* [jethro-next 1/8] dpkg: Security fix CVE-2015-0860
2016-01-31 19:53 [jethro-next 0/8] pull request for jethro Armin Kuster
@ 2016-01-31 19:53 ` Armin Kuster
2016-01-31 19:53 ` [jethro-next 2/8] libxml2: Security fix CVE-2015-8241 Armin Kuster
` (6 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Armin Kuster @ 2016-01-31 19:53 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=a, Size: 3238 bytes --]
From: Armin Kuster <akuster@mvista.com>
CVE-2015-0860 dpkg: stack overflows and out of bounds read
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch | 52 ++++++++++++++++++++++
meta/recipes-devtools/dpkg/dpkg_1.18.2.bb | 1 +
2 files changed, 53 insertions(+)
create mode 100644 meta/recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch
diff --git a/meta/recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch b/meta/recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch
new file mode 100644
index 0000000..1f259d3
--- /dev/null
+++ b/meta/recipes-devtools/dpkg/dpkg/CVE-2015-0860.patch
@@ -0,0 +1,52 @@
+From f1aac7d933819569bf6f347c3c0d5a64a90bbce0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Hanno=20B=C3=B6ck?= <hanno@hboeck.de>
+Date: Thu, 19 Nov 2015 20:03:10 +0100
+Subject: [PATCH] dpkg-deb: Fix off-by-one write access on ctrllenbuf variable
+
+This affects old format .deb packages.
+
+Fixes: CVE-2015-0860
+Warned-by: afl
+Signed-off-by: Guillem Jover <guillem@debian.org>
+
+Upstream-Status: Backport
+
+https://anonscm.debian.org/cgit/dpkg/dpkg.git/commit/?h=wheezy&id=f1aac7d933819569bf6f347c3c0d5a64a90bbce0
+
+CVE: CVE-2015-0860
+
+hand merge Changelog
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ debian/changelog | 3 +++
+ dpkg-deb/extract.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+Index: dpkg-1.18.2/dpkg-deb/extract.c
+===================================================================
+--- dpkg-1.18.2.orig/dpkg-deb/extract.c
++++ dpkg-1.18.2/dpkg-deb/extract.c
+@@ -247,7 +247,7 @@ extracthalf(const char *debar, const cha
+ if (errstr)
+ ohshit(_("archive has invalid format version: %s"), errstr);
+
+- r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf));
++ r = read_line(arfd, ctrllenbuf, 1, sizeof(ctrllenbuf) - 1);
+ if (r < 0)
+ read_fail(r, debar, _("archive control member size"));
+ if (sscanf(ctrllenbuf, "%jd%c%d", &ctrllennum, &nlc, &dummy) != 2 ||
+Index: dpkg-1.18.2/ChangeLog
+===================================================================
+--- dpkg-1.18.2.orig/ChangeLog
++++ dpkg-1.18.2/ChangeLog
+@@ -1,3 +1,8 @@
++[ Guillem Jover ]
++ * Fix an off-by-one write access in dpkg-deb when parsing the old format
++ .deb control member size. Thanks to Hanno Böck <hanno@hboeck.de>.
++ Fixes CVE-2015-0860.
++
+ commit 5459d330c73cdcfd1327bc93c0ebddc2da4a3a3a (HEAD -> master, tag: 1.18.2)
+ Author: Guillem Jover <guillem@debian.org>
+ Date: Mon Aug 3 15:41:05 2015 +0200
diff --git a/meta/recipes-devtools/dpkg/dpkg_1.18.2.bb b/meta/recipes-devtools/dpkg/dpkg_1.18.2.bb
index 4c3fa4f..2fc096d 100644
--- a/meta/recipes-devtools/dpkg/dpkg_1.18.2.bb
+++ b/meta/recipes-devtools/dpkg/dpkg_1.18.2.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://noman.patch \
file://0003-Our-pre-postinsts-expect-D-to-be-set-when-running-in.patch \
file://0004-The-lutimes-function-doesn-t-work-properly-for-all-s.patch \
file://0005-dpkg-compiler.m4-remove-Wvla.patch \
+ file://CVE-2015-0860.patch \
"
SRC_URI[md5sum] = "63b9d869081ec49adeef6c5ff62d6576"
--
2.3.5
^ permalink raw reply related [flat|nested] 9+ messages in thread* [jethro-next 2/8] libxml2: Security fix CVE-2015-8241
2016-01-31 19:53 [jethro-next 0/8] pull request for jethro Armin Kuster
2016-01-31 19:53 ` [jethro-next 1/8] dpkg: Security fix CVE-2015-0860 Armin Kuster
@ 2016-01-31 19:53 ` Armin Kuster
2016-01-31 19:53 ` [jethro-next 3/8] libxml2: Security fix CVE-2015-8710 Armin Kuster
` (5 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Armin Kuster @ 2016-01-31 19:53 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2015-8241 libxml2: Buffer overread with XML parser in xmlNextChar
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-core/libxml/libxml2.inc | 1 +
.../libxml/libxml2/CVE-2015-8241.patch | 40 ++++++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index b9ce0f0..bced950f 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -35,6 +35,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch \
file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \
file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \
+ file://CVE-2015-8241.patch \
"
BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
new file mode 100644
index 0000000..89a46ad
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8241.patch
@@ -0,0 +1,40 @@
+From ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Mon Sep 17 00:00:00 2001
+From: Hugh Davenport <hugh@allthethings.co.nz>
+Date: Tue, 3 Nov 2015 20:40:49 +0800
+Subject: [PATCH] Avoid extra processing of MarkupDecl when EOF
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=756263
+
+One place where ctxt->instate == XML_PARSER_EOF whic was set up
+by entity detection issues doesn't get noticed, and even overrided
+
+Upstream-status: Backport
+
+https://git.gnome.org/browse/libxml2/commit/?id=ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe
+
+CVE: CVE-2015-8241
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -6999,6 +6999,14 @@ xmlParseMarkupDecl(xmlParserCtxtPtr ctxt
+ xmlParsePI(ctxt);
+ }
+ }
++
++ /*
++ * detect requirement to exit there and act accordingly
++ * and avoid having instate overriden later on
++ */
++ if (ctxt->instate == XML_PARSER_EOF)
++ return;
++
+ /*
+ * This is only for internal subset. On external entities,
+ * the replacement is done before parsing stage
--
2.3.5
^ permalink raw reply related [flat|nested] 9+ messages in thread* [jethro-next 3/8] libxml2: Security fix CVE-2015-8710
2016-01-31 19:53 [jethro-next 0/8] pull request for jethro Armin Kuster
2016-01-31 19:53 ` [jethro-next 1/8] dpkg: Security fix CVE-2015-0860 Armin Kuster
2016-01-31 19:53 ` [jethro-next 2/8] libxml2: Security fix CVE-2015-8241 Armin Kuster
@ 2016-01-31 19:53 ` Armin Kuster
2016-01-31 19:53 ` [jethro-next 4/8] bind: Security fix CVE-2015-8000 Armin Kuster
` (4 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Armin Kuster @ 2016-01-31 19:53 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2015-8710 libxml2: out-of-bounds memory access when parsing an unclosed HTML comment
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-core/libxml/libxml2.inc | 1 +
.../libxml/libxml2/CVE-2015-8710.patch | 71 ++++++++++++++++++++++
2 files changed, 72 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index bced950f..310d5bb 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -36,6 +36,7 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch \
file://0001-CVE-2015-5312-Another-entity-expansion-issue.patch \
file://CVE-2015-8241.patch \
+ file://CVE-2015-8710.patch \
"
BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
new file mode 100644
index 0000000..be06cc2
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8710.patch
@@ -0,0 +1,71 @@
+From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 30 Oct 2015 21:14:55 +0800
+Subject: [PATCH] Fix parsing short unclosed comment uninitialized access
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=746048
+The HTML parser was too optimistic when processing comments and
+didn't check for the end of the stream on the first 2 characters
+
+Upstream-Status: Backport
+
+https://git.gnome.org/browse/libxml2/commit/?id=e724879d964d774df9b7969fc846605aa1bac54c
+
+CVE: CVE-2015-8710
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ HTMLparser.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+Index: libxml2-2.9.2/HTMLparser.c
+===================================================================
+--- libxml2-2.9.2.orig/HTMLparser.c
++++ libxml2-2.9.2/HTMLparser.c
+@@ -3245,12 +3245,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ ctxt->instate = state;
+ return;
+ }
++ len = 0;
++ buf[len] = 0;
+ q = CUR_CHAR(ql);
++ if (!IS_CHAR(q))
++ goto unfinished;
+ NEXTL(ql);
+ r = CUR_CHAR(rl);
++ if (!IS_CHAR(r))
++ goto unfinished;
+ NEXTL(rl);
+ cur = CUR_CHAR(l);
+- len = 0;
+ while (IS_CHAR(cur) &&
+ ((cur != '>') ||
+ (r != '-') || (q != '-'))) {
+@@ -3281,18 +3286,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt)
+ }
+ }
+ buf[len] = 0;
+- if (!IS_CHAR(cur)) {
+- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
+- "Comment not terminated \n<!--%.50s\n", buf, NULL);
+- xmlFree(buf);
+- } else {
++ if (IS_CHAR(cur)) {
+ NEXT;
+ if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) &&
+ (!ctxt->disableSAX))
+ ctxt->sax->comment(ctxt->userData, buf);
+ xmlFree(buf);
++ ctxt->instate = state;
++ return;
+ }
+- ctxt->instate = state;
++
++unfinished:
++ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED,
++ "Comment not terminated \n<!--%.50s\n", buf, NULL);
++ xmlFree(buf);
+ }
+
+ /**
--
2.3.5
^ permalink raw reply related [flat|nested] 9+ messages in thread* [jethro-next 4/8] bind: Security fix CVE-2015-8000
2016-01-31 19:53 [jethro-next 0/8] pull request for jethro Armin Kuster
` (2 preceding siblings ...)
2016-01-31 19:53 ` [jethro-next 3/8] libxml2: Security fix CVE-2015-8710 Armin Kuster
@ 2016-01-31 19:53 ` Armin Kuster
2016-01-31 19:53 ` [jethro-next 5/8] bind: Security fix CVE-2015-8461 Armin Kuster
` (3 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Armin Kuster @ 2016-01-31 19:53 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2015-8000 bind: responses with a malformed class attribute can trigger an assertion failure in db.c
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../bind/bind/CVE-2015-8000.patch | 278 +++++++++++++++++++++
meta/recipes-connectivity/bind/bind_9.10.2-P4.bb | 1 +
2 files changed, 279 insertions(+)
create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
new file mode 100644
index 0000000..e1c8052
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-8000.patch
@@ -0,0 +1,278 @@
+From 8259daad7242ab2af8731681177ef7e948a15ece Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Mon, 16 Nov 2015 13:12:20 +1100
+Subject: [PATCH] 4260. [security] Insufficient testing when parsing a
+ message allowed records with an incorrect class to be
+ be accepted, triggering a REQUIRE failure when those
+ records were subsequently cached. (CVE-2015-8000) [RT
+ #4098]
+
+(cherry picked from commit c8821d124c532e0a65752b378f924d4259499fd3)
+(cherry picked from commit 3a4c24c4a52d4a2d21d2decbde3d4e514e27d51c)
+
+
+Upstream-Status: Backport
+
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=8259daad7242ab2af8731681177ef7e948a15ece
+
+CVE: CVE-2015-8000
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGES | 5 +++++
+ bin/tests/system/start.pl | 5 ++++-
+ doc/arm/notes.xml | 9 +++++++++
+ lib/dns/include/dns/message.h | 13 +++++++++++--
+ lib/dns/message.c | 45 ++++++++++++++++++++++++++++++++++++++-----
+ lib/dns/resolver.c | 9 +++++++++
+ lib/dns/xfrin.c | 2 ++
+ 7 files changed, 80 insertions(+), 8 deletions(-)
+
+Index: bind-9.10.2-P4/bin/tests/system/start.pl
+===================================================================
+--- bind-9.10.2-P4.orig/bin/tests/system/start.pl
++++ bind-9.10.2-P4/bin/tests/system/start.pl
+@@ -68,6 +68,7 @@ my $NAMED = $ENV{'NAMED'};
+ my $LWRESD = $ENV{'LWRESD'};
+ my $DIG = $ENV{'DIG'};
+ my $PERL = $ENV{'PERL'};
++my $PYTHON = $ENV{'PYTHON'};
+
+ # Start the server(s)
+
+@@ -213,7 +214,9 @@ sub start_server {
+ $pid_file = "lwresd.pid";
+ } elsif ($server =~ /^ans/) {
+ $cleanup_files = "{ans.run}";
+- if (-e "$testdir/$server/ans.pl") {
++ if (-e "$testdir/$server/ans.py") {
++ $command = "$PYTHON ans.py 10.53.0.$' 5300";
++ } elsif (-e "$testdir/$server/ans.pl") {
+ $command = "$PERL ans.pl";
+ } else {
+ $command = "$PERL $topdir/ans.pl 10.53.0.$'";
+Index: bind-9.10.2-P4/doc/arm/notes.xml
+===================================================================
+--- bind-9.10.2-P4.orig/doc/arm/notes.xml
++++ bind-9.10.2-P4/doc/arm/notes.xml
+@@ -62,6 +62,15 @@
+ <itemizedlist>
+ <listitem>
+ <para>
++ Insufficient testing when parsing a message allowed
++ records with an incorrect class to be be accepted,
++ triggering a REQUIRE failure when those records
++ were subsequently cached. This flaw is disclosed
++ in CVE-2015-8000. [RT #4098]
++ </para>
++ </listitem>
++ <listitem>
++ <para>
+ An incorrect boundary check in the OPENPGPKEY rdatatype
+ could trigger an assertion failure. This flaw is disclosed
+ in CVE-2015-5986. [RT #40286]
+Index: bind-9.10.2-P4/lib/dns/include/dns/message.h
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/include/dns/message.h
++++ bind-9.10.2-P4/lib/dns/include/dns/message.h
+@@ -15,8 +15,6 @@
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+-/* $Id$ */
+-
+ #ifndef DNS_MESSAGE_H
+ #define DNS_MESSAGE_H 1
+
+@@ -221,6 +219,8 @@ struct dns_message {
+ unsigned int free_saved : 1;
+ unsigned int sitok : 1;
+ unsigned int sitbad : 1;
++ unsigned int tkey : 1;
++ unsigned int rdclass_set : 1;
+
+ unsigned int opt_reserved;
+ unsigned int sig_reserved;
+@@ -1400,6 +1400,15 @@ dns_message_buildopt(dns_message_t *msg,
+ * \li other.
+ */
+
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
++/*%<
++ * Set the expected class of records in the response.
++ *
++ * Requires:
++ * \li msg be a valid message with parsing intent.
++ */
++
+ ISC_LANG_ENDDECLS
+
+ #endif /* DNS_MESSAGE_H */
+Index: bind-9.10.2-P4/lib/dns/message.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/message.c
++++ bind-9.10.2-P4/lib/dns/message.c
+@@ -439,6 +439,8 @@ msginit(dns_message_t *m) {
+ m->free_saved = 0;
+ m->sitok = 0;
+ m->sitbad = 0;
++ m->tkey = 0;
++ m->rdclass_set = 0;
+ m->querytsig = NULL;
+ }
+
+@@ -1091,13 +1093,19 @@ getquestions(isc_buffer_t *source, dns_m
+ * If this class is different than the one we already read,
+ * this is an error.
+ */
+- if (msg->state == DNS_SECTION_ANY) {
+- msg->state = DNS_SECTION_QUESTION;
++ if (msg->rdclass_set == 0) {
+ msg->rdclass = rdclass;
++ msg->rdclass_set = 1;
+ } else if (msg->rdclass != rdclass)
+ DO_FORMERR;
+
+ /*
++ * Is this a TKEY query?
++ */
++ if (rdtype == dns_rdatatype_tkey)
++ msg->tkey = 1;
++
++ /*
+ * Can't ask the same question twice.
+ */
+ result = dns_message_find(name, rdclass, rdtype, 0, NULL);
+@@ -1241,12 +1249,12 @@ getsection(isc_buffer_t *source, dns_mes
+ * If there was no question section, we may not yet have
+ * established a class. Do so now.
+ */
+- if (msg->state == DNS_SECTION_ANY &&
++ if (msg->rdclass_set == 0 &&
+ rdtype != dns_rdatatype_opt && /* class is UDP SIZE */
+ rdtype != dns_rdatatype_tsig && /* class is ANY */
+ rdtype != dns_rdatatype_tkey) { /* class is undefined */
+ msg->rdclass = rdclass;
+- msg->state = DNS_SECTION_QUESTION;
++ msg->rdclass_set = 1;
+ }
+
+ /*
+@@ -1256,7 +1264,7 @@ getsection(isc_buffer_t *source, dns_mes
+ if (msg->opcode != dns_opcode_update
+ && rdtype != dns_rdatatype_tsig
+ && rdtype != dns_rdatatype_opt
+- && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
++ && rdtype != dns_rdatatype_key /* in a TKEY query */
+ && rdtype != dns_rdatatype_sig /* SIG(0) */
+ && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
+ && msg->rdclass != dns_rdataclass_any
+@@ -1264,6 +1272,16 @@ getsection(isc_buffer_t *source, dns_mes
+ DO_FORMERR;
+
+ /*
++ * If this is not a TKEY query/response then the KEY
++ * record's class needs to match.
++ */
++ if (msg->opcode != dns_opcode_update && !msg->tkey &&
++ rdtype == dns_rdatatype_key &&
++ msg->rdclass != dns_rdataclass_any &&
++ msg->rdclass != rdclass)
++ DO_FORMERR;
++
++ /*
+ * Special type handling for TSIG, OPT, and TKEY.
+ */
+ if (rdtype == dns_rdatatype_tsig) {
+@@ -1377,6 +1395,10 @@ getsection(isc_buffer_t *source, dns_mes
+ skip_name_search = ISC_TRUE;
+ skip_type_search = ISC_TRUE;
+ issigzero = ISC_TRUE;
++ } else {
++ if (msg->rdclass != dns_rdataclass_any &&
++ msg->rdclass != rdclass)
++ DO_FORMERR;
+ }
+ } else
+ covers = 0;
+@@ -1625,6 +1647,7 @@ dns_message_parse(dns_message_t *msg, is
+ msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
+
+ msg->header_ok = 1;
++ msg->state = DNS_SECTION_QUESTION;
+
+ /*
+ * -1 means no EDNS.
+@@ -3706,3 +3729,15 @@ dns_message_buildopt(dns_message_t *mess
+ dns_message_puttemprdatalist(message, &rdatalist);
+ return (result);
+ }
++
++void
++dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
++
++ REQUIRE(DNS_MESSAGE_VALID(msg));
++ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
++ REQUIRE(msg->state == DNS_SECTION_ANY);
++ REQUIRE(msg->rdclass_set == 0);
++
++ msg->rdclass = rdclass;
++ msg->rdclass_set = 1;
++}
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
++++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -7309,6 +7309,8 @@ resquery_response(isc_task_t *task, isc_
+ goto done;
+ }
+
++ dns_message_setclass(message, fctx->res->rdclass);
++
+ if ((options & DNS_FETCHOPT_TCP) == 0) {
+ if ((options & DNS_FETCHOPT_NOEDNS0) == 0)
+ dns_adb_setudpsize(fctx->adb, query->addrinfo,
+@@ -7391,6 +7393,13 @@ resquery_response(isc_task_t *task, isc_
+ &dns_master_style_comment,
+ ISC_LOG_DEBUG(10),
+ fctx->res->mctx);
++
++ if (message->rdclass != fctx->res->rdclass) {
++ resend = ISC_TRUE;
++ FCTXTRACE("bad class");
++ goto done;
++ }
++
+ /*
+ * Process receive opt record.
+ */
+Index: bind-9.10.2-P4/lib/dns/xfrin.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/xfrin.c
++++ bind-9.10.2-P4/lib/dns/xfrin.c
+@@ -1225,6 +1225,8 @@ xfrin_recv_done(isc_task_t *task, isc_ev
+ msg->tsigctx = xfr->tsigctx;
+ xfr->tsigctx = NULL;
+
++ dns_message_setclass(msg, xfr->rdclass);
++
+ if (xfr->nmsg > 0)
+ msg->tcp_continuation = 1;
+
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,4 +1,9 @@
+- --- 9.10.2-P4 released ---
++4260. [security] Insufficient testing when parsing a message allowed
++ records with an incorrect class to be be accepted,
++ triggering a REQUIRE failure when those records
++ were subsequently cached. (CVE-2015-8000) [RT #4098]
++
++ --- 9.10.2-P4 released ---
+
+ 4170. [security] An incorrect boundary check in the OPENPGPKEY
+ rdatatype could trigger an assertion failure.
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index c9a7acd..b22dbf3 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -23,6 +23,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://0001-lib-dns-gen.c-fix-too-long-error.patch \
file://CVE-2015-8704.patch \
file://CVE-2015-8705.patch \
+ file://CVE-2015-8000.patch \
"
SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"
--
2.3.5
^ permalink raw reply related [flat|nested] 9+ messages in thread* [jethro-next 5/8] bind: Security fix CVE-2015-8461
2016-01-31 19:53 [jethro-next 0/8] pull request for jethro Armin Kuster
` (3 preceding siblings ...)
2016-01-31 19:53 ` [jethro-next 4/8] bind: Security fix CVE-2015-8000 Armin Kuster
@ 2016-01-31 19:53 ` Armin Kuster
2016-01-31 19:53 ` [jethro-next 6/8] librsvg: Security fix CVE-2015-7558 Armin Kuster
` (2 subsequent siblings)
7 siblings, 0 replies; 9+ messages in thread
From: Armin Kuster @ 2016-01-31 19:53 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2015-8461 bind: race condition when handling socket errors can lead to an assertion failure in resolver.c\
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../bind/bind/CVE-2015-8461.patch | 44 ++++++++++++++++++++++
meta/recipes-connectivity/bind/bind_9.10.2-P4.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch b/meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch
new file mode 100644
index 0000000..88e9c83
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2015-8461.patch
@@ -0,0 +1,44 @@
+From adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 25 Jun 2015 18:36:27 +1000
+Subject: [PATCH] 4146. [bug] Address reference leak that could
+ prevent a clean shutdown. [RT #37125]
+
+Upstream-Status: Backport
+
+https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=adbf81335b67be0cebdcf9f1f4fcb38ef4814f4d
+
+CVE: CVE-2015-8461
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ CHANGES | 3 +++
+ lib/dns/resolver.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,6 @@
++4146. [bug] Address reference leak that could prevent a clean
++ shutdown. [RT #37125]
++
+ 4260. [security] Insufficient testing when parsing a message allowed
+ records with an incorrect class to be be accepted,
+ triggering a REQUIRE failure when those records
+Index: bind-9.10.2-P4/lib/dns/resolver.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/resolver.c
++++ bind-9.10.2-P4/lib/dns/resolver.c
+@@ -1649,6 +1649,11 @@ fctx_query(fetchctx_t *fctx, dns_adbaddr
+ if (query->dispatch != NULL)
+ dns_dispatch_detach(&query->dispatch);
+
++ LOCK(&res->buckets[fctx->bucketnum].lock);
++ INSIST(fctx->references > 1);
++ fctx->references--;
++ UNLOCK(&res->buckets[fctx->bucketnum].lock);
++
+ cleanup_query:
+ if (query->connects == 0) {
+ query->magic = 0;
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index b22dbf3..19f87d7 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
file://CVE-2015-8704.patch \
file://CVE-2015-8705.patch \
file://CVE-2015-8000.patch \
+ file://CVE-2015-8461.patch \
"
SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"
--
2.3.5
^ permalink raw reply related [flat|nested] 9+ messages in thread* [jethro-next 6/8] librsvg: Security fix CVE-2015-7558
2016-01-31 19:53 [jethro-next 0/8] pull request for jethro Armin Kuster
` (4 preceding siblings ...)
2016-01-31 19:53 ` [jethro-next 5/8] bind: Security fix CVE-2015-8461 Armin Kuster
@ 2016-01-31 19:53 ` Armin Kuster
2016-01-31 19:53 ` [jethro-next 7/8] gdk-pixbuf: Security fix CVE-2015-7674 Armin Kuster
2016-01-31 19:53 ` [jethro-next 8/8] grub: Security fix CVE-2015-8370 Armin Kuster
7 siblings, 0 replies; 9+ messages in thread
From: Armin Kuster @ 2016-01-31 19:53 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2015-7558 librsvg2: Stack exhaustion causing DoS
including two supporting patches.
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../librsvg/librsvg/CVE-2015-7558_1.patch | 139 +++++++++++++
.../librsvg/librsvg/CVE-2015-7558_2.patch | 230 +++++++++++++++++++++
.../librsvg/librsvg/CVE-2015-7558_3.patch | 223 ++++++++++++++++++++
meta/recipes-gnome/librsvg/librsvg_2.40.10.bb | 6 +-
4 files changed, 597 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
create mode 100644 meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch
create mode 100644 meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
new file mode 100644
index 0000000..a3ba41f
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_1.patch
@@ -0,0 +1,139 @@
+From d1c9191949747f6dcfd207831d15dd4ba00e31f2 Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Wed, 7 Oct 2015 05:31:08 +0200
+Subject: [PATCH] state: Store mask as reference
+
+Instead of immediately looking up the mask, store the reference and look
+it up on use.
+
+Upstream-status: Backport
+
+supporting patch
+https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=d1c9191949747f6dcfd207831d15dd4ba00e31f2
+
+CVE: CVE-2015-7558
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ rsvg-cairo-draw.c | 6 +++++-
+ rsvg-mask.c | 17 -----------------
+ rsvg-mask.h | 2 --
+ rsvg-styles.c | 12 ++++++++----
+ rsvg-styles.h | 2 +-
+ 5 files changed, 14 insertions(+), 25 deletions(-)
+
+Index: librsvg-2.40.10/rsvg-cairo-draw.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
++++ librsvg-2.40.10/rsvg-cairo-draw.c
+@@ -825,7 +825,11 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+ cairo_set_operator (render->cr, state->comp_op);
+
+ if (state->mask) {
+- rsvg_cairo_generate_mask (render->cr, state->mask, ctx, &render->bbox);
++ RsvgNode *mask;
++
++ mask = rsvg_defs_lookup (ctx->defs, state->mask);
++ if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
++ rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
+ } else if (state->opacity != 0xFF)
+ cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
+ else
+Index: librsvg-2.40.10/rsvg-mask.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.c
++++ librsvg-2.40.10/rsvg-mask.c
+@@ -103,23 +103,6 @@ rsvg_get_url_string (const char *str)
+ }
+
+ RsvgNode *
+-rsvg_mask_parse (const RsvgDefs * defs, const char *str)
+-{
+- char *name;
+-
+- name = rsvg_get_url_string (str);
+- if (name) {
+- RsvgNode *val;
+- val = rsvg_defs_lookup (defs, name);
+- g_free (name);
+-
+- if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_MASK)
+- return val;
+- }
+- return NULL;
+-}
+-
+-RsvgNode *
+ rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
+ {
+ char *name;
+Index: librsvg-2.40.10/rsvg-mask.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.h
++++ librsvg-2.40.10/rsvg-mask.h
+@@ -48,8 +48,6 @@ struct _RsvgMask {
+
+ G_GNUC_INTERNAL
+ RsvgNode *rsvg_new_mask (void);
+-G_GNUC_INTERNAL
+-RsvgNode *rsvg_mask_parse (const RsvgDefs * defs, const char *str);
+
+ typedef struct _RsvgClipPath RsvgClipPath;
+
+Index: librsvg-2.40.10/rsvg-styles.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.c
++++ librsvg-2.40.10/rsvg-styles.c
+@@ -221,6 +221,7 @@ rsvg_state_clone (RsvgState * dst, const
+
+ *dst = *src;
+ dst->parent = parent;
++ dst->mask = g_strdup (src->mask);
+ dst->font_family = g_strdup (src->font_family);
+ dst->lang = g_strdup (src->lang);
+ rsvg_paint_server_ref (dst->fill);
+@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
+
+ if (inherituninheritables) {
+ dst->clip_path_ref = src->clip_path_ref;
+- dst->mask = src->mask;
++ g_free (dst->mask);
++ dst->mask = g_strdup (src->mask);
+ dst->enable_background = src->enable_background;
+ dst->adobe_blend = src->adobe_blend;
+ dst->opacity = src->opacity;
+@@ -444,6 +446,7 @@ rsvg_state_inherit (RsvgState * dst, con
+ void
+ rsvg_state_finalize (RsvgState * state)
+ {
++ g_free (state->mask);
+ g_free (state->font_family);
+ g_free (state->lang);
+ rsvg_paint_server_unref (state->fill);
+@@ -517,9 +520,10 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
+ state->adobe_blend = 11;
+ else
+ state->adobe_blend = 0;
+- } else if (g_str_equal (name, "mask"))
+- state->mask = rsvg_mask_parse (ctx->priv->defs, value);
+- else if (g_str_equal (name, "clip-path")) {
++ } else if (g_str_equal (name, "mask")) {
++ g_free (state->mask);
++ state->mask = rsvg_get_url_string (value);
++ } else if (g_str_equal (name, "clip-path")) {
+ state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
+ } else if (g_str_equal (name, "overflow")) {
+ if (!g_str_equal (value, "inherit")) {
+Index: librsvg-2.40.10/rsvg-styles.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.h
++++ librsvg-2.40.10/rsvg-styles.h
+@@ -80,7 +80,7 @@ struct _RsvgState {
+ cairo_matrix_t personal_affine;
+
+ RsvgFilter *filter;
+- void *mask;
++ char *mask;
+ void *clip_path_ref;
+ guint8 adobe_blend; /* 0..11 */
+ guint8 opacity; /* 0..255 */
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch
new file mode 100644
index 0000000..9f6820e
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_2.patch
@@ -0,0 +1,230 @@
+From 6cfaab12c70cd4a34c4730837f1ecdf792593c90 Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Wed, 7 Oct 2015 07:57:39 +0200
+Subject: [PATCH] state: Look up clip path lazily
+
+Upstream-status: Backport
+
+supporting patch
+https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=6cfaab12c70cd4a34c4730837f1ecdf792593c90
+
+CVE: CVE-2015-7558
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ rsvg-cairo-draw.c | 56 +++++++++++++++++++++++++++++++++----------------------
+ rsvg-mask.c | 17 -----------------
+ rsvg-mask.h | 2 --
+ rsvg-styles.c | 10 +++++++---
+ rsvg-styles.h | 2 +-
+ 5 files changed, 42 insertions(+), 45 deletions(-)
+
+Index: librsvg-2.40.10/rsvg-cairo-draw.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
++++ librsvg-2.40.10/rsvg-cairo-draw.c
+@@ -461,7 +461,7 @@ rsvg_cairo_render_path (RsvgDrawingCtx *
+ return;
+
+ need_tmpbuf = ((state->fill != NULL) && (state->stroke != NULL) && state->opacity != 0xff)
+- || state->clip_path_ref || state->mask || state->filter
++ || state->clip_path || state->mask || state->filter
+ || (state->comp_op != CAIRO_OPERATOR_OVER);
+
+ if (need_tmpbuf)
+@@ -708,18 +708,6 @@ rsvg_cairo_generate_mask (cairo_t * cr,
+ }
+
+ static void
+-rsvg_cairo_push_early_clips (RsvgDrawingCtx * ctx)
+-{
+- RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
+-
+- cairo_save (render->cr);
+- if (rsvg_current_state (ctx)->clip_path_ref)
+- if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == userSpaceOnUse)
+- rsvg_cairo_clip (ctx, rsvg_current_state (ctx)->clip_path_ref, NULL);
+-
+-}
+-
+-static void
+ rsvg_cairo_push_render_stack (RsvgDrawingCtx * ctx)
+ {
+ /* XXX: Untested, probably needs help wrt filters */
+@@ -731,9 +719,27 @@ rsvg_cairo_push_render_stack (RsvgDrawin
+ RsvgState *state = rsvg_current_state (ctx);
+ gboolean lateclip = FALSE;
+
+- if (rsvg_current_state (ctx)->clip_path_ref)
+- if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == objectBoundingBox)
+- lateclip = TRUE;
++ if (rsvg_current_state (ctx)->clip_path) {
++ RsvgNode *node;
++ node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
++ if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH) {
++ RsvgClipPath *clip_path = (RsvgClipPath *) node;
++
++ switch (clip_path->units) {
++ case userSpaceOnUse:
++ rsvg_cairo_clip (ctx, clip_path, NULL);
++ break;
++ case objectBoundingBox:
++ lateclip = TRUE;
++ break;
++
++ default:
++ g_assert_not_reached ();
++ break;
++ }
++
++ }
++ }
+
+ if (state->opacity == 0xFF
+ && !state->filter && !state->mask && !lateclip && (state->comp_op == CAIRO_OPERATOR_OVER)
+@@ -774,7 +780,9 @@ rsvg_cairo_push_render_stack (RsvgDrawin
+ void
+ rsvg_cairo_push_discrete_layer (RsvgDrawingCtx * ctx)
+ {
+- rsvg_cairo_push_early_clips (ctx);
++ RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
++
++ cairo_save (render->cr);
+ rsvg_cairo_push_render_stack (ctx);
+ }
+
+@@ -783,14 +791,18 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+ {
+ RsvgCairoRender *render = RSVG_CAIRO_RENDER (ctx->render);
+ cairo_t *child_cr = render->cr;
+- gboolean lateclip = FALSE;
++ RsvgClipPath *lateclip = NULL;
+ cairo_surface_t *surface = NULL;
+ RsvgState *state = rsvg_current_state (ctx);
+ gboolean nest;
+
+- if (rsvg_current_state (ctx)->clip_path_ref)
+- if (((RsvgClipPath *) rsvg_current_state (ctx)->clip_path_ref)->units == objectBoundingBox)
+- lateclip = TRUE;
++ if (rsvg_current_state (ctx)->clip_path) {
++ RsvgNode *node;
++ node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
++ if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH
++ && ((RsvgClipPath *) node)->units == objectBoundingBox)
++ lateclip = (RsvgClipPath *) node;
++ }
+
+ if (state->opacity == 0xFF
+ && !state->filter && !state->mask && !lateclip && (state->comp_op == CAIRO_OPERATOR_OVER)
+@@ -820,7 +832,7 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+ nest ? 0 : render->offset_y);
+
+ if (lateclip)
+- rsvg_cairo_clip (ctx, rsvg_current_state (ctx)->clip_path_ref, &render->bbox);
++ rsvg_cairo_clip (ctx, lateclip, &render->bbox);
+
+ cairo_set_operator (render->cr, state->comp_op);
+
+Index: librsvg-2.40.10/rsvg-mask.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.c
++++ librsvg-2.40.10/rsvg-mask.c
+@@ -102,23 +102,6 @@ rsvg_get_url_string (const char *str)
+ return NULL;
+ }
+
+-RsvgNode *
+-rsvg_clip_path_parse (const RsvgDefs * defs, const char *str)
+-{
+- char *name;
+-
+- name = rsvg_get_url_string (str);
+- if (name) {
+- RsvgNode *val;
+- val = rsvg_defs_lookup (defs, name);
+- g_free (name);
+-
+- if (val && RSVG_NODE_TYPE (val) == RSVG_NODE_TYPE_CLIP_PATH)
+- return val;
+- }
+- return NULL;
+-}
+-
+ static void
+ rsvg_clip_path_set_atts (RsvgNode * self, RsvgHandle * ctx, RsvgPropertyBag * atts)
+ {
+Index: librsvg-2.40.10/rsvg-mask.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-mask.h
++++ librsvg-2.40.10/rsvg-mask.h
+@@ -58,8 +58,6 @@ struct _RsvgClipPath {
+
+ G_GNUC_INTERNAL
+ RsvgNode *rsvg_new_clip_path (void);
+-G_GNUC_INTERNAL
+-RsvgNode *rsvg_clip_path_parse (const RsvgDefs * defs, const char *str);
+
+ G_END_DECLS
+ #endif
+Index: librsvg-2.40.10/rsvg-styles.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.c
++++ librsvg-2.40.10/rsvg-styles.c
+@@ -149,7 +149,7 @@ rsvg_state_init (RsvgState * state)
+ state->visible = TRUE;
+ state->cond_true = TRUE;
+ state->filter = NULL;
+- state->clip_path_ref = NULL;
++ state->clip_path = NULL;
+ state->startMarker = NULL;
+ state->middleMarker = NULL;
+ state->endMarker = NULL;
+@@ -222,6 +222,7 @@ rsvg_state_clone (RsvgState * dst, const
+ *dst = *src;
+ dst->parent = parent;
+ dst->mask = g_strdup (src->mask);
++ dst->clip_path = g_strdup (src->clip_path);
+ dst->font_family = g_strdup (src->font_family);
+ dst->lang = g_strdup (src->lang);
+ rsvg_paint_server_ref (dst->fill);
+@@ -356,7 +357,8 @@ rsvg_state_inherit_run (RsvgState * dst,
+ }
+
+ if (inherituninheritables) {
+- dst->clip_path_ref = src->clip_path_ref;
++ g_free (dst->clip_path);
++ dst->clip_path = g_strdup (src->clip_path);
+ g_free (dst->mask);
+ dst->mask = g_strdup (src->mask);
+ dst->enable_background = src->enable_background;
+@@ -447,6 +449,7 @@ void
+ rsvg_state_finalize (RsvgState * state)
+ {
+ g_free (state->mask);
++ g_free (state->clip_path);
+ g_free (state->font_family);
+ g_free (state->lang);
+ rsvg_paint_server_unref (state->fill);
+@@ -524,7 +527,8 @@ rsvg_parse_style_pair (RsvgHandle * ctx,
+ g_free (state->mask);
+ state->mask = rsvg_get_url_string (value);
+ } else if (g_str_equal (name, "clip-path")) {
+- state->clip_path_ref = rsvg_clip_path_parse (ctx->priv->defs, value);
++ g_free (state->clip_path);
++ state->clip_path = rsvg_get_url_string (value);
+ } else if (g_str_equal (name, "overflow")) {
+ if (!g_str_equal (value, "inherit")) {
+ state->overflow = rsvg_css_parse_overflow (value, &state->has_overflow);
+Index: librsvg-2.40.10/rsvg-styles.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-styles.h
++++ librsvg-2.40.10/rsvg-styles.h
+@@ -81,7 +81,7 @@ struct _RsvgState {
+
+ RsvgFilter *filter;
+ char *mask;
+- void *clip_path_ref;
++ char *clip_path;
+ guint8 adobe_blend; /* 0..11 */
+ guint8 opacity; /* 0..255 */
+
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch
new file mode 100644
index 0000000..dd67ab7
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch
@@ -0,0 +1,223 @@
+From a51919f7e1ca9c535390a746fbf6e28c8402dc61 Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Wed, 7 Oct 2015 08:45:37 +0200
+Subject: [PATCH] rsvg: Add rsvg_acquire_node()
+
+This function does proper recursion checks when looking up resources
+from URLs and thereby helps avoiding infinite loops when cyclic
+references span multiple types of elements.
+
+Upstream-status: Backport
+
+https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61
+
+CVE: CVE-2015-7558
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ rsvg-base.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ rsvg-cairo-draw.c | 15 +++++++++++----
+ rsvg-cairo-render.c | 1 +
+ rsvg-filter.c | 9 +++++++--
+ rsvg-private.h | 5 +++++
+ 5 files changed, 79 insertions(+), 6 deletions(-)
+
+Index: librsvg-2.40.10/rsvg-base.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-base.c
++++ librsvg-2.40.10/rsvg-base.c
+@@ -1236,6 +1236,8 @@ rsvg_drawing_ctx_free (RsvgDrawingCtx *
+ g_slist_free (handle->drawsub_stack);
+
+ g_slist_free (handle->ptrs);
++ g_warn_if_fail (handle->acquired_nodes == NULL);
++ g_slist_free (handle->acquired_nodes);
+
+ if (handle->base_uri)
+ g_free (handle->base_uri);
+@@ -2018,6 +2020,59 @@ rsvg_push_discrete_layer (RsvgDrawingCtx
+ ctx->render->push_discrete_layer (ctx);
+ }
+
++/*
++ * rsvg_acquire_node:
++ * @ctx: The drawing context in use
++ * @url: The IRI to lookup
++ *
++ * Use this function when looking up urls to other nodes. This
++ * function does proper recursion checking and thereby avoids
++ * infinite loops.
++ *
++ * Nodes acquired by this function must be released using
++ * rsvg_release_node() in reverse acquiring order.
++ *
++ * Returns: The node referenced by @url or %NULL if the @url
++ * does not reference a node.
++ */
++RsvgNode *
++rsvg_acquire_node (RsvgDrawingCtx * ctx, const char *url)
++{
++ RsvgNode *node;
++
++ node = rsvg_defs_lookup (ctx->defs, url);
++ if (node == NULL)
++ return NULL;
++
++ if (g_slist_find (ctx->acquired_nodes, node))
++ return NULL;
++
++ ctx->acquired_nodes = g_slist_prepend (ctx->acquired_nodes, node);
++
++ return node;
++}
++
++/*
++ * rsvg_release_node:
++ * @ctx: The drawing context the node was acquired from
++ * @node: Node to release
++ *
++ * Releases a node previously acquired via rsvg_acquire_node().
++ *
++ * if @node is %NULL, this function does nothing.
++ */
++void
++rsvg_release_node (RsvgDrawingCtx * ctx, RsvgNode *node)
++{
++ if (node == NULL)
++ return;
++
++ g_return_if_fail (ctx->acquired_nodes != NULL);
++ g_return_if_fail (ctx->acquired_nodes->data == node);
++
++ ctx->acquired_nodes = g_slist_remove (ctx->acquired_nodes, node);
++}
++
+ void
+ rsvg_render_path (RsvgDrawingCtx * ctx, const cairo_path_t *path)
+ {
+Index: librsvg-2.40.10/rsvg-cairo-draw.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
++++ librsvg-2.40.10/rsvg-cairo-draw.c
+@@ -721,7 +721,7 @@ rsvg_cairo_push_render_stack (RsvgDrawin
+
+ if (rsvg_current_state (ctx)->clip_path) {
+ RsvgNode *node;
+- node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
++ node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
+ if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH) {
+ RsvgClipPath *clip_path = (RsvgClipPath *) node;
+
+@@ -739,6 +739,8 @@ rsvg_cairo_push_render_stack (RsvgDrawin
+ }
+
+ }
++
++ rsvg_release_node (ctx, node);
+ }
+
+ if (state->opacity == 0xFF
+@@ -798,10 +800,12 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+
+ if (rsvg_current_state (ctx)->clip_path) {
+ RsvgNode *node;
+- node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
++ node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
+ if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH
+ && ((RsvgClipPath *) node)->units == objectBoundingBox)
+ lateclip = (RsvgClipPath *) node;
++ else
++ rsvg_release_node (ctx, node);
+ }
+
+ if (state->opacity == 0xFF
+@@ -831,17 +835,20 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+ nest ? 0 : render->offset_x,
+ nest ? 0 : render->offset_y);
+
+- if (lateclip)
++ if (lateclip) {
+ rsvg_cairo_clip (ctx, lateclip, &render->bbox);
++ rsvg_release_node (ctx, (RsvgNode *) lateclip);
++ }
+
+ cairo_set_operator (render->cr, state->comp_op);
+
+ if (state->mask) {
+ RsvgNode *mask;
+
+- mask = rsvg_defs_lookup (ctx->defs, state->mask);
++ mask = rsvg_acquire_node (ctx, state->mask);
+ if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
+ rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
++ rsvg_release_node (ctx, mask);
+ } else if (state->opacity != 0xFF)
+ cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
+ else
+Index: librsvg-2.40.10/rsvg-cairo-render.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-render.c
++++ librsvg-2.40.10/rsvg-cairo-render.c
+@@ -155,6 +155,7 @@ rsvg_cairo_new_drawing_ctx (cairo_t * cr
+ draw->pango_context = NULL;
+ draw->drawsub_stack = NULL;
+ draw->ptrs = NULL;
++ draw->acquired_nodes = NULL;
+
+ rsvg_state_push (draw);
+ state = rsvg_current_state (draw);
+Index: librsvg-2.40.10/rsvg-filter.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-filter.c
++++ librsvg-2.40.10/rsvg-filter.c
+@@ -3921,6 +3921,7 @@ rsvg_filter_primitive_image_render_in (R
+ RsvgDrawingCtx *ctx;
+ RsvgFilterPrimitiveImage *upself;
+ RsvgNode *drawable;
++ cairo_surface_t *result;
+
+ ctx = context->ctx;
+
+@@ -3929,13 +3930,17 @@ rsvg_filter_primitive_image_render_in (R
+ if (!upself->href)
+ return NULL;
+
+- drawable = rsvg_defs_lookup (ctx->defs, upself->href->str);
++ drawable = rsvg_acquire_node (ctx, upself->href->str);
+ if (!drawable)
+ return NULL;
+
+ rsvg_current_state (ctx)->affine = context->paffine;
+
+- return rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
++ result = rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
++
++ rsvg_release_node (ctx, drawable);
++
++ return result;
+ }
+
+ static cairo_surface_t *
+Index: librsvg-2.40.10/rsvg-private.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-private.h
++++ librsvg-2.40.10/rsvg-private.h
+@@ -200,6 +200,7 @@ struct RsvgDrawingCtx {
+ GSList *vb_stack;
+ GSList *drawsub_stack;
+ GSList *ptrs;
++ GSList *acquired_nodes;
+ };
+
+ /*Abstract base class for context for our backends (one as yet)*/
+@@ -360,6 +361,10 @@ void rsvg_pop_discrete_layer (RsvgDra
+ G_GNUC_INTERNAL
+ void rsvg_push_discrete_layer (RsvgDrawingCtx * ctx);
+ G_GNUC_INTERNAL
++RsvgNode *rsvg_acquire_node (RsvgDrawingCtx * ctx, const char *url);
++G_GNUC_INTERNAL
++void rsvg_release_node (RsvgDrawingCtx * ctx, RsvgNode *node);
++G_GNUC_INTERNAL
+ void rsvg_render_path (RsvgDrawingCtx * ctx, const cairo_path_t *path);
+ G_GNUC_INTERNAL
+ void rsvg_render_surface (RsvgDrawingCtx * ctx, cairo_surface_t *surface,
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.40.10.bb b/meta/recipes-gnome/librsvg/librsvg_2.40.10.bb
index 06552c2..cb8a73c 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.40.10.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.40.10.bb
@@ -12,7 +12,11 @@ BBCLASSEXTEND = "native"
inherit autotools pkgconfig gnomebase gtk-doc pixbufcache
-SRC_URI += "file://gtk-option.patch"
+SRC_URI += "file://gtk-option.patch \
+ file://CVE-2015-7558_1.patch \
+ file://CVE-2015-7558_2.patch \
+ file://CVE-2015-7558_3.patch \
+ "
SRC_URI[archive.md5sum] = "fadebe2e799ab159169ee3198415ff85"
SRC_URI[archive.sha256sum] = "965c807438ce90b204e930ff80c92eba1606a2f6fd5ccfd09335c99896dd3479"
--
2.3.5
^ permalink raw reply related [flat|nested] 9+ messages in thread* [jethro-next 7/8] gdk-pixbuf: Security fix CVE-2015-7674
2016-01-31 19:53 [jethro-next 0/8] pull request for jethro Armin Kuster
` (5 preceding siblings ...)
2016-01-31 19:53 ` [jethro-next 6/8] librsvg: Security fix CVE-2015-7558 Armin Kuster
@ 2016-01-31 19:53 ` Armin Kuster
2016-01-31 19:53 ` [jethro-next 8/8] grub: Security fix CVE-2015-8370 Armin Kuster
7 siblings, 0 replies; 9+ messages in thread
From: Armin Kuster @ 2016-01-31 19:53 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2015-7674 Heap overflow with a gif file in gdk-pixbuf < 2.32.1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch | 39 ++++++++++++++++++++++
meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch
new file mode 100644
index 0000000..d516e88
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2015-7674.patch
@@ -0,0 +1,39 @@
+From e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Tue, 22 Sep 2015 22:44:51 +0200
+Subject: [PATCH] pixops: Don't overflow variables when shifting them
+
+If we shift by 16 bits we need to be sure those 16 bits actually exist.
+They do now.
+
+Upstream-status: Backport
+https://git.gnome.org/browse/gdk-pixbuf/commit/?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa
+
+CVE: CVE-2015-7674
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ gdk-pixbuf/pixops/pixops.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+Index: gdk-pixbuf-2.30.8/gdk-pixbuf/pixops/pixops.c
+===================================================================
+--- gdk-pixbuf-2.30.8.orig/gdk-pixbuf/pixops/pixops.c
++++ gdk-pixbuf-2.30.8/gdk-pixbuf/pixops/pixops.c
+@@ -264,11 +264,11 @@ pixops_scale_nearest (guchar *des
+ double scale_x,
+ double scale_y)
+ {
+- int i;
+- int x;
+- int x_step = (1 << SCALE_SHIFT) / scale_x;
+- int y_step = (1 << SCALE_SHIFT) / scale_y;
+- int xmax, xstart, xstop, x_pos, y_pos;
++ gint64 i;
++ gint64 x;
++ gint64 x_step = (1 << SCALE_SHIFT) / scale_x;
++ gint64 y_step = (1 << SCALE_SHIFT) / scale_y;
++ gint64 xmax, xstart, xstop, x_pos, y_pos;
+ const guchar *p;
+
+ #define INNER_LOOP(SRC_CHANNELS,DEST_CHANNELS,ASSIGN_PIXEL) \
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
index 68f3850..dcd01b1 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
file://run-ptest \
file://fatal-loader.patch \
file://0001-pixops-Be-more-careful-about-integer-overflow.patch \
+ file://CVE-2015-7674.patch \
"
SRC_URI[md5sum] = "4fed0d54432f1b69fc6e66e608bd5542"
--
2.3.5
^ permalink raw reply related [flat|nested] 9+ messages in thread* [jethro-next 8/8] grub: Security fix CVE-2015-8370
2016-01-31 19:53 [jethro-next 0/8] pull request for jethro Armin Kuster
` (6 preceding siblings ...)
2016-01-31 19:53 ` [jethro-next 7/8] gdk-pixbuf: Security fix CVE-2015-7674 Armin Kuster
@ 2016-01-31 19:53 ` Armin Kuster
7 siblings, 0 replies; 9+ messages in thread
From: Armin Kuster @ 2016-01-31 19:53 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
CVE-2015-8370 grub2: buffer overflow when checking password entered during bootup
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-bsp/grub/files/CVE-2015-8370.patch | 59 +++++++++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 60 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2015-8370.patch
diff --git a/meta/recipes-bsp/grub/files/CVE-2015-8370.patch b/meta/recipes-bsp/grub/files/CVE-2015-8370.patch
new file mode 100644
index 0000000..78f514e
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2015-8370.patch
@@ -0,0 +1,59 @@
+From 451d80e52d851432e109771bb8febafca7a5f1f2 Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert <hecmargi@upv.es>
+Date: Wed, 16 Dec 2015 07:57:18 +0300
+Subject: [PATCH] Fix security issue when reading username and password
+
+This patch fixes two integer underflows at:
+ * grub-core/lib/crypto.c
+ * grub-core/normal/auth.c
+
+CVE-2015-8370
+
+Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
+Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
+Also-By: Andrey Borzenkov <arvidjaar@gmail.com>
+
+Upstream-Status: Backport
+
+http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2
+
+CVE: CVE-2015-8370
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ grub-core/lib/crypto.c | 3 ++-
+ grub-core/normal/auth.c | 7 +++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+Index: git/grub-core/lib/crypto.c
+===================================================================
+--- git.orig/grub-core/lib/crypto.c
++++ git/grub-core/lib/crypto.c
+@@ -458,7 +458,8 @@ grub_password_get (char buf[], unsigned
+
+ if (key == '\b')
+ {
+- cur_len--;
++ if (cur_len)
++ cur_len--;
+ continue;
+ }
+
+Index: git/grub-core/normal/auth.c
+===================================================================
+--- git.orig/grub-core/normal/auth.c
++++ git/grub-core/normal/auth.c
+@@ -174,8 +174,11 @@ grub_username_get (char buf[], unsigned
+
+ if (key == '\b')
+ {
+- cur_len--;
+- grub_printf ("\b");
++ if (cur_len)
++ {
++ cur_len--;
++ grub_printf ("\b");
++ }
+ continue;
+ }
+
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 312771b..fe2407c 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -27,6 +27,7 @@ SRC_URI = "ftp://ftp.gnu.org/gnu/grub/grub-${PV}.tar.gz \
file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0001-parse_dhcp_vendor-Add-missing-const-qualifiers.patch \
file://grub2-fix-initrd-size-bug.patch \
+ file://CVE-2015-8370.patch \
"
DEPENDS = "flex-native bison-native xz"
--
2.3.5
^ permalink raw reply related [flat|nested] 9+ messages in thread