order.
++ *
++ * Returns: The node referenced by @url or %NULL if the @url
++ *          does not reference a node.
++ */
++RsvgNode *
++rsvg_acquire_node (RsvgDrawingCtx * ctx, const char *url)
++{
++  RsvgNode *node;
++
++  node = rsvg_defs_lookup (ctx->defs, url);
++  if (node == NULL)
++    return NULL;
++
++  if (g_slist_find (ctx->acquired_nodes, node))
++    return NULL;
++
++  ctx->acquired_nodes = g_slist_prepend (ctx->acquired_nodes, node);
++
++  return node;
++}
++
++/*
++ * rsvg_release_node:
++ * @ctx: The drawing context the node was acquired from
++ * @node: Node to release
++ *
++ * Releases a node previously acquired via rsvg_acquire_node().
++ *
++ * if @node is %NULL, this function does nothing.
++ */
++void
++rsvg_release_node (RsvgDrawingCtx * ctx, RsvgNode *node)
++{
++  if (node == NULL)
++    return;
++
++  g_return_if_fail (ctx->acquired_nodes != NULL);
++  g_return_if_fail (ctx->acquired_nodes->data == node);
++
++  ctx->acquired_nodes = g_slist_remove (ctx->acquired_nodes, node);
++}
++
+ void
+ rsvg_render_path (RsvgDrawingCtx * ctx, const cairo_path_t *path)
+ {
+Index: librsvg-2.40.10/rsvg-cairo-draw.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
++++ librsvg-2.40.10/rsvg-cairo-draw.c
+@@ -721,7 +721,7 @@ rsvg_cairo_push_render_stack (RsvgDrawin
+ 
+     if (rsvg_current_state (ctx)->clip_path) {
+         RsvgNode *node;
+-        node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
++        node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
+         if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH) {
+             RsvgClipPath *clip_path = (RsvgClipPath *) node;
+ 
+@@ -739,6 +739,8 @@ rsvg_cairo_push_render_stack (RsvgDrawin
+             }
+ 
+         }
++        
++        rsvg_release_node (ctx, node);
+     }
+ 
+     if (state->opacity == 0xFF
+@@ -798,10 +800,12 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+ 
+     if (rsvg_current_state (ctx)->clip_path) {
+         RsvgNode *node;
+-        node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
++        node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
+         if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH
+             && ((RsvgClipPath *) node)->units == objectBoundingBox)
+             lateclip = (RsvgClipPath *) node;
++        else
++            rsvg_release_node (ctx, node);
+     }
+ 
+     if (state->opacity == 0xFF
+@@ -831,17 +835,20 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+                               nest ? 0 : render->offset_x,
+                               nest ? 0 : render->offset_y);
+ 
+-    if (lateclip)
++    if (lateclip) {
+         rsvg_cairo_clip (ctx, lateclip, &render->bbox);
++        rsvg_release_node (ctx, (RsvgNode *) lateclip);
++    }
+ 
+     cairo_set_operator (render->cr, state->comp_op);
+ 
+     if (state->mask) {
+         RsvgNode *mask;
+ 
+-        mask = rsvg_defs_lookup (ctx->defs, state->mask);
++        mask = rsvg_acquire_node (ctx, state->mask);
+         if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
+           rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
++        rsvg_release_node (ctx, mask);
+     } else if (state->opacity != 0xFF)
+         cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
+     else
+Index: librsvg-2.40.10/rsvg-cairo-render.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-render.c
++++ librsvg-2.40.10/rsvg-cairo-render.c
+@@ -155,6 +155,7 @@ rsvg_cairo_new_drawing_ctx (cairo_t * cr
+     draw->pango_context = NULL;
+     draw->drawsub_stack = NULL;
+     draw->ptrs = NULL;
++    draw->acquired_nodes = NULL;
+ 
+     rsvg_state_push (draw);
+     state = rsvg_current_state (draw);
+Index: librsvg-2.40.10/rsvg-filter.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-filter.c
++++ librsvg-2.40.10/rsvg-filter.c
+@@ -3921,6 +3921,7 @@ rsvg_filter_primitive_image_render_in (R
+     RsvgDrawingCtx *ctx;
+     RsvgFilterPrimitiveImage *upself;
+     RsvgNode *drawable;
++    cairo_surface_t *result;
+ 
+     ctx = context->ctx;
+ 
+@@ -3929,13 +3930,17 @@ rsvg_filter_primitive_image_render_in (R
+     if (!upself->href)
+         return NULL;
+ 
+-    drawable = rsvg_defs_lookup (ctx->defs, upself->href->str);
++    drawable = rsvg_acquire_node (ctx, upself->href->str);
+     if (!drawable)
+         return NULL;
+ 
+     rsvg_current_state (ctx)->affine = context->paffine;
+ 
+-    return rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
++    result = rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
++
++    rsvg_release_node (ctx, drawable);
++
++    return result;
+ }
+ 
+ static cairo_surface_t *
+Index: librsvg-2.40.10/rsvg-private.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-private.h
++++ librsvg-2.40.10/rsvg-private.h
+@@ -200,6 +200,7 @@ struct RsvgDrawingCtx {
+     GSList *vb_stack;
+     GSList *drawsub_stack;
+     GSList *ptrs;
++    GSList *acquired_nodes;
+ };
+ 
+ /*Abstract base class for context for our backends (one as yet)*/
+@@ -360,6 +361,10 @@ void rsvg_pop_discrete_layer    (RsvgDra
+ G_GNUC_INTERNAL
+ void rsvg_push_discrete_layer   (RsvgDrawingCtx * ctx);
+ G_GNUC_INTERNAL
++RsvgNode *rsvg_acquire_node     (RsvgDrawingCtx * ctx, const char *url);
++G_GNUC_INTERNAL
++void rsvg_release_node          (RsvgDrawingCtx * ctx, RsvgNode *node);
++G_GNUC_INTERNAL
+ void rsvg_render_path           (RsvgDrawingCtx * ctx, const cairo_path_t *path);
+ G_GNUC_INTERNAL
+ void rsvg_render_surface        (RsvgDrawingCtx * ctx, cairo_surface_t *surface,
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.40.10.bb b/meta/recipes-gnome/librsvg/librsvg_2.40.10.bb
index 06552c2..cb8a73c 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.40.10.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.40.10.bb
@@ -12,7 +12,11 @@ BBCLASSEXTEND = "native"
 
 inherit autotools pkgconfig gnomebase gtk-doc pixbufcache
 
-SRC_URI += "file://gtk-option.patch"
+SRC_URI += "file://gtk-option.patch \
+            file://CVE-2015-7558_1.patch \
+            file://CVE-2015-7558_2.patch \
+            file://CVE-2015-7558_3.patch \
+            "
 
 SRC_URI[archive.md5sum] = "fadebe2e799ab159169ee3198415ff85"
 SRC_URI[archive.sha256sum] = "965c807438ce90b204e930ff80c92eba1606a2f6fd5ccfd09335c99896dd3479"
-- 
2.3.5

[jethro-next 7/8] gdk-pixbuf: Security fix CVE-2015-7674

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

CVE-2015-7674 Heap overflow with a gif file in gdk-pixbuf < 2.32.1

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 .../gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch      | 39 ++++++++++++++++++++++
 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch

diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch
new file mode 100644
index 0000000..d516e88
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch
@@ -0,0 +1,39 @@
+From e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Tue, 22 Sep 2015 22:44:51 +0200
+Subject: [PATCH] pixops: Don't overflow variables when shifting them
+
+If we shift by 16 bits we need to be sure those 16 bits actually exist.
+They do now.
+
+Upstream-status: Backport
+https://git.gnome.org/browse/gdk-pixbuf/commit/?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa
+
+CVE:  CVE-2015-7674
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ gdk-pixbuf/pixops/pixops.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+Index: gdk-pixbuf-2.30.8/gdk-pixbuf/pixops/pixops.c
+===================================================================
+--- gdk-pixbuf-2.30.8.orig/gdk-pixbuf/pixops/pixops.c
++++ gdk-pixbuf-2.30.8/gdk-pixbuf/pixops/pixops.c
+@@ -264,11 +264,11 @@ pixops_scale_nearest (guchar        *des
+ 		      double         scale_x,
+ 		      double         scale_y)
+ {
+-  int i;
+-  int x;
+-  int x_step = (1 << SCALE_SHIFT) / scale_x;
+-  int y_step = (1 << SCALE_SHIFT) / scale_y;
+-  int xmax, xstart, xstop, x_pos, y_pos;
++  gint64 i;
++  gint64 x;
++  gint64 x_step = (1 << SCALE_SHIFT) / scale_x;
++  gint64 y_step = (1 << SCALE_SHIFT) / scale_y;
++  gint64 xmax, xstart, xstop, x_pos, y_pos;
+   const guchar *p;
+ 
+ #define INNER_LOOP(SRC_CHANNELS,DEST_CHANNELS,ASSIGN_PIXEL)     \
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
index 68f3850..dcd01b1 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
            file://run-ptest \
            file://fatal-loader.patch \
            file://0001-pixops-Be-more-careful-about-integer-overflow.patch \
+           file://CVE-2015-7674.patch \
            "
 
 SRC_URI[md5sum] = "4fed0d54432f1b69fc6e66e608bd5542"
-- 
2.3.5

[jethro-next 8/8] grub: Security fix CVE-2015-8370

[Armin Kuster]

From: Armin Kuster <akuster@mvista.com>

CVE-2015-8370 grub2: buffer overflow when checking password entered during bootup

Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 meta/recipes-bsp/grub/files/CVE-2015-8370.patch | 59 +++++++++++++++++++++++++
 meta/recipes-bsp/grub/grub2.inc                 |  1 +
 2 files changed, 60 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2015-8370.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2015-8370.patch b/meta/recipes-bsp/grub/files/CVE-2015-8370.patch
new file mode 100644
index 0000000..78f514e
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2015-8370.patch
@@ -0,0 +1,59 @@
+From 451d80e52d851432e109771bb8febafca7a5f1f2 Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+Date: Wed, 16 Dec 2015 07:57:18 +0300
+Subject: [PATCH] Fix security issue when reading username and password
+
+This patch fixes two integer underflows at:
+  * grub-core/lib/crypto.c
+  * grub-core/normal/auth.c
+
+CVE-2015-8370
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
+Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
+Also-By: Andrey Borzenkov <arvidjaar@gmail.com>
+
+Upstream-Status: Backport
+
+http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2
+
+CVE: CVE-2015-8370
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ grub-core/lib/crypto.c  | 3 ++-
+ grub-core/normal/auth.c | 7 +++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+Index: git/grub-core/lib/crypto.c
+===================================================================
+--- git.orig/grub-core/lib/crypto.c
++++ git/grub-core/lib/crypto.c
+@@ -458,7 +458,8 @@ grub_password_get (char buf[], unsigned
+ 
+       if (key == '\b')
+ 	{
+-	  cur_len--;
++	  if (cur_len)
++	    cur_len--;
+ 	  continue;
+ 	}
+ 
+Index: git/grub-core/normal/auth.c
+===================================================================
+--- git.orig/grub-core/normal/auth.c
++++ git/grub-core/normal/auth.c
+@@ -174,8 +174,11 @@ grub_username_get (char buf[], unsigned
+ 
+       if (key == '\b')
+ 	{
+-	  cur_len--;
+-	  grub_printf ("\b");
++	  if (cur_len)
++	    {
++	      cur_len--;
++	      grub_printf ("\b");
++	    }
+ 	  continue;
+ 	}
+ 
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 312771b..fe2407c 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -27,6 +27,7 @@ SRC_URI = "ftp://ftp.gnu.org/gnu/grub/grub-${PV}.tar.gz \
            file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
            file://0001-parse_dhcp_vendor-Add-missing-const-qualifiers.patch \
            file://grub2-fix-initrd-size-bug.patch \
+           file://CVE-2015-8370.patch \
             "
 
 DEPENDS = "flex-native bison-native xz"
-- 
2.3.5