* [PATCH 2/4] libpng: Security fix CVE-2015-8126
2016-02-05 14:53 [PATCH 0/4][jethro] Secuirty Fixes pull request Armin Kuster
2016-02-05 14:53 ` [PATCH 1/4] foomatic-filters: Security fixes CVE-2015-8327 Armin Kuster
@ 2016-02-05 14:53 ` Armin Kuster
2016-02-05 14:53 ` [PATCH 3/4] libpng: Security fix CVE-2015-8472 Armin Kuster
2016-02-05 14:53 ` [PATCH 4/4] socat: Security fix CVE-2016-2217 Armin Kuster
3 siblings, 0 replies; 5+ messages in thread
From: Armin Kuster @ 2016-02-05 14:53 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../libpng/libpng-1.6.17/CVE-2015-8126_1.patch | 91 ++++++++++++++
.../libpng/libpng-1.6.17/CVE-2015-8126_2.patch | 134 +++++++++++++++++++++
.../libpng/libpng-1.6.17/CVE-2015-8126_3.patch | 79 ++++++++++++
.../libpng/libpng-1.6.17/CVE-2015-8126_4.patch | 48 ++++++++
meta/recipes-multimedia/libpng/libpng_1.6.17.bb | 7 ++
5 files changed, 359 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch
create mode 100644 meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch
create mode 100644 meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch
create mode 100644 meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch
new file mode 100644
index 0000000..25fe136
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch
@@ -0,0 +1,91 @@
+From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Thu, 29 Oct 2015 09:26:41 -0500
+Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
+
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
+
+CVE: CVE-2015-8126 patch #1
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libpng-manual.txt | 5 +++++
+ libpng.3 | 5 +++++
+ pngwrite.c | 4 ++--
+ pngwutil.c | 7 +++++--
+ 4 files changed, 17 insertions(+), 4 deletions(-)
+
+Index: libpng-1.6.17/libpng-manual.txt
+===================================================================
+--- libpng-1.6.17.orig/libpng-manual.txt
++++ libpng-1.6.17/libpng-manual.txt
+@@ -5109,6 +5109,11 @@ length, which resulted in PNG files that
+ chunk. This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+
++Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
++is an error. Previously this requirement of the PNG specification was not
++enforced. Libpng continues to accept over-length PLTE chunks when reading,
++but does not make any use of the extra entries.
++
+ XIII. Detecting libpng
+
+ The png_get_io_ptr() function has been present since libpng-0.88, has never
+Index: libpng-1.6.17/libpng.3
+===================================================================
+--- libpng-1.6.17.orig/libpng.3
++++ libpng-1.6.17/libpng.3
+@@ -5613,6 +5613,11 @@ length, which resulted in PNG files that
+ chunk. This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+
++Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
++is an error. Previously this requirement of the PNG specification was not
++enforced. Libpng continues to accept over-length PLTE chunks when reading,
++but does not make any use of the extra entries.
++
+ .SH XIII. Detecting libpng
+
+ The png_get_io_ptr() function has been present since libpng-0.88, has never
+Index: libpng-1.6.17/pngwrite.c
+===================================================================
+--- libpng-1.6.17.orig/pngwrite.c
++++ libpng-1.6.17/pngwrite.c
+@@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png
+ png_write_PLTE(png_ptr, info_ptr->palette,
+ (png_uint_32)info_ptr->num_palette);
+
+- else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0)
++ else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ png_error(png_ptr, "Valid palette required for paletted images");
+
+ #ifdef PNG_WRITE_tRNS_SUPPORTED
+Index: libpng-1.6.17/pngwutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngwutil.c
++++ libpng-1.6.17/pngwutil.c
+@@ -922,17 +922,20 @@ void /* PRIVATE */
+ png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
+ png_uint_32 num_pal)
+ {
+- png_uint_32 i;
++ png_uint_32 max_num_pal, i;
+ png_const_colorp pal_ptr;
+ png_byte buf[3];
+
+ png_debug(1, "in png_write_PLTE");
+
++ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
++ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
++
+ if ((
+ #ifdef PNG_MNG_FEATURES_SUPPORTED
+ (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
+ #endif
+- num_pal == 0) || num_pal > 256)
++ num_pal == 0) || num_pal > max_num_pal)
+ {
+ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ {
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch
new file mode 100644
index 0000000..4aa9170
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch
@@ -0,0 +1,134 @@
+From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Fri, 30 Oct 2015 07:57:49 -0500
+Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
+ Truta).
+
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
+
+Many changes involved date and version updates with don't apply in this case.
+
+CVE: CVE-2015-8126 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ANNOUNCE | 6 +++---
+ CHANGES | 4 ++--
+ libpng-manual.txt | 11 +++++------
+ libpng.3 | 19 +++++++++----------
+ pngrutil.c | 3 +++
+ pngset.c | 13 +++++++++----
+ pngwutil.c | 6 +++---
+ 7 files changed, 34 insertions(+), 28 deletions(-)
+
+Index: libpng-1.6.17/libpng-manual.txt
+===================================================================
+--- libpng-1.6.17.orig/libpng-manual.txt
++++ libpng-1.6.17/libpng-manual.txt
+@@ -5109,10 +5109,9 @@ length, which resulted in PNG files that
+ chunk. This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+
+-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
++Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
+ is an error. Previously this requirement of the PNG specification was not
+-enforced. Libpng continues to accept over-length PLTE chunks when reading,
+-but does not make any use of the extra entries.
++enforced, and the palette was always limited to 256 entries.
+
+ XIII. Detecting libpng
+
+Index: libpng-1.6.17/libpng.3
+===================================================================
+--- libpng-1.6.17.orig/libpng.3
++++ libpng-1.6.17/libpng.3
+@@ -5613,10 +5613,9 @@ length, which resulted in PNG files that
+ chunk. This error was fixed in libpng-1.6.3, and a tool (called
+ contrib/tools/png-fix-itxt) has been added to the libpng distribution.
+
+-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
++Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
+ is an error. Previously this requirement of the PNG specification was not
+-enforced. Libpng continues to accept over-length PLTE chunks when reading,
+-but does not make any use of the extra entries.
++enforced, and the palette was always limited to 256 entries.
+
+ .SH XIII. Detecting libpng
+
+Index: libpng-1.6.17/pngrutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngrutil.c
++++ libpng-1.6.17/pngrutil.c
+@@ -997,6 +997,9 @@ png_handle_PLTE(png_structrp png_ptr, pn
+ * confusing.
+ *
+ * Fix this by not sharing the palette in this way.
++ *
++ * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
++ * it attempts to set a palette length that is too large for the bit depth.
+ */
+ png_set_PLTE(png_ptr, info_ptr, palette, num);
+
+Index: libpng-1.6.17/pngset.c
+===================================================================
+--- libpng-1.6.17.orig/pngset.c
++++ libpng-1.6.17/pngset.c
+@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_i
+ png_const_colorp palette, int num_palette)
+ {
+
++ png_uint_32 max_palette_length;
++
+ png_debug1(1, "in %s storage function", "PLTE");
+
+ if (png_ptr == NULL || info_ptr == NULL)
+ return;
+
+- if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
++ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
++ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
++
++ if (num_palette < 0 || num_palette > max_palette_length)
+ {
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ png_error(png_ptr, "Invalid palette length");
+@@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_i
+ png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
+
+ /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
+- * of num_palette entries, in case of an invalid PNG file that has
+- * too-large sample values.
++ * of num_palette entries, in case of an invalid PNG file or incorrect
++ * call to png_set_PLTE() with too-large sample values.
+ */
+ png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
+ PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
+Index: libpng-1.6.17/pngwutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngwutil.c
++++ libpng-1.6.17/pngwutil.c
+@@ -922,20 +922,20 @@ void /* PRIVATE */
+ png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
+ png_uint_32 num_pal)
+ {
+- png_uint_32 max_num_pal, i;
++ png_uint_32 max_palette_length, i;
+ png_const_colorp pal_ptr;
+ png_byte buf[3];
+
+ png_debug(1, "in png_write_PLTE");
+
+- max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
++ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+ if ((
+ #ifdef PNG_MNG_FEATURES_SUPPORTED
+ (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
+ #endif
+- num_pal == 0) || num_pal > max_num_pal)
++ num_pal == 0) || num_pal > max_palette_length)
+ {
+ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ {
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch
new file mode 100644
index 0000000..0e0ad23
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch
@@ -0,0 +1,79 @@
+From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Fri, 30 Oct 2015 11:34:37 -0500
+Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while
+ reading.
+
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
+
+Normal Issues is date and version conflicts not applied.
+
+CVE: CVE-2015-8i26 patch #3
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+---
+ ANNOUNCE | 3 ++-
+ CHANGES | 3 ++-
+ pngrutil.c | 15 +++++++++++----
+ pngset.c | 2 +-
+ 4 files changed, 16 insertions(+), 7 deletions(-)
+
+Index: libpng-1.6.17/pngrutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngrutil.c
++++ libpng-1.6.17/pngrutil.c
+@@ -867,7 +867,7 @@ void /* PRIVATE */
+ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
+ {
+ png_color palette[PNG_MAX_PALETTE_LENGTH];
+- int num, i;
++ int max_palette_length, num, i;
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+ png_colorp pal_ptr;
+ #endif
+@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn
+ return;
+ }
+
++ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
++ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
++
+ /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
+ num = (int)length / 3;
+
++ /* If the palette has 256 or fewer entries but is too large for the bit depth,
++ * we don't issue an error, to preserve the behavior of previous libpng versions.
++ * We silently truncate the unused extra palette entries here.
++ */
++ if (num > max_palette_length)
++ num = max_palette_length;
++
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+ for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
+ {
+@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
+ * confusing.
+ *
+ * Fix this by not sharing the palette in this way.
+- *
+- * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
+- * it attempts to set a palette length that is too large for the bit depth.
+ */
+ png_set_PLTE(png_ptr, info_ptr, palette, num);
+
+Index: libpng-1.6.17/pngset.c
+===================================================================
+--- libpng-1.6.17.orig/pngset.c
++++ libpng-1.6.17/pngset.c
+@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i
+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+- if (num_palette < 0 || num_palette > max_palette_length)
++ if (num_palette < 0 || num_palette > (int) max_palette_length)
+ {
+ if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
+ png_error(png_ptr, "Invalid palette length");
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch
new file mode 100644
index 0000000..2622630
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch
@@ -0,0 +1,48 @@
+From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Thu, 5 Nov 2015 11:18:44 -0600
+Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE()
+
+Upstream-Status: Backport
+https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
+
+CVE: CVE-2015-8126 patch #4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ pngrutil.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+Index: libpng-1.6.17/pngrutil.c
+===================================================================
+--- libpng-1.6.17.orig/pngrutil.c
++++ libpng-1.6.17/pngrutil.c
+@@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn
+ return;
+ }
+
+- max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+- (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+-
+ /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
+ num = (int)length / 3;
+
+- /* If the palette has 256 or fewer entries but is too large for the bit depth,
+- * we don't issue an error, to preserve the behavior of previous libpng versions.
+- * We silently truncate the unused extra palette entries here.
++ /* If the palette has 256 or fewer entries but is too large for the bit
++ * depth, we don't issue an error, to preserve the behavior of previous
++ * libpng versions. We silently truncate the unused extra palette entries
++ * here.
+ */
++ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
++ max_palette_length = (1 << png_ptr->bit_depth);
++ else
++ max_palette_length = PNG_MAX_PALETTE_LENGTH;
++
+ if (num > max_palette_length)
+- num = max_palette_length;
++ num = max_palette_length;
+
+ #ifdef PNG_POINTER_INDEXING_SUPPORTED
+ for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.17.bb b/meta/recipes-multimedia/libpng/libpng_1.6.17.bb
index 2d9835c..110c43d 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.17.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.17.bb
@@ -10,6 +10,13 @@ LIBV = "16"
SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/older-releases/${PV}/libpng-${PV}.tar.xz \
"
+SRC_URI += "\
+ file://CVE-2015-8126_1.patch \
+ file://CVE-2015-8126_2.patch \
+ file://CVE-2015-8126_3.patch \
+ file://CVE-2015-8126_4.patch \
+ "
+
SRC_URI[md5sum] = "430a9b76b78533235cd4b9b26ce75c7e"
SRC_URI[sha256sum] = "98507b55fbe5cd43c51981f2924e4671fd81fe35d52dc53357e20f2c77fa5dfd"
--
2.3.5
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH 4/4] socat: Security fix CVE-2016-2217
2016-02-05 14:53 [PATCH 0/4][jethro] Secuirty Fixes pull request Armin Kuster
` (2 preceding siblings ...)
2016-02-05 14:53 ` [PATCH 3/4] libpng: Security fix CVE-2015-8472 Armin Kuster
@ 2016-02-05 14:53 ` Armin Kuster
3 siblings, 0 replies; 5+ messages in thread
From: Armin Kuster @ 2016-02-05 14:53 UTC (permalink / raw)
To: openembedded-core, liezhi.yang
From: Armin Kuster <akuster@mvista.com>
this address both
Socat security advisory 7 and MSVR-1499: "Bad DH p parameter in OpenSSL"
and Socat security advisory 8: "Stack overflow in arguments parser
[Yocto # 9024]
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../socat/socat/CVE-2016-2217.patch | 372 +++++++++++++++++++++
meta/recipes-connectivity/socat/socat_1.7.3.0.bb | 1 +
2 files changed, 373 insertions(+)
create mode 100644 meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch
diff --git a/meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch b/meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch
new file mode 100644
index 0000000..0cd4179
--- /dev/null
+++ b/meta/recipes-connectivity/socat/socat/CVE-2016-2217.patch
@@ -0,0 +1,372 @@
+Upstream-Status: Backport
+
+http://www.dest-unreach.org/socat/download/socat-1.7.3.1.patch
+
+CVE: CVE-2016-2217
+[Yocto # 9024]
+Singed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: socat-1.7.3.0/CHANGES
+===================================================================
+--- socat-1.7.3.0.orig/CHANGES
++++ socat-1.7.3.0/CHANGES
+@@ -1,8 +1,39 @@
+
++####################### V 1.7.3.1:
++
++security:
++ Socat security advisory 8
++ A stack overflow in vulnerability was found that can be triggered when
++ command line arguments (complete address specifications, host names,
++ file names) are longer than 512 bytes.
++ Successful exploitation might allow an attacker to execute arbitrary
++ code with the privileges of the socat process.
++ This vulnerability can only be exploited when an attacker is able to
++ inject data into socat's command line.
++ A vulnerable scenario would be a CGI script that reads data from clients
++ and uses (parts of) this data as hostname for a Socat invocation.
++ Test: NESTEDOVFL
++ Credits to Takumi Akiyama for finding and reporting this issue.
++
++ Socat security advisory 7
++ MSVR-1499
++ In the OpenSSL address implementation the hard coded 1024 bit DH p
++ parameter was not prime. The effective cryptographic strength of a key
++ exchange using these parameters was weaker than the one one could get by
++ using a prime p. Moreover, since there is no indication of how these
++ parameters were chosen, the existence of a trapdoor that makes possible
++ for an eavesdropper to recover the shared secret from a key exchange
++ that uses them cannot be ruled out.
++ Futhermore, 1024bit is not considered sufficiently secure.
++ Fix: generated a new 2048bit prime.
++ Thanks to Santiago Zanella-Beguelin and Microsoft Vulnerability
++ Research (MSVR) for finding and reporting this issue.
++
+ ####################### V 1.7.3.0:
+
+ security:
+- (CVE Id pending)
++ Socat security advisory 6
++ CVE-2015-1379: Possible DoS with fork
+ Fixed problems with signal handling caused by use of not async signal
+ safe functions in signal handlers that could freeze socat, allowing
+ denial of service attacks.
+@@ -240,6 +271,7 @@ docu:
+ ####################### V 1.7.2.3:
+
+ security:
++ Socat security advisory 5
+ CVE-2014-0019: socats PROXY-CONNECT address was vulnerable to a buffer
+ overflow with data from command line (see socat-secadv5.txt)
+ Credits to Florian Weimer of the Red Hat Product Security Team
+@@ -247,6 +279,7 @@ security:
+ ####################### V 1.7.2.2:
+
+ security:
++ Socat security advisory 4
+ CVE-2013-3571:
+ after refusing a client connection due to bad source address or source
+ port socat shutdown() the socket but did not close() it, resulting in
+@@ -258,6 +291,7 @@ security:
+ ####################### V 1.7.2.1:
+
+ security:
++ Socat security advisory 3
+ CVE-2012-0219:
+ fixed a possible heap buffer overflow in the readline address. This bug
+ could be exploited when all of the following conditions were met:
+@@ -391,6 +425,7 @@ docu:
+ ####################### V 1.7.1.3:
+
+ security:
++ Socat security advisory 2
+ CVE-2010-2799:
+ fixed a stack overflow vulnerability that occurred when command
+ line arguments (whole addresses, host names, file names) were longer
+@@ -892,6 +927,7 @@ further corrections:
+ ####################### V 1.4.0.3:
+
+ security:
++ Socat security advisory 1
+ CVE-2004-1484:
+ fix to a syslog() based format string vulnerability that can lead to
+ remote code execution. See advisory socat-adv-1.txt
+Index: socat-1.7.3.0/VERSION
+===================================================================
+--- socat-1.7.3.0.orig/VERSION
++++ socat-1.7.3.0/VERSION
+@@ -1 +1 @@
+-"1.7.3.0"
++"1.7.3.1"
+Index: socat-1.7.3.0/nestlex.c
+===================================================================
+--- socat-1.7.3.0.orig/nestlex.c
++++ socat-1.7.3.0/nestlex.c
+@@ -1,5 +1,5 @@
+ /* source: nestlex.c */
+-/* Copyright Gerhard Rieger 2006-2010 */
++/* Copyright Gerhard Rieger */
+ /* Published under the GNU General Public License V.2, see file COPYING */
+
+ /* a function for lexical scanning of nested character patterns */
+@@ -9,6 +9,17 @@
+
+ #include "sysincludes.h"
+
++static int _nestlex(const char **addr,
++ char **token,
++ ptrdiff_t *len,
++ const char *ends[],
++ const char *hquotes[],
++ const char *squotes[],
++ const char *nests[],
++ bool dropquotes,
++ bool c_esc,
++ bool html_esc
++ );
+
+ /* sub: scan a string and copy its value to output string
+ end scanning when an unescaped, unnested string from ends array is found
+@@ -33,6 +44,22 @@ int nestlex(const char **addr, /* input
+ bool c_esc, /* solve C char escapes: \n \t \0 etc */
+ bool html_esc /* solve HTML char escapes: %0d %08 etc */
+ ) {
++ return
++ _nestlex(addr, token, (ptrdiff_t *)len, ends, hquotes, squotes, nests,
++ dropquotes, c_esc, html_esc);
++}
++
++static int _nestlex(const char **addr,
++ char **token,
++ ptrdiff_t *len,
++ const char *ends[],
++ const char *hquotes[],
++ const char *squotes[],
++ const char *nests[],
++ bool dropquotes,
++ bool c_esc,
++ bool html_esc
++ ) {
+ const char *in = *addr; /* pointer into input string */
+ const char **endx; /* loops over end patterns */
+ const char **quotx; /* loops over quote patterns */
+@@ -77,16 +104,18 @@ int nestlex(const char **addr, /* input
+ if (--*len <= 0) { *addr = in; *token = out; return -1; }
+ }
+ }
+- /* we call nestlex recursively */
++ /* we call _nestlex recursively */
+ endnest[0] = *quotx;
+ endnest[1] = NULL;
+ result =
+- nestlex(&in, &out, len, endnest, NULL/*hquotes*/,
++ _nestlex(&in, &out, len, endnest, NULL/*hquotes*/,
+ NULL/*squotes*/, NULL/*nests*/,
+ false, c_esc, html_esc);
+ if (result == 0 && dropquotes) {
+ /* we strip this quote */
+ in += strlen(*quotx);
++ } else if (result < 0) {
++ *addr = in; *token = out; return result;
+ } else {
+ /* we copy the trailing quote */
+ for (i = strlen(*quotx); i > 0; --i) {
+@@ -110,7 +139,7 @@ int nestlex(const char **addr, /* input
+ if (!strncmp(in, *quotx, strlen(*quotx))) {
+ /* this quote pattern matches */
+ /* we strip this quote */
+- /* we call nestlex recursively */
++ /* we call _nestlex recursively */
+ const char *endnest[2];
+ if (dropquotes) {
+ /* we strip this quote */
+@@ -124,13 +153,15 @@ int nestlex(const char **addr, /* input
+ endnest[0] = *quotx;
+ endnest[1] = NULL;
+ result =
+- nestlex(&in, &out, len, endnest, hquotes,
++ _nestlex(&in, &out, len, endnest, hquotes,
+ squotes, nests,
+ false, c_esc, html_esc);
+
+ if (result == 0 && dropquotes) {
+ /* we strip the trailing quote */
+ in += strlen(*quotx);
++ } else if (result < 0) {
++ *addr = in; *token = out; return result;
+ } else {
+ /* we copy the trailing quote */
+ for (i = strlen(*quotx); i > 0; --i) {
+@@ -162,7 +193,7 @@ int nestlex(const char **addr, /* input
+ }
+
+ result =
+- nestlex(&in, &out, len, endnest, hquotes, squotes, nests,
++ _nestlex(&in, &out, len, endnest, hquotes, squotes, nests,
+ false, c_esc, html_esc);
+ if (result == 0) {
+ /* copy endnest */
+@@ -175,6 +206,8 @@ int nestlex(const char **addr, /* input
+ }
+ --i;
+ }
++ } else if (result < 0) {
++ *addr = in; *token = out; return result;
+ }
+ break;
+ }
+@@ -211,7 +244,7 @@ int nestlex(const char **addr, /* input
+ }
+ *out++ = c;
+ --*len;
+- if (*len == 0) {
++ if (*len <= 0) {
+ *addr = in;
+ *token = out;
+ return -1; /* output overflow */
+@@ -222,7 +255,7 @@ int nestlex(const char **addr, /* input
+ /* just a simple char */
+ *out++ = c;
+ --*len;
+- if (*len == 0) {
++ if (*len <= 0) {
+ *addr = in;
+ *token = out;
+ return -1; /* output overflow */
+Index: socat-1.7.3.0/nestlex.h
+===================================================================
+--- socat-1.7.3.0.orig/nestlex.h
++++ socat-1.7.3.0/nestlex.h
+@@ -1,5 +1,5 @@
+ /* source: nestlex.h */
+-/* Copyright Gerhard Rieger 2006 */
++/* Copyright Gerhard Rieger */
+ /* Published under the GNU General Public License V.2, see file COPYING */
+
+ #ifndef __nestlex_h_included
+Index: socat-1.7.3.0/socat.spec
+===================================================================
+--- socat-1.7.3.0.orig/socat.spec
++++ socat-1.7.3.0/socat.spec
+@@ -1,6 +1,6 @@
+
+ %define majorver 1.7
+-%define minorver 3.0
++%define minorver 3.1
+
+ Summary: socat - multipurpose relay
+ Name: socat
+Index: socat-1.7.3.0/test.sh
+===================================================================
+--- socat-1.7.3.0.orig/test.sh
++++ socat-1.7.3.0/test.sh
+@@ -2266,8 +2266,8 @@ gentestcert () {
+ gentestdsacert () {
+ local name="$1"
+ if [ -s $name.key -a -s $name.crt -a -s $name.pem ]; then return; fi
+- openssl dsaparam -out $name-dsa.pem 512 >/dev/null 2>&1
+- openssl dhparam -dsaparam -out $name-dh.pem 512 >/dev/null 2>&1
++ openssl dsaparam -out $name-dsa.pem 1024 >/dev/null 2>&1
++ openssl dhparam -dsaparam -out $name-dh.pem 1024 >/dev/null 2>&1
+ openssl req -newkey dsa:$name-dsa.pem -keyout $name.key -nodes -x509 -config $TESTCERT_CONF -out $name.crt -days 3653 >/dev/null 2>&1
+ cat $name-dsa.pem $name-dh.pem $name.key $name.crt >$name.pem
+ }
+@@ -10973,6 +10973,42 @@ CMD0="$TRACE $SOCAT $opts OPENSSL:localh
+ printf "test $F_n $TEST... " $N
+ $CMD0 </dev/null 1>&0 2>"${te}0"
+ rc0=$?
++if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
++ $PRINTF "$OK\n"
++ numOK=$((numOK+1))
++else
++ $PRINTF "$FAILED\n"
++ echo "$CMD0"
++ cat "${te}0"
++ numFAIL=$((numFAIL+1))
++ listFAIL="$listFAIL $N"
++fi
++fi # NUMCOND
++ ;;
++esac
++PORT=$((PORT+1))
++N=$((N+1))
++
++# socat up to 1.7.3.0 had a stack overflow vulnerability that occurred when
++# command line arguments (whole addresses, host names, file names) were longer
++# than 512 bytes and specially crafted.
++NAME=NESTEDOVFL
++case "$TESTS" in
++*%$N%*|*%functions%*|*%bugs%*|*%security%*|*%exec%*|*%$NAME%*)
++TEST="$NAME: stack overflow on overly long nested arg"
++# provide a long host name to TCP-CONNECT and check socats exit code
++if ! eval $NUMCOND; then :; else
++tf="$td/test$N.stdout"
++te="$td/test$N.stderr"
++tdiff="$td/test$N.diff"
++da="test$N $(date) $RANDOM"
++# prepare long data - perl might not be installed
++rm -f "$td/test$N.dat"
++i=0; while [ $i -lt 64 ]; do echo -n "AAAAAAAAAAAAAAAA" >>"$td/test$N.dat"; i=$((i+1)); done
++CMD0="$TRACE $SOCAT $opts EXEC:[$(cat "$td/test$N.dat")] STDIO"
++printf "test $F_n $TEST... " $N
++$CMD0 </dev/null 1>&0 2>"${te}0"
++rc0=$?
+ if [ $rc0 -lt 128 ] || [ $rc0 -eq 255 ]; then
+ $PRINTF "$OK\n"
+ numOK=$((numOK+1))
+Index: socat-1.7.3.0/xio-openssl.c
+===================================================================
+--- socat-1.7.3.0.orig/xio-openssl.c
++++ socat-1.7.3.0/xio-openssl.c
+@@ -912,20 +912,27 @@ int
+ }
+
+ {
+- static unsigned char dh1024_p[] = {
+- 0xCC,0x17,0xF2,0xDC,0x96,0xDF,0x59,0xA4,0x46,0xC5,0x3E,0x0E,
+- 0xB8,0x26,0x55,0x0C,0xE3,0x88,0xC1,0xCE,0xA7,0xBC,0xB3,0xBF,
+- 0x16,0x94,0xD8,0xA9,0x45,0xA2,0xCE,0xA9,0x5B,0x22,0x25,0x5F,
+- 0x92,0x59,0x94,0x1C,0x22,0xBF,0xCB,0xC8,0xC8,0x57,0xCB,0xBF,
+- 0xBC,0x0E,0xE8,0x40,0xF9,0x87,0x03,0xBF,0x60,0x9B,0x08,0xC6,
+- 0x8E,0x99,0xC6,0x05,0xFC,0x00,0xD6,0x6D,0x90,0xA8,0xF5,0xF8,
+- 0xD3,0x8D,0x43,0xC8,0x8F,0x7A,0xBD,0xBB,0x28,0xAC,0x04,0x69,
+- 0x4A,0x0B,0x86,0x73,0x37,0xF0,0x6D,0x4F,0x04,0xF6,0xF5,0xAF,
+- 0xBF,0xAB,0x8E,0xCE,0x75,0x53,0x4D,0x7F,0x7D,0x17,0x78,0x0E,
+- 0x12,0x46,0x4A,0xAF,0x95,0x99,0xEF,0xBC,0xA6,0xC5,0x41,0x77,
+- 0x43,0x7A,0xB9,0xEC,0x8E,0x07,0x3C,0x6D,
++ static unsigned char dh2048_p[] = {
++ 0x00,0xdc,0x21,0x64,0x56,0xbd,0x9c,0xb2,0xac,0xbe,0xc9,0x98,0xef,0x95,0x3e,
++ 0x26,0xfa,0xb5,0x57,0xbc,0xd9,0xe6,0x75,0xc0,0x43,0xa2,0x1c,0x7a,0x85,0xdf,
++ 0x34,0xab,0x57,0xa8,0xf6,0xbc,0xf6,0x84,0x7d,0x05,0x69,0x04,0x83,0x4c,0xd5,
++ 0x56,0xd3,0x85,0x09,0x0a,0x08,0xff,0xb5,0x37,0xa1,0xa3,0x8a,0x37,0x04,0x46,
++ 0xd2,0x93,0x31,0x96,0xf4,0xe4,0x0d,0x9f,0xbd,0x3e,0x7f,0x9e,0x4d,0xaf,0x08,
++ 0xe2,0xe8,0x03,0x94,0x73,0xc4,0xdc,0x06,0x87,0xbb,0x6d,0xae,0x66,0x2d,0x18,
++ 0x1f,0xd8,0x47,0x06,0x5c,0xcf,0x8a,0xb5,0x00,0x51,0x57,0x9b,0xea,0x1e,0xd8,
++ 0xdb,0x8e,0x3c,0x1f,0xd3,0x2f,0xba,0x1f,0x5f,0x3d,0x15,0xc1,0x3b,0x2c,0x82,
++ 0x42,0xc8,0x8c,0x87,0x79,0x5b,0x38,0x86,0x3a,0xeb,0xfd,0x81,0xa9,0xba,0xf7,
++ 0x26,0x5b,0x93,0xc5,0x3e,0x03,0x30,0x4b,0x00,0x5c,0xb6,0x23,0x3e,0xea,0x94,
++ 0xc3,0xb4,0x71,0xc7,0x6e,0x64,0x3b,0xf8,0x92,0x65,0xad,0x60,0x6c,0xd4,0x7b,
++ 0xa9,0x67,0x26,0x04,0xa8,0x0a,0xb2,0x06,0xeb,0xe0,0x7d,0x90,0xdd,0xdd,0xf5,
++ 0xcf,0xb4,0x11,0x7c,0xab,0xc1,0xa3,0x84,0xbe,0x27,0x77,0xc7,0xde,0x20,0x57,
++ 0x66,0x47,0xa7,0x35,0xfe,0x0d,0x6a,0x1c,0x52,0xb8,0x58,0xbf,0x26,0x33,0x81,
++ 0x5e,0xb7,0xa9,0xc0,0xee,0x58,0x11,0x74,0x86,0x19,0x08,0x89,0x1c,0x37,0x0d,
++ 0x52,0x47,0x70,0x75,0x8b,0xa8,0x8b,0x30,0x11,0x71,0x36,0x62,0xf0,0x73,0x41,
++ 0xee,0x34,0x9d,0x0a,0x2b,0x67,0x4e,0x6a,0xa3,0xe2,0x99,0x92,0x1b,0xf5,0x32,
++ 0x73,0x63
+ };
+- static unsigned char dh1024_g[] = {
++ static unsigned char dh2048_g[] = {
+ 0x02,
+ };
+ DH *dh;
+@@ -938,8 +945,8 @@ int
+ }
+ Error("DH_new() failed");
+ } else {
+- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
++ dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
++ dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+ if ((dh->p == NULL) || (dh->g == NULL)) {
+ while (err = ERR_get_error()) {
+ Warn1("BN_bin2bn(): %s",
diff --git a/meta/recipes-connectivity/socat/socat_1.7.3.0.bb b/meta/recipes-connectivity/socat/socat_1.7.3.0.bb
index b58e0a7..6d76d0f 100644
--- a/meta/recipes-connectivity/socat/socat_1.7.3.0.bb
+++ b/meta/recipes-connectivity/socat/socat_1.7.3.0.bb
@@ -14,6 +14,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
file://Makefile.in-fix-for-parallel-build.patch \
+ file://CVE-2016-2217.patch \
"
SRC_URI[md5sum] = "b607edb65bc6c57f4a43f06247504274"
--
2.3.5
^ permalink raw reply related [flat|nested] 5+ messages in thread