* [thud 00/18] thud pull request
@ 2019-12-16 15:59 Armin Kuster
2019-12-16 15:59 ` [thud 01/18] at-spi2: fix dbus-daemon path Armin Kuster
` (18 more replies)
0 siblings, 19 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 15:59 UTC (permalink / raw)
To: openembedded-core
Here are the next series for thud. Passed A-full
The following changes since commit cd7cf933b3235560ec71576d8f3836dff736a39f:
build-appliance-image: Update to thud head revision (2019-10-17 16:45:34 +0100)
are available in the git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/thud-next
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/thud-next
Armin Kuster (1):
linux-yocto/4.14: update to 4.14.154
Dan Tran (2):
tar: Fix CVE-2018-20482
sudo: Fix CVE-2019-14287
Jed (1):
at-spi2: fix dbus-daemon path
Khem Raj (1):
sdk: Install nativesdk locales for all TCLIBC variants
Ross Burton (12):
cve-check: backport rewrite from master
cve-check: ensure all known CVEs are in the report
cve-check: failure to parse versions should be more visible
cve-check: we don't actually need to unpack to check
cve-update-db-native: don't refresh more than once an hour
cve-update-db-native: don't hardcode the database name
cve-update-db-native: add an index on the CVE ID column
cve-update-db-native: clean up proxy handling
cve-check: rewrite look to fix false negatives
cve-check: neaten get_cve_info
cve-check: fetch CVE data once at a time instead of in a single call
glibc: finish incomplete fix for CVE-2016-10739
Shubham Agrawal (1):
libgcrypt: CVE-2019-12904
meta/classes/cve-check.bbclass | 181 ++--
meta/conf/distro/include/maintainers.inc | 1 +
meta/lib/oe/sdk.py | 4 -
meta/recipes-core/glibc/glibc-locale.inc | 3 +
meta/recipes-core/glibc/glibc-mtrace.inc | 3 +
meta/recipes-core/glibc/glibc-scripts.inc | 3 +
meta/recipes-core/glibc/glibc/CVE-2016-10739.patch | 910 ++++++++++++++++++++-
meta/recipes-core/meta/cve-update-db-native.bb | 185 +++++
.../cve-check-tool/cve-check-tool_5.6.4.bb | 62 --
...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 --
...ow-overriding-default-CA-certificate-file.patch | 215 -----
...ogress-in-percent-when-downloading-CVE-db.patch | 135 ---
...are-computed-vs-expected-sha256-digit-str.patch | 52 --
.../check-for-malloc_trim-before-using-it.patch | 51 --
.../sudo/sudo/CVE-2019-14287_p1.patch | 170 ++++
.../sudo/sudo/CVE-2019-14287_p2.patch | 98 +++
meta/recipes-extended/sudo/sudo_1.8.23.bb | 2 +
meta/recipes-extended/tar/tar/CVE-2018-20482.patch | 405 +++++++++
meta/recipes-extended/tar/tar_1.30.bb | 1 +
meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_4.14.bb | 20 +-
meta/recipes-support/atk/at-spi2-core_2.28.0.bb | 2 +-
.../libgcrypt/files/CVE-2019-12904_p1.patch | 176 ++++
.../libgcrypt/files/CVE-2019-12904_p2.patch | 330 ++++++++
meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb | 2 +
26 files changed, 2410 insertions(+), 663 deletions(-)
create mode 100644 meta/recipes-core/meta/cve-update-db-native.bb
delete mode 100644 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
delete mode 100644 meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
create mode 100644 meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
create mode 100644 meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch
create mode 100644 meta/recipes-extended/tar/tar/CVE-2018-20482.patch
create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch
create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch
--
2.7.4
^ permalink raw reply [flat|nested] 20+ messages in thread
* [thud 01/18] at-spi2: fix dbus-daemon path
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
@ 2019-12-16 15:59 ` Armin Kuster
2019-12-16 15:59 ` [thud 02/18] sdk: Install nativesdk locales for all TCLIBC variants Armin Kuster
` (17 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 15:59 UTC (permalink / raw)
To: openembedded-core
From: Jed <jed.openxt@gmail.com>
"dbus_daemon" is supposed to be set to the full dbus-daemon file
path, not just its directory.
Signed-off-by: Jed <jed.openxt@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
---
meta/recipes-support/atk/at-spi2-core_2.28.0.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-support/atk/at-spi2-core_2.28.0.bb b/meta/recipes-support/atk/at-spi2-core_2.28.0.bb
index 7975f58..0bdb1e3 100644
--- a/meta/recipes-support/atk/at-spi2-core_2.28.0.bb
+++ b/meta/recipes-support/atk/at-spi2-core_2.28.0.bb
@@ -18,7 +18,7 @@ inherit meson gtk-doc gettext systemd pkgconfig distro_features_check upstream-v
REQUIRED_DISTRO_FEATURES = "x11"
EXTRA_OEMESON = " -Dsystemd_user_dir=${systemd_user_unitdir} \
- -Ddbus_daemon=${bindir}"
+ -Ddbus_daemon=${bindir}/dbus-daemon"
GTKDOC_ENABLE_FLAG = "-Denable_docs=true"
GTKDOC_DISABLE_FLAG = "-Denable_docs=false"
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 02/18] sdk: Install nativesdk locales for all TCLIBC variants
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
2019-12-16 15:59 ` [thud 01/18] at-spi2: fix dbus-daemon path Armin Kuster
@ 2019-12-16 15:59 ` Armin Kuster
2019-12-16 15:59 ` [thud 03/18] libgcrypt: CVE-2019-12904 Armin Kuster
` (16 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 15:59 UTC (permalink / raw)
To: openembedded-core
From: Khem Raj <raj.khem@gmail.com>
install_locales() here is actually operating on nativesdk and only glibc
is the default library for nativesdk, since thats what most of
desktop/server distros use, therefore bailing out based on TCLIBC is not
needed here, since nativesdk-glibc would be required for all non-glibc
targetting SDKs as well.
Fixes SDK install time error
ERROR: OE-core's config sanity checker detected a potential misconfiguration.
Either fix the cause of this error or at your own risk disable the checker (see sanity.conf).
Following is the list of potential problems / advisories:
Your system needs to support the en_US.UTF-8 locale.
ERROR: SDK preparation failed
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/lib/oe/sdk.py | 4 ----
1 file changed, 4 deletions(-)
diff --git a/meta/lib/oe/sdk.py b/meta/lib/oe/sdk.py
index 153b07d..ef81f8c 100644
--- a/meta/lib/oe/sdk.py
+++ b/meta/lib/oe/sdk.py
@@ -84,10 +84,6 @@ class Sdk(object, metaclass=ABCMeta):
bb.warn("cannot remove SDK dir: %s" % path)
def install_locales(self, pm):
- # This is only relevant for glibc
- if self.d.getVar("TCLIBC") != "glibc":
- return
-
linguas = self.d.getVar("SDKIMAGE_LINGUAS")
if linguas:
import fnmatch
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 03/18] libgcrypt: CVE-2019-12904
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
2019-12-16 15:59 ` [thud 01/18] at-spi2: fix dbus-daemon path Armin Kuster
2019-12-16 15:59 ` [thud 02/18] sdk: Install nativesdk locales for all TCLIBC variants Armin Kuster
@ 2019-12-16 15:59 ` Armin Kuster
2019-12-16 15:59 ` [thud 04/18] tar: Fix CVE-2018-20482 Armin Kuster
` (15 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 15:59 UTC (permalink / raw)
To: openembedded-core
From: Shubham Agrawal <shuagr@microsoft.com>
fix Upstream-Status: Backport
Signed-off-by: Shubham Agrawal<shuagr@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../libgcrypt/files/CVE-2019-12904_p1.patch | 176 +++++++++++
.../libgcrypt/files/CVE-2019-12904_p2.patch | 330 +++++++++++++++++++++
meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb | 2 +
3 files changed, 508 insertions(+)
create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch
create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch
new file mode 100644
index 0000000..cda5211
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p1.patch
@@ -0,0 +1,176 @@
+From 263ad8ae08f287e32656d4e3e0116479f3d9ad9d Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 31 May 2019 17:27:25 +0300
+Subject: [PATCH] GCM: move look-up table to .data section and unshare between processes
+Reply-To: shuagr@microsoft.com
+
+CVE: CVE-2019-12904_p1
+Upstream-Status: Backport
+Signed-off-by: Shubham Agrawal<shuagr@microsoft.com>
+Upstream-commit : https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020
+
+* cipher/cipher-gcm.c (ATTR_ALIGNED_64): New.
+(gcmR): Move to 'gcm_table' structure.
+(gcm_table): New structure for look-up table with counters before and
+after.
+(gcmR): New macro.
+(prefetch_table): Handle input with length not multiple of 256.
+(do_prefetch_tables): Modify pre- and post-table counters to unshare
+look-up table pages between processes.
+--
+GnuPG-bug-id: 4541
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ cipher/cipher-gcm.c | 129 ++++++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 95 insertions(+), 34 deletions(-)
+
+diff --git a/cipher/cipher-gcm.c b/cipher/cipher-gcm.c
+index 6169d14..97a8015 100644
+--- a/cipher/cipher-gcm.c
++++ b/cipher/cipher-gcm.c
+@@ -30,6 +30,14 @@
+ #include "./cipher-internal.h"
+
+
++/* Helper macro to force alignment to 16 or 64 bytes. */
++#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64)))
++#else
++# define ATTR_ALIGNED_64
++#endif
++
++
+ #ifdef GCM_USE_INTEL_PCLMUL
+ extern void _gcry_ghash_setup_intel_pclmul (gcry_cipher_hd_t c);
+
+@@ -63,40 +71,93 @@ ghash_armv8_ce_pmull (gcry_cipher_hd_t c, byte *result, const byte *buf,
+
+
+ #ifdef GCM_USE_TABLES
+-static const u16 gcmR[256] = {
+- 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e,
+- 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e,
+- 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e,
+- 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e,
+- 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e,
+- 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e,
+- 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e,
+- 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e,
+- 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce,
+- 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde,
+- 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee,
+- 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe,
+- 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e,
+- 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e,
+- 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae,
+- 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe,
+- 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e,
+- 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e,
+- 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e,
+- 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e,
+- 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e,
+- 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e,
+- 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e,
+- 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e,
+- 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce,
+- 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade,
+- 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee,
+- 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe,
+- 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e,
+- 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e,
+- 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae,
+- 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
+-};
++static struct
++{
++ volatile u32 counter_head;
++ u32 cacheline_align[64 / 4 - 1];
++ u16 R[256];
++ volatile u32 counter_tail;
++} gcm_table ATTR_ALIGNED_64 =
++ {
++ 0,
++ { 0, },
++ {
++ 0x0000, 0x01c2, 0x0384, 0x0246, 0x0708, 0x06ca, 0x048c, 0x054e,
++ 0x0e10, 0x0fd2, 0x0d94, 0x0c56, 0x0918, 0x08da, 0x0a9c, 0x0b5e,
++ 0x1c20, 0x1de2, 0x1fa4, 0x1e66, 0x1b28, 0x1aea, 0x18ac, 0x196e,
++ 0x1230, 0x13f2, 0x11b4, 0x1076, 0x1538, 0x14fa, 0x16bc, 0x177e,
++ 0x3840, 0x3982, 0x3bc4, 0x3a06, 0x3f48, 0x3e8a, 0x3ccc, 0x3d0e,
++ 0x3650, 0x3792, 0x35d4, 0x3416, 0x3158, 0x309a, 0x32dc, 0x331e,
++ 0x2460, 0x25a2, 0x27e4, 0x2626, 0x2368, 0x22aa, 0x20ec, 0x212e,
++ 0x2a70, 0x2bb2, 0x29f4, 0x2836, 0x2d78, 0x2cba, 0x2efc, 0x2f3e,
++ 0x7080, 0x7142, 0x7304, 0x72c6, 0x7788, 0x764a, 0x740c, 0x75ce,
++ 0x7e90, 0x7f52, 0x7d14, 0x7cd6, 0x7998, 0x785a, 0x7a1c, 0x7bde,
++ 0x6ca0, 0x6d62, 0x6f24, 0x6ee6, 0x6ba8, 0x6a6a, 0x682c, 0x69ee,
++ 0x62b0, 0x6372, 0x6134, 0x60f6, 0x65b8, 0x647a, 0x663c, 0x67fe,
++ 0x48c0, 0x4902, 0x4b44, 0x4a86, 0x4fc8, 0x4e0a, 0x4c4c, 0x4d8e,
++ 0x46d0, 0x4712, 0x4554, 0x4496, 0x41d8, 0x401a, 0x425c, 0x439e,
++ 0x54e0, 0x5522, 0x5764, 0x56a6, 0x53e8, 0x522a, 0x506c, 0x51ae,
++ 0x5af0, 0x5b32, 0x5974, 0x58b6, 0x5df8, 0x5c3a, 0x5e7c, 0x5fbe,
++ 0xe100, 0xe0c2, 0xe284, 0xe346, 0xe608, 0xe7ca, 0xe58c, 0xe44e,
++ 0xef10, 0xeed2, 0xec94, 0xed56, 0xe818, 0xe9da, 0xeb9c, 0xea5e,
++ 0xfd20, 0xfce2, 0xfea4, 0xff66, 0xfa28, 0xfbea, 0xf9ac, 0xf86e,
++ 0xf330, 0xf2f2, 0xf0b4, 0xf176, 0xf438, 0xf5fa, 0xf7bc, 0xf67e,
++ 0xd940, 0xd882, 0xdac4, 0xdb06, 0xde48, 0xdf8a, 0xddcc, 0xdc0e,
++ 0xd750, 0xd692, 0xd4d4, 0xd516, 0xd058, 0xd19a, 0xd3dc, 0xd21e,
++ 0xc560, 0xc4a2, 0xc6e4, 0xc726, 0xc268, 0xc3aa, 0xc1ec, 0xc02e,
++ 0xcb70, 0xcab2, 0xc8f4, 0xc936, 0xcc78, 0xcdba, 0xcffc, 0xce3e,
++ 0x9180, 0x9042, 0x9204, 0x93c6, 0x9688, 0x974a, 0x950c, 0x94ce,
++ 0x9f90, 0x9e52, 0x9c14, 0x9dd6, 0x9898, 0x995a, 0x9b1c, 0x9ade,
++ 0x8da0, 0x8c62, 0x8e24, 0x8fe6, 0x8aa8, 0x8b6a, 0x892c, 0x88ee,
++ 0x83b0, 0x8272, 0x8034, 0x81f6, 0x84b8, 0x857a, 0x873c, 0x86fe,
++ 0xa9c0, 0xa802, 0xaa44, 0xab86, 0xaec8, 0xaf0a, 0xad4c, 0xac8e,
++ 0xa7d0, 0xa612, 0xa454, 0xa596, 0xa0d8, 0xa11a, 0xa35c, 0xa29e,
++ 0xb5e0, 0xb422, 0xb664, 0xb7a6, 0xb2e8, 0xb32a, 0xb16c, 0xb0ae,
++ 0xbbf0, 0xba32, 0xb874, 0xb9b6, 0xbcf8, 0xbd3a, 0xbf7c, 0xbebe,
++ },
++ 0
++ };
++
++#define gcmR gcm_table.R
++static inline
++void prefetch_table(const void *tab, size_t len)
++{
++ const volatile byte *vtab = tab;
++ size_t i;
++
++ for (i = 0; len - i >= 8 * 32; i += 8 * 32)
++ {
++ (void)vtab[i + 0 * 32];
++ (void)vtab[i + 1 * 32];
++ (void)vtab[i + 2 * 32];
++ (void)vtab[i + 3 * 32];
++ (void)vtab[i + 4 * 32];
++ (void)vtab[i + 5 * 32];
++ (void)vtab[i + 6 * 32];
++ (void)vtab[i + 7 * 32];
++ }
++ for (; i < len; i += 32)
++ {
++ (void)vtab[i];
++ }
++
++ (void)vtab[len - 1];
++}
++
++static inline void
++do_prefetch_tables (const void *gcmM, size_t gcmM_size)
++{
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ gcm_table.counter_head++;
++ gcm_table.counter_tail++;
++
++ /* Prefetch look-up tables to cache. */
++ prefetch_table(gcmM, gcmM_size);
++ prefetch_table(&gcm_table, sizeof(gcm_table));
++}
+
+ #ifdef GCM_TABLES_USE_U64
+ static void
+--
+2.7.4
+
diff --git a/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch
new file mode 100644
index 0000000..0cb503e
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2019-12904_p2.patch
@@ -0,0 +1,330 @@
+From a5c359cc68a4def9bf39f63070837d89711b4e17 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 31 May 2019 17:18:09 +0300
+Subject: [PATCH] AES: move look-up tables to .data section and unshare between processes
+Reply-To: shuagr@microsoft.com
+
+CVE: CVE-2019-12904_p2
+Upstream-status: Backport
+Signed-off-by: Shubham Agrawal<shuagr@microsoft.com>
+Upstream-commit: https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762
+
+* cipher/rijndael-internal.h (ATTR_ALIGNED_64): New.
+* cipher/rijndael-tables.h (encT): Move to 'enc_tables' structure.
+(enc_tables): New structure for encryption table with counters before
+and after.
+(encT): New macro.
+(dec_tables): Add counters before and after encryption table; Move
+from .rodata to .data section.
+(do_encrypt): Change 'encT' to 'enc_tables.T'.
+(do_decrypt): Change '&dec_tables' to 'dec_tables.T'.
+* cipher/cipher-gcm.c (prefetch_table): Make inline; Handle input
+with length not multiple of 256.
+(prefetch_enc, prefetch_dec): Modify pre- and post-table counters
+to unshare look-up table pages between processes.
+--
+
+GnuPG-bug-id: 4541
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ cipher/rijndael-internal.h | 4 +-
+ cipher/rijndael-tables.h | 155 +++++++++++++++++++++++++--------------------
+ cipher/rijndael.c | 35 ++++++++--
+ 3 files changed, 118 insertions(+), 76 deletions(-)
+
+diff --git a/cipher/rijndael-internal.h b/cipher/rijndael-internal.h
+index 160fb8c..a62d4b7 100644
+--- a/cipher/rijndael-internal.h
++++ b/cipher/rijndael-internal.h
+@@ -29,11 +29,13 @@
+ #define BLOCKSIZE (128/8)
+
+
+-/* Helper macro to force alignment to 16 bytes. */
++/* Helper macro to force alignment to 16 or 64 bytes. */
+ #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
+ # define ATTR_ALIGNED_16 __attribute__ ((aligned (16)))
++# define ATTR_ALIGNED_64 __attribute__ ((aligned (64)))
+ #else
+ # define ATTR_ALIGNED_16
++# define ATTR_ALIGNED_64
+ #endif
+
+
+diff --git a/cipher/rijndael-tables.h b/cipher/rijndael-tables.h
+index 8359470..b54d959 100644
+--- a/cipher/rijndael-tables.h
++++ b/cipher/rijndael-tables.h
+@@ -21,80 +21,98 @@
+ /* To keep the actual implementation at a readable size we use this
+ include file to define the tables. */
+
+-static const u32 encT[256] =
++static struct
++{
++ volatile u32 counter_head;
++ u32 cacheline_align[64 / 4 - 1];
++ u32 T[256];
++ volatile u32 counter_tail;
++} enc_tables ATTR_ALIGNED_64 =
+ {
+- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
+- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
+- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
+- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
+- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
+- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
+- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
+- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
+- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
+- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
+- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
+- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
+- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
+- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
+- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
+- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
+- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
+- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
+- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
+- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
+- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
+- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
+- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
+- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
+- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
+- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
+- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
+- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
+- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
+- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
+- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
+- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
+- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
+- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
+- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
+- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
+- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
+- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
+- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
+- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
+- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
+- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
+- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
+- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
+- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
+- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
+- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
+- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
+- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
+- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
+- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
+- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
+- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
+- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
+- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
+- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
+- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
+- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
+- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
+- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
+- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
+- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
+- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
+- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c
++ 0,
++ { 0, },
++ {
++ 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
++ 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
++ 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
++ 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
++ 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
++ 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
++ 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
++ 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
++ 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
++ 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
++ 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
++ 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
++ 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
++ 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
++ 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
++ 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
++ 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
++ 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
++ 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
++ 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
++ 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
++ 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
++ 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
++ 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
++ 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
++ 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
++ 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
++ 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
++ 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
++ 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
++ 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
++ 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
++ 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
++ 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
++ 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
++ 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
++ 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
++ 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
++ 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
++ 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
++ 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
++ 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
++ 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
++ 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
++ 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
++ 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
++ 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
++ 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
++ 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
++ 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
++ 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
++ 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
++ 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
++ 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
++ 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
++ 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
++ 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
++ 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
++ 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
++ 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
++ 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
++ 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
++ 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
++ 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c
++ },
++ 0
+ };
+
+-static const struct
++#define encT enc_tables.T
++
++static struct
+ {
++ volatile u32 counter_head;
++ u32 cacheline_align[64 / 4 - 1];
+ u32 T[256];
+ byte inv_sbox[256];
+-} dec_tables =
++ volatile u32 counter_tail;
++} dec_tables ATTR_ALIGNED_64 =
+ {
++ 0,
++ { 0, },
+ {
+ 0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a,
+ 0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b,
+@@ -194,7 +212,8 @@ static const struct
+ 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61,
+ 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26,
+ 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d
+- }
++ },
++ 0
+ };
+
+ #define decT dec_tables.T
+diff --git a/cipher/rijndael.c b/cipher/rijndael.c
+index 8637195..d0edab2 100644
+--- a/cipher/rijndael.c
++++ b/cipher/rijndael.c
+@@ -227,11 +227,11 @@ static const char *selftest(void);
+
+ \f
+ /* Prefetching for encryption/decryption tables. */
+-static void prefetch_table(const volatile byte *tab, size_t len)
++static inline void prefetch_table(const volatile byte *tab, size_t len)
+ {
+ size_t i;
+
+- for (i = 0; i < len; i += 8 * 32)
++ for (i = 0; len - i >= 8 * 32; i += 8 * 32)
+ {
+ (void)tab[i + 0 * 32];
+ (void)tab[i + 1 * 32];
+@@ -242,17 +242,37 @@ static void prefetch_table(const volatile byte *tab, size_t len)
+ (void)tab[i + 6 * 32];
+ (void)tab[i + 7 * 32];
+ }
++ for (; i < len; i += 32)
++ {
++ (void)tab[i];
++ }
+
+ (void)tab[len - 1];
+ }
+
+ static void prefetch_enc(void)
+ {
+- prefetch_table((const void *)encT, sizeof(encT));
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ enc_tables.counter_head++;
++ enc_tables.counter_tail++;
++
++ /* Prefetch look-up tables to cache. */
++ prefetch_table((const void *)&enc_tables, sizeof(enc_tables));
+ }
+
+ static void prefetch_dec(void)
+ {
++ /* Modify counters to trigger copy-on-write and unsharing if physical pages
++ * of look-up table are shared between processes. Modifying counters also
++ * causes checksums for pages to change and hint same-page merging algorithm
++ * that these pages are frequently changing. */
++ dec_tables.counter_head++;
++ dec_tables.counter_tail++;
++
++ /* Prefetch look-up tables to cache. */
+ prefetch_table((const void *)&dec_tables, sizeof(dec_tables));
+ }
+
+@@ -737,7 +757,7 @@ do_encrypt (const RIJNDAEL_context *ctx,
+ #ifdef USE_AMD64_ASM
+ # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
+ return _gcry_aes_amd64_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
+- encT);
++ enc_tables.T);
+ # else
+ /* Call SystemV ABI function without storing non-volatile XMM registers,
+ * as target function does not use vector instruction sets. */
+@@ -757,7 +777,8 @@ do_encrypt (const RIJNDAEL_context *ctx,
+ return ret;
+ # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
+ #elif defined(USE_ARM_ASM)
+- return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds, encT);
++ return _gcry_aes_arm_encrypt_block(ctx->keyschenc, bx, ax, ctx->rounds,
++ enc_tables.T);
+ #else
+ return do_encrypt_fn (ctx, bx, ax);
+ #endif /* !USE_ARM_ASM && !USE_AMD64_ASM*/
+@@ -1120,7 +1141,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
+ #ifdef USE_AMD64_ASM
+ # ifdef HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS
+ return _gcry_aes_amd64_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
+- &dec_tables);
++ dec_tables.T);
+ # else
+ /* Call SystemV ABI function without storing non-volatile XMM registers,
+ * as target function does not use vector instruction sets. */
+@@ -1141,7 +1162,7 @@ do_decrypt (const RIJNDAEL_context *ctx, unsigned char *bx,
+ # endif /* HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS */
+ #elif defined(USE_ARM_ASM)
+ return _gcry_aes_arm_decrypt_block(ctx->keyschdec, bx, ax, ctx->rounds,
+- &dec_tables);
++ dec_tables.T);
+ #else
+ return do_decrypt_fn (ctx, bx, ax);
+ #endif /*!USE_ARM_ASM && !USE_AMD64_ASM*/
+--
+2.7.4
+
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
index fda68a2..13d0378 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.4.bb
@@ -21,6 +21,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
file://0003-tests-bench-slope.c-workaround-ICE-failure-on-mips-w.patch \
file://0002-libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \
file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \
+ file://CVE-2019-12904_p1.patch \
+ file://CVE-2019-12904_p2.patch \
"
SRC_URI[md5sum] = "fbfdaebbbc6d7e5fbbf6ffdb3e139573"
SRC_URI[sha256sum] = "f638143a0672628fde0cad745e9b14deb85dffb175709cacc1f4fe24b93f2227"
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 04/18] tar: Fix CVE-2018-20482
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (2 preceding siblings ...)
2019-12-16 15:59 ` [thud 03/18] libgcrypt: CVE-2019-12904 Armin Kuster
@ 2019-12-16 15:59 ` Armin Kuster
2019-12-16 15:59 ` [thud 05/18] sudo: Fix CVE-2019-14287 Armin Kuster
` (14 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 15:59 UTC (permalink / raw)
To: openembedded-core
From: Dan Tran <dantran@microsoft.com>
Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-extended/tar/tar/CVE-2018-20482.patch | 405 +++++++++++++++++++++
meta/recipes-extended/tar/tar_1.30.bb | 1 +
2 files changed, 406 insertions(+)
create mode 100644 meta/recipes-extended/tar/tar/CVE-2018-20482.patch
diff --git a/meta/recipes-extended/tar/tar/CVE-2018-20482.patch b/meta/recipes-extended/tar/tar/CVE-2018-20482.patch
new file mode 100644
index 0000000..2a13148
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2018-20482.patch
@@ -0,0 +1,405 @@
+From 331be56598b284d41370c67046df25673b040a55 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Thu, 27 Dec 2018 17:48:57 +0200
+Subject: [PATCH] Fix CVE-2018-20482
+
+* NEWS: Update.
+* src/sparse.c (sparse_dump_region): Handle short read condition.
+(sparse_extract_region,check_data_region): Fix dumped_size calculation.
+Handle short read condition.
+(pax_decode_header): Fix dumped_size calculation.
+* tests/Makefile.am: Add new testcases.
+* tests/testsuite.at: Likewise.
+
+* tests/sptrcreat.at: New file.
+* tests/sptrdiff00.at: New file.
+* tests/sptrdiff01.at: New file.
+
+CVE: CVE-2018-20482
+Upstream-Status: Backport
+[http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ src/sparse.c | 50 +++++++++++++++++++++++++++++++-----
+ tests/Makefile.am | 5 +++-
+ tests/sptrcreat.at | 62 +++++++++++++++++++++++++++++++++++++++++++++
+ tests/sptrdiff00.at | 55 ++++++++++++++++++++++++++++++++++++++++
+ tests/sptrdiff01.at | 55 ++++++++++++++++++++++++++++++++++++++++
+ tests/testsuite.at | 5 +++-
+ 6 files changed, 224 insertions(+), 8 deletions(-)
+ create mode 100644 tests/sptrcreat.at
+ create mode 100644 tests/sptrdiff00.at
+ create mode 100644 tests/sptrdiff01.at
+
+diff --git a/src/sparse.c b/src/sparse.c
+index 0830f62..e8e8259 100644
+--- a/src/sparse.c
++++ b/src/sparse.c
+@@ -1,6 +1,6 @@
+ /* Functions for dealing with sparse files
+
+- Copyright 2003-2007, 2010, 2013-2017 Free Software Foundation, Inc.
++ Copyright 2003-2007, 2010, 2013-2018 Free Software Foundation, Inc.
+
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+@@ -427,6 +427,30 @@ sparse_dump_region (struct tar_sparse_file *file, size_t i)
+ bufsize);
+ return false;
+ }
++ else if (bytes_read == 0)
++ {
++ char buf[UINTMAX_STRSIZE_BOUND];
++ struct stat st;
++ size_t n;
++ if (fstat (file->fd, &st) == 0)
++ n = file->stat_info->stat.st_size - st.st_size;
++ else
++ n = file->stat_info->stat.st_size
++ - (file->stat_info->sparse_map[i].offset
++ + file->stat_info->sparse_map[i].numbytes
++ - bytes_left);
++
++ WARNOPT (WARN_FILE_SHRANK,
++ (0, 0,
++ ngettext ("%s: File shrank by %s byte; padding with zeros",
++ "%s: File shrank by %s bytes; padding with zeros",
++ n),
++ quotearg_colon (file->stat_info->orig_file_name),
++ STRINGIFY_BIGINT (n, buf)));
++ if (! ignore_failed_read_option)
++ set_exit_status (TAREXIT_DIFFERS);
++ return false;
++ }
+
+ memset (blk->buffer + bytes_read, 0, BLOCKSIZE - bytes_read);
+ bytes_left -= bytes_read;
+@@ -464,9 +488,9 @@ sparse_extract_region (struct tar_sparse_file *file, size_t i)
+ return false;
+ }
+ set_next_block_after (blk);
++ file->dumped_size += BLOCKSIZE;
+ count = blocking_write (file->fd, blk->buffer, wrbytes);
+ write_size -= count;
+- file->dumped_size += count;
+ mv_size_left (file->stat_info->archive_file_size - file->dumped_size);
+ file->offset += count;
+ if (count != wrbytes)
+@@ -598,6 +622,12 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end)
+ rdsize);
+ return false;
+ }
++ else if (bytes_read == 0)
++ {
++ report_difference (file->stat_info, _("Size differs"));
++ return false;
++ }
++
+ if (!zero_block_p (diff_buffer, bytes_read))
+ {
+ char begbuf[INT_BUFSIZE_BOUND (off_t)];
+@@ -609,6 +639,7 @@ check_sparse_region (struct tar_sparse_file *file, off_t beg, off_t end)
+
+ beg += bytes_read;
+ }
++
+ return true;
+ }
+
+@@ -635,6 +666,7 @@ check_data_region (struct tar_sparse_file *file, size_t i)
+ return false;
+ }
+ set_next_block_after (blk);
++ file->dumped_size += BLOCKSIZE;
+ bytes_read = safe_read (file->fd, diff_buffer, rdsize);
+ if (bytes_read == SAFE_READ_ERROR)
+ {
+@@ -645,7 +677,11 @@ check_data_region (struct tar_sparse_file *file, size_t i)
+ rdsize);
+ return false;
+ }
+- file->dumped_size += bytes_read;
++ else if (bytes_read == 0)
++ {
++ report_difference (¤t_stat_info, _("Size differs"));
++ return false;
++ }
+ size_left -= bytes_read;
+ mv_size_left (file->stat_info->archive_file_size - file->dumped_size);
+ if (memcmp (blk->buffer, diff_buffer, rdsize))
+@@ -1213,7 +1249,8 @@ pax_decode_header (struct tar_sparse_file *file)
+ union block *blk;
+ char *p;
+ size_t i;
+-
++ off_t start;
++
+ #define COPY_BUF(b,buf,src) do \
+ { \
+ char *endp = b->buffer + BLOCKSIZE; \
+@@ -1229,7 +1266,6 @@ pax_decode_header (struct tar_sparse_file *file)
+ if (src == endp) \
+ { \
+ set_next_block_after (b); \
+- file->dumped_size += BLOCKSIZE; \
+ b = find_next_block (); \
+ if (!b) \
+ FATAL_ERROR ((0, 0, _("Unexpected EOF in archive"))); \
+@@ -1242,8 +1278,8 @@ pax_decode_header (struct tar_sparse_file *file)
+ dst[-1] = 0; \
+ } while (0)
+
++ start = current_block_ordinal ();
+ set_next_block_after (current_header);
+- file->dumped_size += BLOCKSIZE;
+ blk = find_next_block ();
+ if (!blk)
+ FATAL_ERROR ((0, 0, _("Unexpected EOF in archive")));
+@@ -1282,6 +1318,8 @@ pax_decode_header (struct tar_sparse_file *file)
+ sparse_add_map (file->stat_info, &sp);
+ }
+ set_next_block_after (blk);
++
++ file->dumped_size += BLOCKSIZE * (current_block_ordinal () - start);
+ }
+
+ return true;
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index 2d7939d..ac3b6e7 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -1,6 +1,6 @@
+ # Makefile for GNU tar regression tests.
+
+-# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2015 Free Software
++# Copyright 1996-1997, 1999-2001, 2003-2007, 2009, 2012-2018 Free Software
+
+ # This file is part of GNU tar.
+
+@@ -228,6 +228,9 @@ TESTSUITE_AT = \
+ spmvp00.at\
+ spmvp01.at\
+ spmvp10.at\
++ sptrcreat.at\
++ sptrdiff00.at\
++ sptrdiff01.at\
+ time01.at\
+ time02.at\
+ truncate.at\
+diff --git a/tests/sptrcreat.at b/tests/sptrcreat.at
+new file mode 100644
+index 0000000..8e28f0e
+--- /dev/null
++++ b/tests/sptrcreat.at
+@@ -0,0 +1,62 @@
++# Process this file with autom4te to create testsuite. -*- Autotest -*-
++
++# Test suite for GNU tar.
++# Copyright 2018 Free Software Foundation, Inc.
++
++# This file is part of GNU tar.
++
++# GNU tar is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++
++# GNU tar is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++# Tar up to 1.30 would loop endlessly if a sparse file had been truncated
++# while being archived (with --sparse flag).
++#
++# The bug has been assigned id CVE-2018-20482 (on the grounds that it is a
++# denial of service possibility).
++#
++# Reported by: Chris Siebenmann <cks.gnutar-01@cs.toronto.edu>
++# References: <20181226223948.781EB32008E@apps1.cs.toronto.edu>,
++# <http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html>
++# <https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug>
++# <https://nvd.nist.gov/vuln/detail/CVE-2018-20482>
++
++AT_SETUP([sparse file truncated while archiving])
++AT_KEYWORDS([truncate filechange sparse sptr sptrcreat])
++
++AT_TAR_CHECK([
++genfile --sparse --block-size=1024 --file foo \
++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ
++genfile --file baz
++genfile --run --checkpoint 3 --length 200m --truncate foo -- \
++ tar --checkpoint=1 \
++ --checkpoint-action=echo \
++ --checkpoint-action=sleep=1 \
++ --sparse -vcf bar foo baz
++echo Exit status: $?
++echo separator
++genfile --file foo --seek 200m --length 11575296 --pattern=zeros
++tar dvf bar],
++[1],
++[foo
++baz
++Exit status: 1
++separator
++foo
++foo: Mod time differs
++baz
++],
++[tar: foo: File shrank by 11575296 bytes; padding with zeros
++],
++[],[],[posix, gnu, oldgnu])
++
++AT_CLEANUP
+diff --git a/tests/sptrdiff00.at b/tests/sptrdiff00.at
+new file mode 100644
+index 0000000..c410561
+--- /dev/null
++++ b/tests/sptrdiff00.at
+@@ -0,0 +1,55 @@
++# Process this file with autom4te to create testsuite. -*- Autotest -*-
++#
++# Test suite for GNU tar.
++# Copyright 2018 Free Software Foundation, Inc.
++#
++# This file is part of GNU tar.
++#
++# GNU tar is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++#
++# GNU tar is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered
++# that similar bug exists in file checking code (tar d).
++# This test case checks if tar correctly handles a short read condition
++# appearing in check_sparse_region.
++
++AT_SETUP([file truncated in sparse region while comparing])
++AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff])
++
++# This triggers short read in check_sparse_region.
++AT_TAR_CHECK([
++genfile --sparse --block-size=1024 --file foo \
++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ
++genfile --file baz
++echo creating
++tar --sparse -vcf bar foo baz
++echo comparing
++genfile --run --checkpoint 3 --length 200m --truncate foo -- \
++ tar --checkpoint=1 \
++ --checkpoint-action=echo='Write checkpoint %u' \
++ --checkpoint-action=sleep=1 \
++ --sparse -vdf bar
++],
++[1],
++[creating
++foo
++baz
++comparing
++foo
++foo: Size differs
++baz
++],
++[],
++[],[],[posix, gnu, oldgnu])
++
++AT_CLEANUP
+diff --git a/tests/sptrdiff01.at b/tests/sptrdiff01.at
+new file mode 100644
+index 0000000..2da2267
+--- /dev/null
++++ b/tests/sptrdiff01.at
+@@ -0,0 +1,55 @@
++# Process this file with autom4te to create testsuite. -*- Autotest -*-
++#
++# Test suite for GNU tar.
++# Copyright 2018 Free Software Foundation, Inc.
++#
++# This file is part of GNU tar.
++#
++# GNU tar is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3 of the License, or
++# (at your option) any later version.
++#
++# GNU tar is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++# While fixing CVE-2018-20482 (see sptrcreat.at) it has been discovered
++# that similar bug exists in file checking code (tar d).
++# This test case checks if tar correctly handles a short read condition
++# appearing in check_data_region.
++
++AT_SETUP([file truncated in data region while comparing])
++AT_KEYWORDS([truncate filechange sparse sptr sptrdiff diff])
++
++# This triggers short read in check_data_region.
++AT_TAR_CHECK([
++genfile --sparse --block-size=1024 --file foo \
++ 0 ABCDEFGHIJ 1M ABCDEFGHIJ 10M ABCDEFGHIJ 200M ABCDEFGHIJ
++genfile --file baz
++echo creating
++tar --sparse -vcf bar foo baz
++echo comparing
++genfile --run --checkpoint 5 --length 221278210 --truncate foo -- \
++ tar --checkpoint=1 \
++ --checkpoint-action=echo='Write checkpoint %u' \
++ --checkpoint-action=sleep=1 \
++ --sparse -vdf bar
++],
++[1],
++[creating
++foo
++baz
++comparing
++foo
++foo: Size differs
++baz
++],
++[],
++[],[],[posix, gnu, oldgnu])
++
++AT_CLEANUP
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index 2a83757..23386f7 100644
+--- a/tests/testsuite.at
++++ b/tests/testsuite.at
+@@ -1,7 +1,7 @@
+ # Process this file with autom4te to create testsuite. -*- Autotest -*-
+
+ # Test suite for GNU tar.
+-# Copyright 2004-2008, 2010-2017 Free Software Foundation, Inc.
++# Copyright 2004-2008, 2010-2018 Free Software Foundation, Inc.
+
+ # This file is part of GNU tar.
+
+@@ -405,6 +405,9 @@ m4_include([sparsemv.at])
+ m4_include([spmvp00.at])
+ m4_include([spmvp01.at])
+ m4_include([spmvp10.at])
++m4_include([sptrcreat.at])
++m4_include([sptrdiff00.at])
++m4_include([sptrdiff01.at])
+
+ AT_BANNER([Updates])
+ m4_include([update.at])
+--
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-extended/tar/tar_1.30.bb b/meta/recipes-extended/tar/tar_1.30.bb
index ab1b33b..7cf0522 100644
--- a/meta/recipes-extended/tar/tar_1.30.bb
+++ b/meta/recipes-extended/tar/tar_1.30.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
file://remove-gets.patch \
file://musl_dirent.patch \
file://CVE-2019-9923.patch \
+ file://CVE-2018-20482.patch \
"
SRC_URI[md5sum] = "8404e4c1fc5a3000228ab2b8ad674a65"
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 05/18] sudo: Fix CVE-2019-14287
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (3 preceding siblings ...)
2019-12-16 15:59 ` [thud 04/18] tar: Fix CVE-2018-20482 Armin Kuster
@ 2019-12-16 15:59 ` Armin Kuster
2019-12-16 15:59 ` [thud 06/18] cve-check: backport rewrite from master Armin Kuster
` (13 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 15:59 UTC (permalink / raw)
To: openembedded-core
From: Dan Tran <dantran@microsoft.com>
Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../sudo/sudo/CVE-2019-14287_p1.patch | 170 +++++++++++++++++++++
.../sudo/sudo/CVE-2019-14287_p2.patch | 98 ++++++++++++
meta/recipes-extended/sudo/sudo_1.8.23.bb | 2 +
3 files changed, 270 insertions(+)
create mode 100644 meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
create mode 100644 meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
new file mode 100644
index 0000000..f954fac
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p1.patch
@@ -0,0 +1,170 @@
+Treat an ID of -1 as invalid since that means "no change".
+Fixes CVE-2019-14287.
+Found by Joe Vennix from Apple Information Security.
+
+CVE: CVE-2019-14287
+Upstream-Status: Backport
+[https://www.sudo.ws/repos/sudo/rev/83db8dba09e7]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+
+Index: sudo-1.8.21p2/lib/util/strtoid.c
+===================================================================
+--- sudo-1.8.21p2.orig/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400
++++ sudo-1.8.21p2/lib/util/strtoid.c 2019-10-10 14:31:08.338476078 -0400
+@@ -42,6 +42,27 @@
+ #include "sudo_util.h"
+
+ /*
++ * Make sure that the ID ends with a valid separator char.
++ */
++static bool
++valid_separator(const char *p, const char *ep, const char *sep)
++{
++ bool valid = false;
++ debug_decl(valid_separator, SUDO_DEBUG_UTIL)
++
++ if (ep != p) {
++ /* check for valid separator (including '\0') */
++ if (sep == NULL)
++ sep = "";
++ do {
++ if (*ep == *sep)
++ valid = true;
++ } while (*sep++ != '\0');
++ }
++ debug_return_bool(valid);
++}
++
++/*
+ * Parse a uid/gid in string form.
+ * If sep is non-NULL, it contains valid separator characters (e.g. comma, space)
+ * If endp is non-NULL it is set to the next char after the ID.
+@@ -55,36 +76,33 @@ sudo_strtoid_v1(const char *p, const cha
+ char *ep;
+ id_t ret = 0;
+ long long llval;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
++ /* While id_t may be 64-bit signed, uid_t and gid_t are 32-bit unsigned. */
+ errno = 0;
+ llval = strtoll(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
++ if ((errno == ERANGE && llval == LLONG_MAX) || llval > (id_t)UINT_MAX) {
++ errno = ERANGE;
++ if (errstr != NULL)
++ *errstr = N_("value too large");
++ goto done;
+ }
+- if (!valid) {
++ if ((errno == ERANGE && llval == LLONG_MIN) || llval < INT_MIN) {
++ errno = ERANGE;
+ if (errstr != NULL)
+- *errstr = N_("invalid value");
+- errno = EINVAL;
++ *errstr = N_("value too small");
+ goto done;
+ }
+- if (errno == ERANGE) {
+- if (errstr != NULL) {
+- if (llval == LLONG_MAX)
+- *errstr = N_("value too large");
+- else
+- *errstr = N_("value too small");
+- }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || llval == -1 || llval == (id_t)UINT_MAX) {
++ if (errstr != NULL)
++ *errstr = N_("invalid value");
++ errno = EINVAL;
+ goto done;
+ }
+ ret = (id_t)llval;
+@@ -101,30 +119,15 @@ sudo_strtoid_v1(const char *p, const cha
+ {
+ char *ep;
+ id_t ret = 0;
+- bool valid = false;
+ debug_decl(sudo_strtoid, SUDO_DEBUG_UTIL)
+
+ /* skip leading space so we can pick up the sign, if any */
+ while (isspace((unsigned char)*p))
+ p++;
+- if (sep == NULL)
+- sep = "";
++
+ errno = 0;
+ if (*p == '-') {
+ long lval = strtol(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
+- if (errstr != NULL)
+- *errstr = N_("invalid value");
+- errno = EINVAL;
+- goto done;
+- }
+ if ((errno == ERANGE && lval == LONG_MAX) || lval > INT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+@@ -137,28 +140,31 @@ sudo_strtoid_v1(const char *p, const cha
+ *errstr = N_("value too small");
+ goto done;
+ }
+- ret = (id_t)lval;
+- } else {
+- unsigned long ulval = strtoul(p, &ep, 10);
+- if (ep != p) {
+- /* check for valid separator (including '\0') */
+- do {
+- if (*ep == *sep)
+- valid = true;
+- } while (*sep++ != '\0');
+- }
+- if (!valid) {
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || lval == -1) {
+ if (errstr != NULL)
+ *errstr = N_("invalid value");
+ errno = EINVAL;
+ goto done;
+ }
++ ret = (id_t)lval;
++ } else {
++ unsigned long ulval = strtoul(p, &ep, 10);
+ if ((errno == ERANGE && ulval == ULONG_MAX) || ulval > UINT_MAX) {
+ errno = ERANGE;
+ if (errstr != NULL)
+ *errstr = N_("value too large");
+ goto done;
+ }
++
++ /* Disallow id -1, which means "no change". */
++ if (!valid_separator(p, ep, sep) || ulval == UINT_MAX) {
++ if (errstr != NULL)
++ *errstr = N_("invalid value");
++ errno = EINVAL;
++ goto done;
++ }
+ ret = (id_t)ulval;
+ }
+ if (errstr != NULL)
diff --git a/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch
new file mode 100644
index 0000000..dcb2703
--- /dev/null
+++ b/meta/recipes-extended/sudo/sudo/CVE-2019-14287_p2.patch
@@ -0,0 +1,98 @@
+CVE: CVE-2019-14287
+Upstream-Status: Backport
+[https://www.sudo.ws/repos/sudo/rev/db06a8336c09]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+
+Index: sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c
+===================================================================
+--- sudo-1.8.21p2.orig/lib/util/regress/atofoo/atofoo_test.c 2019-10-11 07:11:49.874655384 -0400
++++ sudo-1.8.21p2/lib/util/regress/atofoo/atofoo_test.c 2019-10-11 07:13:07.471005893 -0400
+@@ -24,6 +24,7 @@
+ #else
+ # include "compat/stdbool.h"
+ #endif
++#include <errno.h>
+
+ #include "sudo_compat.h"
+ #include "sudo_util.h"
+@@ -78,15 +79,20 @@ static struct strtoid_data {
+ id_t id;
+ const char *sep;
+ const char *ep;
++ int errnum;
+ } strtoid_data[] = {
+- { "0,1", 0, ",", "," },
+- { "10", 10, NULL, NULL },
+- { "-2", -2, NULL, NULL },
++ { "0,1", 0, ",", ",", 0 },
++ { "10", 10, NULL, NULL, 0 },
++ { "-1", 0, NULL, NULL, EINVAL },
++ { "4294967295", 0, NULL, NULL, EINVAL },
++ { "4294967296", 0, NULL, NULL, ERANGE },
++ { "-2147483649", 0, NULL, NULL, ERANGE },
++ { "-2", -2, NULL, NULL, 0 },
+ #if SIZEOF_ID_T != SIZEOF_LONG_LONG
+- { "-2", 4294967294U, NULL, NULL },
++ { "-2", (id_t)4294967294U, NULL, NULL, 0 },
+ #endif
+- { "4294967294", 4294967294U, NULL, NULL },
+- { NULL, 0, NULL, NULL }
++ { "4294967294", (id_t)4294967294U, NULL, NULL, 0 },
++ { NULL, 0, NULL, NULL, 0 }
+ };
+
+ static int
+@@ -102,11 +108,23 @@ test_strtoid(int *ntests)
+ (*ntests)++;
+ errstr = "some error";
+ value = sudo_strtoid(d->idstr, d->sep, &ep, &errstr);
+- if (errstr != NULL) {
+- if (d->id != (id_t)-1) {
+- sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++ if (d->errnum != 0) {
++ if (errstr == NULL) {
++ sudo_warnx_nodebug("FAIL: %s: missing errstr for errno %d",
++ d->idstr, d->errnum);
++ errors++;
++ } else if (value != 0) {
++ sudo_warnx_nodebug("FAIL: %s should return 0 on error",
++ d->idstr);
++ errors++;
++ } else if (errno != d->errnum) {
++ sudo_warnx_nodebug("FAIL: %s: errno mismatch, %d != %d",
++ d->idstr, errno, d->errnum);
+ errors++;
+ }
++ } else if (errstr != NULL) {
++ sudo_warnx_nodebug("FAIL: %s: %s", d->idstr, errstr);
++ errors++;
+ } else if (value != d->id) {
+ sudo_warnx_nodebug("FAIL: %s != %u", d->idstr, (unsigned int)d->id);
+ errors++;
+Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok
+===================================================================
+--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-11 07:11:49.874655384 -0400
++++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.out.ok 2019-10-11 07:11:49.870655365 -0400
+@@ -4,7 +4,7 @@ Parse error in sudoers near line 1.
+ Entries for user root:
+
+ Command unmatched
+-testsudoers: test5.inc should be owned by gid 4294967295
++testsudoers: test5.inc should be owned by gid 4294967294
+ Parse error in sudoers near line 1.
+
+ Entries for user root:
+Index: sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh
+===================================================================
+--- sudo-1.8.21p2.orig/plugins/sudoers/regress/testsudoers/test5.sh 2019-10-11 07:11:49.874655384 -0400
++++ sudo-1.8.21p2/plugins/sudoers/regress/testsudoers/test5.sh 2019-10-11 07:11:49.870655365 -0400
+@@ -24,7 +24,7 @@ EOF
+
+ # Test group writable
+ chmod 664 $TESTFILE
+-./testsudoers -U $MYUID -G -1 root id <<EOF
++./testsudoers -U $MYUID -G -2 root id <<EOF
+ #include $TESTFILE
+ EOF
+
diff --git a/meta/recipes-extended/sudo/sudo_1.8.23.bb b/meta/recipes-extended/sudo/sudo_1.8.23.bb
index ce32bd1..d12cf2d 100644
--- a/meta/recipes-extended/sudo/sudo_1.8.23.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.23.bb
@@ -3,6 +3,8 @@ require sudo.inc
SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://0001-Include-sys-types.h-for-id_t-definition.patch \
+ file://CVE-2019-14287_p1.patch \
+ file://CVE-2019-14287_p2.patch \
"
PAM_SRC_URI = "file://sudo.pam"
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 06/18] cve-check: backport rewrite from master
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (4 preceding siblings ...)
2019-12-16 15:59 ` [thud 05/18] sudo: Fix CVE-2019-14287 Armin Kuster
@ 2019-12-16 15:59 ` Armin Kuster
2019-12-16 15:59 ` [thud 07/18] cve-check: ensure all known CVEs are in the report Armin Kuster
` (12 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 15:59 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
As detailed at [1] the XML feeds provided by NIST are being discontinued on
October 9th 2019. As cve-check-tool uses these feeds, cve-check.bbclass will be
inoperable after this date.
To ensure that cve-check continues working, backport the following commits from
master to move away from the unmaintained cve-check-tool to our own Python code
that fetches the JSON:
546d14135c5 cve-update-db: New recipe to update CVE database
bc144b028f6 cve-check: Remove dependency to cve-check-tool-native
7f62a20b32a cve-check: Manage CVE_PRODUCT with more than one name
3bf63bc6084 cve-check: Consider CVE that affects versions with less than operator
c0eabd30d7b cve-update-db: Use std library instead of urllib3
27eb839ee65 cve-check: be idiomatic
09be21f4d17 cve-update-db: Manage proxy if needed.
975793e3825 cve-update-db: do_populate_cve_db depends on do_fetch
0325dd72714 cve-update-db: Catch request.urlopen errors.
4078da92b49 cve-check: Depends on cve-update-db-native
f7676e9a38d cve-update-db: Use NVD CPE data to populate PRODUCTS table
bc0195be1b1 cve-check: Update unpatched CVE matching
c807c2a6409 cve-update-db-native: Skip recipe when cve-check class is not loaded.
07bb8b25e17 cve-check: remove redundant readline CVE whitelisting
5388ed6d137 cve-check-tool: remove
270ac00cb43 cve-check.bbclass: initialize to_append
e6bf9000987 cve-check: allow comparison of Vendor as well as Product
91770338f76 cve-update-db-native: use SQL placeholders instead of format strings
7069302a4cc cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
78de2cb39d7 cve-update-db-native: Remove hash column from database.
4b301030cf9 cve-update-db-native: use os.path.join instead of +
f0d822fad2a cve-update-db: actually inherit native
b309840b6aa cve-update-db-native: use executemany() to optimise CPE insertion
bb4e53af33d cve-update-db-native: improve metadata parsing
94227459792 cve-update-db-native: clean up JSON fetching
95438d52b73 cve-update-db-native: fix https proxy issues
1f9a963b9ff glibc: exclude child recipes from CVE scanning
[1] https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement
(From OE-Core rev: 8c87e78547c598cada1bce92e7b25d85b994e2eb)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/cve-check.bbclass | 142 ++++++++------
meta/conf/distro/include/maintainers.inc | 1 +
meta/recipes-core/glibc/glibc-locale.inc | 3 +
meta/recipes-core/glibc/glibc-mtrace.inc | 3 +
meta/recipes-core/glibc/glibc-scripts.inc | 3 +
meta/recipes-core/meta/cve-update-db-native.bb | 195 +++++++++++++++++++
.../cve-check-tool/cve-check-tool_5.6.4.bb | 62 ------
...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 -----
...ow-overriding-default-CA-certificate-file.patch | 215 ---------------------
...ogress-in-percent-when-downloading-CVE-db.patch | 135 -------------
...are-computed-vs-expected-sha256-digit-str.patch | 52 -----
.../check-for-malloc_trim-before-using-it.patch | 51 -----
12 files changed, 292 insertions(+), 620 deletions(-)
create mode 100644 meta/recipes-core/meta/cve-update-db-native.bb
delete mode 100644 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
delete mode 100644 meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 743bc08..c00d291 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -37,32 +37,33 @@ CVE_CHECK_COPY_FILES ??= "1"
CVE_CHECK_CREATE_MANIFEST ??= "1"
# Whitelist for packages (PN)
-CVE_CHECK_PN_WHITELIST = "\
- glibc-locale \
-"
+CVE_CHECK_PN_WHITELIST ?= ""
-# Whitelist for CVE and version of package
-CVE_CHECK_CVE_WHITELIST = "{\
- 'CVE-2014-2524': ('6.3','5.2',), \
-}"
+# Whitelist for CVE. If a CVE is found, then it is considered patched.
+# The value is a string containing space separated CVE values:
+#
+# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
+#
+CVE_CHECK_WHITELIST ?= ""
python do_cve_check () {
"""
Check recipe for patched and unpatched CVEs
"""
- if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
+ if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
patched_cves = get_patches_cves(d)
patched, unpatched = check_cves(d, patched_cves)
if patched or unpatched:
cve_data = get_cve_info(d, patched + unpatched)
cve_write_data(d, patched, unpatched, cve_data)
else:
- bb.note("Failed to update CVE database, skipping CVE check")
+ bb.note("No CVE database found, skipping CVE check")
+
}
addtask cve_check after do_unpack before do_build
-do_cve_check[depends] = "cve-check-tool-native:do_populate_sysroot cve-check-tool-native:do_populate_cve_db"
+do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
do_cve_check[nostamp] = "1"
python cve_check_cleanup () {
@@ -163,65 +164,94 @@ def get_patches_cves(d):
def check_cves(d, patched_cves):
"""
- Run cve-check-tool looking for patched and unpatched CVEs.
+ Connect to the NVD database and find unpatched cves.
"""
-
import ast, csv, tempfile, subprocess, io
+ from distutils.version import LooseVersion
- cves_patched = []
cves_unpatched = []
- bpn = d.getVar("CVE_PRODUCT")
+ # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
+ products = d.getVar("CVE_PRODUCT").split()
# If this has been unset then we're not scanning for CVEs here (for example, image recipes)
- if not bpn:
+ if not products:
return ([], [])
pv = d.getVar("CVE_VERSION").split("+git")[0]
- cves = " ".join(patched_cves)
- cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
- cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
- cve_cmd = "cve-check-tool"
- cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
# If the recipe has been whitlisted we return empty lists
if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
bb.note("Recipe has been whitelisted, skipping check")
return ([], [])
- try:
- # Write the faux CSV file to be used with cve-check-tool
- fd, faux = tempfile.mkstemp(prefix="cve-faux-")
- with os.fdopen(fd, "w") as f:
- for pn in bpn.split():
- f.write("%s,%s,%s,\n" % (pn, pv, cves))
- cmd.append(faux)
-
- output = subprocess.check_output(cmd).decode("utf-8")
- bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output))
- except subprocess.CalledProcessError as e:
- bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output))
- finally:
- os.remove(faux)
-
- for row in csv.reader(io.StringIO(output)):
- # Third row has the unpatched CVEs
- if row[2]:
- for cve in row[2].split():
- # Skip if the CVE has been whitlisted for the current version
- if pv in cve_whitelist.get(cve,[]):
- bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve))
+ old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
+ if old_cve_whitelist:
+ bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
+ cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
+
+ import sqlite3
+ db_file = d.getVar("CVE_CHECK_DB_FILE")
+ conn = sqlite3.connect(db_file)
+
+ for product in products:
+ c = conn.cursor()
+ if ":" in product:
+ vendor, product = product.split(":", 1)
+ c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor))
+ else:
+ c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
+
+ for row in c:
+ cve = row[0]
+ version_start = row[3]
+ operator_start = row[4]
+ version_end = row[5]
+ operator_end = row[6]
+
+ if cve in cve_whitelist:
+ bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
+ elif cve in patched_cves:
+ bb.note("%s has been patched" % (cve))
+ else:
+ to_append = False
+ if (operator_start == '=' and pv == version_start):
+ cves_unpatched.append(cve)
else:
+ if operator_start:
+ try:
+ to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
+ to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+ except:
+ bb.note("%s: Failed to compare %s %s %s for %s" %
+ (product, pv, operator_start, version_start, cve))
+ to_append_start = False
+ else:
+ to_append_start = False
+
+ if operator_end:
+ try:
+ to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
+ to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+ except:
+ bb.note("%s: Failed to compare %s %s %s for %s" %
+ (product, pv, operator_end, version_end, cve))
+ to_append_end = False
+ else:
+ to_append_end = False
+
+ if operator_start and operator_end:
+ to_append = to_append_start and to_append_end
+ else:
+ to_append = to_append_start or to_append_end
+
+ if to_append:
cves_unpatched.append(cve)
- bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve))
- # Fourth row has patched CVEs
- if row[3]:
- for cve in row[3].split():
- cves_patched.append(cve)
- bb.debug(2, "%s-%s is patched for %s" % (bpn, pv, cve))
+ bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
+ conn.close()
- return (cves_patched, cves_unpatched)
+ return (list(patched_cves), cves_unpatched)
def get_cve_info(d, cves):
"""
- Get CVE information from the database used by cve-check-tool.
+ Get CVE information from the database.
Unfortunately the only way to get CVE info is set the output to
html (hard to parse) or query directly the database.
@@ -241,9 +271,10 @@ def get_cve_info(d, cves):
for row in cur.execute(query, tuple(cves)):
cve_data[row[0]] = {}
cve_data[row[0]]["summary"] = row[1]
- cve_data[row[0]]["score"] = row[2]
- cve_data[row[0]]["modified"] = row[3]
- cve_data[row[0]]["vector"] = row[4]
+ cve_data[row[0]]["scorev2"] = row[2]
+ cve_data[row[0]]["scorev3"] = row[3]
+ cve_data[row[0]]["modified"] = row[4]
+ cve_data[row[0]]["vector"] = row[5]
conn.close()
return cve_data
@@ -270,7 +301,8 @@ def cve_write_data(d, patched, unpatched, cve_data):
unpatched_cves.append(cve)
write_string += "CVE STATUS: Unpatched\n"
write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
- write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"]
+ write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
+ write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 672f067..c027901 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -116,6 +116,7 @@ RECIPE_MAINTAINER_pn-cryptodev-tests = "Robert Yang <liezhi.yang@windriver.com>"
RECIPE_MAINTAINER_pn-cups = "Chen Qi <Qi.Chen@windriver.com>"
RECIPE_MAINTAINER_pn-curl = "Armin Kuster <akuster808@gmail.com>"
RECIPE_MAINTAINER_pn-cve-check-tool = "Ross Burton <ross.burton@intel.com>"
+RECIPE_MAINTAINER_pn-cve-update-db-native = "Ross Burton <ross.burton@intel.com>"
RECIPE_MAINTAINER_pn-cwautomacros = "Ross Burton <ross.burton@intel.com>"
RECIPE_MAINTAINER_pn-db = "Mark Hatle <mark.hatle@windriver.com>"
RECIPE_MAINTAINER_pn-dbus = "Chen Qi <Qi.Chen@windriver.com>"
diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc
index 1b676dc..97d83cb 100644
--- a/meta/recipes-core/glibc/glibc-locale.inc
+++ b/meta/recipes-core/glibc/glibc-locale.inc
@@ -95,3 +95,6 @@ do_install () {
inherit libc-package
BBCLASSEXTEND = "nativesdk"
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc
index d703c14..ef9d60e 100644
--- a/meta/recipes-core/glibc/glibc-mtrace.inc
+++ b/meta/recipes-core/glibc/glibc-mtrace.inc
@@ -11,3 +11,6 @@ do_install() {
install -d -m 0755 ${D}${bindir}
install -m 0755 ${SRC}/mtrace ${D}${bindir}/
}
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc
index 2a2b415..14a14e4 100644
--- a/meta/recipes-core/glibc/glibc-scripts.inc
+++ b/meta/recipes-core/glibc/glibc-scripts.inc
@@ -18,3 +18,6 @@ do_install() {
# sotruss script requires sotruss-lib.so (given by libsotruss package),
# to produce trace of the library calls.
RDEPENDS_${PN} += "libsotruss"
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
new file mode 100644
index 0000000..2c427a5
--- /dev/null
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -0,0 +1,195 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "MIT"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+
+deltask do_unpack
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+
+python () {
+ if not d.getVar("CVE_CHECK_DB_FILE"):
+ raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
+}
+
+python do_populate_cve_db() {
+ """
+ Update NVD database with json data feed
+ """
+
+ import sqlite3, urllib, urllib.parse, shutil, gzip
+ from datetime import date
+
+ BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
+ YEAR_START = 2002
+
+ db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK')
+ db_file = os.path.join(db_dir, 'nvdcve_1.0.db')
+ json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
+ proxy = d.getVar("https_proxy")
+
+ if proxy:
+ # instantiate an opener but do not install it as the global
+ # opener unless if we're really sure it's applicable for all
+ # urllib requests
+ proxy_handler = urllib.request.ProxyHandler({'https': proxy})
+ proxy_opener = urllib.request.build_opener(proxy_handler)
+ else:
+ proxy_opener = None
+
+ cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
+
+ if not os.path.isdir(db_dir):
+ os.mkdir(db_dir)
+
+ # Connect to database
+ conn = sqlite3.connect(db_file)
+ c = conn.cursor()
+
+ initialize_db(c)
+
+ for year in range(YEAR_START, date.today().year + 1):
+ year_url = BASE_URL + str(year)
+ meta_url = year_url + ".meta"
+ json_url = year_url + ".json.gz"
+
+ # Retrieve meta last modified date
+
+ response = None
+
+ if proxy_opener:
+ response = proxy_opener.open(meta_url)
+ else:
+ req = urllib.request.Request(meta_url)
+ response = urllib.request.urlopen(req)
+
+ if response:
+ for l in response.read().decode("utf-8").splitlines():
+ key, value = l.split(":", 1)
+ if key == "lastModifiedDate":
+ last_modified = value
+ break
+ else:
+ bb.warn("Cannot parse CVE metadata, update failed")
+ return
+
+ # Compare with current db last modified date
+ c.execute("select DATE from META where YEAR = ?", (year,))
+ meta = c.fetchone()
+ if not meta or meta[0] != last_modified:
+ # Clear products table entries corresponding to current year
+ c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,))
+
+ # Update db with current year json file
+ try:
+ if proxy_opener:
+ response = proxy_opener.open(json_url)
+ else:
+ req = urllib.request.Request(json_url)
+ response = urllib.request.urlopen(req)
+
+ if response:
+ update_db(c, gzip.decompress(response.read()).decode('utf-8'))
+ c.execute("insert or replace into META values (?, ?)", [year, last_modified])
+ except urllib.error.URLError as e:
+ cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+ bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
+ return
+
+ # Update success, set the date to cve_check file.
+ if year == date.today().year:
+ cve_f.write('CVE database update : %s\n\n' % date.today())
+
+ cve_f.close()
+ conn.commit()
+ conn.close()
+}
+
+def initialize_db(c):
+ c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
+ c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
+ SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+ c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
+ VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
+ VERSION_END TEXT, OPERATOR_END TEXT)")
+
+def parse_node_and_insert(c, node, cveId):
+ # Parse children node if needed
+ for child in node.get('children', ()):
+ parse_node_and_insert(c, child, cveId)
+
+ def cpe_generator():
+ for cpe in node.get('cpe_match', ()):
+ if not cpe['vulnerable']:
+ return
+ cpe23 = cpe['cpe23Uri'].split(':')
+ vendor = cpe23[3]
+ product = cpe23[4]
+ version = cpe23[5]
+
+ if version != '*':
+ # Version is defined, this is a '=' match
+ yield [cveId, vendor, product, version, '=', '', '']
+ else:
+ # Parse start version, end version and operators
+ op_start = ''
+ op_end = ''
+ v_start = ''
+ v_end = ''
+
+ if 'versionStartIncluding' in cpe:
+ op_start = '>='
+ v_start = cpe['versionStartIncluding']
+
+ if 'versionStartExcluding' in cpe:
+ op_start = '>'
+ v_start = cpe['versionStartExcluding']
+
+ if 'versionEndIncluding' in cpe:
+ op_end = '<='
+ v_end = cpe['versionEndIncluding']
+
+ if 'versionEndExcluding' in cpe:
+ op_end = '<'
+ v_end = cpe['versionEndExcluding']
+
+ yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+
+ c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator())
+
+def update_db(c, jsondata):
+ import json
+ root = json.loads(jsondata)
+
+ for elt in root['CVE_Items']:
+ if not elt['impact']:
+ continue
+
+ cveId = elt['cve']['CVE_data_meta']['ID']
+ cveDesc = elt['cve']['description']['description_data'][0]['value']
+ date = elt['lastModifiedDate']
+ accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
+ cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
+
+ try:
+ cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+ except:
+ cvssv3 = 0.0
+
+ c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
+ [cveId, cveDesc, cvssv2, cvssv3, date, accessVector])
+
+ configurations = elt['configurations']['nodes']
+ for config in configurations:
+ parse_node_and_insert(c, config, cveId)
+
+
+addtask do_populate_cve_db before do_fetch
+do_populate_cve_db[nostamp] = "1"
+
+EXCLUDE_FROM_WORLD = "1"
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
deleted file mode 100644
index 1c84fb1..0000000
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ /dev/null
@@ -1,62 +0,0 @@
-SUMMARY = "cve-check-tool"
-DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\
-The tool will identify potentially vunlnerable software packages within Linux distributions through version matching."
-HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool"
-SECTION = "Development/Tools"
-LICENSE = "GPL-2.0+"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
-
-SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
- file://check-for-malloc_trim-before-using-it.patch \
- file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
- file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
- file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
- file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
- "
-
-SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
-SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b"
-
-UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases"
-
-DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates"
-
-RDEPENDS_${PN} = "ca-certificates"
-
-inherit pkgconfig autotools
-
-EXTRA_OECONF = "--disable-coverage --enable-relative-plugins"
-CFLAGS_append = " -Wno-error=pedantic"
-
-do_populate_cve_db() {
- if [ "${BB_NO_NETWORK}" = "1" ] ; then
- bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected"
- return
- fi
-
- # In case we don't inherit cve-check class, use default values defined in the class.
- cve_dir="${CVE_CHECK_DB_DIR}"
- cve_file="${CVE_CHECK_TMP_FILE}"
-
- [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"
- [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
-
- unused="${@bb.utils.export_proxies(d)}"
- bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
- # --cacert works around curl-native not finding the CA bundle
- if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
- printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
- else
- bbwarn "Error in executing cve-check-update"
- if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then
- bbwarn "Failed to update cve-check-tool database, CVEs won't be checked"
- fi
- fi
-}
-
-addtask populate_cve_db after do_populate_sysroot
-do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"
-do_populate_cve_db[nostamp] = "1"
-do_populate_cve_db[progress] = "percent"
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
deleted file mode 100644
index 4a82cf2..0000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
-From: Peter Marko <peter.marko@siemens.com>
-Date: Thu, 13 Apr 2017 23:09:52 +0200
-Subject: [PATCH] Fix freeing memory allocated by sqlite
-
-Upstream-Status: Backport
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- src/core.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/core.c b/src/core.c
-index 6263031..6788f16 100644
---- a/src/core.c
-+++ b/src/core.c
-@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
- rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
- if (rc != SQLITE_OK) {
- fprintf(stderr, "ensure_table(): %s\n", err);
-- free(err);
-+ sqlite3_free(err);
- return false;
- }
-
-@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
- rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
- if (rc != SQLITE_OK) {
- fprintf(stderr, "ensure_table(): %s\n", err);
-- free(err);
-+ sqlite3_free(err);
- return false;
- }
-
-@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
- rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
- if (rc != SQLITE_OK) {
- fprintf(stderr, "ensure_table(): %s\n", err);
-- free(err);
-+ sqlite3_free(err);
- return false;
- }
- if (err) {
-- free(err);
-+ sqlite3_free(err);
- }
-
- return true;
---
-2.1.4
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
deleted file mode 100644
index 3d8ebd1..0000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
-From: Jussi Kukkonen <jussi.kukkonen@intel.com>
-Date: Thu, 9 Feb 2017 14:51:28 +0200
-Subject: [PATCH] curl: allow overriding default CA certificate file
-
-Similar to curl, --cacert can now be used in cve-check-tool and
-cve-check-update to override the default CA certificate file. Useful
-in cases where the system default is unsuitable (for example,
-out-dated) or broken (as in OE's current native libcurl, which embeds
-a path string from one build host and then uses it on another although
-the right path may have become something different).
-
-Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
-
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-
-
-Took Patrick Ohlys original patch from meta-security-isafw, rebased
-on top of other patches.
-
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
----
- src/library/cve-check-tool.h | 1 +
- src/library/fetch.c | 10 +++++++++-
- src/library/fetch.h | 3 ++-
- src/main.c | 5 ++++-
- src/update-main.c | 4 +++-
- src/update.c | 12 +++++++-----
- src/update.h | 2 +-
- 7 files changed, 27 insertions(+), 10 deletions(-)
-
-diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
-index e4bb5b1..f89eade 100644
---- a/src/library/cve-check-tool.h
-+++ b/src/library/cve-check-tool.h
-@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
- bool bugs; /**<Whether bug tracking is enabled */
- GHashTable *mapping; /**<CVE Mapping */
- const char *output_file; /**<Output file, if any */
-+ const char *cacert_file; /**<Non-default SSL certificate file, if any */
- } CveCheckTool;
-
- /**
-diff --git a/src/library/fetch.c b/src/library/fetch.c
-index 0fe6d76..8f998c3 100644
---- a/src/library/fetch.c
-+++ b/src/library/fetch.c
-@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
- }
-
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-- unsigned int start_percent, unsigned int end_percent)
-+ unsigned int start_percent, unsigned int end_percent,
-+ const char *cacert_file)
- {
- FetchStatus ret = FETCH_STATUS_FAIL;
- CURLcode res;
-@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
- return ret;
- }
-
-+ if (cacert_file) {
-+ res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
-+ if (res != CURLE_OK) {
-+ goto bail;
-+ }
-+ }
-+
- if (stat(target, &st) == 0) {
- res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
- if (res != CURLE_OK) {
-diff --git a/src/library/fetch.h b/src/library/fetch.h
-index 4cce5d1..836c7d7 100644
---- a/src/library/fetch.h
-+++ b/src/library/fetch.h
-@@ -29,7 +29,8 @@ typedef enum {
- * @return A FetchStatus, indicating the operation taken
- */
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-- unsigned int this_percent, unsigned int next_percent);
-+ unsigned int this_percent, unsigned int next_percent,
-+ const char *cacert_file);
-
- /**
- * Attempt to extract the given gzipped file
-diff --git a/src/main.c b/src/main.c
-index 8e6f158..ae69d47 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -280,6 +280,7 @@ static bool csv_mode = false;
- static char *modified_stamp = NULL;
- static gchar *mapping_file = NULL;
- static gchar *output_file = NULL;
-+static gchar *cacert_file = NULL;
-
- static GOptionEntry _entries[] = {
- { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
-@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
- { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
- { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
- { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
-+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
- { .short_name = 0 }
- };
-
-@@ -492,6 +494,7 @@ int main(int argc, char **argv)
-
- quiet = csv_mode || !no_html;
- self->output_file = output_file;
-+ self->cacert_file = cacert_file;
-
- if (!csv_mode && self->output_file) {
- quiet = false;
-@@ -530,7 +533,7 @@ int main(int argc, char **argv)
- if (status) {
- fprintf(stderr, "Update of db forced\n");
- cve_db_unlock();
-- if (!update_db(quiet, db_path->str)) {
-+ if (!update_db(quiet, db_path->str, self->cacert_file)) {
- fprintf(stderr, "DB update failure\n");
- goto cleanup;
- }
-diff --git a/src/update-main.c b/src/update-main.c
-index 2379cfa..c52d9d0 100644
---- a/src/update-main.c
-+++ b/src/update-main.c
-@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
- static gchar *nvds = NULL;
- static bool _show_version = false;
- static bool _quiet = false;
-+static const char *_cacert_file = NULL;
-
- static GOptionEntry _entries[] = {
- { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
- { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
- { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
-+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
- { .short_name = 0 }
- };
-
-@@ -88,7 +90,7 @@ int main(int argc, char **argv)
- goto end;
- }
-
-- if (update_db(_quiet, db_path->str)) {
-+ if (update_db(_quiet, db_path->str, _cacert_file)) {
- ret = EXIT_SUCCESS;
- } else {
- fprintf(stderr, "Failed to update database\n");
-diff --git a/src/update.c b/src/update.c
-index 070560a..8cb4a39 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
-
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
- bool db_exist, bool verbose,
-- unsigned int this_percent, unsigned int next_percent)
-+ unsigned int this_percent, unsigned int next_percent,
-+ const char *cacert_file)
- {
- const char nvd_uri[] = URI_PREFIX;
- autofree(cve_string) *uri_meta = NULL;
-@@ -331,14 +332,14 @@ refetch:
- }
-
- /* Fetch NVD META file */
-- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
-+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
- if (st == FETCH_STATUS_FAIL) {
- fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
- return -1;
- }
-
- /* Fetch NVD XML file */
-- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
-+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
- switch (st) {
- case FETCH_STATUS_FAIL:
- fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
-@@ -391,7 +392,7 @@ refetch:
- return 0;
- }
-
--bool update_db(bool quiet, const char *db_file)
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file)
- {
- autofree(char) *db_dir = NULL;
- autofree(CveDB) *cve_db = NULL;
-@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
- if (!quiet)
- fprintf(stderr, "completed: %u%%\r", start_percent);
- rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
-- start_percent, end_percent);
-+ start_percent, end_percent,
-+ cacert_file);
- switch (rc) {
- case 0:
- if (!quiet)
-diff --git a/src/update.h b/src/update.h
-index b8e9911..ceea0c3 100644
---- a/src/update.h
-+++ b/src/update.h
-@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);
-
- int update_required(const char *db_file);
-
--bool update_db(bool quiet, const char *db_file);
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file);
-
-
- /*
---
-2.1.4
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
deleted file mode 100644
index 8ea6f68..0000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net>
-Date: Mon, 26 Sep 2016 12:12:41 +0100
-Subject: [PATCH] print progress in percent when downloading CVE db
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Upstream-Status: Pending
-Signed-off-by: André Draszik <git@andred.net>
----
- src/library/fetch.c | 28 +++++++++++++++++++++++++++-
- src/library/fetch.h | 3 ++-
- src/update.c | 16 ++++++++++++----
- 3 files changed, 41 insertions(+), 6 deletions(-)
-
-diff --git a/src/library/fetch.c b/src/library/fetch.c
-index 06d4b30..0fe6d76 100644
---- a/src/library/fetch.c
-+++ b/src/library/fetch.c
-@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f
- return fwrite(ptr, size, nmemb, f->f);
- }
-
--FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
-+struct percent_t {
-+ unsigned int start;
-+ unsigned int end;
-+};
-+
-+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow)
-+{
-+ (void) ultotal;
-+ (void) ulnow;
-+
-+ struct percent_t *percent = (struct percent_t *) ptr;
-+
-+ if (dltotal && percent && percent->end >= percent->start) {
-+ unsigned int diff = percent->end - percent->start;
-+ if (diff) {
-+ fprintf(stderr,"completed: %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal));
-+ }
-+ }
-+
-+ return 0;
-+}
-+
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-+ unsigned int start_percent, unsigned int end_percent)
- {
- FetchStatus ret = FETCH_STATUS_FAIL;
- CURLcode res;
- struct stat st;
- CURL *curl = NULL;
- struct fetch_t *f = NULL;
-+ struct percent_t percent = { .start = start_percent, .end = end_percent };
-
- curl = curl_easy_init();
- if (!curl) {
-@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)
- }
- if (verbose) {
- (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);
-+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &percent);
-+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new);
- }
- res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func);
- if (res != CURLE_OK) {
-diff --git a/src/library/fetch.h b/src/library/fetch.h
-index 70c3779..4cce5d1 100644
---- a/src/library/fetch.h
-+++ b/src/library/fetch.h
-@@ -28,7 +28,8 @@ typedef enum {
- * @param verbose Whether to be verbose
- * @return A FetchStatus, indicating the operation taken
- */
--FetchStatus fetch_uri(const char *uri, const char *target, bool verbose);
-+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-+ unsigned int this_percent, unsigned int next_percent);
-
- /**
- * Attempt to extract the given gzipped file
-diff --git a/src/update.c b/src/update.c
-index 30fbe96..eaeeefd 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
- }
-
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
-- bool db_exist, bool verbose)
-+ bool db_exist, bool verbose,
-+ unsigned int this_percent, unsigned int next_percent)
- {
- const char nvd_uri[] = URI_PREFIX;
- autofree(cve_string) *uri_meta = NULL;
-@@ -330,14 +331,14 @@ refetch:
- }
-
- /* Fetch NVD META file */
-- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose);
-+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
- if (st == FETCH_STATUS_FAIL) {
- fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
- return -1;
- }
-
- /* Fetch NVD XML file */
-- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose);
-+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
- switch (st) {
- case FETCH_STATUS_FAIL:
- fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
-@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file)
- for (int i = YEAR_START; i <= year+1; i++) {
- int y = i > year ? -1 : i;
- int rc;
-+ unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START);
-+ unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START);
-
-- rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet);
-+ if (!quiet)
-+ fprintf(stderr, "completed: %u%%\r", start_percent);
-+ rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
-+ start_percent, end_percent);
- switch (rc) {
- case 0:
-+ if (!quiet)
-+ fprintf(stderr,"completed: %u%%\r", end_percent);
- continue;
- case ENOMEM:
- goto oom;
---
-2.9.3
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
deleted file mode 100644
index 458c0cc..0000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
-From: Sergey Popovich <popovich_sergei@mail.ua>
-Date: Fri, 21 Apr 2017 07:32:23 -0700
-Subject: [PATCH] update: Compare computed vs expected sha256 digit string
- ignoring case
-
-We produce sha256 digest string using %x snprintf()
-qualifier for each byte of digest which uses alphabetic
-characters from "a" to "f" in lower case to represent
-integer values from 10 to 15.
-
-Previously all of the NVD META files supply sha256
-digest string for corresponding XML file in lower case.
-
-However due to some reason this changed recently to
-provide digest digits in upper case causing fetched
-data consistency checks to fail. This prevents database
-from being updated periodically.
-
-While commit c4f6e94 (update: Do not treat sha256 failure
-as fatal if requested) adds useful option to skip
-digest validation at all and thus provides workaround for
-this situation, it might be unacceptable for some
-deployments where we need to ensure that downloaded
-data is consistent before start parsing it and update
-SQLite database.
-
-Use strcasecmp() to compare two digest strings case
-insensitively and addressing this case.
-
-Upstream-Status: Backport
-Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
----
- src/update.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/update.c b/src/update.c
-index 8588f38..3cc6b67 100644
---- a/src/update.c
-+++ b/src/update.c
-@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
- snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
- }
-
-- ret = streq(csum_meta, csum_data);
-+ ret = !strcasecmp(csum_meta, csum_data);
-
- err_unmap:
- munmap(buffer, length);
---
-2.11.0
-
diff --git a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
deleted file mode 100644
index 0774ad9..0000000
--- a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Mon, 22 Aug 2016 22:54:24 -0700
-Subject: [PATCH] Check for malloc_trim before using it
-
-malloc_trim is gnu specific and not all libc
-implement it, threfore write a configure check
-to poke for it first and use the define to
-guard its use.
-
-Helps in compiling on musl based systems
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
-Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/48]
- configure.ac | 2 ++
- src/core.c | 4 ++--
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index d3b66ce..79c3542 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0])
- m4_define([openssl_required_version],[1.0.0])
- # TODO: Set minimum sqlite
-
-+AC_CHECK_FUNCS_ONCE(malloc_trim)
-+
- PKG_CHECK_MODULES(CVE_CHECK_TOOL,
- [
- glib-2.0 >= glib_required_version,
-diff --git a/src/core.c b/src/core.c
-index 6263031..0d5df29 100644
---- a/src/core.c
-+++ b/src/core.c
-@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname)
- }
-
- b = true;
--
-+#ifdef HAVE_MALLOC_TRIM
- malloc_trim(0);
--
-+#endif
- xmlFreeTextReader(r);
- if (fd) {
- close(fd);
---
-2.9.3
-
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 07/18] cve-check: ensure all known CVEs are in the report
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (5 preceding siblings ...)
2019-12-16 15:59 ` [thud 06/18] cve-check: backport rewrite from master Armin Kuster
@ 2019-12-16 15:59 ` Armin Kuster
2019-12-16 15:59 ` [thud 08/18] cve-check: failure to parse versions should be more visible Armin Kuster
` (11 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 15:59 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
CVEs that are whitelisted or were not vulnerable when there are version
comparisons were not included in the report, so alter the logic to ensure that
all relevant CVEs are in the report for completeness.
(From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/cve-check.bbclass | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index c00d291..f87bcc9 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -208,12 +208,14 @@ def check_cves(d, patched_cves):
if cve in cve_whitelist:
bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
+ # TODO: this should be in the report as 'whitelisted'
+ patched_cves.add(cve)
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
else:
to_append = False
if (operator_start == '=' and pv == version_start):
- cves_unpatched.append(cve)
+ to_append = True
else:
if operator_start:
try:
@@ -243,8 +245,11 @@ def check_cves(d, patched_cves):
to_append = to_append_start or to_append_end
if to_append:
+ bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
cves_unpatched.append(cve)
- bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
+ else:
+ bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
+ patched_cves.add(cve)
conn.close()
return (list(patched_cves), cves_unpatched)
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 08/18] cve-check: failure to parse versions should be more visible
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (6 preceding siblings ...)
2019-12-16 15:59 ` [thud 07/18] cve-check: ensure all known CVEs are in the report Armin Kuster
@ 2019-12-16 15:59 ` Armin Kuster
2019-12-16 15:59 ` [thud 09/18] cve-check: we don't actually need to unpack to check Armin Kuster
` (10 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 15:59 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/cve-check.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index f87bcc9..1c8b222 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -222,7 +222,7 @@ def check_cves(d, patched_cves):
to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
except:
- bb.note("%s: Failed to compare %s %s %s for %s" %
+ bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_start, version_start, cve))
to_append_start = False
else:
@@ -233,7 +233,7 @@ def check_cves(d, patched_cves):
to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
except:
- bb.note("%s: Failed to compare %s %s %s for %s" %
+ bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_end, version_end, cve))
to_append_end = False
else:
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 09/18] cve-check: we don't actually need to unpack to check
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (7 preceding siblings ...)
2019-12-16 15:59 ` [thud 08/18] cve-check: failure to parse versions should be more visible Armin Kuster
@ 2019-12-16 15:59 ` Armin Kuster
2019-12-16 16:00 ` [thud 10/18] cve-update-db-native: don't refresh more than once an hour Armin Kuster
` (9 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 15:59 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
The patch scanner works with patch files in the layer, not in the workdir, so it
doesn't need to unpack.
(From OE-Core rev: 2cba6ada970deb5156e1ba0182f4f372851e3c17)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/cve-check.bbclass | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1c8b222..3326944 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -62,7 +62,7 @@ python do_cve_check () {
}
-addtask cve_check after do_unpack before do_build
+addtask cve_check before do_build
do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
do_cve_check[nostamp] = "1"
@@ -70,7 +70,6 @@ python cve_check_cleanup () {
"""
Delete the file used to gather all the CVE information.
"""
-
bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE"))
}
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 10/18] cve-update-db-native: don't refresh more than once an hour
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (8 preceding siblings ...)
2019-12-16 15:59 ` [thud 09/18] cve-check: we don't actually need to unpack to check Armin Kuster
@ 2019-12-16 16:00 ` Armin Kuster
2019-12-16 16:00 ` [thud 11/18] cve-update-db-native: don't hardcode the database name Armin Kuster
` (8 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 16:00 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
We already fetch the yearly CVE metadata and check that for updates before
downloading the full data, but we can speed up CVE checking further by only
checking the CVE metadata once an hour.
(From OE-Core rev: 50d898fd360c58fe85460517d965f62b7654771a)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/meta/cve-update-db-native.bb | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 2c427a5..19875a4 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -31,8 +31,16 @@ python do_populate_cve_db() {
db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK')
db_file = os.path.join(db_dir, 'nvdcve_1.0.db')
json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
- proxy = d.getVar("https_proxy")
+ # Don't refresh the database more than once an hour
+ try:
+ import time
+ if time.time() - os.path.getmtime(db_file) < (60*60):
+ return
+ except OSError:
+ pass
+
+ proxy = d.getVar("https_proxy")
if proxy:
# instantiate an opener but do not install it as the global
# opener unless if we're really sure it's applicable for all
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 11/18] cve-update-db-native: don't hardcode the database name
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (9 preceding siblings ...)
2019-12-16 16:00 ` [thud 10/18] cve-update-db-native: don't refresh more than once an hour Armin Kuster
@ 2019-12-16 16:00 ` Armin Kuster
2019-12-16 16:00 ` [thud 12/18] cve-update-db-native: add an index on the CVE ID column Armin Kuster
` (7 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 16:00 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
Don't hardcode the database filename, there's a variable for this in
cve-check.bbclass.
(From OE-Core rev: 0d188a9dc4ae64c64cd661e9d9c3841e86f226ab)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/meta/cve-update-db-native.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 19875a4..c15534d 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -28,8 +28,8 @@ python do_populate_cve_db() {
BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
YEAR_START = 2002
- db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK')
- db_file = os.path.join(db_dir, 'nvdcve_1.0.db')
+ db_file = d.getVar("CVE_CHECK_DB_FILE")
+ db_dir = os.path.dirname(db_file)
json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
# Don't refresh the database more than once an hour
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 12/18] cve-update-db-native: add an index on the CVE ID column
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (10 preceding siblings ...)
2019-12-16 16:00 ` [thud 11/18] cve-update-db-native: don't hardcode the database name Armin Kuster
@ 2019-12-16 16:00 ` Armin Kuster
2019-12-16 16:00 ` [thud 13/18] cve-update-db-native: clean up proxy handling Armin Kuster
` (6 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 16:00 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
Create an index on the PRODUCTS table which contains a row for each CPE,
drastically increasing the performance of lookups for a specific CVE.
(From OE-Core rev: b4048b05b3a00d85c40d09961f846eadcebd812e)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/meta/cve-update-db-native.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index c15534d..08b18f0 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -120,11 +120,14 @@ python do_populate_cve_db() {
def initialize_db(c):
c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
+
c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+
c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
VERSION_END TEXT, OPERATOR_END TEXT)")
+ c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
def parse_node_and_insert(c, node, cveId):
# Parse children node if needed
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 13/18] cve-update-db-native: clean up proxy handling
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (11 preceding siblings ...)
2019-12-16 16:00 ` [thud 12/18] cve-update-db-native: add an index on the CVE ID column Armin Kuster
@ 2019-12-16 16:00 ` Armin Kuster
2019-12-16 16:00 ` [thud 14/18] cve-check: rewrite look to fix false negatives Armin Kuster
` (5 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 16:00 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
urllib handles adding proxy handlers if the proxies are set in the environment,
so call bb.utils.export_proxies() to do that and remove the manual setup.
(From OE-Core rev: 6b73004668b3b71c9c38814b79fbb58c893ed434)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/meta/cve-update-db-native.bb | 31 +++++---------------------
1 file changed, 5 insertions(+), 26 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 08b18f0..db1d69a 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -21,10 +21,12 @@ python do_populate_cve_db() {
"""
Update NVD database with json data feed
"""
-
+ import bb.utils
import sqlite3, urllib, urllib.parse, shutil, gzip
from datetime import date
+ bb.utils.export_proxies(d)
+
BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
YEAR_START = 2002
@@ -40,16 +42,6 @@ python do_populate_cve_db() {
except OSError:
pass
- proxy = d.getVar("https_proxy")
- if proxy:
- # instantiate an opener but do not install it as the global
- # opener unless if we're really sure it's applicable for all
- # urllib requests
- proxy_handler = urllib.request.ProxyHandler({'https': proxy})
- proxy_opener = urllib.request.build_opener(proxy_handler)
- else:
- proxy_opener = None
-
cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
if not os.path.isdir(db_dir):
@@ -67,15 +59,7 @@ python do_populate_cve_db() {
json_url = year_url + ".json.gz"
# Retrieve meta last modified date
-
- response = None
-
- if proxy_opener:
- response = proxy_opener.open(meta_url)
- else:
- req = urllib.request.Request(meta_url)
- response = urllib.request.urlopen(req)
-
+ response = urllib.request.urlopen(meta_url)
if response:
for l in response.read().decode("utf-8").splitlines():
key, value = l.split(":", 1)
@@ -95,12 +79,7 @@ python do_populate_cve_db() {
# Update db with current year json file
try:
- if proxy_opener:
- response = proxy_opener.open(json_url)
- else:
- req = urllib.request.Request(json_url)
- response = urllib.request.urlopen(req)
-
+ response = urllib.request.urlopen(json_url)
if response:
update_db(c, gzip.decompress(response.read()).decode('utf-8'))
c.execute("insert or replace into META values (?, ?)", [year, last_modified])
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 14/18] cve-check: rewrite look to fix false negatives
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (12 preceding siblings ...)
2019-12-16 16:00 ` [thud 13/18] cve-update-db-native: clean up proxy handling Armin Kuster
@ 2019-12-16 16:00 ` Armin Kuster
2019-12-16 16:00 ` [thud 15/18] cve-check: neaten get_cve_info Armin Kuster
` (4 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 16:00 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
A previous optimisation was premature and resulted in false-negatives in the report.
Rewrite the checking algorithm to first get the list of potential CVEs by
vendor:product, then iterate through every matching CPE for that CVE to
determine if the bounds match or not. By doing this in two stages we can know
if we've checked every CPE, instead of accidentally breaking out of the scan too
early.
(From OE-Core rev: d61aff9e22704ad69df1f7ab0f8784f4e7cc0c69)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/cve-check.bbclass | 63 +++++++++++++++++++++++-------------------
1 file changed, 34 insertions(+), 29 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 3326944..c1cbdbd 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -165,7 +165,6 @@ def check_cves(d, patched_cves):
"""
Connect to the NVD database and find unpatched cves.
"""
- import ast, csv, tempfile, subprocess, io
from distutils.version import LooseVersion
cves_unpatched = []
@@ -187,68 +186,74 @@ def check_cves(d, patched_cves):
cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
import sqlite3
- db_file = d.getVar("CVE_CHECK_DB_FILE")
- conn = sqlite3.connect(db_file)
+ db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
+ conn = sqlite3.connect(db_file, uri=True)
+ # For each of the known product names (e.g. curl has CPEs using curl and libcurl)...
for product in products:
- c = conn.cursor()
if ":" in product:
vendor, product = product.split(":", 1)
- c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor))
else:
- c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
+ vendor = "%"
- for row in c:
- cve = row[0]
- version_start = row[3]
- operator_start = row[4]
- version_end = row[5]
- operator_end = row[6]
+ # Find all relevant CVE IDs.
+ for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
+ cve = cverow[0]
if cve in cve_whitelist:
bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
# TODO: this should be in the report as 'whitelisted'
patched_cves.add(cve)
+ continue
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
- else:
- to_append = False
+ continue
+
+ vulnerable = False
+ for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
+ (_, _, _, version_start, operator_start, version_end, operator_end) = row
+ #bb.debug(2, "Evaluating row " + str(row))
+
if (operator_start == '=' and pv == version_start):
- to_append = True
+ vulnerable = True
else:
if operator_start:
try:
- to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
- to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+ vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
+ vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
except:
bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_start, version_start, cve))
- to_append_start = False
+ vulnerable_start = False
else:
- to_append_start = False
+ vulnerable_start = False
if operator_end:
try:
- to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
- to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+ vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
+ vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
except:
bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_end, version_end, cve))
- to_append_end = False
+ vulnerable_end = False
else:
- to_append_end = False
+ vulnerable_end = False
if operator_start and operator_end:
- to_append = to_append_start and to_append_end
+ vulnerable = vulnerable_start and vulnerable_end
else:
- to_append = to_append_start or to_append_end
+ vulnerable = vulnerable_start or vulnerable_end
- if to_append:
+ if vulnerable:
bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
cves_unpatched.append(cve)
- else:
- bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
- patched_cves.add(cve)
+ break
+
+ if not vulnerable:
+ bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
+ # TODO: not patched but not vulnerable
+ patched_cves.add(cve)
+
conn.close()
return (list(patched_cves), cves_unpatched)
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 15/18] cve-check: neaten get_cve_info
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (13 preceding siblings ...)
2019-12-16 16:00 ` [thud 14/18] cve-check: rewrite look to fix false negatives Armin Kuster
@ 2019-12-16 16:00 ` Armin Kuster
2019-12-16 16:00 ` [thud 16/18] cve-check: fetch CVE data once at a time instead of in a single call Armin Kuster
` (3 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 16:00 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
Remove obsolete Python 2 code, and use convenience methods for neatness.
(From OE-Core rev: f19253cc9e70c974a8e21a142086c13d7cde04ff)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/cve-check.bbclass | 18 +++++-------------
1 file changed, 5 insertions(+), 13 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index c1cbdbd..e95716d 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -261,23 +261,15 @@ def check_cves(d, patched_cves):
def get_cve_info(d, cves):
"""
Get CVE information from the database.
-
- Unfortunately the only way to get CVE info is set the output to
- html (hard to parse) or query directly the database.
"""
- try:
- import sqlite3
- except ImportError:
- from pysqlite2 import dbapi2 as sqlite3
+ import sqlite3
cve_data = {}
- db_file = d.getVar("CVE_CHECK_DB_FILE")
- placeholder = ",".join("?" * len(cves))
- query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholder
- conn = sqlite3.connect(db_file)
- cur = conn.cursor()
- for row in cur.execute(query, tuple(cves)):
+ conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
+ placeholders = ",".join("?" * len(cves))
+ query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholders
+ for row in conn.execute(query, tuple(cves)):
cve_data[row[0]] = {}
cve_data[row[0]]["summary"] = row[1]
cve_data[row[0]]["scorev2"] = row[2]
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 16/18] cve-check: fetch CVE data once at a time instead of in a single call
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (14 preceding siblings ...)
2019-12-16 16:00 ` [thud 15/18] cve-check: neaten get_cve_info Armin Kuster
@ 2019-12-16 16:00 ` Armin Kuster
2019-12-16 16:00 ` [thud 17/18] glibc: finish incomplete fix for CVE-2016-10739 Armin Kuster
` (2 subsequent siblings)
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 16:00 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
This code used to construct a single SQL statement that fetched the NVD data for
every CVE requested. For recipes such as the kernel where there are over 2000
CVEs to report this can hit the variable count limit and the query fails with
"sqlite3.OperationalError: too many SQL variables". The default limit is 999
variables, but some distributions such as Debian set the default to 250000.
As the NVD table has an index on the ID column, whilst requesting the data
CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time
different is insignificant: 0.05s verses 0.01s on my machine.
(From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/classes/cve-check.bbclass | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e95716d..19ed554 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -267,17 +267,17 @@ def get_cve_info(d, cves):
cve_data = {}
conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
- placeholders = ",".join("?" * len(cves))
- query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholders
- for row in conn.execute(query, tuple(cves)):
- cve_data[row[0]] = {}
- cve_data[row[0]]["summary"] = row[1]
- cve_data[row[0]]["scorev2"] = row[2]
- cve_data[row[0]]["scorev3"] = row[3]
- cve_data[row[0]]["modified"] = row[4]
- cve_data[row[0]]["vector"] = row[5]
- conn.close()
+ for cve in cves:
+ for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
+ cve_data[row[0]] = {}
+ cve_data[row[0]]["summary"] = row[1]
+ cve_data[row[0]]["scorev2"] = row[2]
+ cve_data[row[0]]["scorev3"] = row[3]
+ cve_data[row[0]]["modified"] = row[4]
+ cve_data[row[0]]["vector"] = row[5]
+
+ conn.close()
return cve_data
def cve_write_data(d, patched, unpatched, cve_data):
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 17/18] glibc: finish incomplete fix for CVE-2016-10739
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (15 preceding siblings ...)
2019-12-16 16:00 ` [thud 16/18] cve-check: fetch CVE data once at a time instead of in a single call Armin Kuster
@ 2019-12-16 16:00 ` Armin Kuster
2019-12-16 16:00 ` [thud 18/18] linux-yocto/4.14: update to 4.14.154 Armin Kuster
2019-12-17 3:51 ` [thud 00/18] thud pull request Adrian Bunk
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 16:00 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
Somehow the patch for this CVE only included one of the four required patches.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-core/glibc/glibc/CVE-2016-10739.patch | 910 ++++++++++++++++++++-
1 file changed, 907 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
index 7eb55d6..7dc8428 100644
--- a/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
+++ b/meta/recipes-core/glibc/glibc/CVE-2016-10739.patch
@@ -5,12 +5,12 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
From 8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Mon, 21 Jan 2019 08:59:42 +0100
-Subject: [PATCH] resolv: Reformat inet_addr, inet_aton to GNU style
+Subject: [PATCH 1/4] resolv: Reformat inet_addr, inet_aton to GNU style
(cherry picked from commit 5e30b8ef0758763effa115634e0ed7d8938e4bc0)
---
ChangeLog | 5 ++
- resolv/inet_addr.c | 192 ++++++++++++++++++++++++++++-------------------------
+ resolv/inet_addr.c | 192 ++++++++++++++++++++++++---------------------
2 files changed, 106 insertions(+), 91 deletions(-)
diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c
@@ -229,4 +229,908 @@ index 022f7ea084..32f58b0e13 100644
weak_alias (__inet_aton, inet_aton)
libc_hidden_def (__inet_aton)
--
-2.11.0
+2.20.1
+
+
+From 37edf1d3f8ab9adefb61cc466ac52b53114fbd5b Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 21 Jan 2019 09:26:41 +0100
+Subject: [PATCH 2/4] resolv: Do not send queries for non-host-names in nss_dns
+ [BZ #24112]
+
+Before this commit, nss_dns would send a query which did not contain a
+host name as the query name (such as invalid\032name.example.com) and
+then reject the answer in getanswer_r and gaih_getanswer_slice, using
+a check based on res_hnok. With this commit, no query is sent, and a
+host-not-found error is returned to NSS without network interaction.
+
+(cherry picked from commit 6ca53a2453598804a2559a548a08424fca96434a)
+---
+ ChangeLog | 9 +++++++++
+ resolv/nss_dns/dns-host.c | 24 ++++++++++++++++++++++--
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index 5dc2829cd1..99c3b61e1c 100644
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -274,11 +274,26 @@ gethostbyname3_context (struct resolv_context *ctx,
+ return status;
+ }
+
++/* Verify that the name looks like a host name. There is no point in
++ sending a query which will not produce a usable name in the
++ response. */
++static enum nss_status
++check_name (const char *name, int *h_errnop)
++{
++ if (res_hnok (name))
++ return NSS_STATUS_SUCCESS;
++ *h_errnop = HOST_NOT_FOUND;
++ return NSS_STATUS_NOTFOUND;
++}
++
+ enum nss_status
+ _nss_dns_gethostbyname2_r (const char *name, int af, struct hostent *result,
+ char *buffer, size_t buflen, int *errnop,
+ int *h_errnop)
+ {
++ enum nss_status status = check_name (name, h_errnop);
++ if (status != NSS_STATUS_SUCCESS)
++ return status;
+ return _nss_dns_gethostbyname3_r (name, af, result, buffer, buflen, errnop,
+ h_errnop, NULL, NULL);
+ }
+@@ -289,6 +304,9 @@ _nss_dns_gethostbyname_r (const char *name, struct hostent *result,
+ char *buffer, size_t buflen, int *errnop,
+ int *h_errnop)
+ {
++ enum nss_status status = check_name (name, h_errnop);
++ if (status != NSS_STATUS_SUCCESS)
++ return status;
+ struct resolv_context *ctx = __resolv_context_get ();
+ if (ctx == NULL)
+ {
+@@ -296,7 +314,7 @@ _nss_dns_gethostbyname_r (const char *name, struct hostent *result,
+ *h_errnop = NETDB_INTERNAL;
+ return NSS_STATUS_UNAVAIL;
+ }
+- enum nss_status status = NSS_STATUS_NOTFOUND;
++ status = NSS_STATUS_NOTFOUND;
+ if (res_use_inet6 ())
+ status = gethostbyname3_context (ctx, name, AF_INET6, result, buffer,
+ buflen, errnop, h_errnop, NULL, NULL);
+@@ -313,6 +331,9 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
+ char *buffer, size_t buflen, int *errnop,
+ int *herrnop, int32_t *ttlp)
+ {
++ enum nss_status status = check_name (name, herrnop);
++ if (status != NSS_STATUS_SUCCESS)
++ return status;
+ struct resolv_context *ctx = __resolv_context_get ();
+ if (ctx == NULL)
+ {
+@@ -347,7 +368,6 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
+ int ans2p_malloced = 0;
+
+ int olderr = errno;
+- enum nss_status status;
+ int n = __res_context_search (ctx, name, C_IN, T_QUERY_A_AND_AAAA,
+ host_buffer.buf->buf, 2048, &host_buffer.ptr,
+ &ans2p, &nans2p, &resplen2, &ans2p_malloced);
+--
+2.20.1
+
+
+From 2373941bd73cb288c8a42a33e23e7f7bb81151e7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 21 Jan 2019 21:26:03 +0100
+Subject: [PATCH 3/4] CVE-2016-10739: getaddrinfo: Fully parse IPv4 address
+ strings [BZ #20018]
+
+The IPv4 address parser in the getaddrinfo function is changed so that
+it does not ignore trailing whitespace and all characters after it.
+For backwards compatibility, the getaddrinfo function still recognizes
+legacy name syntax, such as 192.000.002.010 interpreted as 192.0.2.8
+(octal).
+
+This commit does not change the behavior of inet_addr and inet_aton.
+gethostbyname already had additional sanity checks (but is switched
+over to the new __inet_aton_exact function for completeness as well).
+
+To avoid sending the problematic query names over DNS, commit
+6ca53a2453598804a2559a548a08424fca96434a ("resolv: Do not send queries
+for non-host-names in nss_dns [BZ #24112]") is needed.
+
+(cherry picked from commit 108bc4049f8ae82710aec26a92ffdb4b439c83fd)
+---
+ ChangeLog | 33 ++++++++
+ NEWS | 4 +
+ include/arpa/inet.h | 6 +-
+ nscd/gai.c | 1 -
+ nscd/gethstbynm3_r.c | 2 -
+ nss/digits_dots.c | 3 +-
+ resolv/Makefile | 7 ++
+ resolv/Versions | 1 +
+ resolv/inet_addr.c | 62 ++++++++++-----
+ resolv/res_init.c | 17 ++--
+ resolv/tst-aton.c | 35 +++++++--
+ resolv/tst-inet_aton_exact.c | 47 +++++++++++
+ resolv/tst-resolv-nondecimal.c | 139 +++++++++++++++++++++++++++++++++
+ resolv/tst-resolv-trailing.c | 136 ++++++++++++++++++++++++++++++++
+ sysdeps/posix/getaddrinfo.c | 2 +-
+ 15 files changed, 455 insertions(+), 40 deletions(-)
+ create mode 100644 resolv/tst-inet_aton_exact.c
+ create mode 100644 resolv/tst-resolv-nondecimal.c
+ create mode 100644 resolv/tst-resolv-trailing.c
+
+diff --git a/include/arpa/inet.h b/include/arpa/inet.h
+index c3f28f2baa..19aec74275 100644
+--- a/include/arpa/inet.h
++++ b/include/arpa/inet.h
+@@ -1,10 +1,10 @@
+ #include <inet/arpa/inet.h>
+
+ #ifndef _ISOMAC
+-extern int __inet_aton (const char *__cp, struct in_addr *__inp);
+-libc_hidden_proto (__inet_aton)
++/* Variant of inet_aton which rejects trailing garbage. */
++extern int __inet_aton_exact (const char *__cp, struct in_addr *__inp);
++libc_hidden_proto (__inet_aton_exact)
+
+-libc_hidden_proto (inet_aton)
+ libc_hidden_proto (inet_ntop)
+ libc_hidden_proto (inet_pton)
+ extern __typeof (inet_pton) __inet_pton;
+diff --git a/nscd/gai.c b/nscd/gai.c
+index 24bdfee1db..f57f396f57 100644
+--- a/nscd/gai.c
++++ b/nscd/gai.c
+@@ -19,7 +19,6 @@
+
+ /* This file uses the getaddrinfo code but it compiles it without NSCD
+ support. We just need a few symbol renames. */
+-#define __inet_aton inet_aton
+ #define __ioctl ioctl
+ #define __getsockname getsockname
+ #define __socket socket
+diff --git a/nscd/gethstbynm3_r.c b/nscd/gethstbynm3_r.c
+index 7beb9dce9f..f792c4fcd0 100644
+--- a/nscd/gethstbynm3_r.c
++++ b/nscd/gethstbynm3_r.c
+@@ -38,8 +38,6 @@
+ #define HAVE_LOOKUP_BUFFER 1
+ #define HAVE_AF 1
+
+-#define __inet_aton inet_aton
+-
+ /* We are nscd, so we don't want to be talking to ourselves. */
+ #undef USE_NSCD
+
+diff --git a/nss/digits_dots.c b/nss/digits_dots.c
+index 39bff38865..5441bce16e 100644
+--- a/nss/digits_dots.c
++++ b/nss/digits_dots.c
+@@ -29,7 +29,6 @@
+ #include "nsswitch.h"
+
+ #ifdef USE_NSCD
+-# define inet_aton __inet_aton
+ # include <nscd/nscd_proto.h>
+ #endif
+
+@@ -160,7 +159,7 @@ __nss_hostname_digits_dots_context (struct resolv_context *ctx,
+ 255.255.255.255? The test below will succeed
+ spuriously... ??? */
+ if (af == AF_INET)
+- ok = __inet_aton (name, (struct in_addr *) host_addr);
++ ok = __inet_aton_exact (name, (struct in_addr *) host_addr);
+ else
+ {
+ assert (af == AF_INET6);
+diff --git a/resolv/Makefile b/resolv/Makefile
+index ea395ac3eb..d36eedd34a 100644
+--- a/resolv/Makefile
++++ b/resolv/Makefile
+@@ -34,6 +34,9 @@ routines := herror inet_addr inet_ntop inet_pton nsap_addr res_init \
+ tests = tst-aton tst-leaks tst-inet_ntop
+ xtests = tst-leaks2
+
++tests-internal += tst-inet_aton_exact
++
++
+ generate := mtrace-tst-leaks.out tst-leaks.mtrace tst-leaks2.mtrace
+
+ extra-libs := libresolv libnss_dns
+@@ -54,8 +57,10 @@ tests += \
+ tst-resolv-binary \
+ tst-resolv-edns \
+ tst-resolv-network \
++ tst-resolv-nondecimal \
+ tst-resolv-res_init-multi \
+ tst-resolv-search \
++ tst-resolv-trailing \
+
+ # These tests need libdl.
+ ifeq (yes,$(build-shared))
+@@ -190,9 +195,11 @@ $(objpfx)tst-resolv-res_init-multi: $(objpfx)libresolv.so \
+ $(shared-thread-library)
+ $(objpfx)tst-resolv-res_init-thread: $(libdl) $(objpfx)libresolv.so \
+ $(shared-thread-library)
++$(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-search: $(objpfx)libresolv.so $(shared-thread-library)
++$(objpfx)tst-resolv-trailing: $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-threads: \
+ $(libdl) $(objpfx)libresolv.so $(shared-thread-library)
+ $(objpfx)tst-resolv-canonname: \
+diff --git a/resolv/Versions b/resolv/Versions
+index b05778d965..9a82704af7 100644
+--- a/resolv/Versions
++++ b/resolv/Versions
+@@ -27,6 +27,7 @@ libc {
+ __h_errno; __resp;
+
+ __res_iclose;
++ __inet_aton_exact;
+ __inet_pton_length;
+ __resolv_context_get;
+ __resolv_context_get_preinit;
+diff --git a/resolv/inet_addr.c b/resolv/inet_addr.c
+index 32f58b0e13..41b6166a5b 100644
+--- a/resolv/inet_addr.c
++++ b/resolv/inet_addr.c
+@@ -96,26 +96,14 @@
+ #include <limits.h>
+ #include <errno.h>
+
+-/* ASCII IPv4 Internet address interpretation routine. The value
+- returned is in network order. */
+-in_addr_t
+-__inet_addr (const char *cp)
+-{
+- struct in_addr val;
+-
+- if (__inet_aton (cp, &val))
+- return val.s_addr;
+- return INADDR_NONE;
+-}
+-weak_alias (__inet_addr, inet_addr)
+-
+ /* Check whether "cp" is a valid ASCII representation of an IPv4
+ Internet address and convert it to a binary address. Returns 1 if
+ the address is valid, 0 if not. This replaces inet_addr, the
+ return value from which cannot distinguish between failure and a
+- local broadcast address. */
+-int
+-__inet_aton (const char *cp, struct in_addr *addr)
++ local broadcast address. Write a pointer to the first
++ non-converted character to *endp. */
++static int
++inet_aton_end (const char *cp, struct in_addr *addr, const char **endp)
+ {
+ static const in_addr_t max[4] = { 0xffffffff, 0xffffff, 0xffff, 0xff };
+ in_addr_t val;
+@@ -180,6 +168,7 @@ __inet_aton (const char *cp, struct in_addr *addr)
+
+ if (addr != NULL)
+ addr->s_addr = res.word | htonl (val);
++ *endp = cp;
+
+ __set_errno (saved_errno);
+ return 1;
+@@ -188,6 +177,41 @@ __inet_aton (const char *cp, struct in_addr *addr)
+ __set_errno (saved_errno);
+ return 0;
+ }
+-weak_alias (__inet_aton, inet_aton)
+-libc_hidden_def (__inet_aton)
+-libc_hidden_weak (inet_aton)
++
++int
++__inet_aton_exact (const char *cp, struct in_addr *addr)
++{
++ struct in_addr val;
++ const char *endp;
++ /* Check that inet_aton_end parsed the entire string. */
++ if (inet_aton_end (cp, &val, &endp) != 0 && *endp == 0)
++ {
++ *addr = val;
++ return 1;
++ }
++ else
++ return 0;
++}
++libc_hidden_def (__inet_aton_exact)
++
++/* inet_aton ignores trailing garbage. */
++int
++__inet_aton_ignore_trailing (const char *cp, struct in_addr *addr)
++{
++ const char *endp;
++ return inet_aton_end (cp, addr, &endp);
++}
++weak_alias (__inet_aton_ignore_trailing, inet_aton)
++
++/* ASCII IPv4 Internet address interpretation routine. The value
++ returned is in network order. */
++in_addr_t
++__inet_addr (const char *cp)
++{
++ struct in_addr val;
++ const char *endp;
++ if (inet_aton_end (cp, &val, &endp))
++ return val.s_addr;
++ return INADDR_NONE;
++}
++weak_alias (__inet_addr, inet_addr)
+diff --git a/resolv/res_init.c b/resolv/res_init.c
+index f5e52cbbb9..94743a252e 100644
+--- a/resolv/res_init.c
++++ b/resolv/res_init.c
+@@ -399,8 +399,16 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+ cp = parser->buffer + sizeof ("nameserver") - 1;
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
++
++ /* Ignore trailing contents on the name server line. */
++ {
++ char *el;
++ if ((el = strpbrk (cp, " \t\n")) != NULL)
++ *el = '\0';
++ }
++
+ struct sockaddr *sa;
+- if ((*cp != '\0') && (*cp != '\n') && __inet_aton (cp, &a))
++ if ((*cp != '\0') && (*cp != '\n') && __inet_aton_exact (cp, &a))
+ {
+ sa = allocate_address_v4 (a, NAMESERVER_PORT);
+ if (sa == NULL)
+@@ -410,9 +418,6 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+ {
+ struct in6_addr a6;
+ char *el;
+-
+- if ((el = strpbrk (cp, " \t\n")) != NULL)
+- *el = '\0';
+ if ((el = strchr (cp, SCOPE_DELIMITER)) != NULL)
+ *el = '\0';
+ if ((*cp != '\0') && (__inet_pton (AF_INET6, cp, &a6) > 0))
+@@ -472,7 +477,7 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+ char separator = *cp;
+ *cp = 0;
+ struct resolv_sortlist_entry e;
+- if (__inet_aton (net, &a))
++ if (__inet_aton_exact (net, &a))
+ {
+ e.addr = a;
+ if (is_sort_mask (separator))
+@@ -484,7 +489,7 @@ res_vinit_1 (FILE *fp, struct resolv_conf_parser *parser)
+ cp++;
+ separator = *cp;
+ *cp = 0;
+- if (__inet_aton (net, &a))
++ if (__inet_aton_exact (net, &a))
+ e.mask = a.s_addr;
+ else
+ e.mask = net_mask (e.addr);
+diff --git a/resolv/tst-aton.c b/resolv/tst-aton.c
+index 08110a007a..eb734d7758 100644
+--- a/resolv/tst-aton.c
++++ b/resolv/tst-aton.c
+@@ -1,11 +1,29 @@
++/* Test legacy IPv4 text-to-address function inet_aton.
++ Copyright (C) 1998-2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <array_length.h>
+ #include <stdio.h>
+ #include <stdint.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+
+-
+-static struct tests
++static const struct tests
+ {
+ const char *input;
+ int valid;
+@@ -16,6 +34,7 @@ static struct tests
+ { "-1", 0, 0 },
+ { "256", 1, 0x00000100 },
+ { "256.", 0, 0 },
++ { "255a", 0, 0 },
+ { "256a", 0, 0 },
+ { "0x100", 1, 0x00000100 },
+ { "0200.0x123456", 1, 0x80123456 },
+@@ -40,7 +59,12 @@ static struct tests
+ { "1.2.256.4", 0, 0 },
+ { "1.2.3.0x100", 0, 0 },
+ { "323543357756889", 0, 0 },
+- { "10.1.2.3.4", 0, 0},
++ { "10.1.2.3.4", 0, 0 },
++ { "192.0.2.1", 1, 0xc0000201 },
++ { "192.0.2.2\nX", 1, 0xc0000202 },
++ { "192.0.2.3 Y", 1, 0xc0000203 },
++ { "192.0.2.3Z", 0, 0 },
++ { "192.000.002.010", 1, 0xc0000208 },
+ };
+
+
+@@ -50,7 +74,7 @@ do_test (void)
+ int result = 0;
+ size_t cnt;
+
+- for (cnt = 0; cnt < sizeof (tests) / sizeof (tests[0]); ++cnt)
++ for (cnt = 0; cnt < array_length (tests); ++cnt)
+ {
+ struct in_addr addr;
+
+@@ -73,5 +97,4 @@ do_test (void)
+ return result;
+ }
+
+-#define TEST_FUNCTION do_test ()
+-#include "../test-skeleton.c"
++#include <support/test-driver.c>
+diff --git a/resolv/tst-inet_aton_exact.c b/resolv/tst-inet_aton_exact.c
+new file mode 100644
+index 0000000000..0fdfa3d6aa
+--- /dev/null
++++ b/resolv/tst-inet_aton_exact.c
+@@ -0,0 +1,47 @@
++/* Test internal legacy IPv4 text-to-address function __inet_aton_exact.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <arpa/inet.h>
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++ struct in_addr addr = { };
++
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.1", &addr), 1);
++ TEST_COMPARE (ntohl (addr.s_addr), 0xC0000201);
++
++ TEST_COMPARE (__inet_aton_exact ("192.000.002.010", &addr), 1);
++ TEST_COMPARE (ntohl (addr.s_addr), 0xC0000208);
++ TEST_COMPARE (__inet_aton_exact ("0xC0000234", &addr), 1);
++ TEST_COMPARE (ntohl (addr.s_addr), 0xC0000234);
++
++ /* Trailing content is not accepted. */
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.2X", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.3 Y", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.4\nZ", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.5\tT", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.6 Y", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.7\n", &addr), 0);
++ TEST_COMPARE (__inet_aton_exact ("192.0.2.8\t", &addr), 0);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/resolv/tst-resolv-nondecimal.c b/resolv/tst-resolv-nondecimal.c
+new file mode 100644
+index 0000000000..a0df6f332a
+--- /dev/null
++++ b/resolv/tst-resolv-nondecimal.c
+@@ -0,0 +1,139 @@
++/* Test name resolution behavior for octal, hexadecimal IPv4 addresses.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <netdb.h>
++#include <stdlib.h>
++#include <support/check.h>
++#include <support/check_nss.h>
++#include <support/resolv_test.h>
++#include <support/support.h>
++
++static void
++response (const struct resolv_response_context *ctx,
++ struct resolv_response_builder *b,
++ const char *qname, uint16_t qclass, uint16_t qtype)
++{
++ /* The tests are not supposed send any DNS queries. */
++ FAIL_EXIT1 ("unexpected DNS query for %s/%d/%d", qname, qclass, qtype);
++}
++
++static void
++run_query_addrinfo (const char *query, const char *address)
++{
++ char *quoted_query = support_quote_string (query);
++
++ struct addrinfo *ai;
++ struct addrinfo hints =
++ {
++ .ai_socktype = SOCK_STREAM,
++ .ai_protocol = IPPROTO_TCP,
++ };
++
++ char *context = xasprintf ("getaddrinfo \"%s\" AF_INET", quoted_query);
++ char *expected = xasprintf ("address: STREAM/TCP %s 80\n", address);
++ hints.ai_family = AF_INET;
++ int ret = getaddrinfo (query, "80", &hints, &ai);
++ check_addrinfo (context, ai, ret, expected);
++ if (ret == 0)
++ freeaddrinfo (ai);
++ free (context);
++
++ context = xasprintf ("getaddrinfo \"%s\" AF_UNSPEC", quoted_query);
++ hints.ai_family = AF_UNSPEC;
++ ret = getaddrinfo (query, "80", &hints, &ai);
++ check_addrinfo (context, ai, ret, expected);
++ if (ret == 0)
++ freeaddrinfo (ai);
++ free (expected);
++ free (context);
++
++ context = xasprintf ("getaddrinfo \"%s\" AF_INET6", quoted_query);
++ expected = xasprintf ("flags: AI_V4MAPPED\n"
++ "address: STREAM/TCP ::ffff:%s 80\n",
++ address);
++ hints.ai_family = AF_INET6;
++ hints.ai_flags = AI_V4MAPPED;
++ ret = getaddrinfo (query, "80", &hints, &ai);
++ check_addrinfo (context, ai, ret, expected);
++ if (ret == 0)
++ freeaddrinfo (ai);
++ free (expected);
++ free (context);
++
++ free (quoted_query);
++}
++
++static void
++run_query (const char *query, const char *address)
++{
++ char *quoted_query = support_quote_string (query);
++ char *context = xasprintf ("gethostbyname (\"%s\")", quoted_query);
++ char *expected = xasprintf ("name: %s\n"
++ "address: %s\n", query, address);
++ check_hostent (context, gethostbyname (query), expected);
++ free (context);
++
++ context = xasprintf ("gethostbyname_r \"%s\"", quoted_query);
++ struct hostent storage;
++ char buf[4096];
++ struct hostent *e = NULL;
++ TEST_COMPARE (gethostbyname_r (query, &storage, buf, sizeof (buf),
++ &e, &h_errno), 0);
++ check_hostent (context, e, expected);
++ free (context);
++
++ context = xasprintf ("gethostbyname2 (\"%s\", AF_INET)", quoted_query);
++ check_hostent (context, gethostbyname2 (query, AF_INET), expected);
++ free (context);
++
++ context = xasprintf ("gethostbyname2_r \"%s\" AF_INET", quoted_query);
++ e = NULL;
++ TEST_COMPARE (gethostbyname2_r (query, AF_INET, &storage, buf, sizeof (buf),
++ &e, &h_errno), 0);
++ check_hostent (context, e, expected);
++ free (context);
++ free (expected);
++
++ free (quoted_query);
++
++ /* The gethostbyname tests are always valid for getaddrinfo, but not
++ vice versa. */
++ run_query_addrinfo (query, address);
++}
++
++static int
++do_test (void)
++{
++ struct resolv_test *aux = resolv_test_start
++ ((struct resolv_redirect_config)
++ {
++ .response_callback = response,
++ });
++
++ run_query ("192.000.002.010", "192.0.2.8");
++
++ /* Hexadecimal numbers are not accepted by gethostbyname. */
++ run_query_addrinfo ("0xc0000210", "192.0.2.16");
++ run_query_addrinfo ("192.0x234", "192.0.2.52");
++
++ resolv_test_end (aux);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/resolv/tst-resolv-trailing.c b/resolv/tst-resolv-trailing.c
+new file mode 100644
+index 0000000000..7504bdae57
+--- /dev/null
++++ b/resolv/tst-resolv-trailing.c
+@@ -0,0 +1,136 @@
++/* Test name resolution behavior with trailing characters.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <array_length.h>
++#include <netdb.h>
++#include <support/check.h>
++#include <support/check_nss.h>
++#include <support/resolv_test.h>
++#include <support/support.h>
++
++static void
++response (const struct resolv_response_context *ctx,
++ struct resolv_response_builder *b,
++ const char *qname, uint16_t qclass, uint16_t qtype)
++{
++ /* The tests are not supposed send any DNS queries. */
++ FAIL_EXIT1 ("unexpected DNS query for %s/%d/%d", qname, qclass, qtype);
++}
++
++static int
++do_test (void)
++{
++ struct resolv_test *aux = resolv_test_start
++ ((struct resolv_redirect_config)
++ {
++ .response_callback = response,
++ });
++
++ static const char *const queries[] =
++ {
++ "192.0.2.1 ",
++ "192.0.2.2\t",
++ "192.0.2.3\n",
++ "192.0.2.4 X",
++ "192.0.2.5\tY",
++ "192.0.2.6\nZ",
++ "192.0.2. ",
++ "192.0.2.\t",
++ "192.0.2.\n",
++ "192.0.2. X",
++ "192.0.2.\tY",
++ "192.0.2.\nZ",
++ "2001:db8::1 ",
++ "2001:db8::2\t",
++ "2001:db8::3\n",
++ "2001:db8::4 X",
++ "2001:db8::5\tY",
++ "2001:db8::6\nZ",
++ };
++ for (size_t query_idx = 0; query_idx < array_length (queries); ++query_idx)
++ {
++ const char *query = queries[query_idx];
++ struct hostent storage;
++ char buf[4096];
++ struct hostent *e;
++
++ h_errno = 0;
++ TEST_VERIFY (gethostbyname (query) == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ h_errno = 0;
++ e = NULL;
++ TEST_COMPARE (gethostbyname_r (query, &storage, buf, sizeof (buf),
++ &e, &h_errno), 0);
++ TEST_VERIFY (e == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ h_errno = 0;
++ TEST_VERIFY (gethostbyname2 (query, AF_INET) == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ h_errno = 0;
++ e = NULL;
++ TEST_COMPARE (gethostbyname2_r (query, AF_INET,
++ &storage, buf, sizeof (buf),
++ &e, &h_errno), 0);
++ TEST_VERIFY (e == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ h_errno = 0;
++ TEST_VERIFY (gethostbyname2 (query, AF_INET6) == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ h_errno = 0;
++ e = NULL;
++ TEST_COMPARE (gethostbyname2_r (query, AF_INET6,
++ &storage, buf, sizeof (buf),
++ &e, &h_errno), 0);
++ TEST_VERIFY (e == NULL);
++ TEST_COMPARE (h_errno, HOST_NOT_FOUND);
++
++ static const int gai_flags[] =
++ {
++ 0,
++ AI_ADDRCONFIG,
++ AI_NUMERICHOST,
++ AI_IDN,
++ AI_IDN | AI_NUMERICHOST,
++ AI_V4MAPPED,
++ AI_V4MAPPED | AI_NUMERICHOST,
++ };
++ for (size_t gai_flags_idx; gai_flags_idx < array_length (gai_flags);
++ ++gai_flags_idx)
++ {
++ struct addrinfo hints = { .ai_flags = gai_flags[gai_flags_idx], };
++ struct addrinfo *ai;
++ hints.ai_family = AF_INET;
++ TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME);
++ hints.ai_family = AF_INET6;
++ TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME);
++ hints.ai_family = AF_UNSPEC;
++ TEST_COMPARE (getaddrinfo (query, "80", &hints, &ai), EAI_NONAME);
++ }
++ };
++
++ resolv_test_end (aux);
++
++ return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 553833d1f2..c91b281e31 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -488,7 +488,7 @@ gaih_inet (const char *name, const struct gaih_service *service,
+ malloc_name = true;
+ }
+
+- if (__inet_aton (name, (struct in_addr *) at->addr) != 0)
++ if (__inet_aton_exact (name, (struct in_addr *) at->addr) != 0)
+ {
+ if (req->ai_family == AF_UNSPEC || req->ai_family == AF_INET)
+ at->family = AF_INET;
+--
+2.20.1
+
+
+From c533244b8e00ae701583ec50aeb43377d292452d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 4 Feb 2019 20:07:18 +0100
+Subject: [PATCH 4/4] nscd: Do not use __inet_aton_exact@GLIBC_PRIVATE [BZ
+ #20018]
+
+This commit avoids referencing the __inet_aton_exact@GLIBC_PRIVATE
+symbol from nscd. In master, the separately-compiled getaddrinfo
+implementation in nscd needs it, however such an internal ABI change
+is not desirable on a release branch if it can be avoided.
+---
+ ChangeLog | 10 ++++++++++
+ nscd/Makefile | 2 +-
+ nscd/gai.c | 6 ++++++
+ nscd/nscd-inet_addr.c | 32 ++++++++++++++++++++++++++++++++
+ 4 files changed, 49 insertions(+), 1 deletion(-)
+ create mode 100644 nscd/nscd-inet_addr.c
+
+diff --git a/nscd/Makefile b/nscd/Makefile
+index b713a84c49..eb23c01a39 100644
+--- a/nscd/Makefile
++++ b/nscd/Makefile
+@@ -36,7 +36,7 @@ nscd-modules := nscd connections pwdcache getpwnam_r getpwuid_r grpcache \
+ getsrvbynm_r getsrvbypt_r servicescache \
+ dbg_log nscd_conf nscd_stat cache mem nscd_setup_thread \
+ xmalloc xstrdup aicache initgrcache gai res_hconf \
+- netgroupcache
++ netgroupcache nscd-inet_addr
+
+ ifeq ($(build-nscd)$(have-thread-library),yesyes)
+
+diff --git a/nscd/gai.c b/nscd/gai.c
+index f57f396f57..68a4abd30e 100644
+--- a/nscd/gai.c
++++ b/nscd/gai.c
+@@ -33,6 +33,12 @@
+ #define __getifaddrs getifaddrs
+ #define __freeifaddrs freeifaddrs
+
++/* We do not want to export __inet_aton_exact. Get the prototype and
++ change its visibility to hidden. */
++#include <arpa/inet.h>
++__typeof__ (__inet_aton_exact) __inet_aton_exact
++ __attribute__ ((visibility ("hidden")));
++
+ /* We are nscd, so we don't want to be talking to ourselves. */
+ #undef USE_NSCD
+
+diff --git a/nscd/nscd-inet_addr.c b/nscd/nscd-inet_addr.c
+new file mode 100644
+index 0000000000..f366b9567d
+--- /dev/null
++++ b/nscd/nscd-inet_addr.c
+@@ -0,0 +1,32 @@
++/* Legacy IPv4 text-to-address functions. Version for nscd.
++ Copyright (C) 2019 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <arpa/inet.h>
++
++/* We do not want to export __inet_aton_exact. Get the prototype and
++ change the visibility to hidden. */
++#include <arpa/inet.h>
++__typeof__ (__inet_aton_exact) __inet_aton_exact
++ __attribute__ ((visibility ("hidden")));
++
++/* Do not provide definitions of the public symbols exported from
++ libc. */
++#undef weak_alias
++#define weak_alias(from, to)
++
++#include <resolv/inet_addr.c>
+--
+2.20.1
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [thud 18/18] linux-yocto/4.14: update to 4.14.154
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (16 preceding siblings ...)
2019-12-16 16:00 ` [thud 17/18] glibc: finish incomplete fix for CVE-2016-10739 Armin Kuster
@ 2019-12-16 16:00 ` Armin Kuster
2019-12-17 3:51 ` [thud 00/18] thud pull request Adrian Bunk
18 siblings, 0 replies; 20+ messages in thread
From: Armin Kuster @ 2019-12-16 16:00 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb | 6 +++---
meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb | 6 +++---
meta/recipes-kernel/linux/linux-yocto_4.14.bb | 20 ++++++++++----------
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb b/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
index 0ed2900..de6f5c9 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_4.14.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "72075349c6af55a7a6d024f0aa241711653fcb97"
-SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f"
+SRCREV_machine ?= "3aa9671ae072f45665e72591be5636522c8a6215"
+SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.14.143"
+LINUX_VERSION ?= "4.14.154"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
index cb46307..52c02ca 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_4.14.bb
@@ -4,7 +4,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "4.14.143"
+LINUX_VERSION ?= "4.14.154"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
@@ -12,8 +12,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "3d884bc92763f474cc0728d1feb0becad8ed37d5"
-SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f"
+SRCREV_machine ?= "38c3a6549d60a3b4a5ab0cb6a440929ba8502f7f"
+SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_4.14.bb b/meta/recipes-kernel/linux/linux-yocto_4.14.bb
index 4a92d27..0048735 100644
--- a/meta/recipes-kernel/linux/linux-yocto_4.14.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_4.14.bb
@@ -11,20 +11,20 @@ KBRANCH_qemux86 ?= "v4.14/standard/base"
KBRANCH_qemux86-64 ?= "v4.14/standard/base"
KBRANCH_qemumips64 ?= "v4.14/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "bd85f4880bb890bf9c45ee6c2fd95f077d2bf67e"
-SRCREV_machine_qemuarm64 ?= "445a4787bd489eb6b3d5c172b9842dbe5a34d734"
-SRCREV_machine_qemumips ?= "3d07ac9aa6ca729674dfb763563202f18f9eedde"
-SRCREV_machine_qemuppc ?= "81ba8dbab3b1bfc371e539956be905809db0e41a"
-SRCREV_machine_qemux86 ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755"
-SRCREV_machine_qemux86-64 ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755"
-SRCREV_machine_qemumips64 ?= "3c4acadcbe2ee11043f7d0fce43a5181511d0935"
-SRCREV_machine ?= "bc9d4b045fa0254d14ef3a667a200f02cb9af755"
-SRCREV_meta ?= "1bd749b7ce4240e83024b10fa4a4a6b9de5a5e5f"
+SRCREV_machine_qemuarm ?= "e4e2990af921c2d1544d18efa5f7183f95289cd0"
+SRCREV_machine_qemuarm64 ?= "51c9e69ebef5d2d15dfbcdf098269d86e0e38317"
+SRCREV_machine_qemumips ?= "e70c76a3fe9cc785619d9e4c8e28cb4d4d76ecaf"
+SRCREV_machine_qemuppc ?= "6b6eab44d3a04294c233e0b47d6b7c6cbb6e9ffb"
+SRCREV_machine_qemux86 ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce"
+SRCREV_machine_qemux86-64 ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce"
+SRCREV_machine_qemumips64 ?= "4e099e87d223bfc1526543a5e4c5383cb2edda70"
+SRCREV_machine ?= "57278e88a6b0f7c6230f7429cab7e74229f2b7ce"
+SRCREV_meta ?= "a889c43359ca8bee705601817c50edf3c209bc09"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRANCH}; \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-4.14;destsuffix=${KMETA}"
-LINUX_VERSION ?= "4.14.143"
+LINUX_VERSION ?= "4.14.154"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.7.4
^ permalink raw reply related [flat|nested] 20+ messages in thread
* Re: [thud 00/18] thud pull request
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
` (17 preceding siblings ...)
2019-12-16 16:00 ` [thud 18/18] linux-yocto/4.14: update to 4.14.154 Armin Kuster
@ 2019-12-17 3:51 ` Adrian Bunk
18 siblings, 0 replies; 20+ messages in thread
From: Adrian Bunk @ 2019-12-17 3:51 UTC (permalink / raw)
To: Armin Kuster; +Cc: openembedded-core
On Mon, Dec 16, 2019 at 07:59:50AM -0800, Armin Kuster wrote:
>...
> Khem Raj (1):
> sdk: Install nativesdk locales for all TCLIBC variants
>
> Ross Burton (12):
>...
> cve-check: ensure all known CVEs are in the report
> cve-check: failure to parse versions should be more visible
> cve-check: we don't actually need to unpack to check
> cve-update-db-native: don't refresh more than once an hour
> cve-update-db-native: don't hardcode the database name
> cve-update-db-native: add an index on the CVE ID column
> cve-update-db-native: clean up proxy handling
> cve-check: rewrite look to fix false negatives
> cve-check: neaten get_cve_info
> cve-check: fetch CVE data once at a time instead of in a single call
>...
Please also queue these 11 commits for warrior, when they are in thud
they shouldn't be missing after upgrading to warrior.
Thanks
Adrian
^ permalink raw reply [flat|nested] 20+ messages in thread
end of thread, other threads:[~2019-12-17 3:52 UTC | newest]
Thread overview: 20+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-12-16 15:59 [thud 00/18] thud pull request Armin Kuster
2019-12-16 15:59 ` [thud 01/18] at-spi2: fix dbus-daemon path Armin Kuster
2019-12-16 15:59 ` [thud 02/18] sdk: Install nativesdk locales for all TCLIBC variants Armin Kuster
2019-12-16 15:59 ` [thud 03/18] libgcrypt: CVE-2019-12904 Armin Kuster
2019-12-16 15:59 ` [thud 04/18] tar: Fix CVE-2018-20482 Armin Kuster
2019-12-16 15:59 ` [thud 05/18] sudo: Fix CVE-2019-14287 Armin Kuster
2019-12-16 15:59 ` [thud 06/18] cve-check: backport rewrite from master Armin Kuster
2019-12-16 15:59 ` [thud 07/18] cve-check: ensure all known CVEs are in the report Armin Kuster
2019-12-16 15:59 ` [thud 08/18] cve-check: failure to parse versions should be more visible Armin Kuster
2019-12-16 15:59 ` [thud 09/18] cve-check: we don't actually need to unpack to check Armin Kuster
2019-12-16 16:00 ` [thud 10/18] cve-update-db-native: don't refresh more than once an hour Armin Kuster
2019-12-16 16:00 ` [thud 11/18] cve-update-db-native: don't hardcode the database name Armin Kuster
2019-12-16 16:00 ` [thud 12/18] cve-update-db-native: add an index on the CVE ID column Armin Kuster
2019-12-16 16:00 ` [thud 13/18] cve-update-db-native: clean up proxy handling Armin Kuster
2019-12-16 16:00 ` [thud 14/18] cve-check: rewrite look to fix false negatives Armin Kuster
2019-12-16 16:00 ` [thud 15/18] cve-check: neaten get_cve_info Armin Kuster
2019-12-16 16:00 ` [thud 16/18] cve-check: fetch CVE data once at a time instead of in a single call Armin Kuster
2019-12-16 16:00 ` [thud 17/18] glibc: finish incomplete fix for CVE-2016-10739 Armin Kuster
2019-12-16 16:00 ` [thud 18/18] linux-yocto/4.14: update to 4.14.154 Armin Kuster
2019-12-17 3:51 ` [thud 00/18] thud pull request Adrian Bunk
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox