* [thud][ 01/25] glibc: Security fix CVE-2019-9169
2019-06-26 16:53 [thud][ 00/25] Patch review Armin Kuster
@ 2019-06-26 16:53 ` Armin Kuster
2019-06-26 16:53 ` [thud][ 02/25] elfutils: Security fixes CVE-2019-7146, 7149, 7150 Armin Kuster
` (23 subsequent siblings)
24 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-core/glibc/glibc/CVE-2019-9169.patch | 63 +++++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.28.bb | 1 +
2 files changed, 64 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
new file mode 100644
index 0000000..14cfaa3
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2019-9169.patch
@@ -0,0 +1,63 @@
+From 583dd860d5b833037175247230a328f0050dbfe9 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Mon, 21 Jan 2019 11:08:13 -0800
+Subject: [PATCH] regex: fix read overrun [BZ #24114]
+
+Problem found by AddressSanitizer, reported by Hongxu Chen in:
+https://debbugs.gnu.org/34140
+* posix/regexec.c (proceed_next_node):
+Do not read past end of input buffer.
+
+Upstream-Status: Backport
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9
+
+CVE: CVE-2019-9169
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 +++++++++-
+ posix/regexec.c | 6 ++++--
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,11 @@
++2019-01-31 Paul Eggert <eggert@cs.ucla.edu>
++
++ regex: fix read overrun [BZ #24114]
++ Problem found by AddressSanitizer, reported by Hongxu Chen in:
++ https://debbugs.gnu.org/34140
++ * posix/regexec.c (proceed_next_node):
++ Do not read past end of input buffer.
++
+ 2018-09-30 Martin Jansa <Martin.Jansa@gmail.com>
+ Partial fix for [BZ #23716]
+ * locale/weight.h: Fix build with -Os.
+@@ -10917,7 +10925,7 @@
+ (CFLAGS-wcstof_l.c): Likewise.
+ (CPPFLAGS-tst-wchar-h.c): Likewise.
+ (CPPFLAGS-wcstold_l.c): Likewise.
+----
++
+ 2017-12-11 Paul A. Clarke <pc@us.ibm.com>
+
+ * sysdeps/ieee754/flt-32/s_cosf.c: New implementation.
+Index: git/posix/regexec.c
+===================================================================
+--- git.orig/posix/regexec.c
++++ git/posix/regexec.c
+@@ -1289,8 +1289,10 @@ proceed_next_node (const re_match_contex
+ else if (naccepted)
+ {
+ char *buf = (char *) re_string_get_buffer (&mctx->input);
+- if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
+- naccepted) != 0)
++ if (mctx->input.valid_len - *pidx < naccepted
++ || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
++ naccepted)
++ != 0))
+ return -1;
+ }
+ }
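Review bot: The second ChangeLog hunk (@@ -10917,7 +10925,7 @@) replaces a `---` line with an empty line, which the commit message does not mention and which has nothing to do with the regexec.c fix. Consider dropping both ChangeLog hunks and carrying only the posix/regexec.c change, since the ChangeLog context is the part of this backport that will conflict first when other patches are added to the recipe. The added ChangeLog entry is dated 2019-01-31 while the patch header says Mon, 21 Jan 2019, which is worth checking against the upstream commit. In the regexec.c hunk, the new guard `mctx->input.valid_len - *pidx < naccepted` is only meaningful if *pidx cannot exceed valid_len at this point, and the visible context does not show that.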
diff --git a/meta/recipes-core/glibc/glibc_2.28.bb b/meta/recipes-core/glibc/glibc_2.28.bb
index 72cee04..1bcec3e 100644
--- a/meta/recipes-core/glibc/glibc_2.28.bb
+++ b/meta/recipes-core/glibc/glibc_2.28.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0032-sysdeps-ieee754-soft-fp-ignore-maybe-uninitialized-w.patch \
file://0033-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
file://0034-inject-file-assembly-directives.patch \
+ file://CVE-2019-9169.patch \
"
NATIVESDKFIXES ?= ""
--
2.7.4
* [thud][ 02/25] elfutils: Security fixes CVE-2019-7146, 7149, 7150
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: http://sourceware.org/git/elfutils.git
MR: 97563, 97568, 97558
Type: Security Fix
Disposition: Backport from http://sourceware.org/git/elfutils.git
ChangeID: 6183c2a25d5e32eec1846a428dd165e1de659f24
Description:
Affects <= 0.175
Fixes:
CVE-2019-7146
CVE-2019-7149
CVE-2019-7150
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-devtools/elfutils/elfutils_0.175.bb | 4 +
.../elfutils/files/CVE-2019-7146_p1.patch | 52 ++++++++
.../elfutils/files/CVE-2019-7146_p2.patch | 65 +++++++++
.../elfutils/files/CVE-2019-7149.patch | 148 +++++++++++++++++++++
.../elfutils/files/CVE-2019-7150.patch | 51 +++++++
5 files changed, 320 insertions(+)
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.175.bb b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
index b0b9ddc..e94a48e 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.175.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
@@ -27,6 +27,10 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
file://debian/hurd_path.patch \
file://debian/ignore_strmerge.diff \
file://debian/disable_werror.patch \
+ file://CVE-2019-7149.patch \
+ file://CVE-2019-7150.patch \
+ file://CVE-2019-7146_p1.patch \
+ file://CVE-2019-7146_p2.patch \
"
SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
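Review bot: The four new SRC_URI entries are order-sensitive in one place that the recipe does not make obvious: CVE-2019-7146_p2.patch uses the 2019-01-16 libebl/ChangeLog entry added by CVE-2019-7146_p1.patch as context, so p1 has to stay ahead of p2. The order in this hunk is correct; saying so in the commit message would keep a later re-sort from breaking do_patch. The list also puts 7149 and 7150 ahead of 7146, and sorting by CVE number with p1 and p2 adjacent would be easier to audit.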
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
new file mode 100644
index 0000000..b6cd29a
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p1.patch
@@ -0,0 +1,52 @@
+From 012018907ca05eb0ab51d424a596ef38fc87cae1 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 11:57:35 +0100
+Subject: [PATCH] libebl: Check GNU property note pr_datasz fits inside note
+ description.
+
+Before printing the data values, make sure pr_datasz doesn't go beyond
+the end of the note description data.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24075
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7146 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libebl/ChangeLog | 4 ++++
+ libebl/eblobjnote.c | 7 +++++++
+ 2 files changed, 11 insertions(+)
+
+Index: elfutils-0.175/libebl/eblobjnote.c
+===================================================================
+--- elfutils-0.175.orig/libebl/eblobjnote.c
++++ elfutils-0.175/libebl/eblobjnote.c
+@@ -350,6 +350,13 @@ ebl_object_note (Ebl *ebl, uint32_t name
+ desc += 8;
+ descsz -= 8;
+
++ if (prop.pr_datasz > descsz)
++ {
++ printf ("BAD property datasz: %" PRId32 "\n",
++ prop.pr_datasz);
++ return;
++ }
++
+ int elfclass = gelf_getclass (ebl->elf);
+ char *elfident = elf_getident (ebl->elf, NULL);
+ GElf_Ehdr ehdr;
+Index: elfutils-0.175/libebl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libebl/ChangeLog
++++ elfutils-0.175/libebl/ChangeLog
+@@ -1,3 +1,7 @@
++2019-01-16 Mark Wielaard <mark@klomp.org>
++
++ * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
++
+ 2018-11-15 Mark Wielaard <mark@klomp.org>
+
+ * eblobjnotetypename.c (ebl_object_note_type_name): Don't update
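Review bot: In the eblobjnote.c hunk the rejected size is printed with PRId32; if pr_datasz is an unsigned 32-bit field, a value above INT32_MAX shows up as a negative number in the "BAD property datasz" message, and PRIu32 would print what was actually read from the file. The new test `prop.pr_datasz > descsz` covers the raw size only, so the padded size applied later in the loop still needs its own check, which patch #2 of this CVE addresses. The ChangeLog entry names the file as eblobjnte.c rather than eblobjnote.c; for a backport that is best left as upstream has it.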
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
new file mode 100644
index 0000000..4434b36
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7146_p2.patch
@@ -0,0 +1,65 @@
+From cd7ded3df43f655af945c869976401a602e46fcd Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 30 Jan 2019 00:04:11 +0100
+Subject: [PATCH] libebl: Check GNU property note data padding fits inside
+ note.
+
+The GNU property note data is padded. Make sure the extra padding
+still fits in the note description.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24075
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7146 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libebl/ChangeLog | 5 +++++
+ libebl/eblobjnote.c | 17 +++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+Index: elfutils-0.175/libebl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libebl/ChangeLog
++++ elfutils-0.175/libebl/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-29 Mark Wielaard <mark@klomp.org>
++
++ * eblobjnote.c (ebl_object_note): Check pr_datasz padding doesn't
++ overflow descsz.
++
+ 2019-01-16 Mark Wielaard <mark@klomp.org>
+
+ * eblobjnte.c (ebl_object_note): Check pr_datasz isn't too large.
+Index: elfutils-0.175/libebl/eblobjnote.c
+===================================================================
+--- elfutils-0.175.orig/libebl/eblobjnote.c
++++ elfutils-0.175/libebl/eblobjnote.c
+@@ -486,16 +486,17 @@ ebl_object_note (Ebl *ebl, uint32_t name
+ printf ("%02" PRIx8 "\n", (uint8_t) desc[i]);
+ }
+ }
++
+ if (elfclass == ELFCLASS32)
+- {
+- desc += NOTE_ALIGN4 (prop.pr_datasz);
+- descsz -= NOTE_ALIGN4 (prop.pr_datasz);
+- }
++ prop.pr_datasz = NOTE_ALIGN4 (prop.pr_datasz);
+ else
+- {
+- desc += NOTE_ALIGN8 (prop.pr_datasz);
+- descsz -= NOTE_ALIGN8 (prop.pr_datasz);
+- }
++ prop.pr_datasz = NOTE_ALIGN8 (prop.pr_datasz);
++
++ desc += prop.pr_datasz;
++ if (descsz > prop.pr_datasz)
++ descsz -= prop.pr_datasz;
++ else
++ descsz = 0;
+ }
+ }
+ break;
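Review bot: In the eblobjnote.c hunk, `desc += prop.pr_datasz;` still runs unconditionally, so when the padded size is larger than the remaining descsz the pointer ends up past the end of the note description and only `descsz = 0` keeps it from being used. That holds only as long as the enclosing loop tests descsz before it touches desc, which is outside the visible context and worth confirming in the 0.175 source. Overwriting prop.pr_datasz with its aligned value also means the original size is gone after this point; a separate local for the padded size would keep the two apart if anything later reads the field.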
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
new file mode 100644
index 0000000..215a171
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7149.patch
@@ -0,0 +1,148 @@
+From 2562759d6fe5b364fe224852e64e8bda39eb2e35 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 20 Jan 2019 22:10:18 +0100
+Subject: [PATCH] libdw: Check terminating NUL byte in dwarf_getsrclines for
+ dir/file table.
+
+For DWARF version < 5 the .debug_line directory and file tables consist
+of a terminating NUL byte after all strings. The code used to just skip
+this without checking it actually existed. This could case a spurious
+read past the end of data.
+
+Fix the same issue in readelf.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24102
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7149
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libdw/ChangeLog | 5 +++++
+ libdw/dwarf_getsrclines.c | 11 ++++++++---
+ src/ChangeLog | 5 +++++
+ src/readelf.c | 8 ++++++--
+ 4 files changed, 24 insertions(+), 5 deletions(-)
+
+Index: elfutils-0.175/libdw/dwarf_getsrclines.c
+===================================================================
+--- elfutils-0.175.orig/libdw/dwarf_getsrclines.c
++++ elfutils-0.175/libdw/dwarf_getsrclines.c
+@@ -315,7 +315,7 @@ read_srclines (Dwarf *dbg,
+ if (version < 5)
+ {
+ const unsigned char *dirp = linep;
+- while (*dirp != 0)
++ while (dirp < lineendp && *dirp != 0)
+ {
+ uint8_t *endp = memchr (dirp, '\0', lineendp - dirp);
+ if (endp == NULL)
+@@ -323,6 +323,8 @@ read_srclines (Dwarf *dbg,
+ ++ndirs;
+ dirp = endp + 1;
+ }
++ if (dirp >= lineendp || *dirp != '\0')
++ goto invalid_data;
+ ndirs = ndirs + 1; /* There is always the "unknown" dir. */
+ }
+ else
+@@ -392,11 +394,12 @@ read_srclines (Dwarf *dbg,
+ {
+ dirarray[n].dir = (char *) linep;
+ uint8_t *endp = memchr (linep, '\0', lineendp - linep);
+- assert (endp != NULL);
++ assert (endp != NULL); // Checked above when calculating ndirlist.
+ dirarray[n].len = endp - linep;
+ linep = endp + 1;
+ }
+ /* Skip the final NUL byte. */
++ assert (*linep == '\0'); // Checked above when calculating ndirlist.
+ ++linep;
+ }
+ else
+@@ -471,7 +474,7 @@ read_srclines (Dwarf *dbg,
+ {
+ if (unlikely (linep >= lineendp))
+ goto invalid_data;
+- while (*linep != 0)
++ while (linep < lineendp && *linep != '\0')
+ {
+ struct filelist *new_file = NEW_FILE ();
+
+@@ -527,6 +530,8 @@ read_srclines (Dwarf *dbg,
+ goto invalid_data;
+ get_uleb128 (new_file->info.length, linep, lineendp);
+ }
++ if (linep >= lineendp || *linep != '\0')
++ goto invalid_data;
+ /* Skip the final NUL byte. */
+ ++linep;
+ }
+Index: elfutils-0.175/src/readelf.c
+===================================================================
+--- elfutils-0.175.orig/src/readelf.c
++++ elfutils-0.175/src/readelf.c
+@@ -8444,7 +8444,7 @@ print_debug_line_section (Dwfl_Module *d
+ }
+ else
+ {
+- while (*linep != 0)
++ while (linep < lineendp && *linep != 0)
+ {
+ unsigned char *endp = memchr (linep, '\0', lineendp - linep);
+ if (unlikely (endp == NULL))
+@@ -8454,6 +8454,8 @@ print_debug_line_section (Dwfl_Module *d
+
+ linep = endp + 1;
+ }
++ if (linep >= lineendp || *linep != 0)
++ goto invalid_unit;
+ /* Skip the final NUL byte. */
+ ++linep;
+ }
+@@ -8523,7 +8525,7 @@ print_debug_line_section (Dwfl_Module *d
+ else
+ {
+ puts (gettext (" Entry Dir Time Size Name"));
+- for (unsigned int cnt = 1; *linep != 0; ++cnt)
++ for (unsigned int cnt = 1; linep < lineendp && *linep != 0; ++cnt)
+ {
+ /* First comes the file name. */
+ char *fname = (char *) linep;
+@@ -8553,6 +8555,8 @@ print_debug_line_section (Dwfl_Module *d
+ printf (" %-5u %-5u %-9u %-9u %s\n",
+ cnt, diridx, mtime, fsize, fname);
+ }
++ if (linep >= lineendp || *linep != '\0')
++ goto invalid_unit;
+ /* Skip the final NUL byte. */
+ ++linep;
+ }
+Index: elfutils-0.175/libdw/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libdw/ChangeLog
++++ elfutils-0.175/libdw/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20 Mark Wielaard <mark@klomp.org>
++
++ * dwarf_getsrclines.c (read_srclines): Check terminating NUL byte
++ for dir and file lists.
++
+ 2018-10-20 Mark Wielaard <mark@klomp.org>
+
+ * libdw.map (ELFUTILS_0.175): New section. Add dwelf_elf_begin.
+Index: elfutils-0.175/src/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/src/ChangeLog
++++ elfutils-0.175/src/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20 Mark Wielaard <mark@klomp.org>
++
++ * readelf.c (print_debug_line_section): Check terminating NUL byte
++ for dir and file tables.
++
+ 2018-11-10 Mark Wielaard <mark@klomp.org>
+
+ * elflint.c (check_program_header): Allow PT_GNU_EH_FRAME segment
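Review bot: In the third dwarf_getsrclines.c hunk (@@ -392,11 +394,12 @@) the second pass over the directory table depends on `assert (endp != NULL)` and the new `assert (*linep == '\0')`, both of which compile away under NDEBUG, so the safety of that pass rests entirely on the first-pass checks added in the first two hunks. The new assert also dereferences linep without testing linep < lineendp. Both comments say "Checked above when calculating ndirlist", but the counter in the first hunk is ndirs. For the backport keep the text as upstream has it, but the invariant would be clearer as an explicit `goto invalid_data` test like the ones added to the file table loop.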
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
new file mode 100644
index 0000000..01a4fb1
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7150.patch
@@ -0,0 +1,51 @@
+From da5c5336a1eaf519de246f7d9f0f5585e1d4ac59 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Sun, 20 Jan 2019 23:05:56 +0100
+Subject: [PATCH] libdwfl: Sanity check partial core file dyn data read.
+
+When reading the dyn data from the core file check if we got everything,
+or just part of the data.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24103
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+
+Upstream-Status: Backport
+CVE: CVE-2019-7150
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libdwfl/ChangeLog | 5 +++++
+ libdwfl/dwfl_segment_report_module.c | 6 ++++++
+ 2 files changed, 11 insertions(+)
+
+Index: elfutils-0.175/libdwfl/dwfl_segment_report_module.c
+===================================================================
+--- elfutils-0.175.orig/libdwfl/dwfl_segment_report_module.c
++++ elfutils-0.175/libdwfl/dwfl_segment_report_module.c
+@@ -783,6 +783,12 @@ dwfl_segment_report_module (Dwfl *dwfl,
+ if (dyn_filesz != 0 && dyn_filesz % dyn_entsize == 0
+ && ! read_portion (&dyn_data, &dyn_data_size, dyn_vaddr, dyn_filesz))
+ {
++ /* dyn_data_size will be zero if we got everything from the initial
++ buffer, otherwise it will be the size of the new buffer that
++ could be read. */
++ if (dyn_data_size != 0)
++ dyn_filesz = dyn_data_size;
++
+ void *dyns = malloc (dyn_filesz);
+ Elf32_Dyn (*d32)[dyn_filesz / sizeof (Elf32_Dyn)] = dyns;
+ Elf64_Dyn (*d64)[dyn_filesz / sizeof (Elf64_Dyn)] = dyns;
+Index: elfutils-0.175/libdwfl/ChangeLog
+===================================================================
+--- elfutils-0.175.orig/libdwfl/ChangeLog
++++ elfutils-0.175/libdwfl/ChangeLog
+@@ -1,3 +1,8 @@
++2019-01-20 Mark Wielaard <mark@klomp.org>
++
++ * dwfl_segment_report_module.c (dwfl_segment_report_module): Check
++ dyn_filesz vs dyn_data_size after read_portion call.
++
+ 2018-10-20 Mark Wielaard <mark@klomp.org>
+
+ * libdwflP.h (__libdw_open_elf): New internal function declaration.
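Review bot: In the dwfl_segment_report_module.c hunk, `dyn_filesz % dyn_entsize == 0` is evaluated in the if condition before dyn_filesz is replaced by dyn_data_size, so the shortened size is never re-checked against the entry size. The array bounds `dyn_filesz / sizeof (Elf32_Dyn)` round down, so a trailing partial entry is dropped rather than read, but any later use of dyn_filesz as a byte count, which is outside the visible context, should be checked for the same assumption. A one-line comment stating that a partial trailing entry is ignored on purpose would make the intent clear.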
--
2.7.4
* [thud][ 03/25] qemu: Several CVE fixes
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: qemu.org
MR: 97258, 97342, 97438, 97443
Type: Security Fix
Disposition: Backport from git.qemu.org/qemu.git
ChangeID: a5e9fd03ca5bebc880dcc3c4567e10a9ae47dba5
Description:
These issues affect qemu < 3.1.0
Fixes:
CVE-2018-16867
CVE-2018-16872
CVE-2018-18849
CVE-2018-19364
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../qemu/qemu/CVE-2018-16867.patch | 49 +++++++++
.../qemu/qemu/CVE-2018-16872.patch | 89 ++++++++++++++++
.../qemu/qemu/CVE-2018-18849.patch | 86 +++++++++++++++
.../qemu/qemu/CVE-2018-19364_p1.patch | 51 +++++++++
.../qemu/qemu/CVE-2018-19364_p2.patch | 115 +++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_3.0.0.bb | 5 +
6 files changed, 395 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch
new file mode 100644
index 0000000..644459e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch
@@ -0,0 +1,49 @@
+From 61f87388af0af72ad61dee00ddd267b8047049f2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 Dec 2018 11:10:45 +0100
+Subject: [PATCH] usb-mtp: outlaw slashes in filenames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Slash is unix directory separator, so they are not allowed in filenames.
+Note this also stops the classic escape via "../".
+
+Fixes: CVE-2018-16867
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20181203101045.27976-3-kraxel@redhat.com
+(cherry picked from commit c52d46e041b42bb1ee6f692e00a0abe37a9659f6)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-16867
+Affects: < 3.1.0
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/dev-mtp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 1ded7ac..899c8a3 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -1667,6 +1667,12 @@ static void usb_mtp_write_metadata(MTPState *s)
+
+ utf16_to_str(dataset->length, dataset->filename, filename);
+
++ if (strchr(filename, '/')) {
++ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
++ 0, 0, 0, 0);
++ return;
++ }
++
+ o = usb_mtp_object_lookup_name(p, filename, dataset->length);
+ if (o != NULL) {
+ next_handle = o->handle;
+--
+2.7.4
+
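Review bot: In usb_mtp_write_metadata the new test is `strchr(filename, '/')` only, so it rejects path separators but does not cover the names "." and "..", or an empty name, which contain no slash and go on to usb_mtp_object_lookup_name. If those are not rejected elsewhere in dev-mtp.c, adding them to this check would make the property the commit message claims explicit in the code. The check also runs on the output of utf16_to_str, so it depends on that conversion producing a NUL-terminated string within the bounds of filename, which the visible lines do not show.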
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
new file mode 100644
index 0000000..9f2c5d3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
@@ -0,0 +1,89 @@
+From 7347a04da35ec6284ce83e8bcd72dc4177d17b10 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 13 Dec 2018 13:25:11 +0100
+Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
+
+Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
+While being at it also add O_CLOEXEC.
+
+usb-mtp only handles regular files and directories and ignores
+everything else, so users should not see a difference.
+
+Because qemu ignores symlinks, carrying out a successful symlink attack
+requires swapping an existing file or directory below rootdir for a
+symlink and winning the race against the inotify notification to qemu.
+
+Fixes: CVE-2018-16872
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: Bandan Das <bsd@redhat.com>
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Message-id: 20181213122511.13853-1-kraxel@redhat.com
+(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-16872
+Affects: < 3.1.0
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/dev-mtp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 899c8a3..f4223fb 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -649,13 +649,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
+ {
+ struct dirent *entry;
+ DIR *dir;
++ int fd;
+
+ if (o->have_children) {
+ return;
+ }
+ o->have_children = true;
+
+- dir = opendir(o->path);
++ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
++ if (fd < 0) {
++ return;
++ }
++ dir = fdopendir(fd);
+ if (!dir) {
+ return;
+ }
+@@ -1003,7 +1008,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
+
+ trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
+
+- d->fd = open(o->path, O_RDONLY);
++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+ if (d->fd == -1) {
+ usb_mtp_data_free(d);
+ return NULL;
+@@ -1027,7 +1032,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
+ c->argv[1], c->argv[2]);
+
+ d = usb_mtp_data_alloc(c);
+- d->fd = open(o->path, O_RDONLY);
++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+ if (d->fd == -1) {
+ usb_mtp_data_free(d);
+ return NULL;
+@@ -1608,7 +1613,7 @@ static void usb_mtp_write_data(MTPState *s)
+ 0, 0, 0, 0);
+ goto done;
+ }
+- d->fd = open(path, O_CREAT | O_WRONLY, mask);
++ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
+ if (d->fd == -1) {
+ usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
+ 0, 0, 0, 0);
+--
+2.7.4
+
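Review bot: In the usb_mtp_object_readdir hunk, the descriptor returned by `open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW)` is leaked when `fdopendir(fd)` fails, because the existing `if (!dir) return;` path never closes it. A `close(fd);` before that return would fix it; since this is a backport, check whether upstream has a follow-up commit and pick that up rather than diverging. Note also that O_NOFOLLOW applies to the final path component only, so the protection in all four open() calls depends on the parent directories of o->path and path being trusted.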
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
new file mode 100644
index 0000000..b632512
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
@@ -0,0 +1,86 @@
+From bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Sat, 27 Oct 2018 01:13:14 +0530
+Subject: [PATCH] lsi53c895a: check message length value is valid
+
+While writing a message in 'lsi_do_msgin', message length value
+in 'msg_len' could be invalid due to an invalid migration stream.
+Add an assertion to avoid an out of bounds access, and reject
+the incoming migration data if it contains an invalid message
+length.
+
+Discovered by Deja vu Security. Reported by Oracle.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20181026194314.18663-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit e58ccf039650065a9442de43c9816f81e88f27f6)
+*CVE-2018-18849
+*avoid context dep. on c921370b22c
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-18849
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/scsi/lsi53c895a.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 160657f..3758635 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -865,10 +865,11 @@ static void lsi_do_status(LSIState *s)
+
+ static void lsi_do_msgin(LSIState *s)
+ {
+- int len;
++ uint8_t len;
+ DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
+ s->sfbr = s->msg[0];
+ len = s->msg_len;
++ assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
+ if (len > s->dbc)
+ len = s->dbc;
+ pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
+@@ -1703,8 +1704,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset)
+ break;
+ case 0x58: /* SBDL */
+ /* Some drivers peek at the data bus during the MSG IN phase. */
+- if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
++ if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
++ assert(s->msg_len > 0);
+ return s->msg[0];
++ }
+ ret = 0;
+ break;
+ case 0x59: /* SBDL high */
+@@ -2096,11 +2099,23 @@ static int lsi_pre_save(void *opaque)
+ return 0;
+ }
+
++static int lsi_post_load(void *opaque, int version_id)
++{
++ LSIState *s = opaque;
++
++ if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ static const VMStateDescription vmstate_lsi_scsi = {
+ .name = "lsiscsi",
+ .version_id = 0,
+ .minimum_version_id = 0,
+ .pre_save = lsi_pre_save,
++ .post_load = lsi_post_load,
+ .fields = (VMStateField[]) {
+ VMSTATE_PCI_DEVICE(parent_obj, LSIState),
+
+--
+2.7.4
+
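Review bot: The new checks disagree about zero: lsi_post_load accepts `s->msg_len == 0` (it rejects only `< 0` and `> LSI_MAX_MSGIN_LEN`), while lsi_do_msgin asserts `len > 0` and lsi_reg_readb asserts `s->msg_len > 0`. Loaded state with a zero msg_len in the MSG IN phase would pass post_load and then trip an assert, so either post_load should tie the lower bound to the phase or the asserts should become error paths. In lsi_do_msgin the value is narrowed to uint8_t before the assert, so the range test runs on the truncated value rather than on s->msg_len. LSI_MAX_MSGIN_LEN is not defined in any hunk here; confirm it already exists in the 3.0.0 source, given the "avoid context dep. on c921370b22c" line in the header.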
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch
new file mode 100644
index 0000000..1d77af4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch
@@ -0,0 +1,51 @@
+From 5b76ef50f62079a2389ba28cacaf6cce68b1a0ed Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Wed, 7 Nov 2018 01:00:04 +0100
+Subject: [PATCH] 9p: write lock path in v9fs_co_open2()
+
+The assumption that the fid cannot be used by any other operation is
+wrong. At least, nothing prevents a misbehaving client to create a
+file with a given fid, and to pass this fid to some other operation
+at the same time (ie, without waiting for the response to the creation
+request). The call to v9fs_path_copy() performed by the worker thread
+after the file was created can race with any access to the fid path
+performed by some other thread. This causes use-after-free issues that
+can be detected by ASAN with a custom 9p client.
+
+Unlike other operations that only read the fid path, v9fs_co_open2()
+does modify it. It should hence take the write lock.
+
+Cc: P J P <ppandit@redhat.com>
+Reported-by: zhibin hu <noirfate@gmail.com>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-19364 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/9pfs/cofile.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c
+index 88791bc..9c22837 100644
+--- a/hw/9pfs/cofile.c
++++ b/hw/9pfs/cofile.c
+@@ -140,10 +140,10 @@ int coroutine_fn v9fs_co_open2(V9fsPDU *pdu, V9fsFidState *fidp,
+ cred.fc_gid = gid;
+ /*
+ * Hold the directory fid lock so that directory path name
+- * don't change. Read lock is fine because this fid cannot
+- * be used by any other operation.
++ * don't change. Take the write lock to be sure this fid
++ * cannot be used by another operation.
+ */
+- v9fs_path_read_lock(s);
++ v9fs_path_write_lock(s);
+ v9fs_co_run_in_worker(
+ {
+ err = s->ops->open2(&s->ctx, &fidp->path,
+--
+2.7.4
+
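Review bot: The tag in this patch header is spelled `Upstream-status:`, while the other patches in this series use `Upstream-Status:`; use the capitalised form so that tooling matching the tag finds it. Unlike the other qemu patches in the series, the header also has no "(cherry picked from commit ...)" line to tie it to an upstream commit. In the cofile.c hunk only the lock call changes, so the matching unlock after v9fs_co_run_in_worker is outside the visible context; confirm that it releases a write lock as well as a read lock.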
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
new file mode 100644
index 0000000..b8d094c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
@@ -0,0 +1,115 @@
+From 5b3c77aa581ebb215125c84b0742119483571e55 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Tue, 20 Nov 2018 13:00:35 +0100
+Subject: [PATCH] 9p: take write lock on fid path updates (CVE-2018-19364)
+
+Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
+possibly overwrite a fid path with v9fs_path_copy() while it is being
+accessed by some other thread, ie, use-after-free that can be detected
+by ASAN with a custom 9p client.
+
+It turns out that the same can happen at several locations where
+v9fs_path_copy() is used to set the fid path. The fix is again to
+take the write lock.
+
+Fixes CVE-2018-19364.
+
+Cc: P J P <ppandit@redhat.com>
+Reported-by: zhibin hu <noirfate@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-19364 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/9pfs/9p.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index eef289e..267a255 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1391,7 +1391,9 @@ static void coroutine_fn v9fs_walk(void *opaque)
+ err = -EINVAL;
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ } else {
+ newfidp = alloc_fid(s, newfid);
+ if (newfidp == NULL) {
+@@ -2160,6 +2162,7 @@ static void coroutine_fn v9fs_create(void *opaque)
+ V9fsString extension;
+ int iounit;
+ V9fsPDU *pdu = opaque;
++ V9fsState *s = pdu->s;
+
+ v9fs_path_init(&path);
+ v9fs_string_init(&name);
+@@ -2200,7 +2203,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ if (err < 0) {
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ err = v9fs_co_opendir(pdu, fidp);
+ if (err < 0) {
+ goto out;
+@@ -2216,7 +2221,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ if (err < 0) {
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ } else if (perm & P9_STAT_MODE_LINK) {
+ int32_t ofid = atoi(extension.data);
+ V9fsFidState *ofidp = get_fid(pdu, ofid);
+@@ -2234,7 +2241,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ fidp->fid_type = P9_FID_NONE;
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ err = v9fs_co_lstat(pdu, &fidp->path, &stbuf);
+ if (err < 0) {
+ fidp->fid_type = P9_FID_NONE;
+@@ -2272,7 +2281,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ if (err < 0) {
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ } else if (perm & P9_STAT_MODE_NAMED_PIPE) {
+ err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
+ 0, S_IFIFO | (perm & 0777), &stbuf);
+@@ -2283,7 +2294,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ if (err < 0) {
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ } else if (perm & P9_STAT_MODE_SOCKET) {
+ err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
+ 0, S_IFSOCK | (perm & 0777), &stbuf);
+@@ -2294,7 +2307,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ if (err < 0) {
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ } else {
+ err = v9fs_co_open2(pdu, fidp, &name, -1,
+ omode_to_uflags(mode)|O_CREAT, perm, &stbuf);
+--
+2.7.4
+
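Review bot: in the v9fs_create hunks the write lock is released immediately after v9fs_path_copy(), while the very next calls, v9fs_co_opendir(pdu, fidp) and v9fs_co_lstat(pdu, &fidp->path, &stbuf), read fidp->path outside it. Please confirm against upstream that those helpers take the path read lock themselves, and say so in the patch header, because the fix is only complete if every reader is covered. Separately, the v9fs_walk hunk uses `s` with no declaration in the visible context, whereas v9fs_create gains `V9fsState *s = pdu->s;`, so check that the backport applies and builds cleanly against 3.0.0.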
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index 776548b..59cfc38 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -25,6 +25,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2018-17958.patch \
file://CVE-2018-17962.patch \
file://CVE-2018-17963.patch \
+ file://CVE-2018-16867.patch \
+ file://CVE-2018-16872.patch \
+ file://CVE-2018-18849.patch \
+ file://CVE-2018-19364_p1.patch \
+ file://CVE-2018-19364_p2.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
--
2.7.4
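Review bot: CVE-2018-19364 is split across `CVE-2018-19364_p1.patch` and `CVE-2018-19364_p2.patch` in SRC_URI, so both files need their own `CVE: CVE-2018-19364` and Upstream-Status lines and must stay in this order, since p2 builds on the locking helpers it calls. The commit subject says only "Several CVE fixes"; listing the five CVE ids in the commit body would make the change searchable from the log.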
* [thud][ 04/25] python: Update to 2.7.16
2019-06-26 16:53 [thud][ 00/25] Patch review Armin Kuster
` (2 preceding siblings ...)
2019-06-26 16:53 ` [thud][ 03/25] qemu: Several CVE fixes Armin Kuster
@ 2019-06-26 16:53 ` Armin Kuster
2019-06-26 16:53 ` [thud][ 05/25] python: add a fix for CVE-2019-9948 and CVE-2019-9636 Armin Kuster
` (20 subsequent siblings)
24 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: Python.org
MR: 98220
Type: Security Fix & Integration
Disposition: Backport from python.org
ChangeID: 96fdd2dee9fe9317eb72584583ae0100c0be9eaa
Description:
Bug fix update per Python.org
https://www.python.org/downloads/release/python-2716/
drop backported patch
License-update: copyright years
Helps prepare Thud for 2.7 EOL support moving forward.
Update includes:
CVE-2019-5010
https://github.com/python/cpython/commit/06b15424b0dcacb1c551b2a36e739fffa8d0c595
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...on-native_2.7.15.bb => python-native_2.7.16.bb} | 2 -
meta/recipes-devtools/python/python.inc | 18 ++--
...23-Use-XML_SetHashSalt-in-_elementtree-GH.patch | 96 -----------------
...ix-test_ssl-when-a-filename-cannot-be-enc.patch | 55 ----------
...LS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch | 120 ---------------------
...34540-Convert-shutil._call_external_zip-t.patch | 67 ------------
...dd-missing-closing-wrapper-in-test_tls1_3.patch | 37 -------
...ix-test_ssl.test_options-to-account-for-O.patch | 37 -------
...ix-test_default_ecdh_curve-needs-no-tlsv1.patch | 34 ------
.../python/{python_2.7.15.bb => python_2.7.16.bb} | 2 -
10 files changed, 6 insertions(+), 462 deletions(-)
rename meta/recipes-devtools/python/{python-native_2.7.15.bb => python-native_2.7.16.bb} (96%)
delete mode 100644 meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch
delete mode 100644 meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch
delete mode 100644 meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
delete mode 100644 meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch
delete mode 100644 meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch
delete mode 100644 meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch
delete mode 100644 meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch
rename meta/recipes-devtools/python/{python_2.7.15.bb => python_2.7.16.bb} (98%)
diff --git a/meta/recipes-devtools/python/python-native_2.7.15.bb b/meta/recipes-devtools/python/python-native_2.7.16.bb
similarity index 96%
rename from meta/recipes-devtools/python/python-native_2.7.15.bb
rename to meta/recipes-devtools/python/python-native_2.7.16.bb
index 26d67df..b744280 100644
--- a/meta/recipes-devtools/python/python-native_2.7.15.bb
+++ b/meta/recipes-devtools/python/python-native_2.7.16.bb
@@ -1,7 +1,6 @@
require python.inc
EXTRANATIVEPATH += "bzip2-native"
DEPENDS = "openssl-native bzip2-replacement-native zlib-native readline-native sqlite3-native expat-native gdbm-native db-native"
-PR = "${INC_PR}.1"
SRC_URI += "\
file://05-enable-ctypes-cross-build.patch \
@@ -17,7 +16,6 @@ SRC_URI += "\
file://parallel-makeinst-create-bindir.patch \
file://revert_use_of_sysconfigdata.patch \
file://0001-python-native-fix-one-do_populate_sysroot-warning.patch \
- file://0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch \
"
S = "${WORKDIR}/Python-${PV}"
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 6692367..e5f1981 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -5,18 +5,12 @@ SECTION = "devel/python"
# bump this on every change in contrib/python/generate-manifest-2.7.py
INC_PR = "r1"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"
-
-SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
- file://0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch \
- file://0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch \
- file://0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch \
- file://0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch \
- file://0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch \
- "
-
-SRC_URI[md5sum] = "a80ae3cc478460b922242f43a1b4094d"
-SRC_URI[sha256sum] = "22d9b1ac5b26135ad2b8c2901a9413537e08749a753356ee913c84dbd2df5574"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e466242989bd33c1bd2b6a526a742498"
+
+SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz"
+
+SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5"
+SRC_URI[sha256sum] = "f222ef602647eecb6853681156d32de4450a2c39f4de93bd5b20235f2e660ed7"
# python recipe is actually python 2.x
# also, exclude pre-releases for both python 2.x and 3.x
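Review bot: the rewritten SRC_URI still fetches the tarball over plain `http://www.python.org/ftp/python/...`, which leaves SRC_URI[sha256sum] as the only protection against a tampered download; since the line is being touched anyway, switch it to https. The LIC_FILES_CHKSUM change is covered by the "License-update: copyright years" line in the commit message, which is good.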
diff --git a/meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch b/meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch
deleted file mode 100644
index 3c0d662..0000000
--- a/meta/recipes-devtools/python/python/0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 3ffc80959f01f9fde548f1632694b9f950c2dd7c Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Tue, 18 Sep 2018 15:13:09 +0200
-Subject: [PATCH] [2.7] bpo-34623: Use XML_SetHashSalt in _elementtree
- (GH-9146) (GH-9394)
-
-The C accelerated _elementtree module now initializes hash randomization
-salt from _Py_HashSecret instead of libexpat's default CPRNG.
-
-Signed-off-by: Christian Heimes <christian@python.org>
-
-https://bugs.python.org/issue34623.
-(cherry picked from commit cb5778f00ce48631c7140f33ba242496aaf7102b)
-
-Co-authored-by: Christian Heimes <christian@python.org>
-
-
-
-https://bugs.python.org/issue34623
-
-Upstream-Status: Backport
-CVE: CVE-2018-14647
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- Include/pyexpat.h | 4 +++-
- Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst | 2 ++
- Modules/_elementtree.c | 5 +++++
- Modules/pyexpat.c | 5 +++++
- 4 files changed, 15 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
-
-diff --git a/Include/pyexpat.h b/Include/pyexpat.h
-index 5340ef5..3fc5fa5 100644
---- a/Include/pyexpat.h
-+++ b/Include/pyexpat.h
-@@ -3,7 +3,7 @@
-
- /* note: you must import expat.h before importing this module! */
-
--#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.0"
-+#define PyExpat_CAPI_MAGIC "pyexpat.expat_CAPI 1.1"
- #define PyExpat_CAPSULE_NAME "pyexpat.expat_CAPI"
-
- struct PyExpat_CAPI
-@@ -43,6 +43,8 @@ struct PyExpat_CAPI
- XML_Parser parser, XML_UnknownEncodingHandler handler,
- void *encodingHandlerData);
- void (*SetUserData)(XML_Parser parser, void *userData);
-+ /* might be none for expat < 2.1.0 */
-+ int (*SetHashSalt)(XML_Parser parser, unsigned long hash_salt);
- /* always add new stuff to the end! */
- };
-
-diff --git a/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
-new file mode 100644
-index 0000000..31ad92e
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2018-09-10-16-05-39.bpo-34623.Ua9jMv.rst
-@@ -0,0 +1,2 @@
-+The C accelerated _elementtree module now initializes hash randomization
-+salt from _Py_HashSecret instead of libexpat's default CSPRNG.
-diff --git a/Modules/_elementtree.c b/Modules/_elementtree.c
-index 1d316a1..a19cbf7 100644
---- a/Modules/_elementtree.c
-+++ b/Modules/_elementtree.c
-@@ -2574,6 +2574,11 @@ xmlparser(PyObject* self_, PyObject* args, PyObject* kw)
- PyErr_NoMemory();
- return NULL;
- }
-+ /* expat < 2.1.0 has no XML_SetHashSalt() */
-+ if (EXPAT(SetHashSalt) != NULL) {
-+ EXPAT(SetHashSalt)(self->parser,
-+ (unsigned long)_Py_HashSecret.prefix);
-+ }
-
- ALLOC(sizeof(XMLParserObject), "create expatparser");
-
-diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
-index 2b4d312..1f8c0d7 100644
---- a/Modules/pyexpat.c
-+++ b/Modules/pyexpat.c
-@@ -2042,6 +2042,11 @@ MODULE_INITFUNC(void)
- capi.SetProcessingInstructionHandler = XML_SetProcessingInstructionHandler;
- capi.SetUnknownEncodingHandler = XML_SetUnknownEncodingHandler;
- capi.SetUserData = XML_SetUserData;
-+#if XML_COMBINED_VERSION >= 20100
-+ capi.SetHashSalt = XML_SetHashSalt;
-+#else
-+ capi.SetHashSalt = NULL;
-+#endif
-
- /* export using capsule */
- capi_object = PyCapsule_New(&capi, PyExpat_CAPSULE_NAME, NULL);
---
-2.7.4
-
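Review bot: this deleted backport is tagged `CVE: CVE-2018-14647`, but the commit message lists only CVE-2019-5010 under "Update includes". Please add a line stating that the XML_SetHashSalt change is contained in 2.7.16, so the reason for dropping the patch is recorded and CVE tracking for thud does not read as a regression.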
diff --git a/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch b/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch
deleted file mode 100644
index 4c0b357..0000000
--- a/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 19f6bd06af3c7fc0db5f96878aaa68f5589ff13e Mon Sep 17 00:00:00 2001
-From: Pablo Galindo <Pablogsal@gmail.com>
-Date: Thu, 24 May 2018 23:20:44 +0100
-Subject: [PATCH] bpo-33354: Fix test_ssl when a filename cannot be encoded
- (GH-6613)
-
-Skip test_load_dh_params() of test_ssl when Python filesystem encoding
-cannot encode the provided path.
-
-Upstream-Status: Backport [https://github.com/python/cpython/commit/19f6bd06af3c7fc0db5f96878aaa68f5589ff13e]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/test/test_ssl.py | 9 ++++++++-
- .../next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst | 2 ++
- 2 files changed, 10 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
-
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index b59fe73f04..7ced90fdf6 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -989,6 +989,13 @@ class ContextTests(unittest.TestCase):
-
-
- def test_load_dh_params(self):
-+ filename = u'dhpäräm.pem'
-+ fs_encoding = sys.getfilesystemencoding()
-+ try:
-+ filename.encode(fs_encoding)
-+ except UnicodeEncodeError:
-+ self.skipTest("filename %r cannot be encoded to the filesystem encoding %r" % (filename, fs_encoding))
-+
- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
- ctx.load_dh_params(DHFILE)
- if os.name != 'nt':
-@@ -1001,7 +1008,7 @@ class ContextTests(unittest.TestCase):
- with self.assertRaises(ssl.SSLError) as cm:
- ctx.load_dh_params(CERTFILE)
- with support.temp_dir() as d:
-- fname = os.path.join(d, u'dhpäräm.pem')
-+ fname = os.path.join(d, filename)
- shutil.copy(DHFILE, fname)
- ctx.load_dh_params(fname)
-
-diff --git a/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
-new file mode 100644
-index 0000000000..c66cecac32
---- /dev/null
-+++ b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
-@@ -0,0 +1,2 @@
-+Skip ``test_ssl.test_load_dh_params`` when Python filesystem encoding cannot encode the
-+provided path.
---
-2.17.1
-
diff --git a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch b/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
deleted file mode 100644
index 1f70562..0000000
--- a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From a333351592f097220fc862911b34d3a300f0985e Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Wed, 15 Aug 2018 09:07:28 +0200
-Subject: [PATCH 1/4] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
- (GH-8760)
-
-Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
-1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
-default.
-
-Also update multissltests to test with latest OpenSSL.
-
-Signed-off-by: Christian Heimes <christian@python.org>.
-(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
-
-Co-authored-by: Christian Heimes <christian@python.org>
-
-Upstream-Status: Accepted [https://github.com/python/cpython/pull/8771]
-
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Doc/library/ssl.rst | 8 ++--
- Lib/test/test_ssl.py | 37 +++++++++++--------
- .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | 3 ++
- 3 files changed, 27 insertions(+), 21 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-
-diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
-index 0421031772..7c7c85b833 100644
---- a/Doc/library/ssl.rst
-+++ b/Doc/library/ssl.rst
-@@ -294,11 +294,6 @@ purposes.
-
- 3DES was dropped from the default cipher string.
-
-- .. versionchanged:: 2.7.15
--
-- TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
-- and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
--
- .. function:: _https_verify_certificates(enable=True)
-
- Specifies whether or not server certificates are verified when creating
-@@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients.
- when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
- give the currently selected cipher.
-
-+ OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
-+ cannot be disabled with :meth:`~SSLContext.set_ciphers`.
-+
- .. method:: SSLContext.set_alpn_protocols(protocols)
-
- Specify which protocols the socket should advertise during the SSL/TLS
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index dc14e22ad1..f51572e319 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -2772,19 +2772,24 @@ else:
- sock.do_handshake()
- self.assertEqual(cm.exception.errno, errno.ENOTCONN)
-
-- def test_default_ciphers(self):
-- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-- try:
-- # Force a set of weak ciphers on our client context
-- context.set_ciphers("DES")
-- except ssl.SSLError:
-- self.skipTest("no DES cipher available")
-- with ThreadedEchoServer(CERTFILE,
-- ssl_version=ssl.PROTOCOL_SSLv23,
-- chatty=False) as server:
-- with closing(context.wrap_socket(socket.socket())) as s:
-- with self.assertRaises(ssl.SSLError):
-- s.connect((HOST, server.port))
-+ def test_no_shared_ciphers(self):
-+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-+ server_context.load_cert_chain(SIGNED_CERTFILE)
-+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
-+ client_context.verify_mode = ssl.CERT_REQUIRED
-+ client_context.check_hostname = True
-+
-+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
-+ client_context.options |= ssl.OP_NO_TLSv1_3
-+ # Force different suites on client and master
-+ client_context.set_ciphers("AES128")
-+ server_context.set_ciphers("AES256")
-+ with ThreadedEchoServer(context=server_context) as server:
-+ s = client_context.wrap_socket(
-+ socket.socket(),
-+ server_hostname="localhost")
-+ with self.assertRaises(ssl.SSLError):
-+ s.connect((HOST, server.port))
- self.assertIn("no shared cipher", str(server.conn_errors[0]))
-
- def test_version_basic(self):
-@@ -2815,9 +2820,9 @@ else:
- with context.wrap_socket(socket.socket()) as s:
- s.connect((HOST, server.port))
- self.assertIn(s.cipher()[0], [
-- 'TLS13-AES-256-GCM-SHA384',
-- 'TLS13-CHACHA20-POLY1305-SHA256',
-- 'TLS13-AES-128-GCM-SHA256',
-+ 'TLS_AES_256_GCM_SHA384',
-+ 'TLS_CHACHA20_POLY1305_SHA256',
-+ 'TLS_AES_128_GCM_SHA256',
- ])
-
- @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
-diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-new file mode 100644
-index 0000000000..bd719a47e8
---- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
-@@ -0,0 +1,3 @@
-+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
-+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
-+default.
---
-2.17.1
-
diff --git a/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch b/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch
deleted file mode 100644
index 125db85..0000000
--- a/meta/recipes-devtools/python/python/0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From c7e692c61dc091d07dee573f5f424b6b427ff056 Mon Sep 17 00:00:00 2001
-From: Benjamin Peterson <benjamin@python.org>
-Date: Wed, 29 Aug 2018 21:59:21 -0700
-Subject: [PATCH] closes bpo-34540: Convert shutil._call_external_zip to use
- subprocess rather than distutils.spawn. (GH-8985)
-
-Upstream-Status: Backport
-CVE: CVE-2018-1000802
-Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
----
- Lib/shutil.py | 16 ++++++++++------
- .../Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst | 3 +++
- 2 files changed, 13 insertions(+), 6 deletions(-)
- create mode 100644 Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
-
-diff --git a/Lib/shutil.py b/Lib/shutil.py
-index 3462f7c..0ab1a06 100644
---- a/Lib/shutil.py
-+++ b/Lib/shutil.py
-@@ -413,17 +413,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0,
-
- return archive_name
-
--def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
-+def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
- # XXX see if we want to keep an external call here
- if verbose:
- zipoptions = "-r"
- else:
- zipoptions = "-rq"
-- from distutils.errors import DistutilsExecError
-- from distutils.spawn import spawn
-+ cmd = ["zip", zipoptions, zip_filename, base_dir]
-+ if logger is not None:
-+ logger.info(' '.join(cmd))
-+ if dry_run:
-+ return
-+ import subprocess
- try:
-- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
-- except DistutilsExecError:
-+ subprocess.check_call(cmd)
-+ except subprocess.CalledProcessError:
- # XXX really should distinguish between "couldn't find
- # external 'zip' command" and "zip failed".
- raise ExecError, \
-@@ -458,7 +462,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None):
- zipfile = None
-
- if zipfile is None:
-- _call_external_zip(base_dir, zip_filename, verbose, dry_run)
-+ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
- else:
- if logger is not None:
- logger.info("creating '%s' and adding '%s' to it",
-diff --git a/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
-new file mode 100644
-index 0000000..4f68696
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2018-08-28-22-11-54.bpo-34540.gfQ0TM.rst
-@@ -0,0 +1,3 @@
-+When ``shutil.make_archive`` falls back to the external ``zip`` problem, it
-+uses :mod:`subprocess` to invoke it rather than :mod:`distutils.spawn`. This
-+closes a possible shell injection vector.
---
-2.7.4
-
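Review bot: the removed file carries `CVE: CVE-2018-1000802` (the shutil._call_external_zip fix), and the commit message says only "drop backported patch" without naming it. Name the CVE in the commit message and confirm that Lib/shutil.py in the 2.7.16 tarball already uses subprocess.check_call here before the backport goes away.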
diff --git a/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch b/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch
deleted file mode 100644
index 9688271..0000000
--- a/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0e1f3856a7e1511fb64d99646c54ddf3897cd444 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Fri, 28 Sep 2018 14:15:52 +0100
-Subject: [PATCH 2/4] bpo-34818: Add missing closing() wrapper in test_tls1_3.
-
-Python 2.7 socket classes do not implement context manager protocol,
-hence closing() is required around it. Resolves testcase error
-traceback.
-
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-
-https://bugs.python.org/issue34818
-
-Patch taken from Ubuntu.
-
-Upstream-Status: Submitted [https://github.com/python/cpython/pull/9622]
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/test/test_ssl.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index f51572e319..7a14053cee 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -2817,7 +2817,7 @@ else:
- ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
- )
- with ThreadedEchoServer(context=context) as server:
-- with context.wrap_socket(socket.socket()) as s:
-+ with closing(context.wrap_socket(socket.socket())) as s:
- s.connect((HOST, server.port))
- self.assertIn(s.cipher()[0], [
- 'TLS_AES_256_GCM_SHA384',
---
-2.17.1
-
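Review bot: this patch is marked `Upstream-Status: Submitted` (cpython pull 9622), not Backport, so dropping it is only safe if the closing() wrapper in test_tls1_3 actually landed in 2.7.16. Please confirm that, and the same for the other Submitted test_ssl patches removed in this commit, otherwise test_ssl regresses when built against OpenSSL 1.1.1.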
diff --git a/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch b/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch
deleted file mode 100644
index 77016cb..0000000
--- a/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 8b06d56d26eee289fec22b9b72ab4c7cc3d6c482 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Fri, 28 Sep 2018 16:34:16 +0100
-Subject: [PATCH 3/4] bpo-34834: Fix test_ssl.test_options to account for
- OP_ENABLE_MIDDLEBOX_COMPAT.
-
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-
-https://bugs.python.org/issue34834
-
-Patch taken from Ubuntu.
-Upstream-Status: Submitted [https://github.com/python/cpython/pull/9624]
-
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/test/test_ssl.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index 7a14053cee..efc906a5ba 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -777,6 +777,11 @@ class ContextTests(unittest.TestCase):
- default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
- if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
- default |= ssl.OP_NO_COMPRESSION
-+ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
-+ # define MIDDLEBOX constant, as python2.7 does not know about it
-+ # but it is used by default.
-+ OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L
-+ default |= OP_ENABLE_MIDDLEBOX_COMPAT
- self.assertEqual(default, ctx.options)
- ctx.options |= ssl.OP_NO_TLSv1
- self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
---
-2.17.1
-
diff --git a/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch b/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch
deleted file mode 100644
index 39e1bcf..0000000
--- a/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 946a7969345c6697697effd226ec396d3fea05b7 Mon Sep 17 00:00:00 2001
-From: Dimitri John Ledkov <xnox@ubuntu.com>
-Date: Fri, 28 Sep 2018 17:30:19 +0100
-Subject: [PATCH 4/4] bpo-34836: fix test_default_ecdh_curve, needs no tlsv1.3.
-
-Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
-
-https://bugs.python.org/issue34836
-
-Patch taken from Ubuntu.
-Upstream-Status: Submitted [https://github.com/python/cpython/pull/9626]
-
-Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
----
- Lib/test/test_ssl.py | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index efc906a5ba..4a3286cd5f 100644
---- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
-@@ -2836,6 +2836,9 @@ else:
- # should be enabled by default on SSL contexts.
- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
- context.load_cert_chain(CERTFILE)
-+ # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
-+ # cipher name.
-+ context.options |= ssl.OP_NO_TLSv1_3
- # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
- # explicitly using the 'ECCdraft' cipher alias. Otherwise,
- # our default cipher list should prefer ECDH-based ciphers
---
-2.17.1
-
diff --git a/meta/recipes-devtools/python/python_2.7.15.bb b/meta/recipes-devtools/python/python_2.7.16.bb
similarity index 98%
rename from meta/recipes-devtools/python/python_2.7.15.bb
rename to meta/recipes-devtools/python/python_2.7.16.bb
index 3f361ae..7fe16f7 100644
--- a/meta/recipes-devtools/python/python_2.7.15.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -31,8 +31,6 @@ SRC_URI += "\
file://pass-missing-libraries-to-Extension-for-mul.patch \
file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
file://float-endian.patch \
- file://0001-closes-bpo-34540-Convert-shutil._call_external_zip-t.patch \
- file://0001-2.7-bpo-34623-Use-XML_SetHashSalt-in-_elementtree-GH.patch \
"
S = "${WORKDIR}/Python-${PV}"
--
2.7.4
* [thud][ 05/25] python: add a fix for CVE-2019-9948 and CVE-2019-9636
2019-06-26 16:53 [thud][ 00/25] Patch review Armin Kuster
` (3 preceding siblings ...)
2019-06-26 16:53 ` [thud][ 04/25] python: Update to 2.7.16 Armin Kuster
@ 2019-06-26 16:53 ` Armin Kuster
2019-06-26 16:53 ` [thud][ 06/25] busybox: Security fixes for CVE-2018-20679 CVE-2019-5747 Armin Kuster
` (19 subsequent siblings)
24 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
Source: OpenEmbedded.org
MR: 98320, 98319
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/python/python_2.7.16.bb?id=9d23b982fa4e0290761b3d15f6959779fed72ad6
ChangeID: e79b6fe3b7b4253bf0d76b029070ae869d5234bd
Description:
Fixes:
CVE-2019-9948
CVE-2019-9636
CVE-2019-9940 is a dup of 9948 per python.org
CVE-2019-9947 appears to be a dup of 9940 per https://bugs.python.org/issue30458#msg295067
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Minor clean up for thud]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../python/bpo-35907-cve-2019-9948-fix.patch | 55 ++++++++++
.../python/python/bpo-35907-cve-2019-9948.patch | 55 ++++++++++
.../python/bpo-36216-cve-2019-9636-fix.patch | 28 ++++++
.../python/python/bpo-36216-cve-2019-9636.patch | 111 +++++++++++++++++++++
meta/recipes-devtools/python/python_2.7.16.bb | 4 +
5 files changed, 253 insertions(+)
create mode 100644 meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
create mode 100644 meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
create mode 100644 meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
create mode 100644 meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
new file mode 100644
index 0000000..b267237
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
@@ -0,0 +1,55 @@
+From 179a5f75f1121dab271fe8f90eb35145f9dcbbda Mon Sep 17 00:00:00 2001
+From: Sihoon Lee <push0ebp@gmail.com>
+Date: Fri, 17 May 2019 02:41:06 +0900
+Subject: [PATCH] Update test_urllib.py and urllib.py\nchange assertEqual into
+ assertRasies in DummyURLopener test, and simplify mitigation
+
+Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
+
+CVE: CVE-2019-9948
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ Lib/test/test_urllib.py | 11 +++--------
+ Lib/urllib.py | 4 ++--
+ 2 files changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index e5f210e62a18..1e23dfb0bb16 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -1027,14 +1027,9 @@ def test_local_file_open(self):
+ class DummyURLopener(urllib.URLopener):
+ def open_local_file(self, url):
+ return url
+- self.assertEqual(DummyURLopener().open(
+- 'local-file://example'), '//example')
+- self.assertEqual(DummyURLopener().open(
+- 'local_file://example'), '//example')
+- self.assertRaises(IOError, urllib.urlopen,
+- 'local-file://example')
+- self.assertRaises(IOError, urllib.urlopen,
+- 'local_file://example')
++ for url in ('local_file://example', 'local-file://example'):
++ self.assertRaises(IOError, DummyURLopener().open, url)
++ self.assertRaises(IOError, urllib.urlopen, url)
+
+ # Just commented them out.
+ # Can't really tell why keep failing in windows and sparc.
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+index a24e9a5c68fb..39b834054e9e 100644
+--- a/Lib/urllib.py
++++ b/Lib/urllib.py
+@@ -203,10 +203,10 @@ def open(self, fullurl, data=None):
+ name = 'open_' + urltype
+ self.type = urltype
+ name = name.replace('-', '_')
+-
++
+ # bpo-35907: # disallow the file reading with the type not allowed
+ if not hasattr(self, name) or \
+- (self == _urlopener and name == 'open_local_file'):
++ getattr(self, name) == self.open_local_file:
+ if proxy:
+ return self.open_unknown_proxy(proxy, fullurl, data)
+ else:
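Review bot: this patch only applies on top of bpo-35907-cve-2019-9948.patch, since its context already contains test_local_file_open and the `self == _urlopener` check, so the SRC_URI entry must come after that file and the header should state the dependency. Two smaller points: the Upstream-Status line gives the URL without the square brackets used by the other patches in this series, and the urllib.py hunk replaces one blank line with another, a whitespace-only change that is best dropped from the backport.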
diff --git a/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
new file mode 100644
index 0000000..f4c225d
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
@@ -0,0 +1,55 @@
+From 8f99cc799e4393bf1112b9395b2342f81b3f45ef Mon Sep 17 00:00:00 2001
+From: push0ebp <push0ebp@shl-MacBook-Pro.local>
+Date: Thu, 14 Feb 2019 02:05:46 +0900
+Subject: [PATCH] bpo-35907: Avoid file reading as disallowing the unnecessary
+ URL scheme in urllib
+
+Upstream-Status: Submitted https://github.com/python/cpython/pull/11842
+
+CVE: CVE-2019-9948
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ Lib/test/test_urllib.py | 12 ++++++++++++
+ Lib/urllib.py | 5 ++++-
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py
+index 1ce9201c0693..e5f210e62a18 100644
+--- a/Lib/test/test_urllib.py
++++ b/Lib/test/test_urllib.py
+@@ -1023,6 +1023,18 @@ def open_spam(self, url):
+ "spam://c:|windows%/:=&?~#+!$,;'@()*[]|/path/"),
+ "//c:|windows%/:=&?~#+!$,;'@()*[]|/path/")
+
++ def test_local_file_open(self):
++ class DummyURLopener(urllib.URLopener):
++ def open_local_file(self, url):
++ return url
++ self.assertEqual(DummyURLopener().open(
++ 'local-file://example'), '//example')
++ self.assertEqual(DummyURLopener().open(
++ 'local_file://example'), '//example')
++ self.assertRaises(IOError, urllib.urlopen,
++ 'local-file://example')
++ self.assertRaises(IOError, urllib.urlopen,
++ 'local_file://example')
+
+ # Just commented them out.
+ # Can't really tell why keep failing in windows and sparc.
+diff --git a/Lib/urllib.py b/Lib/urllib.py
+index d85504a5cb7e..a24e9a5c68fb 100644
+--- a/Lib/urllib.py
++++ b/Lib/urllib.py
+@@ -203,7 +203,10 @@ def open(self, fullurl, data=None):
+ name = 'open_' + urltype
+ self.type = urltype
+ name = name.replace('-', '_')
+- if not hasattr(self, name):
++
++ # bpo-35907: # disallow the file reading with the type not allowed
++ if not hasattr(self, name) or \
++ (self == _urlopener and name == 'open_local_file'):
+ if proxy:
+ return self.open_unknown_proxy(proxy, fullurl, data)
+ else:
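Review bot: in URLopener.open() the added test `self == _urlopener and name == 'open_local_file'` only rejects the scheme on the module-level opener, so an opener constructed directly still dispatches 'local_file://' and 'local-file://' URLs to open_local_file(). bpo-35907-cve-2019-9948-fix.patch rewrites this same condition, so consider squashing the two patches so that no intermediate state carries the partial check. The doubled '#' in the `# bpo-35907: # disallow ...` comment could be tidied at the same time.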
diff --git a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
new file mode 100644
index 0000000..2ce4d2c
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
@@ -0,0 +1,28 @@
+From 06b5ee585d6e76bdbb4002f642d864d860cbbd2b Mon Sep 17 00:00:00 2001
+From: Steve Dower <steve.dower@python.org>
+Date: Tue, 12 Mar 2019 08:23:33 -0700
+Subject: [PATCH] bpo-36216: Only print test messages when verbose
+
+CVE: CVE-2019-9636
+
+Upstream-Status: Backport https://github.com/python/cpython/pull/12291/commits/06b5ee585d6e76bdbb4002f642d864d860cbbd2b
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ Lib/test/test_urlparse.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 73b0228ea8e3..1830d0b28688 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -644,7 +644,8 @@ def test_urlsplit_normalization(self):
+ for scheme in [u"http", u"https", u"ftp"]:
+ for c in denorm_chars:
+ url = u"{}://netloc{}false.netloc/path".format(scheme, c)
+- print "Checking %r" % url
++ if test_support.verbose:
++ print "Checking %r" % url
+ with self.assertRaises(ValueError):
+ urlparse.urlsplit(url)
+
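Review bot: the `CVE: CVE-2019-9636` tag in this header is attached to a change that only gates the test's `print "Checking %r" % url` behind `test_support.verbose`; it does not touch Lib/urlparse.py. Consider folding it into bpo-36216-cve-2019-9636.patch, which adds that print line, or say in the header that this is a test-output follow-up so that CVE tracking does not count it as part of the fix.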
diff --git a/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
new file mode 100644
index 0000000..352b13b
--- /dev/null
+++ b/meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
@@ -0,0 +1,111 @@
+From 3e3669c9c41a27e1466e2c28b3906e3dd0ce3e7e Mon Sep 17 00:00:00 2001
+From: Steve Dower <steve.dower@python.org>
+Date: Thu, 7 Mar 2019 08:25:22 -0800
+Subject: [PATCH] bpo-36216: Add check for characters in netloc that normalize
+ to separators (GH-12201)
+
+CVE: CVE-2019-9636
+
+Upstream-Status: Backport https://github.com/python/cpython/pull/12216/commits/3e3669c9c41a27e1466e2c28b3906e3dd0ce3e7e
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ Doc/library/urlparse.rst | 20 ++++++++++++++++
+ Lib/test/test_urlparse.py | 24 +++++++++++++++++++
+ Lib/urlparse.py | 17 +++++++++++++
+ .../2019-03-06-09-38-40.bpo-36216.6q1m4a.rst | 3 +++
+ 4 files changed, 64 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+
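Review bot: the diffstat in this header lists `Doc/library/urlparse.rst | 20` and "4 files changed, 64 insertions(+)", but the body only carries hunks for Lib/test/test_urlparse.py, Lib/urlparse.py and the Misc/NEWS.d entry. If the documentation hunk was dropped on purpose for the backport, please say so in the header and regenerate the diffstat; otherwise restore it.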
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 4e1ded73c266..73b0228ea8e3 100644
+--- a/Lib/test/test_urlparse.py
++++ b/Lib/test/test_urlparse.py
+@@ -1,4 +1,6 @@
+ from test import test_support
++import sys
++import unicodedata
+ import unittest
+ import urlparse
+
+@@ -624,6 +626,28 @@ def test_portseparator(self):
+ self.assertEqual(urlparse.urlparse("http://www.python.org:80"),
+ ('http','www.python.org:80','','','',''))
+
++ def test_urlsplit_normalization(self):
++ # Certain characters should never occur in the netloc,
++ # including under normalization.
++ # Ensure that ALL of them are detected and cause an error
++ illegal_chars = u'/:#?@'
++ hex_chars = {'{:04X}'.format(ord(c)) for c in illegal_chars}
++ denorm_chars = [
++ c for c in map(unichr, range(128, sys.maxunicode))
++ if (hex_chars & set(unicodedata.decomposition(c).split()))
++ and c not in illegal_chars
++ ]
++ # Sanity check that we found at least one such character
++ self.assertIn(u'\u2100', denorm_chars)
++ self.assertIn(u'\uFF03', denorm_chars)
++
++ for scheme in [u"http", u"https", u"ftp"]:
++ for c in denorm_chars:
++ url = u"{}://netloc{}false.netloc/path".format(scheme, c)
++ print "Checking %r" % url
++ with self.assertRaises(ValueError):
++ urlparse.urlsplit(url)
++
+ def test_main():
+ test_support.run_unittest(UrlParseTestCase)
+
+diff --git a/Lib/urlparse.py b/Lib/urlparse.py
+index f7c2b032b097..54eda08651ab 100644
+--- a/Lib/urlparse.py
++++ b/Lib/urlparse.py
+@@ -165,6 +165,21 @@ def _splitnetloc(url, start=0):
+ delim = min(delim, wdelim) # use earliest delim position
+ return url[start:delim], url[delim:] # return (domain, rest)
+
++def _checknetloc(netloc):
++ if not netloc or not isinstance(netloc, unicode):
++ return
++ # looking for characters like \u2100 that expand to 'a/c'
++ # IDNA uses NFKC equivalence, so normalize for this check
++ import unicodedata
++ netloc2 = unicodedata.normalize('NFKC', netloc)
++ if netloc == netloc2:
++ return
++ _, _, netloc = netloc.rpartition('@') # anything to the left of '@' is okay
++ for c in '/?#@:':
++ if c in netloc2:
++ raise ValueError("netloc '" + netloc2 + "' contains invalid " +
++ "characters under NFKC normalization")
++
+ def urlsplit(url, scheme='', allow_fragments=True):
+ """Parse a URL into 5 components:
+ <scheme>://<netloc>/<path>?<query>#<fragment>
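Review bot: in _checknetloc() the result of `netloc.rpartition('@')` is assigned to `netloc`, but the loop that follows tests `netloc2`, the NFKC form of the whole netloc, so the assignment is dead and the comment "anything to the left of '@' is okay" is not implemented. As written, a netloc that has credentials or a port and also contains any character that changes under NFKC raises ValueError on its own '@' or ':'. Suggest stripping the userinfo (and handling the port) before normalizing, and checking whether upstream has a follow-up to this function that should be backported together with it.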
+@@ -193,6 +208,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ url, fragment = url.split('#', 1)
+ if '?' in url:
+ url, query = url.split('?', 1)
++ _checknetloc(netloc)
+ v = SplitResult(scheme, netloc, url, query, fragment)
+ _parse_cache[key] = v
+ return v
+@@ -216,6 +232,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ url, fragment = url.split('#', 1)
+ if '?' in url:
+ url, query = url.split('?', 1)
++ _checknetloc(netloc)
+ v = SplitResult(scheme, netloc, url, query, fragment)
+ _parse_cache[key] = v
+ return v
+diff --git a/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+new file mode 100644
+index 000000000000..1e1ad92c6feb
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2019-03-06-09-38-40.bpo-36216.6q1m4a.rst
+@@ -0,0 +1,3 @@
++Changes urlsplit() to raise ValueError when the URL contains characters that
++decompose under IDNA encoding (NFKC-normalization) into characters that
++affect how the URL is parsed.
+\ No newline at end of file
diff --git a/meta/recipes-devtools/python/python_2.7.16.bb b/meta/recipes-devtools/python/python_2.7.16.bb
index 7fe16f7..9c79faf 100644
--- a/meta/recipes-devtools/python/python_2.7.16.bb
+++ b/meta/recipes-devtools/python/python_2.7.16.bb
@@ -31,6 +31,10 @@ SRC_URI += "\
file://pass-missing-libraries-to-Extension-for-mul.patch \
file://support_SOURCE_DATE_EPOCH_in_py_compile_2.7.patch \
file://float-endian.patch \
+ file://bpo-35907-cve-2019-9948.patch \
+ file://bpo-35907-cve-2019-9948-fix.patch \
+ file://bpo-36216-cve-2019-9636.patch \
+ file://bpo-36216-cve-2019-9636-fix.patch \
"
S = "${WORKDIR}/Python-${PV}"
--
2.7.4
* [thud][ 06/25] busybox: Security fixes for CVE-2018-20679 CVE-2019-5747
2019-06-26 16:53 [thud][ 00/25] Patch review Armin Kuster
` (4 preceding siblings ...)
2019-06-26 16:53 ` [thud][ 05/25] python: add a fix for CVE-2019-9948 and CVE-2019-9636 Armin Kuster
@ 2019-06-26 16:53 ` Armin Kuster
2019-06-26 16:53 ` [thud][ 07/25] sqlite3: Security fixes for CVE-2018-20505 & 20506 Armin Kuster
` (18 subsequent siblings)
24 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
Source: busybox.git
MR: 97332
Type: Security Fix
Disposition: Backport from busybox.git
ChangeID: ec203c79e7322de1ed5721d08b6f59b1eca67c7d
Description:
Affects < 1.30.0
Fixes:
CVE-2018-20679
CVE-2019-5747
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../busybox/busybox/CVE-2018-20679.patch | 142 +++++++++++++++++++++
.../busybox/busybox/CVE-2019-5747.patch | 60 +++++++++
meta/recipes-core/busybox/busybox_1.29.3.bb | 2 +
3 files changed, 204 insertions(+)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2018-20679.patch
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2019-5747.patch
diff --git a/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch b/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch
new file mode 100644
index 0000000..e469376
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2018-20679.patch
@@ -0,0 +1,142 @@
+From 6d3b4bb24da9a07c263f3c1acf8df85382ff562c Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 17 Dec 2018 18:07:18 +0100
+Subject: [PATCH] udhcpc: check that 4-byte options are indeed 4-byte, closes
+ 11506
+
+function old new delta
+udhcp_get_option32 - 27 +27
+udhcp_get_option 231 248 +17
+------------------------------------------------------------------------------
+(add/remove: 1/0 grow/shrink: 1/0 up/down: 44/0) Total: 44 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-20679
+
+Affects < 1.30.0
+
+signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ networking/udhcp/common.c | 19 +++++++++++++++++++
+ networking/udhcp/common.h | 4 ++++
+ networking/udhcp/dhcpc.c | 6 +++---
+ networking/udhcp/dhcpd.c | 6 +++---
+ 4 files changed, 29 insertions(+), 6 deletions(-)
+
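Review bot: the trailer after "Affects < 1.30.0" in this header is written `signed-off-by:` in lower case; please use `Signed-off-by:` as in the other patches of this series. `Upstream-Status: Backport` would also be easier to audit with the upstream commit URL next to it, as the Python patches in this series do.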
+Index: busybox-1.29.3/networking/udhcp/common.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.c
++++ busybox-1.29.3/networking/udhcp/common.c
+@@ -270,6 +270,15 @@ uint8_t* FAST_FUNC udhcp_get_option(stru
+ goto complain; /* complain and return NULL */
+
+ if (optionptr[OPT_CODE] == code) {
++ if (optionptr[OPT_LEN] == 0) {
++ /* So far no valid option with length 0 known.
++ * Having this check means that searching
++ * for DHCP_MESSAGE_TYPE need not worry
++ * that returned pointer might be unsafe
++ * to dereference.
++ */
++ goto complain; /* complain and return NULL */
++ }
+ log_option("option found", optionptr);
+ return optionptr + OPT_DATA;
+ }
+@@ -287,6 +296,16 @@ uint8_t* FAST_FUNC udhcp_get_option(stru
+ return NULL;
+ }
+
++uint8_t* FAST_FUNC udhcp_get_option32(struct dhcp_packet *packet, int code)
++{
++ uint8_t *r = udhcp_get_option(packet, code);
++ if (r) {
++ if (r[-1] != 4)
++ r = NULL;
++ }
++ return r;
++}
++
+ /* Return the position of the 'end' option (no bounds checking) */
+ int FAST_FUNC udhcp_end_option(uint8_t *optionptr)
+ {
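Review bot: `r[-1] != 4` in udhcp_get_option32() hard-codes the distance between the option data and its length byte; prefer the OPT_DATA and OPT_LEN names that udhcp_get_option() already uses (`r[-OPT_DATA + OPT_LEN]`). CVE-2019-5747.patch in this series makes exactly that change and its hunk context depends on this one, so the two entries must stay in this order in SRC_URI.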
+Index: busybox-1.29.3/networking/udhcp/common.h
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.h
++++ busybox-1.29.3/networking/udhcp/common.h
+@@ -204,6 +204,10 @@ extern const uint8_t dhcp_option_lengths
+ unsigned FAST_FUNC udhcp_option_idx(const char *name, const char *option_strings);
+
+ uint8_t *udhcp_get_option(struct dhcp_packet *packet, int code) FAST_FUNC;
++/* Same as above + ensures that option length is 4 bytes
++ * (returns NULL if size is different)
++ */
++uint8_t *udhcp_get_option32(struct dhcp_packet *packet, int code) FAST_FUNC;
+ int udhcp_end_option(uint8_t *optionptr) FAST_FUNC;
+ void udhcp_add_binary_option(struct dhcp_packet *packet, uint8_t *addopt) FAST_FUNC;
+ #if ENABLE_UDHCPC || ENABLE_UDHCPD
+Index: busybox-1.29.3/networking/udhcp/dhcpc.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/dhcpc.c
++++ busybox-1.29.3/networking/udhcp/dhcpc.c
+@@ -1694,7 +1694,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
+ * They say ISC DHCP client supports this case.
+ */
+ server_addr = 0;
+- temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
++ temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+ if (!temp) {
+ bb_error_msg("no server ID, using 0.0.0.0");
+ } else {
+@@ -1721,7 +1721,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
+ struct in_addr temp_addr;
+ uint8_t *temp;
+
+- temp = udhcp_get_option(&packet, DHCP_LEASE_TIME);
++ temp = udhcp_get_option32(&packet, DHCP_LEASE_TIME);
+ if (!temp) {
+ bb_error_msg("no lease time with ACK, using 1 hour lease");
+ lease_seconds = 60 * 60;
+@@ -1817,7 +1817,7 @@ int udhcpc_main(int argc UNUSED_PARAM, c
+ uint32_t svid;
+ uint8_t *temp;
+
+- temp = udhcp_get_option(&packet, DHCP_SERVER_ID);
++ temp = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+ if (!temp) {
+ non_matching_svid:
+ log1("received DHCP NAK with wrong"
+Index: busybox-1.29.3/networking/udhcp/dhcpd.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/dhcpd.c
++++ busybox-1.29.3/networking/udhcp/dhcpd.c
+@@ -640,7 +640,7 @@ static void add_server_options(struct dh
+ static uint32_t select_lease_time(struct dhcp_packet *packet)
+ {
+ uint32_t lease_time_sec = server_config.max_lease_sec;
+- uint8_t *lease_time_opt = udhcp_get_option(packet, DHCP_LEASE_TIME);
++ uint8_t *lease_time_opt = udhcp_get_option32(packet, DHCP_LEASE_TIME);
+ if (lease_time_opt) {
+ move_from_unaligned32(lease_time_sec, lease_time_opt);
+ lease_time_sec = ntohl(lease_time_sec);
+@@ -987,7 +987,7 @@ int udhcpd_main(int argc UNUSED_PARAM, c
+ }
+
+ /* Get SERVER_ID if present */
+- server_id_opt = udhcp_get_option(&packet, DHCP_SERVER_ID);
++ server_id_opt = udhcp_get_option32(&packet, DHCP_SERVER_ID);
+ if (server_id_opt) {
+ uint32_t server_id_network_order;
+ move_from_unaligned32(server_id_network_order, server_id_opt);
+@@ -1011,7 +1011,7 @@ int udhcpd_main(int argc UNUSED_PARAM, c
+ }
+
+ /* Get REQUESTED_IP if present */
+- requested_ip_opt = udhcp_get_option(&packet, DHCP_REQUESTED_IP);
++ requested_ip_opt = udhcp_get_option32(&packet, DHCP_REQUESTED_IP);
+ if (requested_ip_opt) {
+ move_from_unaligned32(requested_nip, requested_ip_opt);
+ }
diff --git a/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch b/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch
new file mode 100644
index 0000000..4225b11
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2019-5747.patch
@@ -0,0 +1,60 @@
+From 74d9f1ba37010face4bd1449df4d60dd84450b06 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 7 Jan 2019 15:33:42 +0100
+Subject: [PATCH] udhcpc: when decoding DHCP_SUBNET, ensure it is 4 bytes long
+
+function old new delta
+udhcp_run_script 795 801 +6
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-5747
+Affects < 1.30.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ networking/udhcp/common.c | 2 +-
+ networking/udhcp/common.h | 2 +-
+ networking/udhcp/dhcpc.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+Index: busybox-1.29.3/networking/udhcp/common.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.c
++++ busybox-1.29.3/networking/udhcp/common.c
+@@ -300,7 +300,7 @@ uint8_t* FAST_FUNC udhcp_get_option32(st
+ {
+ uint8_t *r = udhcp_get_option(packet, code);
+ if (r) {
+- if (r[-1] != 4)
++ if (r[-OPT_DATA + OPT_LEN] != 4)
+ r = NULL;
+ }
+ return r;
+Index: busybox-1.29.3/networking/udhcp/common.h
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/common.h
++++ busybox-1.29.3/networking/udhcp/common.h
+@@ -119,7 +119,7 @@ enum {
+ //#define DHCP_TIME_SERVER 0x04 /* RFC 868 time server (32-bit, 0 = 1.1.1900) */
+ //#define DHCP_NAME_SERVER 0x05 /* IEN 116 _really_ ancient kind of NS */
+ //#define DHCP_DNS_SERVER 0x06
+-//#define DHCP_LOG_SERVER 0x07 /* port 704 UDP log (not syslog)
++//#define DHCP_LOG_SERVER 0x07 /* port 704 UDP log (not syslog) */
+ //#define DHCP_COOKIE_SERVER 0x08 /* "quote of the day" server */
+ //#define DHCP_LPR_SERVER 0x09
+ #define DHCP_HOST_NAME 0x0c /* either client informs server or server gives name to client */
+Index: busybox-1.29.3/networking/udhcp/dhcpc.c
+===================================================================
+--- busybox-1.29.3.orig/networking/udhcp/dhcpc.c
++++ busybox-1.29.3/networking/udhcp/dhcpc.c
+@@ -526,7 +526,7 @@ static char **fill_envp(struct dhcp_pack
+ temp = udhcp_get_option(packet, code);
+ *curr = xmalloc_optname_optval(temp, &dhcp_optflags[i], opt_name);
+ putenv(*curr++);
+- if (code == DHCP_SUBNET) {
++ if (code == DHCP_SUBNET && temp[-OPT_DATA + OPT_LEN] == 4) {
+ /* Subnet option: make things like "$ip/$mask" possible */
+ uint32_t subnet;
+ move_from_unaligned32(subnet, temp);
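Review bot: in fill_envp() `temp[-OPT_DATA + OPT_LEN]` is read without a NULL check on the pointer returned by `udhcp_get_option(packet, code)` a few lines earlier, and CVE-2018-20679.patch in this series makes that function return NULL for zero-length options. Please confirm that the surrounding loop only visits option codes whose lookup has already succeeded; if it does not, add `temp &&` to the condition. Note that `xmalloc_optname_optval(temp, ...)` receives the same pointer before the new check.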
diff --git a/meta/recipes-core/busybox/busybox_1.29.3.bb b/meta/recipes-core/busybox/busybox_1.29.3.bb
index 6064e9f..5714d70 100644
--- a/meta/recipes-core/busybox/busybox_1.29.3.bb
+++ b/meta/recipes-core/busybox/busybox_1.29.3.bb
@@ -41,6 +41,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
file://rcS \
file://rcK \
file://makefile-libbb-race.patch \
+ file://CVE-2018-20679.patch \
+ file://CVE-2019-5747.patch \
"
SRC_URI_append_libc-musl = " file://musl.cfg "
--
2.7.4
* [thud][ 07/25] sqlite3: Security fixes for CVE-2018-20505 & 20506
2019-06-26 16:53 [thud][ 00/25] Patch review Armin Kuster
` (5 preceding siblings ...)
2019-06-26 16:53 ` [thud][ 06/25] busybox: Security fixes for CVE-2018-20679 CVE-2019-5747 Armin Kuster
@ 2019-06-26 16:53 ` Armin Kuster
2019-06-26 16:53 ` [thud][ 08/25] file: Multiple Security fixes Armin Kuster
` (17 subsequent siblings)
24 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: sqlite.org
MR: 97484, 97490
Type: Security Fix
Disposition: Backport from sqlite.org
ChangeID: c6105b5d3ce4fb2c0f38c3cab745b769d2df38f5
Description:
Affects < 3.26.0
fixes:
CVE-2018-20505
CVE-2018-20506
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../sqlite/files/CVE-2018-20505.patch | 31 +++++++
.../sqlite/files/CVE-2018-20506.patch | 103 +++++++++++++++++++++
meta/recipes-support/sqlite/sqlite3_3.23.1.bb | 2 +
3 files changed, 136 insertions(+)
create mode 100644 meta/recipes-support/sqlite/files/CVE-2018-20505.patch
create mode 100644 meta/recipes-support/sqlite/files/CVE-2018-20506.patch
diff --git a/meta/recipes-support/sqlite/files/CVE-2018-20505.patch b/meta/recipes-support/sqlite/files/CVE-2018-20505.patch
new file mode 100644
index 0000000..d1119f3
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2018-20505.patch
@@ -0,0 +1,31 @@
+From: D. Richard Hipp <drh@hwaci.com>
+Date: Sat, 3 Nov 2018 13:11:24 +0000 (+0000)
+Subject: Fix a assert() in the query planner that can arise when doing row-value
+X-Git-Tag: version-3.26.0~59
+X-Git-Url: https://repo.or.cz/sqlite.git/commitdiff_plain/24298027a30cf7941f16a8cc878d0c1f9f14308f
+
+Fix a assert() in the query planner that can arise when doing row-value
+operations on a PRIMARY KEY that contains duplicate columns.
+Ticket [1a84668dcfdebaf12415d].
+
+https://sqlite.org/src/info/1a84668dcfdebaf12415d
+
+upstream-Status: Backport
+CVE: CVE-2018-20505
+affects <= 3.26.0
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
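Review bot: this header says `affects <= 3.26.0`, but the X-Git-Tag above it is `version-3.26.0~59` and the cover text of this mail says "Affects < 3.26.0", so 3.26.0 itself already contains the fix; please change it to `< 3.26.0` (the same applies to the "Affects <= 3.26.0" line in CVE-2018-20506.patch). The status tag is also written `upstream-Status:` with a lower-case "u", unlike `Upstream-Status:` in the other patches; use the capitalised form.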
+Index: sqlite-autoconf-3230100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3230100.orig/sqlite3.c
++++ sqlite-autoconf-3230100/sqlite3.c
+@@ -131231,7 +131231,7 @@ static Expr *removeUnindexableInClauseTe
+ for(i=iEq; i<pLoop->nLTerm; i++){
+ if( pLoop->aLTerm[i]->pExpr==pX ){
+ int iField = pLoop->aLTerm[i]->iField - 1;
+- assert( pOrigRhs->a[iField].pExpr!=0 );
++ if( pOrigRhs->a[iField].pExpr==0 ) continue; /* Duplicate PK column */
+ pRhs = sqlite3ExprListAppend(pParse, pRhs, pOrigRhs->a[iField].pExpr);
+ pOrigRhs->a[iField].pExpr = 0;
+ assert( pOrigLhs->a[iField].pExpr!=0 );
diff --git a/meta/recipes-support/sqlite/files/CVE-2018-20506.patch b/meta/recipes-support/sqlite/files/CVE-2018-20506.patch
new file mode 100644
index 0000000..7919f9b
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2018-20506.patch
@@ -0,0 +1,103 @@
+From: Dan Kennedy <danielk1977@gmail.com>
+Date: Sat, 3 Nov 2018 16:51:30 +0000 (+0000)
+Subject: Add extra defenses against strategically corrupt databases to fts3/4.
+X-Git-Tag: version-3.26.0~58
+X-Git-Url: https://repo.or.cz/sqlite.git/commitdiff_plain/19816852d4e82e115338b1997540c26a1b794d18
+
+Add extra defenses against strategically corrupt databases to fts3/4.
+
+https://sqlite.org/src/info/940f2adc8541a838
+
+Upstream-Status: Backport
+CVE: CVE-2018-20506
+Affects <= 3.26.0
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: sqlite-autoconf-3230100/sqlite3.c
+===================================================================
+--- sqlite-autoconf-3230100.orig/sqlite3.c
++++ sqlite-autoconf-3230100/sqlite3.c
+@@ -152368,7 +152368,7 @@ static int fts3ScanInteriorNode(
+ const char *zCsr = zNode; /* Cursor to iterate through node */
+ const char *zEnd = &zCsr[nNode];/* End of interior node buffer */
+ char *zBuffer = 0; /* Buffer to load terms into */
+- int nAlloc = 0; /* Size of allocated buffer */
++ i64 nAlloc = 0; /* Size of allocated buffer */
+ int isFirstTerm = 1; /* True when processing first term on page */
+ sqlite3_int64 iChild; /* Block id of child node to descend to */
+
+@@ -152406,14 +152406,14 @@ static int fts3ScanInteriorNode(
+ zCsr += fts3GetVarint32(zCsr, &nSuffix);
+
+ assert( nPrefix>=0 && nSuffix>=0 );
+- if( &zCsr[nSuffix]>zEnd ){
++ if( nPrefix>zCsr-zNode || nSuffix>zEnd-zCsr ){
+ rc = FTS_CORRUPT_VTAB;
+ goto finish_scan;
+ }
+- if( nPrefix+nSuffix>nAlloc ){
++ if( (i64)nPrefix+nSuffix>nAlloc ){
+ char *zNew;
+- nAlloc = (nPrefix+nSuffix) * 2;
+- zNew = (char *)sqlite3_realloc(zBuffer, nAlloc);
++ nAlloc = ((i64)nPrefix+nSuffix) * 2;
++ zNew = (char *)sqlite3_realloc64(zBuffer, nAlloc);
+ if( !zNew ){
+ rc = SQLITE_NOMEM;
+ goto finish_scan;
+@@ -162012,15 +162012,19 @@ static int fts3SegReaderNext(
+ ** safe (no risk of overread) even if the node data is corrupted. */
+ pNext += fts3GetVarint32(pNext, &nPrefix);
+ pNext += fts3GetVarint32(pNext, &nSuffix);
+- if( nPrefix<0 || nSuffix<=0
+- || &pNext[nSuffix]>&pReader->aNode[pReader->nNode]
++ if( nSuffix<=0
++ || (&pReader->aNode[pReader->nNode] - pNext)<nSuffix
++ || nPrefix>pReader->nTermAlloc
+ ){
+ return FTS_CORRUPT_VTAB;
+ }
+
+- if( nPrefix+nSuffix>pReader->nTermAlloc ){
+- int nNew = (nPrefix+nSuffix)*2;
+- char *zNew = sqlite3_realloc(pReader->zTerm, nNew);
++ /* Both nPrefix and nSuffix were read by fts3GetVarint32() and so are
++ ** between 0 and 0x7FFFFFFF. But the sum of the two may cause integer
++ ** overflow - hence the (i64) casts. */
++ if( (i64)nPrefix+nSuffix>(i64)pReader->nTermAlloc ){
++ i64 nNew = ((i64)nPrefix+nSuffix)*2;
++ char *zNew = sqlite3_realloc64(pReader->zTerm, nNew);
+ if( !zNew ){
+ return SQLITE_NOMEM;
+ }
+@@ -162042,7 +162046,7 @@ static int fts3SegReaderNext(
+ ** b-tree node. And that the final byte of the doclist is 0x00. If either
+ ** of these statements is untrue, then the data structure is corrupt.
+ */
+- if( &pReader->aDoclist[pReader->nDoclist]>&pReader->aNode[pReader->nNode]
++ if( (&pReader->aNode[pReader->nNode] - pReader->aDoclist)<pReader->nDoclist
+ || (pReader->nPopulate==0 && pReader->aDoclist[pReader->nDoclist-1])
+ ){
+ return FTS_CORRUPT_VTAB;
+@@ -164367,7 +164371,9 @@ static int nodeReaderNext(NodeReader *p)
+ p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nPrefix);
+ }
+ p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &nSuffix);
+-
++ if( nPrefix>p->iOff || nSuffix>p->nNode-p->iOff ){
++ return SQLITE_CORRUPT_VTAB;
++ }
+ blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc);
+ if( rc==SQLITE_OK ){
+ memcpy(&p->term.a[nPrefix], &p->aNode[p->iOff], nSuffix);
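Review bot: the new bounds check in nodeReaderNext() returns `SQLITE_CORRUPT_VTAB`, while the checks in fts3ScanInteriorNode() and fts3SegReaderNext() earlier in this patch return `FTS_CORRUPT_VTAB`. Please confirm that this matches the upstream commit and is not a backport slip. The `blobGrowBuffer(&p->term, nPrefix+nSuffix, &rc)` call keeps a plain int sum without the (i64) cast used in the other hunks, which is safe only because the new check bounds both values by p->nNode; a short comment saying so would help.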
+@@ -164375,6 +164381,9 @@ static int nodeReaderNext(NodeReader *p)
+ p->iOff += nSuffix;
+ if( p->iChild==0 ){
+ p->iOff += fts3GetVarint32(&p->aNode[p->iOff], &p->nDoclist);
++ if( (p->nNode-p->iOff)<p->nDoclist ){
++ return SQLITE_CORRUPT_VTAB;
++ }
+ p->aDoclist = &p->aNode[p->iOff];
+ p->iOff += p->nDoclist;
+ }
diff --git a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
index 3755761..d214ea1 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
@@ -5,6 +5,8 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
SRC_URI = "\
http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
+ file://CVE-2018-20505.patch \
+ file://CVE-2018-20506.patch \
"
SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"
SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"
--
2.7.4
* [thud][ 08/25] file: Multiple Security fixes
2019-06-26 16:53 [thud][ 00/25] Patch review Armin Kuster
` (6 preceding siblings ...)
2019-06-26 16:53 ` [thud][ 07/25] sqlite3: Security fixes for CVE-2018-20505 & 20506 Armin Kuster
@ 2019-06-26 16:53 ` Armin Kuster
2019-06-26 16:53 ` [thud][ 09/25] cups: upgrade to 2.2.9 Armin Kuster
` (16 subsequent siblings)
24 siblings, 0 replies; 26+ messages in thread
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: https://github.com/file
MR: 97573, 97578, 97583, 97588
Type: Security Fix
Disposition: Backport from https://github.com/file/file
ChangeID: 159e532d518623f19ba777c8edc24d2dc7e3a4e9
Description:
CVE-2019-8905 is the same fix as CVE-2019-8907
Affects < 5.36.0
Fixes:
CVE-2019-8904
CVE-2019-8906
CVE-2019-8906
CVE-2019-8907
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../recipes-devtools/file/file/CVE-2019-8904.patch | 30 ++++++
.../file/file/CVE-2019-8905_CVE-2019-8907.patch | 120 +++++++++++++++++++++
.../recipes-devtools/file/file/CVE-2019-8906.patch | 27 +++++
meta/recipes-devtools/file/file_5.34.bb | 3 +
4 files changed, 180 insertions(+)
create mode 100644 meta/recipes-devtools/file/file/CVE-2019-8904.patch
create mode 100644 meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch
create mode 100644 meta/recipes-devtools/file/file/CVE-2019-8906.patch
diff --git a/meta/recipes-devtools/file/file/CVE-2019-8904.patch b/meta/recipes-devtools/file/file/CVE-2019-8904.patch
new file mode 100644
index 0000000..5c3d6f7
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2019-8904.patch
@@ -0,0 +1,30 @@
+From 94b7501f48e134e77716e7ebefc73d6bbe72ba55 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 18 Feb 2019 17:30:41 +0000
+Subject: [PATCH] PR/62: spinpx: Avoid non-nul-terminated string read.
+
+Upstream-Status: Backport
+CVE: CVE-2019-8904
+Affects < 5.36
+[Fixup for thud context]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/readelf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: git/src/readelf.c
+===================================================================
+--- git.orig/src/readelf.c
++++ git/src/readelf.c
+@@ -558,8 +558,8 @@ do_bid_note(struct magic_set *ms, unsign
+ }
+ if (namesz == 4 && strcmp((char *)&nbuf[noff], "Go") == 0 &&
+ type == NT_GO_BUILD_ID && descsz < 128) {
+- if (file_printf(ms, ", Go BuildID=%s",
+- (char *)&nbuf[doff]) == -1)
++ if (file_printf(ms, ", Go BuildID=%.*s",
++ CAST(int, descsz), CAST(char *, &nbuf[doff])) == -1)
+ return 1;
+ return 1;
+ }
diff --git a/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch b/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch
new file mode 100644
index 0000000..a55b94c
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2019-8905_CVE-2019-8907.patch
@@ -0,0 +1,120 @@
+From d65781527c8134a1202b2649695d48d5701ac60b Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 18 Feb 2019 17:46:56 +0000
+Subject: [PATCH] PR/62: spinpx: limit size of file_printable.
+
+Upstream-Status: Backport
+CVE: CVE-2019-8905
+CVE: CVE-2019-8907
+affects < 5.36
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/file.h | 4 ++--
+ src/funcs.c | 9 +++++----
+ src/readelf.c | 7 ++++---
+ src/softmagic.c | 14 ++++++++------
+ 4 files changed, 19 insertions(+), 15 deletions(-)
+
+Index: git/src/file.h
+===================================================================
+--- git.orig/src/file.h
++++ git/src/file.h
+@@ -501,7 +501,7 @@ protected int file_looks_utf8(const unsi
+ size_t *);
+ protected size_t file_pstring_length_size(const struct magic *);
+ protected size_t file_pstring_get_length(const struct magic *, const char *);
+-protected char * file_printable(char *, size_t, const char *);
++protected char * file_printable(char *, size_t, const char *, size_t);
+ #ifdef __EMX__
+ protected int file_os2_apptype(struct magic_set *, const char *, const void *,
+ size_t);
+Index: git/src/funcs.c
+===================================================================
+--- git.orig/src/funcs.c
++++ git/src/funcs.c
+@@ -595,12 +595,13 @@ file_pop_buffer(struct magic_set *ms, fi
+ * convert string to ascii printable format.
+ */
+ protected char *
+-file_printable(char *buf, size_t bufsiz, const char *str)
++file_printable(char *buf, size_t bufsiz, const char *str, size_t slen)
+ {
+- char *ptr, *eptr;
++ char *ptr, *eptr = buf + bufsiz - 1;
+ const unsigned char *s = (const unsigned char *)str;
++ const unsigned char *es = s + slen;
+
+- for (ptr = buf, eptr = ptr + bufsiz - 1; ptr < eptr && *s; s++) {
++ for (ptr = buf; ptr < eptr && s < es && *s; s++) {
+ if (isprint(*s)) {
+ *ptr++ = *s;
+ continue;
+Index: git/src/readelf.c
+===================================================================
+--- git.orig/src/readelf.c
++++ git/src/readelf.c
+@@ -750,7 +750,7 @@ do_core_note(struct magic_set *ms, unsig
+ if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+ "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
+ file_printable(sbuf, sizeof(sbuf),
+- CAST(char *, pi.cpi_name)),
++ CAST(char *, pi.cpi_name), sizeof(pi.cpi_name)),
+ elf_getu32(swap, (uint32_t)pi.cpi_pid),
+ elf_getu32(swap, pi.cpi_euid),
+ elf_getu32(swap, pi.cpi_egid),
+@@ -1655,7 +1655,8 @@ dophn_exec(struct magic_set *ms, int cla
+ return -1;
+ if (interp[0])
+ if (file_printf(ms, ", interpreter %s",
+- file_printable(ibuf, sizeof(ibuf), interp)) == -1)
++ file_printable(ibuf, sizeof(ibuf), interp, sizeof(interp)))
++ == -1)
+ return -1;
+ return 0;
+ }
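Review bot: in dophn_exec() the new length argument is `sizeof(interp)`, which is the buffer size only if `interp` is declared as a char array in the thud (5.34) source; the declaration is outside this hunk, and if it is a pointer the call would limit the output to the size of a pointer. Please confirm the declaration. The same question applies to `sizeof(m->value.s)`, `sizeof(p->s)` and `sizeof(ms->ms_value.s)` in the softmagic.c hunks.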
+Index: git/src/softmagic.c
+===================================================================
+--- git.orig/src/softmagic.c
++++ git/src/softmagic.c
+@@ -616,8 +616,8 @@ mprint(struct magic_set *ms, struct magi
+ case FILE_LESTRING16:
+ if (m->reln == '=' || m->reln == '!') {
+ if (file_printf(ms, F(ms, desc, "%s"),
+- file_printable(sbuf, sizeof(sbuf), m->value.s))
+- == -1)
++ file_printable(sbuf, sizeof(sbuf), m->value.s,
++ sizeof(m->value.s))) == -1)
+ return -1;
+ t = ms->offset + m->vallen;
+ }
+@@ -644,7 +644,8 @@ mprint(struct magic_set *ms, struct magi
+ }
+
+ if (file_printf(ms, F(ms, desc, "%s"),
+- file_printable(sbuf, sizeof(sbuf), str)) == -1)
++ file_printable(sbuf, sizeof(sbuf), str,
++ sizeof(p->s) - (str - p->s))) == -1)
+ return -1;
+
+ if (m->type == FILE_PSTRING)
+@@ -750,7 +751,7 @@ mprint(struct magic_set *ms, struct magi
+ return -1;
+ }
+ rval = file_printf(ms, F(ms, desc, "%s"),
+- file_printable(sbuf, sizeof(sbuf), cp));
++ file_printable(sbuf, sizeof(sbuf), cp, ms->search.rm_len));
+ free(cp);
+
+ if (rval == -1)
+@@ -777,7 +778,8 @@ mprint(struct magic_set *ms, struct magi
+ break;
+ case FILE_DER:
+ if (file_printf(ms, F(ms, desc, "%s"),
+- file_printable(sbuf, sizeof(sbuf), ms->ms_value.s)) == -1)
++ file_printable(sbuf, sizeof(sbuf), ms->ms_value.s,
++ sizeof(ms->ms_value.s))) == -1)
+ return -1;
+ t = ms->offset;
+ break;
diff --git a/meta/recipes-devtools/file/file/CVE-2019-8906.patch b/meta/recipes-devtools/file/file/CVE-2019-8906.patch
new file mode 100644
index 0000000..1079ac6
--- /dev/null
+++ b/meta/recipes-devtools/file/file/CVE-2019-8906.patch
@@ -0,0 +1,27 @@
+From 2858eaf99f6cc5aae129bcbf1e24ad160240185f Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Wed, 2 Jan 2019 19:44:14 +0000
+Subject: [PATCH] Avoid OOB read (found by ASAN reported by F. Alonso)
+
+Upstream-Status: Backport
+CVE: CVE-2019-8906
+Affects < 5.36
+[Fixup for thud context]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/readelf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: git/src/readelf.c
+===================================================================
+--- git.orig/src/readelf.c
++++ git/src/readelf.c
+@@ -745,7 +745,7 @@ do_core_note(struct magic_set *ms, unsig
+ char sbuf[512];
+ struct NetBSD_elfcore_procinfo pi;
+ memset(&pi, 0, sizeof(pi));
+- memcpy(&pi, nbuf + doff, descsz);
++ memcpy(&pi, nbuf + doff, MIN(descsz, sizeof(pi)));
+
+ if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+ "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
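Review bot: MIN(descsz, sizeof(pi)) in the memcpy protects only the destination. Nothing in this hunk shows that nbuf + doff still has that many bytes available, so the source side depends on doff and descsz having been validated against the note buffer earlier in do_core_note. Please confirm that check exists in the 5.34 context. The header also says Upstream-Status: Backport without a link; adding the upstream URL for commit 2858eaf99f6cc5aae129bcbf1e24ad160240185f would make the backport easier to audit.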
diff --git a/meta/recipes-devtools/file/file_5.34.bb b/meta/recipes-devtools/file/file_5.34.bb
index 5d92913..cb19642 100644
--- a/meta/recipes-devtools/file/file_5.34.bb
+++ b/meta/recipes-devtools/file/file_5.34.bb
@@ -16,6 +16,9 @@ UPSTREAM_CHECK_GITTAGREGEX = "FILE(?P<pver>(?!6_23).+)"
SRC_URI = "git://github.com/file/file.git \
file://debian-742262.patch \
+ file://CVE-2019-8906.patch \
+ file://CVE-2019-8904.patch \
+ file://CVE-2019-8905_CVE-2019-8907.patch \
"
SRCREV = "315cef2f699da3c31a54bd3c6c6070680fbaf1f5"
--
2.7.4
* [thud][ 09/25] cups: upgrade to 2.2.9
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
Source: OpenEmbedded.org
MR: 97351
Type: Integration
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-extended/cups?h=warrior&id=ee57d79aec06e9b160cf2713636cda650ba68d5a
ChangeID: ee57d79aec06e9b160cf2713636cda650ba68d5a
Description:
The following patch is rebased.
0001-don-t-try-to-run-generated-binaries.patch
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CUPS 2.2.9 is a bug fix release that addresses issues in the scheduler,
IPP Everywhere support, CUPS library, and USB printer support. Changes include:
Localization changes (Issue #5348, Issue #5362, Issue #5408)
Documentation updates (Issue #5369)
The lpadmin command would create a non-working printer in some error cases
(Issue #5305)
The scheduler would crash if an empty AccessLog directive was specified
(Issue #5309)
Fixed a regression in the changes to ippValidateAttribute (Issue #5322,
Issue #5330)
Fixed a crash bug in the Epson dot matrix driver (Issue #5323)
Automatic debug logging of job errors did not work with systemd (Issue #5337)
The web interface did not list the IPP Everywhere "driver" (Issue #5338)
The IPP Everywhere "driver" now properly supports face-up printers
(Issue #5345)
Fixed some typos in the label printer drivers (Issue #5350)
Multi-file jobs could get stuck if the backend failed (Issue #5359,
Issue #5413)
The IPP Everywhere "driver" no longer does local filtering when printing to
a shared CUPS printer (Issue #5361)
The lpadmin command now correctly reports IPP errors when configuring an
IPP Everywhere printer (Issue #5370)
Fixed some memory leaks discovered by Coverity (Issue #5375)
The PPD compiler incorrectly terminated JCL options (Issue #5379)
The cupstestppd utility did not generate errors for missing/mismatched
CloseUI/JCLCloseUI keywords (Issue #5381)
The scheduler now reports the actual location of the log file (Issue #5398)
Added a USB quirk rule (Issue #5420)
The scheduler was being backgrounded on macOS, causing applications to spin
(rdar://40436080)
The scheduler did not validate that required initial request attributes were
in the operation group (rdar://41098178)
Authentication in the web interface did not work on macOS (rdar://41444473)
Fixed an issue with HTTP Digest authentication (rdar://41709086)
The scheduler could crash when job history was purged (rdar://42198057)
Dropped non-working RSS subscriptions UI from web interface templates.
Fixed a memory leak for some IPP (extension) syntaxes.
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../0001-don-t-try-to-run-generated-binaries.patch | 29 +++++++++++-----------
.../cups/{cups_2.2.8.bb => cups_2.2.9.bb} | 4 +--
2 files changed, 17 insertions(+), 16 deletions(-)
rename meta/recipes-extended/cups/{cups_2.2.8.bb => cups_2.2.9.bb} (40%)
diff --git a/meta/recipes-extended/cups/cups/0001-don-t-try-to-run-generated-binaries.patch b/meta/recipes-extended/cups/cups/0001-don-t-try-to-run-generated-binaries.patch
index db013cf..d6a69f2 100644
--- a/meta/recipes-extended/cups/cups/0001-don-t-try-to-run-generated-binaries.patch
+++ b/meta/recipes-extended/cups/cups/0001-don-t-try-to-run-generated-binaries.patch
@@ -1,20 +1,21 @@
-Upstream-Status: Inappropriate [embedded specific]
-
-From 90069586167b930befce7303aea57078f04b4ed8 Mon Sep 17 00:00:00 2001
+From 1fb07162a9ed187cccf06e34c9bf841d15c6e64e Mon Sep 17 00:00:00 2001
From: Koen Kooi <koen@dominion.thruhere.net>
Date: Sun, 30 Jan 2011 16:37:27 +0100
Subject: [PATCH] don't try to run generated binaries
+Upstream-Status: Inappropriate [embedded specific]
+
Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
+
---
- ppdc/Makefile | 30 +++++++++++++++---------------
- 1 files changed, 15 insertions(+), 15 deletions(-)
+ ppdc/Makefile | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
-Index: cups-2.2.6/ppdc/Makefile
-===================================================================
---- cups-2.2.6.orig/ppdc/Makefile
-+++ cups-2.2.6/ppdc/Makefile
-@@ -228,8 +228,8 @@ genstrings: genstrings.o libcupsppdc.a
+diff --git a/ppdc/Makefile b/ppdc/Makefile
+index e563988..973dd3f 100644
+--- a/ppdc/Makefile
++++ b/ppdc/Makefile
+@@ -189,8 +189,8 @@ genstrings: genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \
$(LD_CXX) $(ARCHFLAGS) $(LDFLAGS) -o genstrings genstrings.o \
libcupsppdc.a ../cups/$(LIBCUPSSTATIC) $(LIBGSSAPI) $(SSLLIBS) \
$(DNSSDLIBS) $(COMMONLIBS) $(LIBZ)
@@ -25,10 +26,10 @@ Index: cups-2.2.6/ppdc/Makefile
#
-@@ -246,9 +246,9 @@ ppdc-static: ppdc.o libcupsppdc.a ../cu
- $(LD_CXX) $(ARCHFLAGS) $(LDFLAGS) -o ppdc-static ppdc.o libcupsppdc.a \
+@@ -209,9 +209,9 @@ ppdc-static: ppdc.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) foo.drv foo-fr.po
../cups/$(LIBCUPSSTATIC) $(LIBGSSAPI) $(SSLLIBS) $(DNSSDLIBS) \
$(COMMONLIBS) $(LIBZ)
+ $(CODE_SIGN) -s "$(CODE_SIGN_IDENTITY)" $@
- echo Testing PPD compiler...
- ./ppdc-static -l en,fr -I ../data foo.drv
- ./ppdc-static -l en,fr -z -I ../data foo.drv
@@ -38,10 +39,10 @@ Index: cups-2.2.6/ppdc/Makefile
#
-@@ -274,17 +274,17 @@ ppdi-static: ppdc-static ppdi.o libcups
- $(LD_CXX) $(ARCHFLAGS) $(LDFLAGS) -o ppdi-static ppdi.o libcupsppdc.a \
+@@ -240,17 +240,17 @@ ppdi-static: ppdc-static ppdi.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC)
../cups/$(LIBCUPSSTATIC) $(LIBGSSAPI) $(SSLLIBS) $(DNSSDLIBS) \
$(COMMONLIBS) $(LIBZ)
+ $(CODE_SIGN) -s "$(CODE_SIGN_IDENTITY)" $@
- echo Testing PPD importer...
- $(RM) -r ppd ppd2 sample-import.drv
- ./ppdc-static -l en -I ../data sample.drv
diff --git a/meta/recipes-extended/cups/cups_2.2.8.bb b/meta/recipes-extended/cups/cups_2.2.9.bb
similarity index 40%
rename from meta/recipes-extended/cups/cups_2.2.8.bb
rename to meta/recipes-extended/cups/cups_2.2.9.bb
index de1bd84..fcd96ef 100644
--- a/meta/recipes-extended/cups/cups_2.2.8.bb
+++ b/meta/recipes-extended/cups/cups_2.2.9.bb
@@ -2,5 +2,5 @@ require cups.inc
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=f212b4338db0da8cb892e94bf2949460"
-SRC_URI[md5sum] = "33150d08993a04c8e22176e93805a051"
-SRC_URI[sha256sum] = "3968fc1d26fc48727508db1c1380e36c6694ab90177fd6920aec5f6cc73af9e4"
+SRC_URI[md5sum] = "798e83bb1a240f5417a252903d83ae0c"
+SRC_URI[sha256sum] = "6d22d5da253b97643320da0bf95574acd85ff2abe3ec1a51d36093841d891156"
--
2.7.4
* [thud][ 10/25] cups: upgrade to 2.2.10
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
Source: OpenEmbedded.org
MR: 97351
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-extended/cups?h=warrior&id=fbe7a0c9bab7c9be7fd2c0da8b2af61e66de1ebd
ChangeID: fbe7a0c9bab7c9be7fd2c0da8b2af61e66de1ebd
Description:
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CUPS 2.2.10 is a bug fix release that addresses issues in the scheduler, IPP Everywhere support, CUPS library, and USB printer support. Changes include:
CVE-2018-4300: Linux session cookies used a predictable random number seed.
The lpoptions command now works with IPP Everywhere printers that have not yet been added as local queues (Issue #5045)
Added USB quirk rules (Issue #5395, Issue #5443)
The generated PPD files for IPP Everywhere printers did not contain the cupsManualCopies keyword (Issue #5433)
Kerberos credentials might be truncated (Issue #5435)
The handling of MaxJobTime 0 did not match the documentation (Issue #5438)
Incorporated the page accounting changes from CUPS 2.3 (Issue #5439)
Fixed a bug adding a queue with the -E option (Issue #5440)
Fixed a crash bug when mapping PPD duplex options to IPP attributes (rdar://46183976)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-extended/cups/{cups_2.2.9.bb => cups_2.2.10.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-extended/cups/{cups_2.2.9.bb => cups_2.2.10.bb} (40%)
diff --git a/meta/recipes-extended/cups/cups_2.2.9.bb b/meta/recipes-extended/cups/cups_2.2.10.bb
similarity index 40%
rename from meta/recipes-extended/cups/cups_2.2.9.bb
rename to meta/recipes-extended/cups/cups_2.2.10.bb
index fcd96ef..490c84e 100644
--- a/meta/recipes-extended/cups/cups_2.2.9.bb
+++ b/meta/recipes-extended/cups/cups_2.2.10.bb
@@ -2,5 +2,5 @@ require cups.inc
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=f212b4338db0da8cb892e94bf2949460"
-SRC_URI[md5sum] = "798e83bb1a240f5417a252903d83ae0c"
-SRC_URI[sha256sum] = "6d22d5da253b97643320da0bf95574acd85ff2abe3ec1a51d36093841d891156"
+SRC_URI[md5sum] = "3d22d747403ec5dcd0b66d1332564816"
+SRC_URI[sha256sum] = "77c8b2b3bb7fe8b5fbfffc307f2c817b2d7ec67b657f261a1dd1c61ab81205bb"
--
2.7.4
* [thud][ 11/25] cairo: fix CVE-2018-19876 CVE-2019-6461 CVE-2019-6462
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
Source: OpenEmbedded.org
MR: 97538, 97543
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-graphics/cairo?h=warrior&id=078e4d5c2114d942806cd0d5ad501805a011e841
ChangeID: fa8bdd44ad8613bb0679a1f6d9d670c3b47a0677
Description:
CVE-2018-19876 is a backport from upstream.
CVE-2019-6461 and CVE-2019-6462 are patches taken from Clear Linux.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Dropped CVE-2018-19876, not affected]
Issue was introduced in 1.15.8 by:
commit 721b7ea0a785afaa04b6da63f970c3c57666fdfe
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../recipes-graphics/cairo/cairo/CVE-2019-6461.patch | 19 +++++++++++++++++++
.../recipes-graphics/cairo/cairo/CVE-2019-6462.patch | 20 ++++++++++++++++++++
meta/recipes-graphics/cairo/cairo_1.14.12.bb | 2 ++
3 files changed, 41 insertions(+)
create mode 100644 meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
create mode 100644 meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
new file mode 100644
index 0000000..5232cf7
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch
@@ -0,0 +1,19 @@
+There is a potential infinite-loop in function _arc_error_normalized().
+
+CVE: CVE-2019-6461
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/src/cairo-arc.c b/src/cairo-arc.c
+index 390397bae..f9249dbeb 100644
+--- a/src/cairo-arc.c
++++ b/src/cairo-arc.c
+@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance)
+ do {
+ angle = M_PI / i++;
+ error = _arc_error_normalized (angle);
+- } while (error > tolerance);
++ } while (error > tolerance && error > __DBL_EPSILON__);
+
+ return angle;
+ }
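Review bot: The added loop condition uses __DBL_EPSILON__, a compiler-predefined macro, instead of DBL_EPSILON from <float.h>; the standard name keeps cairo-arc.c building with compilers that do not predefine it. The patch description also places the infinite loop in _arc_error_normalized(), while the loop being changed is in _arc_max_angle_for_tolerance_normalized() according to the hunk header, so the description should name the function that is actually modified.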
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
new file mode 100644
index 0000000..4e4598c
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch
@@ -0,0 +1,20 @@
+There is an assertion in function _cairo_arc_in_direction().
+
+CVE: CVE-2019-6462
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/src/cairo-arc.c b/src/cairo-arc.c
+index 390397bae..1bde774a4 100644
+--- a/src/cairo-arc.c
++++ b/src/cairo-arc.c
+@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr,
+ if (cairo_status (cr))
+ return;
+
+- assert (angle_max >= angle_min);
++ if (angle_max < angle_min)
++ return;
+
+ if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) {
+ angle_max = fmod (angle_max - angle_min, 2 * M_PI);
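Review bot: Replacing the assert with a bare return when angle_max < angle_min makes _cairo_arc_in_direction() silently draw nothing, and the caller cannot tell that the arc was skipped. Consider whether an error status should be set on cr at this point. The one-line description ("There is an assertion in function _cairo_arc_in_direction()") should also say which inputs reach this path, since Upstream-Status is Pending and there is no upstream commit to consult.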
diff --git a/meta/recipes-graphics/cairo/cairo_1.14.12.bb b/meta/recipes-graphics/cairo/cairo_1.14.12.bb
index 18b9479..08026c4 100644
--- a/meta/recipes-graphics/cairo/cairo_1.14.12.bb
+++ b/meta/recipes-graphics/cairo/cairo_1.14.12.bb
@@ -25,6 +25,8 @@ DEPENDS = "fontconfig glib-2.0 libpng pixman zlib"
SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \
file://cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff \
file://0001-cairo-Fix-CVE-2017-9814.patch \
+ file://CVE-2019-6461.patch \
+ file://CVE-2019-6462.patch \
"
SRC_URI[md5sum] = "9f0db9dbfca0966be8acd682e636d165"
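Review bot: SRC_URI gains only CVE-2019-6461.patch and CVE-2019-6462.patch, which matches the "[Dropped CVE-2018-19876, not affected]" remark, but the subject still reads "fix CVE-2018-19876 CVE-2019-6461 CVE-2019-6462". Removing CVE-2018-19876 from the subject would avoid recording it as patched on thud when it was judged not applicable.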
--
2.7.4
* [thud][ 12/25] go-target.inc: fix go not found while multilib enabled
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
Go binaries were installed to ${libdir}/go/bin, and create symlink
in ${bindir}, while enabling multilib, libdir was extended (such as
/usr/lib64), but BASELIB was not (still /lib), so use
baselib (such as /lib64) to replace
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/go/go-target.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/go/go-target.inc b/meta/recipes-devtools/go/go-target.inc
index c229ab2..379f87b 100644
--- a/meta/recipes-devtools/go/go-target.inc
+++ b/meta/recipes-devtools/go/go-target.inc
@@ -40,7 +40,7 @@ do_install() {
for f in ${B}/${GO_BUILD_BINDIR}/*; do
name=`basename $f`
install -m 0755 $f ${D}${libdir}/go/bin/
- ln -sf ../${BASELIB}/go/bin/$name ${D}${bindir}/
+ ln -sf ../${baselib}/go/bin/$name ${D}${bindir}/
done
}
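Review bot: The symlink target is now built from ${baselib} while the install line directly above still uses ${libdir}, so the link resolves only when ${libdir} equals ${bindir}/../${baselib}. Deriving the relative path from ${libdir} and ${bindir} would keep the two lines from drifting apart under other layouts. $f and $name are also unquoted in this loop, which breaks on file names containing whitespace.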
--
2.7.4
* [thud][ 13/25] go-crosssdk: PN should use SDK_SYS, not TARGET_ARCH
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
The crosssdk dependencies are handled using the virtual/ namespace so
this name doesn't matter in the general sense. We want to be able to provide
recipe maintainer information through overrides though, so this standardises it
with the behaviour from gcc-crosssdk and ensures the maintainer overrides work.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/go/go-crosssdk.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/go/go-crosssdk.inc b/meta/recipes-devtools/go/go-crosssdk.inc
index 4391b32..94f6fb8 100644
--- a/meta/recipes-devtools/go/go-crosssdk.inc
+++ b/meta/recipes-devtools/go/go-crosssdk.inc
@@ -1,7 +1,7 @@
inherit crosssdk
DEPENDS = "go-native virtual/${TARGET_PREFIX}gcc-crosssdk virtual/nativesdk-${TARGET_PREFIX}compilerlibs virtual/${TARGET_PREFIX}binutils-crosssdk"
-PN = "go-crosssdk-${TARGET_ARCH}"
+PN = "go-crosssdk-${SDK_SYS}"
PROVIDES = "virtual/${TARGET_PREFIX}go-crosssdk"
export GOHOSTOS = "${BUILD_GOOS}"
--
2.7.4
* [thud][ 14/25] go: Upgrade 1.11.1 -> 1.11.4 minor release
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Khem Raj <raj.khem@gmail.com>
Source: OpenEmbedded.org
MR: 98328, 98329, 98330
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/go?h=warrior&id=b964551a0d08aa921d4e0ceea2f1e28a5e83510e
ChangeID: 0b4cc69c357ba14c4e7a6c7ff926cfc6f09489b2
Description:
include:
CVE-2018-16873
CVE-2018-16874
CVE-2018-16875
Changes: https://golang.org/doc/devel/release.html#go1.11
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Bug fix only update]
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/go/go-1.11.inc | 7 +++----
.../0007-cmd-go-make-GOROOT-precious-by-default.patch | 6 +++---
.../go/go-1.11/0008-use-GOBUILDMODE-to-set-buildmode.patch | 13 +++++--------
3 files changed, 11 insertions(+), 15 deletions(-)
diff --git a/meta/recipes-devtools/go/go-1.11.inc b/meta/recipes-devtools/go/go-1.11.inc
index d626514..d03e26c 100644
--- a/meta/recipes-devtools/go/go-1.11.inc
+++ b/meta/recipes-devtools/go/go-1.11.inc
@@ -1,7 +1,7 @@
require go-common.inc
GO_BASEVERSION = "1.11"
-GO_MINOR = ".1"
+GO_MINOR = ".4"
PV .= "${GO_MINOR}"
FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
@@ -17,8 +17,7 @@ SRC_URI += "\
file://0007-cmd-go-make-GOROOT-precious-by-default.patch \
file://0008-use-GOBUILDMODE-to-set-buildmode.patch \
"
-
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
-SRC_URI[main.md5sum] = "eb9e9792247143705a7aacea9398cde0"
-SRC_URI[main.sha256sum] = "558f8c169ae215e25b81421596e8de7572bd3ba824b79add22fba6e284db1117"
+SRC_URI[main.md5sum] = "a77697673215be465d1b583680ef2318"
+SRC_URI[main.sha256sum] = "4cfd42720a6b1e79a8024895fa6607b69972e8e32446df76d6ce79801bbadb15"
diff --git a/meta/recipes-devtools/go/go-1.11/0007-cmd-go-make-GOROOT-precious-by-default.patch b/meta/recipes-devtools/go/go-1.11/0007-cmd-go-make-GOROOT-precious-by-default.patch
index f317e48..29ef947 100644
--- a/meta/recipes-devtools/go/go-1.11/0007-cmd-go-make-GOROOT-precious-by-default.patch
+++ b/meta/recipes-devtools/go/go-1.11/0007-cmd-go-make-GOROOT-precious-by-default.patch
@@ -65,8 +65,8 @@ Index: go/src/cmd/go/internal/work/exec.go
===================================================================
--- go.orig/src/cmd/go/internal/work/exec.go
+++ go/src/cmd/go/internal/work/exec.go
-@@ -440,6 +440,23 @@ func (b *Builder) build(a *Action) (err
- return fmt.Errorf("module requires Go %s", p.Module.GoVersion)
+@@ -436,6 +436,23 @@ func (b *Builder) build(a *Action) (err
+ return fmt.Errorf("missing or invalid binary-only package; expected file %q", a.Package.Target)
}
+ if goRootPrecious && (a.Package.Standard || a.Package.Goroot) {
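Review bot: The refreshed hunk for exec.go no longer anchors on the "module requires Go %s" return but on the "missing or invalid binary-only package" return, so the goRootPrecious block now follows a different check in Builder.build rather than only moving by a few lines. Please confirm against the 1.11.4 source that this is still the intended insertion point, and mention the rebase in the commit message, which currently lists only the CVEs.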
@@ -89,7 +89,7 @@ Index: go/src/cmd/go/internal/work/exec.go
if err := b.Mkdir(a.Objdir); err != nil {
return err
}
-@@ -1435,6 +1452,14 @@ func BuildInstallFunc(b *Builder, a *Act
+@@ -1438,6 +1455,14 @@ func BuildInstallFunc(b *Builder, a *Act
return nil
}
diff --git a/meta/recipes-devtools/go/go-1.11/0008-use-GOBUILDMODE-to-set-buildmode.patch b/meta/recipes-devtools/go/go-1.11/0008-use-GOBUILDMODE-to-set-buildmode.patch
index b6ab504..225cf43 100644
--- a/meta/recipes-devtools/go/go-1.11/0008-use-GOBUILDMODE-to-set-buildmode.patch
+++ b/meta/recipes-devtools/go/go-1.11/0008-use-GOBUILDMODE-to-set-buildmode.patch
@@ -18,11 +18,11 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
src/cmd/go/internal/work/build.go | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
-diff --git a/src/cmd/go/internal/work/build.go b/src/cmd/go/internal/work/build.go
-index 145b875..595d703 100644
---- a/src/cmd/go/internal/work/build.go
-+++ b/src/cmd/go/internal/work/build.go
-@@ -218,7 +218,11 @@ func AddBuildFlags(cmd *base.Command) {
+Index: go/src/cmd/go/internal/work/build.go
+===================================================================
+--- go.orig/src/cmd/go/internal/work/build.go
++++ go/src/cmd/go/internal/work/build.go
+@@ -223,7 +223,11 @@ func AddBuildFlags(cmd *base.Command) {
cmd.Flag.Var(&load.BuildAsmflags, "asmflags", "")
cmd.Flag.Var(buildCompiler{}, "compiler", "")
@@ -35,6 +35,3 @@ index 145b875..595d703 100644
cmd.Flag.Var(&load.BuildGcflags, "gcflags", "")
cmd.Flag.Var(&load.BuildGccgoflags, "gccgoflags", "")
cmd.Flag.StringVar(&cfg.BuildMod, "mod", "", "")
---
-2.7.4
-
--
2.7.4
* [thud][ 15/25] go: update to minor update 1.11.10
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: golang.org
MR: 97548,
Type: Security Fix
Disposition: Backport from https://github.com/golang/go/issues?q=milestone%3AGo1.11.5
ChangeID: 54377c454f038a41bf35dd447a784e3e66db6268
Description:
Bug fix updates only
https://golang.org/doc/devel/release.html#go1.11
Fixes:
Affects <= 1.11.6
CVE-2019-6486
CVE-2019-9741
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-devtools/go/go-1.11.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-devtools/go/go-1.11.inc b/meta/recipes-devtools/go/go-1.11.inc
index d03e26c..401e71f 100644
--- a/meta/recipes-devtools/go/go-1.11.inc
+++ b/meta/recipes-devtools/go/go-1.11.inc
@@ -1,7 +1,7 @@
require go-common.inc
GO_BASEVERSION = "1.11"
-GO_MINOR = ".4"
+GO_MINOR = ".10"
PV .= "${GO_MINOR}"
FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:"
@@ -19,5 +19,5 @@ SRC_URI += "\
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
-SRC_URI[main.md5sum] = "a77697673215be465d1b583680ef2318"
-SRC_URI[main.sha256sum] = "4cfd42720a6b1e79a8024895fa6607b69972e8e32446df76d6ce79801bbadb15"
+SRC_URI[main.md5sum] = "f2d2e44b9954b827daa8ad4d936a7a82"
+SRC_URI[main.sha256sum] = "df27e96a9d1d362c46ecd975f1faa56b8c300f5c529074e9ea79bdd885493c1b"
--
2.7.4
* [thud][ 16/25] wpa_supplicant: Changed systemd template units
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Joshua DeWeese <jdeweese@hennypenny.com>
I goofed up the scissor line on the last attempt. Not sure how much it matters,
but here it is correct this time.
Here it is, updated to work with wpa-supplicant_2.6.bb.
-- >8 --
https://www.freedesktop.org/software/systemd/man/systemd.unit.html#WantedBy=
When building root filesystems with any of the wpa_supplicant systemd
template service files enabled (current default is to have them disabled) the
systemd-native-fake script would not process the line:
Alias=multi-user.target.wants/wpa_supplicant@%i.service
appropriately due to the use of "%i."
According to the systemd documentation "WantedBy=foo.service in a service
bar.service is mostly equivalent to Alias=foo.service.wants/bar.service in
the same file." However, this is not really the intended purpose of install
Aliases.
All lines of the form:
Alias=multi-user.target.wants/*%i.service
Were replaced with the following lines:
WantedBy=multi-user.target
Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...place-systemd-install-Alias-with-WantedBy.patch | 52 ++++++++++++++++++++++
.../wpa-supplicant/wpa-supplicant_2.6.bb | 1 +
2 files changed, 53 insertions(+)
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
new file mode 100644
index 0000000..a476cf0
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-replace-systemd-install-Alias-with-WantedBy.patch
@@ -0,0 +1,52 @@
+From 94c401733a5a3d294cc412671166e6adfb409f53 Mon Sep 17 00:00:00 2001
+From: Joshua DeWeese <jdeweese@hennypenny.com>
+Date: Wed, 30 Jan 2019 16:19:47 -0500
+Subject: [PATCH] replace systemd install Alias with WantedBy
+
+According to the systemd documentation "WantedBy=foo.service in a
+service bar.service is mostly equivalent to
+Alias=foo.service.wants/bar.service in the same file." However,
+this is not really the intended purpose of install Aliases.
+
+Upstream-Status: Submitted [hostap@lists.infradead.org]
+
+Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com>
+---
+ wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in | 2 +-
+ wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in | 2 +-
+ wpa_supplicant/systemd/wpa_supplicant.service.arg.in | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
+index 03ac507..da69a87 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
++++ b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
+@@ -12,4 +12,4 @@ Type=simple
+ ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-nl80211-%I.conf -Dnl80211 -i%I
+
+ [Install]
+-Alias=multi-user.target.wants/wpa_supplicant-nl80211@%i.service
++WantedBy=multi-user.target
+diff --git a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
+index c8a744d..ca3054b 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
++++ b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
+@@ -12,4 +12,4 @@ Type=simple
+ ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-%I.conf -Dwired -i%I
+
+ [Install]
+-Alias=multi-user.target.wants/wpa_supplicant-wired@%i.service
++WantedBy=multi-user.target
+diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
+index 7788b38..55d2b9c 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
++++ b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
+@@ -12,4 +12,4 @@ Type=simple
+ ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I
+
+ [Install]
+-Alias=multi-user.target.wants/wpa_supplicant@%i.service
++WantedBy=multi-user.target
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
index aa4c4c2..c92ed4a 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.6.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
file://key-replay-cve-multiple7.patch \
file://key-replay-cve-multiple8.patch \
file://wpa_supplicant-CVE-2018-14526.patch \
+ file://0001-replace-systemd-install-Alias-with-WantedBy.patch \
"
SRC_URI[md5sum] = "091569eb4440b7d7f2b4276dbfc03c3c"
SRC_URI[sha256sum] = "b4936d34c4e6cdd44954beba74296d964bc2c9668ecaa5255e499636fe2b1450"
--
2.7.4
* [thud][ 17/25] qemu: Security fix for CVE-2018-19489
From: Armin Kuster @ 2019-06-26 16:53 UTC
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: Qemu.org
MR: 97453
Type: Security Fix
Disposition: Backport from git.qemu.org/gemu.git
ChangeID: a06fcb432d447cec2ed1caf112822dd1b4831ace
Description:
In the spirit of YP Compatible, sending change upstream.
Fixes CVE-2018-19489
Affects <= 4.0.0
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../qemu/qemu/CVE-2018-19489.patch | 83 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_3.0.0.bb | 1 +
2 files changed, 84 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch
new file mode 100644
index 0000000..7619e2a
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch
@@ -0,0 +1,83 @@
+From 1d20398694a3b67a388d955b7a945ba4aa90a8a8 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Fri, 23 Nov 2018 13:28:03 +0100
+Subject: [PATCH] 9p: fix QEMU crash when renaming files
+
+When using the 9P2000.u version of the protocol, the following shell
+command line in the guest can cause QEMU to crash:
+
+ while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done
+
+With 9P2000.u, file renaming is handled by the WSTAT command. The
+v9fs_wstat() function calls v9fs_complete_rename(), which calls
+v9fs_fix_path() for every fid whose path is affected by the change.
+The involved calls to v9fs_path_copy() may race with any other access
+to the fid path performed by some worker thread, causing a crash like
+shown below:
+
+Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
+0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0,
+ flags=65536, mode=0) at hw/9pfs/9p-local.c:59
+59 while (*path && fd != -1) {
+(gdb) bt
+#0 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8,
+ path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59
+#1 0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8,
+ path=0x0) at hw/9pfs/9p-local.c:92
+#2 0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8,
+ fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185
+#3 0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498,
+ path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53
+#4 0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498)
+ at hw/9pfs/9p.c:1083
+#5 0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767)
+ at util/coroutine-ucontext.c:116
+#6 0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6
+#7 0x0000000000000000 in ()
+(gdb)
+
+The fix is to take the path write lock when calling v9fs_complete_rename(),
+like in v9fs_rename().
+
+Impact: DoS triggered by unprivileged guest users.
+
+Fixes: CVE-2018-19489
+Cc: P J P <ppandit@redhat.com>
+Reported-by: zhibin hu <noirfate@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-Status: Backport
+Affects: < 4.0.0
+CVE: CVE-2018-19489
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/9pfs/9p.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 267a255..bdf7919 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2855,6 +2855,7 @@ static void coroutine_fn v9fs_wstat(void *opaque)
+ struct stat stbuf;
+ V9fsFidState *fidp;
+ V9fsPDU *pdu = opaque;
++ V9fsState *s = pdu->s;
+
+ v9fs_stat_init(&v9stat);
+ err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat);
+@@ -2920,7 +2921,9 @@ static void coroutine_fn v9fs_wstat(void *opaque)
+ }
+ }
+ if (v9stat.name.size != 0) {
++ v9fs_path_write_lock(s);
+ err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name);
++ v9fs_path_unlock(s);
+ if (err < 0) {
+ goto out;
+ }
+--
+2.7.4
+
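Review bot: The header of the embedded patch gives Upstream-Status: Backport with no link to the upstream commit, while the glib, wget and curl patches in this series carry one; add the URL for 1d20398694a3b67a388d955b7a945ba4aa90a8a8. The affected range also disagrees: this header says "Affects: < 4.0.0" and the mail description gives <= 4.0.0, so settle on one. In the v9fs_wstat() hunk the unlock comes before the err < 0 test, so the goto out path does not leave the path lock held.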
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index 59cfc38..992cf7b 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -30,6 +30,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2018-18849.patch \
file://CVE-2018-19364_p1.patch \
file://CVE-2018-19364_p2.patch \
+ file://CVE-2018-19489.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
--
2.7.4
* [thud][ 18/25] Tar: Security fix CVE-2019-0023
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: tar.git
MR: 97928
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
ChangeID: 7aee4c0daf8ce813242fe7b872583560a32bc4e3
Description:
Affects tar < 1.32
fixes CVE-2019-9923
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-extended/tar/tar/CVE-2019-9923.patch | 38 +++++++++++++++++++++++
meta/recipes-extended/tar/tar_1.30.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-extended/tar/tar/CVE-2019-9923.patch
diff --git a/meta/recipes-extended/tar/tar/CVE-2019-9923.patch b/meta/recipes-extended/tar/tar/CVE-2019-9923.patch
new file mode 100644
index 0000000..146cbff
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2019-9923.patch
@@ -0,0 +1,38 @@
+From cb07844454d8cc9fb21f53ace75975f91185a120 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Mon, 14 Jan 2019 15:22:09 +0200
+Subject: [PATCH] Fix possible NULL dereference (savannah bug #55369)
+
+* src/sparse.c (pax_decode_header): Check return from find_next_block.
+
+Upstream-Status: Backport
+CVE: CVE-2019-9923
+Affects: tar < 1.32
+Signed-off-by: Armin kuster <akuster@mvista.com>
+
+---
+ src/sparse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: tar-1.30/src/sparse.c
+===================================================================
+--- tar-1.30.orig/src/sparse.c
++++ tar-1.30/src/sparse.c
+@@ -1231,6 +1231,8 @@ pax_decode_header (struct tar_sparse_fil
+ set_next_block_after (b); \
+ file->dumped_size += BLOCKSIZE; \
+ b = find_next_block (); \
++ if (!b) \
++ FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); \
+ src = b->buffer; \
+ endp = b->buffer + BLOCKSIZE; \
+ } \
+@@ -1243,6 +1245,8 @@ pax_decode_header (struct tar_sparse_fil
+ set_next_block_after (current_header);
+ file->dumped_size += BLOCKSIZE;
+ blk = find_next_block ();
++ if (!blk)
++ FATAL_ERROR ((0, 0, _("Unexpected EOF in archive")));
+ p = blk->buffer;
+ COPY_BUF (blk,nbuf,p);
+ if (!decode_num (&u, nbuf, TYPE_MAXIMUM (size_t)))
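Review bot: Upstream-Status: Backport in the patch header has no upstream link, although the mail body names the commit on git.savannah.gnu.org; copy that URL into the header so it stays with the recipe. Both added checks also depend on FATAL_ERROR not returning, because b->buffer and blk->buffer are dereferenced on the very next line; confirm that against the macro's definition in tar 1.30.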
diff --git a/meta/recipes-extended/tar/tar_1.30.bb b/meta/recipes-extended/tar/tar_1.30.bb
index bd24f47..ab1b33b 100644
--- a/meta/recipes-extended/tar/tar_1.30.bb
+++ b/meta/recipes-extended/tar/tar_1.30.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
file://remove-gets.patch \
file://musl_dirent.patch \
+ file://CVE-2019-9923.patch \
"
SRC_URI[md5sum] = "8404e4c1fc5a3000228ab2b8ad674a65"
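Review bot: The SRC_URI entry adds CVE-2019-9923.patch and the description says CVE-2019-9923, but the subject of this mail reads CVE-2019-0023. Correct the subject before this lands so the commit log can be searched by the right CVE id.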
--
2.7.4
* [thud][ 19/25] glib-2.0: Security fix for CVE-2019-12450
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: glib-2.0
MR: 98443
Type: Security Fix
Disposition: Backport from https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
ChangeID: 880b9b349cb8d82c7c1314a3657ec9094baba741
Description:
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../glib-2.0/glib-2.0/CVE-2019-12450.patch | 59 ++++++++++++++++++++++
meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb | 1 +
2 files changed, 60 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch
new file mode 100644
index 0000000..37ad580
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2019-12450.patch
@@ -0,0 +1,59 @@
+From d8f8f4d637ce43f8699ba94c9b7648beda0ca174 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:41:53 +0200
+Subject: [PATCH] gfile: Limit access to files when copying
+
+file_copy_fallback creates new files with default permissions and
+set the correct permissions after the operation is finished. This
+might cause that the files can be accessible by more users during
+the operation than expected. Use G_FILE_CREATE_PRIVATE for the new
+files to limit access to those files.
+
+Upstream-Status: Backport
+https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
+CVE: CVE-2019-12450
+Signed-off-by: Armin kuster <akuster@mvista.com>
+
+---
+ gio/gfile.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/gio/gfile.c b/gio/gfile.c
+index 24b136d..74b5804 100644
+--- a/gio/gfile.c
++++ b/gio/gfile.c
+@@ -3284,12 +3284,12 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream*)_g_local_file_output_stream_replace (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+ FALSE, NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
+- info,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ else
+ out = (GOutputStream*)_g_local_file_output_stream_create (_g_local_file_get_filename (G_LOCAL_FILE (destination)),
+- FALSE, 0, info,
++ FALSE, G_FILE_CREATE_PRIVATE, info,
+ cancellable, error);
+ }
+ else if (flags & G_FILE_COPY_OVERWRITE)
+@@ -3297,12 +3297,13 @@ file_copy_fallback (GFile *source,
+ out = (GOutputStream *)g_file_replace (destination,
+ NULL,
+ flags & G_FILE_COPY_BACKUP,
+- G_FILE_CREATE_REPLACE_DESTINATION,
++ G_FILE_CREATE_REPLACE_DESTINATION |
++ G_FILE_CREATE_PRIVATE,
+ cancellable, error);
+ }
+ else
+ {
+- out = (GOutputStream *)g_file_create (destination, 0, cancellable, error);
++ out = (GOutputStream *)g_file_create (destination, G_FILE_CREATE_PRIVATE, cancellable, error);
+ }
+
+ if (!out)
+--
+2.7.4
+
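Review bot: The patch header carries no Affects: line and the mail's Description: field is empty, so nothing records which glib versions are exposed or that this fixes CVE-2019-12450 for 2.58.0; add both. On the code side, all four creation paths in file_copy_fallback (the two _g_local_file_output_stream_* calls, g_file_replace and g_file_create) now pass G_FILE_CREATE_PRIVATE, so no branch is left creating the destination with default permissions.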
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb
index 1271a7c..879bc48 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.58.0.bb
@@ -14,6 +14,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
file://0001-Do-not-ignore-return-value-of-write.patch \
file://0010-Do-not-hardcode-python-path-into-various-tools.patch \
file://date-lt.patch \
+ file://CVE-2019-12450.patch \
"
SRC_URI_append_class-native = " file://relocate-modules.patch"
--
2.7.4
* [thud][ 20/25] wget: Security fix for CVE-2019-5953
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: http://git.savannah.gnu.org/cgit/wget.git
MR: 89341
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
ChangeID: 1c19a2fd7ead88cc4ee92d425179d60d4635864b
Description:
Fixes CVE-2019-5953
Affects: < 1.20.1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../recipes-extended/wget/wget/CVE-2019-5953.patch | 51 ++++++++++++++++++++++
meta/recipes-extended/wget/wget_1.19.5.bb | 1 +
2 files changed, 52 insertions(+)
create mode 100644 meta/recipes-extended/wget/wget/CVE-2019-5953.patch
diff --git a/meta/recipes-extended/wget/wget/CVE-2019-5953.patch b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch
new file mode 100644
index 0000000..e43e8e5
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2019-5953.patch
@@ -0,0 +1,51 @@
+From 692d5c5215de0db482c252492a92fc424cc6a97c Mon Sep 17 00:00:00 2001
+From: Tim Ruehsen <tim.ruehsen@gmx.de>
+Date: Fri, 5 Apr 2019 11:50:44 +0200
+Subject: [PATCH] Fix a buffer overflow vulnerability
+
+* src/iri.c(do_conversion): Reallocate the output buffer to a larger
+ size if it is already full
+
+Upstream-Status: Backport
+http://git.savannah.gnu.org/cgit/wget.git/commit/?id=692d5c5215de0db482c252492a92fc424cc6a97c
+CVE: CVE-2019-5953
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/iri.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+Index: wget-1.19.5/src/iri.c
+===================================================================
+--- wget-1.19.5.orig/src/iri.c
++++ wget-1.19.5/src/iri.c
+@@ -151,8 +151,11 @@ do_conversion (const char *tocode, const
+ *out = s = xmalloc (outlen + 1);
+ done = 0;
+
++ DEBUGP (("iconv %s -> %s\n", tocode, fromcode));
++
+ for (;;)
+ {
++ DEBUGP (("iconv outlen=%d inlen=%d\n", outlen, inlen));
+ if (iconv (cd, (ICONV_CONST char **) &in, &inlen, out, &outlen) != (size_t)(-1) &&
+ iconv (cd, NULL, NULL, out, &outlen) != (size_t)(-1))
+ {
+@@ -187,11 +190,14 @@ do_conversion (const char *tocode, const
+ }
+ else if (errno == E2BIG) /* Output buffer full */
+ {
++ logprintf (LOG_VERBOSE,
++ _("Reallocate output buffer len=%d outlen=%d inlen=%d\n"), len, outlen, inlen);
+ tooshort++;
+ done = len;
+- len = outlen = done + inlen * 2;
+- s = xrealloc (s, outlen + 1);
+- *out = s + done;
++ len = done + inlen * 2;
++ s = xrealloc (s, len + 1);
++ *out = s + done - outlen;
++ outlen += inlen * 2;
+ }
+ else /* Weird, we got an unspecified error */
+ {
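Review bot: The added DEBUGP and logprintf calls in do_conversion format outlen and inlen with %d, but both are passed by address to iconv() in the same loop and are therefore size_t; that is a format/argument mismatch on 64-bit targets. Cast the values or use a size_t-safe format. The first DEBUGP also prints tocode before fromcode around the "->", which reads backwards. Neither point touches the fix itself, which now places the write pointer at s + done - outlen and so accounts for bytes still unused in the buffer when E2BIG is returned.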
diff --git a/meta/recipes-extended/wget/wget_1.19.5.bb b/meta/recipes-extended/wget/wget_1.19.5.bb
index e37d8c7..920b74d 100644
--- a/meta/recipes-extended/wget/wget_1.19.5.bb
+++ b/meta/recipes-extended/wget/wget_1.19.5.bb
@@ -1,6 +1,7 @@
SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
file://0002-improve-reproducibility.patch \
+ file://CVE-2019-5953.patch \
"
SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"
--
2.7.4
* [thud][ 21/25] Curl: Security fix CVE-2019-5435 CVE-2019-5436
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: CUrl.org
MR: 98455
Type: Security Fix
Disposition: Backport from https://curl.haxx.se/
ChangeID: 86b094a440ea473b114764e8d64df8142d561609
Description:
Fixes CVE-2019-5435 CVE-2019-5436
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-support/curl/curl/CVE-2019-5435.patch | 200 +++++++++++++++++++++
meta/recipes-support/curl/curl/CVE-2019-5436.patch | 32 ++++
meta/recipes-support/curl/curl_7.61.0.bb | 2 +
3 files changed, 234 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2019-5435.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2019-5436.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2019-5435.patch b/meta/recipes-support/curl/curl/CVE-2019-5435.patch
new file mode 100644
index 0000000..8ac5554
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-5435.patch
@@ -0,0 +1,200 @@
+From 5fc28510a4664f46459d9a40187d81cc08571e60 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 29 Apr 2019 08:00:49 +0200
+Subject: [PATCH] CURL_MAX_INPUT_LENGTH: largest acceptable string input size
+
+This limits all accepted input strings passed to libcurl to be less than
+CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
+curl_easy_setopt() and curl_url_set().
+
+The 8000000 number is arbitrary picked and is meant to detect mistakes
+or abuse, not to limit actual practical use cases. By limiting the
+acceptable string lengths we also reduce the risk of integer overflows
+all over.
+
+NOTE: This does not apply to `CURLOPT_POSTFIELDS`.
+
+Test 1559 verifies.
+
+Closes #3805
+
+Upstream-Status: Backport
+Dropped a few changes to apply against this version
+https://github.com/curl/curl/commit/5fc28510a4664f4
+
+CVE: CVE-2019-5435
+affects: libcurl 7.19.4 to and including 7.64.1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ lib/setopt.c | 7 +++++
+ lib/urldata.h | 4 +++
+ 7 files changed, 146 insertions(+), 3 deletions(-)
+ create mode 100644 tests/data/test1559
+ create mode 100644 tests/libtest/lib1559.c
+
+Index: curl-7.61.0/lib/setopt.c
+===================================================================
+--- curl-7.61.0.orig/lib/setopt.c
++++ curl-7.61.0/lib/setopt.c
+@@ -60,6 +60,13 @@ CURLcode Curl_setstropt(char **charp, co
+ if(s) {
+ char *str = strdup(s);
+
++ if(str) {
++ size_t len = strlen(str);
++ if(len > CURL_MAX_INPUT_LENGTH) {
++ free(str);
++ return CURLE_BAD_FUNCTION_ARGUMENT;
++ }
++ }
+ if(!str)
+ return CURLE_OUT_OF_MEMORY;
+
+Index: curl-7.61.0/lib/urldata.h
+===================================================================
+--- curl-7.61.0.orig/lib/urldata.h
++++ curl-7.61.0/lib/urldata.h
+@@ -79,6 +79,10 @@
+ */
+ #define RESP_TIMEOUT (1800*1000)
+
++/* Max string intput length is a precaution against abuse and to detect junk
++ input easier and better. */
++#define CURL_MAX_INPUT_LENGTH 8000000
++
+ #include "cookie.h"
+ #include "psl.h"
+ #include "formdata.h"
+Index: curl-7.61.0/tests/data/test1559
+===================================================================
+--- /dev/null
++++ curl-7.61.0/tests/data/test1559
+@@ -0,0 +1,44 @@
++<testcase>
++<info>
++<keywords>
++CURLOPT_URL
++</keywords>
++</info>
++
++<reply>
++</reply>
++
++<client>
++<server>
++none
++</server>
++
++# require HTTP so that CURLOPT_POSTFIELDS works as assumed
++<features>
++http
++</features>
++<tool>
++lib1559
++</tool>
++
++<name>
++Set excessive URL lengths
++</name>
++</client>
++
++#
++# Verify that the test runs to completion without crashing
++<verify>
++<errorcode>
++0
++</errorcode>
++<stdout>
++CURLOPT_URL 10000000 bytes URL == 43
++CURLOPT_POSTFIELDS 10000000 bytes data == 0
++CURLUPART_URL 10000000 bytes URL == 3
++CURLUPART_SCHEME 10000000 bytes scheme == 3
++CURLUPART_USER 10000000 bytes user == 3
++</stdout>
++</verify>
++
++</testcase>
+Index: curl-7.61.0/tests/libtest/lib1559.c
+===================================================================
+--- /dev/null
++++ curl-7.61.0/tests/libtest/lib1559.c
+@@ -0,0 +1,78 @@
++/***************************************************************************
++ * _ _ ____ _
++ * Project ___| | | | _ \| |
++ * / __| | | | |_) | |
++ * | (__| |_| | _ <| |___
++ * \___|\___/|_| \_\_____|
++ *
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.haxx.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ ***************************************************************************/
++#include "test.h"
++
++#include "testutil.h"
++#include "warnless.h"
++#include "memdebug.h"
++
++#define EXCESSIVE 10*1000*1000
++int test(char *URL)
++{
++ CURLcode res = 0;
++ CURL *curl = NULL;
++ char *longurl = malloc(EXCESSIVE);
++ CURLU *u;
++ (void)URL;
++
++ memset(longurl, 'a', EXCESSIVE);
++ longurl[EXCESSIVE-1] = 0;
++
++ global_init(CURL_GLOBAL_ALL);
++ easy_init(curl);
++
++ res = curl_easy_setopt(curl, CURLOPT_URL, longurl);
++ printf("CURLOPT_URL %d bytes URL == %d\n",
++ EXCESSIVE, (int)res);
++
++ res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, longurl);
++ printf("CURLOPT_POSTFIELDS %d bytes data == %d\n",
++ EXCESSIVE, (int)res);
++
++ u = curl_url();
++ if(u) {
++ CURLUcode uc = curl_url_set(u, CURLUPART_URL, longurl, 0);
++ printf("CURLUPART_URL %d bytes URL == %d\n",
++ EXCESSIVE, (int)uc);
++ uc = curl_url_set(u, CURLUPART_SCHEME, longurl, CURLU_NON_SUPPORT_SCHEME);
++ printf("CURLUPART_SCHEME %d bytes scheme == %d\n",
++ EXCESSIVE, (int)uc);
++ uc = curl_url_set(u, CURLUPART_USER, longurl, 0);
++ printf("CURLUPART_USER %d bytes user == %d\n",
++ EXCESSIVE, (int)uc);
++ curl_url_cleanup(u);
++ }
++
++ free(longurl);
++
++ curl_easy_cleanup(curl);
++ curl_global_cleanup();
++
++ return 0;
++
++test_cleanup:
++
++ curl_easy_cleanup(curl);
++ curl_global_cleanup();
++
++ return res; /* return the final return code */
++}
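Review bot: The only library change backported here is the length check in Curl_setstropt() in lib/setopt.c, yet the commit message still says the limit covers curl_url_set(), and the added test1559 expects CURLUPART_URL, CURLUPART_SCHEME and CURLUPART_USER to return 3. No hunk touches the curl_url_set() implementation or adds lib1559 to a test makefile, so either drop the two test files or state in the header exactly which changes were dropped. The diffstat is stale as well: it reports 7 files changed while the patch touches four.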
diff --git a/meta/recipes-support/curl/curl/CVE-2019-5436.patch b/meta/recipes-support/curl/curl/CVE-2019-5436.patch
new file mode 100644
index 0000000..05fd8e9
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-5436.patch
@@ -0,0 +1,32 @@
+From 2576003415625d7b5f0e390902f8097830b82275 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 3 May 2019 22:20:37 +0200
+Subject: [PATCH] tftp: use the current blksize for recvfrom()
+
+bug: https://curl.haxx.se/docs/CVE-2019-5436.html
+Reported-by: l00p3r on hackerone
+CVE-2019-5436
+
+Upstream-Status: Backport
+https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
+CVE: CVE-2019-5436
+affects: libcurl 7.19.4 to and including 7.64.1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ lib/tftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: curl-7.61.0/lib/tftp.c
+===================================================================
+--- curl-7.61.0.orig/lib/tftp.c
++++ curl-7.61.0/lib/tftp.c
+@@ -1005,7 +1005,7 @@ static CURLcode tftp_connect(struct conn
+ state->sockfd = state->conn->sock[FIRSTSOCKET];
+ state->state = TFTP_STATE_START;
+ state->error = TFTP_ERR_NONE;
+- state->blksize = TFTP_BLKSIZE_DEFAULT;
++ state->blksize = blksize;
+ state->requested_blksize = blksize;
+
+ ((struct sockaddr *)&state->local_addr)->sa_family =
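Review bot: The affects: line in this header is word for word the same as the one in CVE-2019-5435.patch (libcurl 7.19.4 to and including 7.64.1). Check each range against its own advisory; this header already cites the advisory URL for CVE-2019-5436, while the CVE-2019-5435 header cites only the commit.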
diff --git a/meta/recipes-support/curl/curl_7.61.0.bb b/meta/recipes-support/curl/curl_7.61.0.bb
index 56327a6..1027f75 100644
--- a/meta/recipes-support/curl/curl_7.61.0.bb
+++ b/meta/recipes-support/curl/curl_7.61.0.bb
@@ -11,6 +11,8 @@ SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2018-16839.patch \
file://CVE-2018-16840.patch \
file://CVE-2018-16842.patch \
+ file://CVE-2019-5435.patch \
+ file://CVE-2019-5436.patch \
"
SRC_URI[md5sum] = "31d0a9f48dc796a7db351898a1e5058a"
--
2.7.4
* [thud][ 22/25] qemu: Security fix for CVE-2019-12155
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Source: qemu.org
MR: 98382
Type: Security Fix
Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99
ChangeID: e4e5983ec1fa489eb8a0db08d1afa0606e59dde3
Description:
Fixes CVE-2019-12155
Affects: <= 4.0.0
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../qemu/qemu/CVE-2019-12155.patch | 38 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_3.0.0.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch
new file mode 100644
index 0000000..8a5ece5
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch
@@ -0,0 +1,38 @@
+From d52680fc932efb8a2f334cc6993e705ed1e31e99 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 25 Apr 2019 12:05:34 +0530
+Subject: [PATCH] qxl: check release info object
+
+When releasing spice resources in release_resource() routine,
+if release info object 'ext.info' is null, it leads to null
+pointer dereference. Add check to avoid it.
+
+Reported-by: Bugs SysSec <bugs-syssec@rub.de>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20190425063534.32747-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99
+
+CVE: CVE-2019-12155
+Affects: <= 4.0.0
+Signed-off-by: Armin Kuster <akuster@mvistra.com>
+---
+ hw/display/qxl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: qemu-3.0.0/hw/display/qxl.c
+===================================================================
+--- qemu-3.0.0.orig/hw/display/qxl.c
++++ qemu-3.0.0/hw/display/qxl.c
+@@ -764,6 +764,9 @@ static void interface_release_resource(Q
+ QXLReleaseRing *ring;
+ uint64_t *item, id;
+
++ if (!ext.info) {
++ return;
++ }
+ if (ext.group_id == MEMSLOT_GROUP_HOST) {
+ /* host group -> vga mode update request */
+ QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
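Review bot: The Signed-off-by in the patch header is spelled akuster@mvistra.com, while every other sign-off in the series uses akuster@mvista.com; fix the address. There is also no blank line between that sign-off and the --- separator, unlike the other patches. The null check itself sits ahead of the ext.info->id dereference in the host-group branch shown, which is the right place for it.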
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index 992cf7b..63a6468 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -31,6 +31,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2018-19364_p1.patch \
file://CVE-2018-19364_p2.patch \
file://CVE-2018-19489.patch \
+ file://CVE-2019-12155.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
--
2.7.4
* [thud][ 23/25] yocto-uninative: Update to 2.5 release
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
This includes libstdc++ changes from gcc 9.X.
It also switches uninative from bz2 to xz compression.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 59ccd69..0bb8f7a 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -8,7 +8,7 @@
UNINATIVE_MAXGLIBCVERSION = "2.29"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.4/"
-UNINATIVE_CHECKSUM[aarch64] ?= "af2e2faf6cf00ff45cc1bcd5e3fb00cee7f79b3ec7c3be15917ad4ff8c154cfe"
-UNINATIVE_CHECKSUM[i686] ?= "fafacfc537a6ce2bd122bd16c146881ab5ac69bd575abf6cb68a0dd33fa70ea2"
-UNINATIVE_CHECKSUM[x86_64] ?= "06f91685b782f2ccfedf3070b3ba0fe4a5ba2f0766dad5c9d1642dccf95accd0"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.5/"
+UNINATIVE_CHECKSUM[aarch64] ?= "ca977ff95c77f983570141908d451ff7d78add2864471605af404302bb36a1fa"
+UNINATIVE_CHECKSUM[i686] ?= "7b5822891c293795faf8a4a80586b36f8cde405387524916a24f9055ea82f7ca"
+UNINATIVE_CHECKSUM[x86_64] ?= "ed0ac07c710b711925cb976685dd855fb1d442dd840d00194751c18bf480c4ed"
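Review bot: This hunk points UNINATIVE_URL at the 2.5 release, which the commit message says is xz-compressed, but UNINATIVE_TARBALL still defaults to ${BUILD_ARCH}-nativesdk-libc.tar.bz2 until 24/25 changes uninative.bbclass. Applied on its own, this commit would request a .tar.bz2 under the 2.5 URL against the new checksums, so move 24/25 ahead of it or squash the two to keep the branch bisectable.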
--
2.7.4
* [thud][ 24/25] uninative: Switch from bz2 to xz
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 29fc9210b973be68de474e75068e4c72371afe5a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/uninative.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes/uninative.bbclass b/meta/classes/uninative.bbclass
index ba99fb6..3326c0d 100644
--- a/meta/classes/uninative.bbclass
+++ b/meta/classes/uninative.bbclass
@@ -2,7 +2,7 @@ UNINATIVE_LOADER ?= "${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux/lib/
UNINATIVE_STAGING_DIR ?= "${STAGING_DIR}"
UNINATIVE_URL ?= "unset"
-UNINATIVE_TARBALL ?= "${BUILD_ARCH}-nativesdk-libc.tar.bz2"
+UNINATIVE_TARBALL ?= "${BUILD_ARCH}-nativesdk-libc.tar.xz"
# Example checksums
#UNINATIVE_CHECKSUM[aarch64] = "dead"
#UNINATIVE_CHECKSUM[i686] = "dead"
@@ -89,7 +89,7 @@ python uninative_event_fetchloader() {
cmd = d.expand("\
mkdir -p ${UNINATIVE_STAGING_DIR}-uninative; \
cd ${UNINATIVE_STAGING_DIR}-uninative; \
-tar -xjf ${UNINATIVE_DLDIR}/%s/${UNINATIVE_TARBALL}; \
+tar -xJf ${UNINATIVE_DLDIR}/%s/${UNINATIVE_TARBALL}; \
${UNINATIVE_STAGING_DIR}-uninative/relocate_sdk.py \
${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux \
${UNINATIVE_LOADER} \
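Review bot: tar -xJf is now hard-coded in uninative_event_fetchloader, so anyone who overrides UNINATIVE_URL or UNINATIVE_TARBALL to point at an older .tar.bz2 release will fail at extraction; plain tar -xf would let tar detect the compression from the file. The commit message is also only the OE-Core revision reference; add a line on why the format changes and that the build host now needs xz.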
--
2.7.4
* [thud][ 25/25] uninative: Update to 2.6 release
From: Armin Kuster @ 2019-06-26 16:53 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
The 2.6 release contains both libcrypt.so.1 and libcrypt.so.2 which fixes
compatibility with recent fedora/suse releases.
The difference is one is built with obsolete APIs enabled and one disabled.
We now ship both in uninative for compatibility regardless of which distro
a binary is built on.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 0bb8f7a..df24346 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -8,7 +8,7 @@
UNINATIVE_MAXGLIBCVERSION = "2.29"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.5/"
-UNINATIVE_CHECKSUM[aarch64] ?= "ca977ff95c77f983570141908d451ff7d78add2864471605af404302bb36a1fa"
-UNINATIVE_CHECKSUM[i686] ?= "7b5822891c293795faf8a4a80586b36f8cde405387524916a24f9055ea82f7ca"
-UNINATIVE_CHECKSUM[x86_64] ?= "ed0ac07c710b711925cb976685dd855fb1d442dd840d00194751c18bf480c4ed"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.6/"
+UNINATIVE_CHECKSUM[aarch64] ?= "a37118fc8b423f48146120707b81dd15017512c3e8ef9e6ca2cb3a033f4f4046"
+UNINATIVE_CHECKSUM[i686] ?= "3234fc3ded810225071f23a0e9a99f4f8c2480059945a848eff076ce78122ade"
+UNINATIVE_CHECKSUM[x86_64] ?= "133387753a9acf3e1b788103c59fac91e968e2ee331d7a4b9498e926ada7be57"
--
2.7.4