* [OE-core][dunfell 00/18] Patch review
From: Steve Sakoman @ 2020-07-27 15:09 UTC
To: openembedded-core
Please review this next set of patches for dunfell and have comments back
by end of day Wednesday.
The following changes since commit ea886d57db917a41a0d106a15e1e96c72d6407b0:
kernel-yocto: account for extracted defconfig in elements check (2020-07-23 04:07:37 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Ahmad Fatoum (1):
core: glib-2.0: fix requested libmount/mkostemp/selinux not being
linked in
Armin Kuster (1):
glibc: Security fix for CVE-2020-6096
Bruce Ashfield (2):
linux-yocto/5.4: update to v5.4.51
linux-yocto-rt/5.4: fix mmdrop stress test issues
Changqing Li (1):
gtk-immodules-cache.bbclass: fix post install scriptlet error
Chen Qi (1):
rpm: fix nativesdk's default var location
Daniel Ammann (1):
image.bbclass: improve wording when image size exceeds the specified
limit
Joshua Watt (2):
classes/cmake: Fix host detection
classes/package: Use HOST_OS for runtime dependencies
Kevin Hao (3):
wic/filemap: Drop the unused block_is_unmapped()
wic/filemap: Drop the unused get_unmapped_ranges()
wic/filemap: Fall back to standard copy when no way to get the block
map
Kurt Kiefer (1):
linux-firmware: add ibt-20 package
Lee Chee Yang (1):
buildhistory: use pid for temporary txt file name
Richard Purdie (1):
oeqa/qemurunner: Add priority/nice information for running processes
Robert Yang (1):
openssl: openssl-bin requires openssl-conf to run
Ross Burton (1):
startup-notification: add time_t type mismatch patch from upstream
Sakib Sajal (1):
busybox: make hwclock compatible with glibc 2.31
meta/classes/buildhistory.bbclass | 11 +-
meta/classes/cmake.bbclass | 19 +-
meta/classes/gtk-immodules-cache.bbclass | 1 +
meta/classes/image.bbclass | 4 +-
meta/classes/package.bbclass | 10 +-
meta/lib/oeqa/utils/qemurunner.py | 2 +-
meta/lib/oeqa/utils/qemutinyrunner.py | 2 +-
.../openssl/openssl_1.1.1g.bb | 2 +
...1-hwclock-make-glibc-2.31-compatible.patch | 83 ++++++++
meta/recipes-core/busybox/busybox_1.31.1.bb | 1 +
...ot-hardcode-linux-as-the-host-system.patch | 49 +++++
meta/recipes-core/glib-2.0/glib-2.0_2.62.4.bb | 1 +
.../glibc/glibc/CVE-2020-6096.patch | 112 ++++++++++
.../glibc/glibc/CVE-2020-6096_2.patch | 194 ++++++++++++++++++
meta/recipes-core/glibc/glibc_2.31.bb | 2 +
meta/recipes-devtools/rpm/rpm_4.14.2.1.bb | 2 +-
.../startup-notification-0.12/time_t.patch | 108 ++++++++++
.../startup-notification_0.12.bb | 1 +
.../linux-firmware/linux-firmware_20200619.bb | 4 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
scripts/lib/wic/filemap.py | 75 +++----
23 files changed, 630 insertions(+), 89 deletions(-)
create mode 100644 meta/recipes-core/busybox/busybox/0001-hwclock-make-glibc-2.31-compatible.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/0020-meson.build-do-not-hardcode-linux-as-the-host-system.patch
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
create mode 100644 meta/recipes-graphics/startup-notification/startup-notification-0.12/time_t.patch
--
2.17.1
* [OE-core][dunfell 00/18] Patch review
From: Steve Sakoman @ 2020-09-07 17:01 UTC
To: openembedded-core
Please review this next set of changes for dunfell and have comments back
by end of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1350
NOTE: "json-c: Fix CVE-2020-12762" has a line longer than 988 characters and thus
breaks send-pull-request. I've truncated that line and tagged it with a <snip>.
The full patch is of course available in the git repo linked below.
The following changes since commit 0d4d0df6084cce3c3d9051db88f3199a030d3352:
linux-firmware: update 20200721 -> 20200817 (2020-09-01 05:45:54 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Anibal Limon (1):
recipes-kernel: linux-firmware add qcom-venus-{5.2,5.4} packages
Bruce Ashfield (1):
kernel-yocto: checksum all modifications to available kernel fragments
directories
Joshua Watt (1):
oeqa: sdk: Capture stderr output
Khem Raj (3):
json-c: Fix CVE-2020-12762
util-linux: Allow update alternatives for additional apps
json-glib: Backport a build fix with clang
Martin Jansa (1):
devtool: expand SRC_URI when guessing recipe update mode
Michael Tretter (1):
devtool: deploy-target: Fix size calculation for hard links
Nicolas Dechesne (1):
linux-libc-headers: kernel headers are installed in
STAGING_KERNEL_BUILDDIR
Rasmus Villemoes (1):
cml1: Move find_cfgs() helper to cml1.bbclass
Richard Purdie (1):
selftest/prservice: Improve test failure message
Ross Burton (2):
package.bbclass: explode the RPROVIDES so we don't think the versions
are provides
insane: improve gnu-hash-style warning
Steve Sakoman (1):
sanity.conf: update BB_MIN_VERSION to 1.46.0
Sumit Garg (1):
insane: fix gnu-hash-style check
Vijai Kumar K (1):
wic: misc: Add /bin to the list of searchpaths
Yann Dirson (1):
package: get_package_mapping: avoid dependency mapping if renamed
package provides original name
hongxu (1):
sysstat: fix installed-vs-shipped QA Issue in systemd
meta/classes/cml1.bbclass | 10 +
meta/classes/insane.bbclass | 5 +-
meta/classes/kernel-yocto.bbclass | 16 ++
meta/classes/package.bbclass | 18 +-
meta/conf/sanity.conf | 2 +-
meta/lib/oeqa/sdk/case.py | 2 +-
meta/lib/oeqa/sdk/cases/assimp.py | 2 +-
meta/lib/oeqa/sdk/cases/buildcpio.py | 2 +-
meta/lib/oeqa/sdk/cases/buildepoxy.py | 2 +-
meta/lib/oeqa/sdk/cases/buildgalculator.py | 2 +-
meta/lib/oeqa/sdk/cases/buildlzip.py | 2 +-
meta/lib/oeqa/selftest/cases/prservice.py | 4 +-
meta/recipes-bsp/u-boot/u-boot.inc | 10 -
meta/recipes-core/busybox/busybox.inc | 10 -
meta/recipes-core/util-linux/util-linux.inc | 3 +
.../json-c/json-c/CVE-2020-12762.patch | 231 ++++++++++++++++++
meta/recipes-devtools/json-c/json-c_0.13.1.bb | 1 +
meta/recipes-extended/sysstat/sysstat.inc | 2 +-
...o-instead-of-cast-to-convert-pointer.patch | 33 +++
.../json-glib/json-glib_1.4.4.bb | 4 +-
.../linux-firmware/linux-firmware_20200817.bb | 6 +-
.../linux-libc-headers/linux-libc-headers.inc | 2 +-
scripts/lib/devtool/deploy.py | 8 +-
scripts/lib/devtool/standard.py | 2 +-
scripts/lib/wic/misc.py | 5 +-
25 files changed, 341 insertions(+), 43 deletions(-)
create mode 100644 meta/recipes-devtools/json-c/json-c/CVE-2020-12762.patch
create mode 100644 meta/recipes-gnome/json-glib/json-glib/0001-scanner-use-macro-instead-of-cast-to-convert-pointer.patch
--
2.17.1
* [OE-core][dunfell 00/18] Patch review
From: Steve Sakoman @ 2020-11-13 14:52 UTC
To: openembedded-core
Please review this next set of patches for dunfell and have comments back by
end of day on Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1588
The following changes since commit 4f395ad49ef9035954d0fda7b7df14dea18b49a0:
grub: clean up CVE patches (2020-11-08 16:51:24 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alex Kiernan (1):
openssh: Upgrade 8.2p1 -> 8.3p1
Alexander Kanavin (2):
clutter-gst-3.0: do not call out to host gstreamer plugin scanner
openssh: upgrade 8.3p1 -> 8.4p1 to fix CVE-2020-14145 and
CVE-2020-15778
Denys Zagorui (1):
binutils: reproducibility: reuse debug-prefix-map for stabs
Diego Santa Cruz (1):
freetype: fix CVE-2020-15999, backport from 2.10.4
Gratian Crisan (1):
kernel-module-split.bbclass: identify kernel modconf files as
configuration files
Jose Quaresma (1):
gstreamer1.0: warn the user when something is wrong with GstBufferPool
Konrad Weihmann (3):
oeqa/core/context: expose results as variable
oeqa/core/context: initialize _run_end_time
testimage: print results for interrupted runs
Nathan Rossi (1):
diffstat: add nativesdk to BBCLASSEXTEND
Ricardo Salveti (1):
dosfstools: add mkfs.vfat to ALTERNATIVE
Richard Purdie (3):
ptest-runner: Fix license as it contains 'or later' clause
libdnf: Fix license as it contains 'or later' clause
alsa-utils: Fix license to GPLv2 only
Ross Burton (1):
syslinux: add link to upstream discussion in patch
Steve Sakoman (1):
openssh: whitelist CVE-2014-9278
akash hadke (1):
systemd: udev SECLABEL{selinux} crash fix
meta/classes/kernel-module-split.bbclass | 1 +
meta/classes/testimage.bbclass | 19 ++++---
meta/lib/oeqa/core/context.py | 4 ++
.../{openssh_8.2p1.bb => openssh_8.4p1.bb} | 7 ++-
...temd-udev-seclabel-options-crash-fix.patch | 30 +++++++++++
meta/recipes-core/systemd/systemd_244.3.bb | 1 +
.../binutils/binutils-2.34.inc | 1 +
...oducibility-for-stabs-debugging-data.patch | 32 ++++++++++++
.../diffstat/diffstat_1.63.bb | 2 +
.../dosfstools/dosfstools_4.1.bb | 6 ++-
meta/recipes-devtools/libdnf/libdnf_0.28.1.bb | 2 +-
...nux-syslinux-support-ext2-3-4-device.patch | 2 +-
.../clutter/clutter-gst-3.0.inc | 2 +
...-sfnt-Fix-heap-buffer-overflow-59308.patch | 51 +++++++++++++++++++
.../freetype/freetype_2.10.1.bb | 1 +
.../alsa/alsa-utils_1.2.1.bb | 3 +-
...size-in-reset-when-maxsize-is-larger.patch | 49 ++++++++++++++++++
.../gstreamer/gstreamer1.0_1.16.3.bb | 1 +
.../ptest-runner/ptest-runner_2.3.2.bb | 2 +-
19 files changed, 201 insertions(+), 15 deletions(-)
rename meta/recipes-connectivity/openssh/{openssh_8.2p1.bb => openssh_8.4p1.bb} (95%)
create mode 100644 meta/recipes-core/systemd/systemd/systemd-udev-seclabel-options-crash-fix.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0001-gas-improve-reproducibility-for-stabs-debugging-data.patch
create mode 100644 meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch
--
2.17.1
* [OE-core][dunfell 00/18] Patch review
From: Steve Sakoman @ 2021-12-03 18:18 UTC
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2988
with the exception of a known autobuilder intermittent issue (on qemuppc test)
which passed on subsequent retest:
https://autobuilder.yoctoproject.org/typhoon/#/builders/63/builds/4402
The following changes since commit f61fcb6e176f19f1e768ce63a693f238713c8887:
openssh: remove redundant BSD license (2021-12-02 05:11:21 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Dhruva Gole (1):
scripts/checklayer/common.py: Fixed a minor grammatical error
Eero Aaltonen (1):
cmake: FindGTest: Add target for gmock library
Jate Sujjavanich (2):
libdnf: Backport bugfix for upgrade calc
dnf: Backport bugfix for upgrade
Khem Raj (1):
libunwind: Backport a fix for -fno-common option to compile
Neetika Singh (1):
glib-2.0: Add security fixes
Pavel Zhukov (2):
busybox: Fix for CVE-2021-42374
busybox: Fix for CVE-2021-42376
Quentin Schulz (1):
README.OE-Core.md: update URLs
Ranjitsinh Rathod (2):
ncurses: Fix for CVE-2021-39537
libsolv: update tag for missing CVEs
Richard Purdie (2):
buildhistory: Fix srcrevs output
oeqa/parselogs: Fix quoting
Ross Burton (1):
vim: fix CVE-2021-3968 and CVE-2021-3973
Steve Sakoman (4):
cve-extra-exclusions: add db CVEs to exclusion list
bind: update to 9.11.33
bind: update to 9.11.34
bind: update to 9.11.35
README.OE-Core | 10 +-
meta/classes/buildhistory.bbclass | 30 +-
.../distro/include/cve-extra-exclusions.inc | 9 +-
meta/lib/oeqa/runtime/cases/parselogs.py | 14 +-
.../bind/{bind_9.11.32.bb => bind_9.11.35.bb} | 2 +-
.../busybox/busybox/CVE-2021-42374.patch | 53 +++
.../busybox/busybox/CVE-2021-42376.patch | 138 ++++++
meta/recipes-core/busybox/busybox_1.31.1.bb | 2 +
.../glib-2.0/glib-2.0/CVE-2021-27218.patch | 129 ++++++
.../glib-2.0/glib-2.0/CVE-2021-27219-01.patch | 170 +++++++
.../glib-2.0/glib-2.0/CVE-2021-27219-02.patch | 249 +++++++++++
.../glib-2.0/glib-2.0/CVE-2021-27219-03.patch | 131 ++++++
.../glib-2.0/glib-2.0/CVE-2021-27219-04.patch | 298 +++++++++++++
.../glib-2.0/glib-2.0/CVE-2021-27219-05.patch | 54 +++
.../glib-2.0/glib-2.0/CVE-2021-27219-06.patch | 101 +++++
.../glib-2.0/glib-2.0/CVE-2021-27219-07.patch | 76 ++++
.../glib-2.0/glib-2.0/CVE-2021-27219-08.patch | 101 +++++
.../glib-2.0/glib-2.0/CVE-2021-27219-09.patch | 100 +++++
.../glib-2.0/glib-2.0/CVE-2021-27219-10.patch | 59 +++
.../glib-2.0/glib-2.0/CVE-2021-27219-11.patch | 63 +++
.../glib-2.0/CVE-2021-27219-reg1-1.patch | 36 ++
.../glib-2.0/CVE-2021-27219-reg1-2.patch | 38 ++
.../glib-2.0/CVE-2021-27219-reg1-4.patch | 38 ++
.../glib-2.0/CVE-2021-27219-reg1-5.patch | 100 +++++
.../glib-2.0/CVE-2021-27219-reg2-1.patch | 49 ++
.../glib-2.0/CVE-2021-27219-reg2-2.patch | 43 ++
.../glib-2.0/CVE-2021-27219-reg2-3.patch | 232 ++++++++++
.../glib-2.0/glib-2.0/CVE-2021-28153-1.patch | 27 ++
.../glib-2.0/glib-2.0/CVE-2021-28153-2.patch | 42 ++
.../glib-2.0/glib-2.0/CVE-2021-28153-3.patch | 57 +++
.../glib-2.0/glib-2.0/CVE-2021-28153-4.patch | 265 +++++++++++
.../glib-2.0/glib-2.0/CVE-2021-28153-5.patch | 55 +++
meta/recipes-core/glib-2.0/glib-2.0_2.62.6.bb | 24 +
.../ncurses/files/CVE-2021-39537.patch | 30 ++
meta/recipes-core/ncurses/ncurses_6.2.bb | 1 +
.../cmake/cmake-native_3.16.5.bb | 1 +
...ndGTest-Add-target-for-gmock-library.patch | 255 +++++++++++
...ackages-in-upgrade-job-RhBug-1728252.patch | 60 +++
meta/recipes-devtools/dnf/dnf_4.2.2.bb | 1 +
...job-goal.upgrade-with-sltr-as-target.patch | 58 +++
meta/recipes-devtools/libdnf/libdnf_0.28.1.bb | 1 +
.../libsolv/files/CVE-2021-3200.patch | 9 +-
...0001-Fix-compilation-with-fno-common.patch | 420 ++++++++++++++++++
.../libunwind/libunwind_1.3.1.bb | 1 +
...rash-when-using-CTRL-W-f-without-fin.patch | 92 ++++
meta/recipes-support/vim/vim.inc | 4 +
scripts/lib/checklayer/cases/common.py | 2 +-
47 files changed, 3696 insertions(+), 34 deletions(-)
rename meta/recipes-connectivity/bind/{bind_9.11.32.bb => bind_9.11.35.bb} (98%)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2021-42374.patch
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2021-42376.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27218.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-02.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-03.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-04.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-05.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-06.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-07.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-08.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-09.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-10.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-11.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-1.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-2.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-4.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg1-5.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-1.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-2.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219-reg2-3.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-1.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-2.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-3.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-4.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-28153-5.patch
create mode 100644 meta/recipes-core/ncurses/files/CVE-2021-39537.patch
create mode 100644 meta/recipes-devtools/cmake/cmake/0006-cmake-FindGTest-Add-target-for-gmock-library.patch
create mode 100644 meta/recipes-devtools/dnf/dnf/0040-Keep-installed-packages-in-upgrade-job-RhBug-1728252.patch
create mode 100644 meta/recipes-devtools/libdnf/libdnf/0040-Mark-job-goal.upgrade-with-sltr-as-target.patch
create mode 100644 meta/recipes-support/libunwind/libunwind/0001-Fix-compilation-with-fno-common.patch
create mode 100644 meta/recipes-support/vim/files/0002-patch-8.2.3611-crash-when-using-CTRL-W-f-without-fin.patch
--
2.25.1
* [OE-core][dunfell 00/18] Patch review
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3314
with the exception of a known autobuilder intermittent issue on qemumips64:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14029
which passed on subsequent retest:
https://autobuilder.yoctoproject.org/typhoon/#/builders/74/builds/4787
The following changes since commit 79ce9059f716546a7d6f4562ba194aedd90c22cd:
grub: add a fix for a crash in scripts (2022-02-23 05:00:42 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Jose Quaresma (1):
buildhistory.bbclass: create the buildhistory directory when needed
Marek Vasut (1):
bootchart2: Add missing python3-math dependency
Michael Halstead (1):
uninative: Upgrade to 3.5
Minjae Kim (2):
go: fix CVE-2022-23806
go: fix CVE-2022-23772
Nathan Rossi (1):
cml1.bbclass: Handle ncurses-native being available via pkg-config
Richard Purdie (2):
libxml-parser-perl: Add missing RDEPENDS
uninative: Add version to uninative tarball name
Ross Burton (3):
coreutils: remove obsolete ignored CVE list
cve-check: get_cve_info should open the database read-only
Revert "cve-check: add lockfile to task"
Steve Sakoman (5):
expat: fix CVE-2022-25235
expat: fix CVE-2022-25236
expat: fix CVE-2022-25313
expat: fix CVE-2022-25314
expat: fix CVE-2022-25315
Virendra Thakur (1):
libarchive: Fix for CVE-2021-36976
wangmy (1):
wireless-regdb: upgrade 2021.08.28 -> 2022.02.18
meta/classes/buildhistory.bbclass | 1 +
meta/classes/cml1.bbclass | 8 +
meta/classes/cve-check.bbclass | 4 +-
meta/classes/uninative.bbclass | 2 +-
meta/conf/distro/include/yocto-uninative.inc | 11 +-
meta/recipes-core/coreutils/coreutils_8.31.bb | 3 -
.../expat/expat/CVE-2022-25235.patch | 283 +++++++++++++++
.../expat/expat/CVE-2022-25236.patch | 129 +++++++
.../expat/CVE-2022-25313-regression.patch | 131 +++++++
.../expat/expat/CVE-2022-25313.patch | 230 +++++++++++++
.../expat/expat/CVE-2022-25314.patch | 32 ++
.../expat/expat/CVE-2022-25315.patch | 145 ++++++++
meta/recipes-core/expat/expat_2.2.9.bb | 6 +
.../bootchart2/bootchart2_0.14.9.bb | 2 +-
meta/recipes-devtools/go/go-1.14.inc | 2 +
.../go/go-1.14/CVE-2022-23772.patch | 50 +++
.../go/go-1.14/CVE-2022-23806.patch | 142 ++++++++
.../perl/libxml-parser-perl_2.46.bb | 1 +
.../libarchive/CVE-2021-36976-1.patch | 321 ++++++++++++++++++
.../libarchive/CVE-2021-36976-2.patch | 121 +++++++
.../libarchive/CVE-2021-36976-3.patch | 93 +++++
.../libarchive/libarchive_3.4.2.bb | 6 +-
....08.28.bb => wireless-regdb_2022.02.18.bb} | 2 +-
23 files changed, 1711 insertions(+), 14 deletions(-)
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25235.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25236.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25313.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25314.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25315.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2021.08.28.bb => wireless-regdb_2022.02.18.bb} (94%)
--
2.25.1
* [OE-core][dunfell 01/18] libarchive: Fix for CVE-2021-36976
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
From: Virendra Thakur <virendra.thakur@kpit.com>
Add patch to fix CVE-2021-36976
Fixes for CVE-2021-36976 are provided by the pull requests mentioned below.
1) https://github.com/libarchive/libarchive/pull/1491
2) https://github.com/libarchive/libarchive/pull/1492
3) https://github.com/libarchive/libarchive/pull/1493
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: virendra thakur <thakur.virendra1810@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libarchive/CVE-2021-36976-1.patch | 321 ++++++++++++++++++
.../libarchive/CVE-2021-36976-2.patch | 121 +++++++
.../libarchive/CVE-2021-36976-3.patch | 93 +++++
.../libarchive/libarchive_3.4.2.bb | 6 +-
4 files changed, 540 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch
new file mode 100644
index 0000000000..fca53fc9b6
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-1.patch
@@ -0,0 +1,321 @@
+From 05ebb55896d10a9737dad9ae0303f7f45489ba6f Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sat, 13 Feb 2021 09:08:13 +0100
+Subject: [PATCH] RAR5 reader: fixed out of bounds read in some files
+
+Added more range checks in the bit stream reading functions
+(read_bits_16 and read_bits_32) in order to better guard against out of
+memory reads.
+
+This commit contains a test with OSSFuzz sample #30448.
+
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libarchive/plain/debian/patches/CVE-2021-36976-1.patch?h=applied/3.4.3-2ubuntu0.1]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ Makefile.am | 1 +
+ libarchive/archive_read_support_format_rar5.c | 108 ++++++++++--------
+ libarchive/test/test_read_format_rar5.c | 16 +++
+ ...r5_decode_number_out_of_bounds_read.rar.uu | 10 ++
+ 4 files changed, 89 insertions(+), 46 deletions(-)
+ create mode 100644 libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -883,6 +883,7 @@ libarchive_test_EXTRA_DIST=\
+ libarchive/test/test_read_format_rar5_arm_filter_on_window_boundary.rar.uu \
+ libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \
+ libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
++ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
+ libarchive/test/test_read_format_raw.bufr.uu \
+ libarchive/test/test_read_format_raw.data.gz.uu \
+ libarchive/test/test_read_format_raw.data.Z.uu \
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -1012,7 +1012,16 @@ static int read_var_sized(struct archive
+ return ret;
+ }
+
+-static int read_bits_32(struct rar5* rar, const uint8_t* p, uint32_t* value) {
++static int read_bits_32(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint32_t* value)
++{
++ if(rar->bits.in_addr >= rar->cstate.cur_block_size) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_PROGRAMMER,
++ "Premature end of stream during extraction of data (#1)");
++ return ARCHIVE_FATAL;
++ }
++
+ uint32_t bits = ((uint32_t) p[rar->bits.in_addr]) << 24;
+ bits |= p[rar->bits.in_addr + 1] << 16;
+ bits |= p[rar->bits.in_addr + 2] << 8;
+@@ -1023,7 +1032,16 @@ static int read_bits_32(struct rar5* rar
+ return ARCHIVE_OK;
+ }
+
+-static int read_bits_16(struct rar5* rar, const uint8_t* p, uint16_t* value) {
++static int read_bits_16(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint16_t* value)
++{
++ if(rar->bits.in_addr >= rar->cstate.cur_block_size) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_PROGRAMMER,
++ "Premature end of stream during extraction of data (#2)");
++ return ARCHIVE_FATAL;
++ }
++
+ int bits = (int) ((uint32_t) p[rar->bits.in_addr]) << 16;
+ bits |= (int) p[rar->bits.in_addr + 1] << 8;
+ bits |= (int) p[rar->bits.in_addr + 2];
+@@ -1039,8 +1057,8 @@ static void skip_bits(struct rar5* rar,
+ }
+
+ /* n = up to 16 */
+-static int read_consume_bits(struct rar5* rar, const uint8_t* p, int n,
+- int* value)
++static int read_consume_bits(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, int n, int* value)
+ {
+ uint16_t v;
+ int ret, num;
+@@ -1051,7 +1069,7 @@ static int read_consume_bits(struct rar5
+ return ARCHIVE_FATAL;
+ }
+
+- ret = read_bits_16(rar, p, &v);
++ ret = read_bits_16(a, rar, p, &v);
+ if(ret != ARCHIVE_OK)
+ return ret;
+
+@@ -2425,13 +2443,13 @@ static int create_decode_tables(uint8_t*
+ static int decode_number(struct archive_read* a, struct decode_table* table,
+ const uint8_t* p, uint16_t* num)
+ {
+- int i, bits, dist;
++ int i, bits, dist, ret;
+ uint16_t bitfield;
+ uint32_t pos;
+ struct rar5* rar = get_context(a);
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &bitfield)) {
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &bitfield))) {
++ return ret;
+ }
+
+ bitfield &= 0xfffe;
+@@ -2537,14 +2555,6 @@ static int parse_tables(struct archive_r
+ for(i = 0; i < HUFF_TABLE_SIZE;) {
+ uint16_t num;
+
+- if((rar->bits.in_addr + 6) >= rar->cstate.cur_block_size) {
+- /* Truncated data, can't continue. */
+- archive_set_error(&a->archive,
+- ARCHIVE_ERRNO_FILE_FORMAT,
+- "Truncated data in huffman tables (#2)");
+- return ARCHIVE_FATAL;
+- }
+-
+ ret = decode_number(a, &rar->cstate.bd, p, &num);
+ if(ret != ARCHIVE_OK) {
+ archive_set_error(&a->archive,
+@@ -2561,8 +2571,8 @@ static int parse_tables(struct archive_r
+ /* 16..17: repeat previous code */
+ uint16_t n;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &n))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &n)))
++ return ret;
+
+ if(num == 16) {
+ n >>= 13;
+@@ -2590,8 +2600,8 @@ static int parse_tables(struct archive_r
+ /* other codes: fill with zeroes `n` times */
+ uint16_t n;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &n))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &n)))
++ return ret;
+
+ if(num == 18) {
+ n >>= 13;
+@@ -2707,22 +2717,22 @@ static int parse_block_header(struct arc
+ }
+
+ /* Convenience function used during filter processing. */
+-static int parse_filter_data(struct rar5* rar, const uint8_t* p,
+- uint32_t* filter_data)
++static int parse_filter_data(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint32_t* filter_data)
+ {
+- int i, bytes;
++ int i, bytes, ret;
+ uint32_t data = 0;
+
+- if(ARCHIVE_OK != read_consume_bits(rar, p, 2, &bytes))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_consume_bits(a, rar, p, 2, &bytes)))
++ return ret;
+
+ bytes++;
+
+ for(i = 0; i < bytes; i++) {
+ uint16_t byte;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &byte)) {
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(a, rar, p, &byte))) {
++ return ret;
+ }
+
+ /* Cast to uint32_t will ensure the shift operation will not
+@@ -2765,16 +2775,17 @@ static int parse_filter(struct archive_r
+ uint16_t filter_type;
+ struct filter_info* filt = NULL;
+ struct rar5* rar = get_context(ar);
++ int ret;
+
+ /* Read the parameters from the input stream. */
+- if(ARCHIVE_OK != parse_filter_data(rar, p, &block_start))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = parse_filter_data(ar, rar, p, &block_start)))
++ return ret;
+
+- if(ARCHIVE_OK != parse_filter_data(rar, p, &block_length))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = parse_filter_data(ar, rar, p, &block_length)))
++ return ret;
+
+- if(ARCHIVE_OK != read_bits_16(rar, p, &filter_type))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_bits_16(ar, rar, p, &filter_type)))
++ return ret;
+
+ filter_type >>= 13;
+ skip_bits(rar, 3);
+@@ -2814,8 +2825,8 @@ static int parse_filter(struct archive_r
+ if(filter_type == FILTER_DELTA) {
+ int channels;
+
+- if(ARCHIVE_OK != read_consume_bits(rar, p, 5, &channels))
+- return ARCHIVE_EOF;
++ if(ARCHIVE_OK != (ret = read_consume_bits(ar, rar, p, 5, &channels)))
++ return ret;
+
+ filt->channels = channels + 1;
+ }
+@@ -2823,10 +2834,11 @@ static int parse_filter(struct archive_r
+ return ARCHIVE_OK;
+ }
+
+-static int decode_code_length(struct rar5* rar, const uint8_t* p,
+- uint16_t code)
++static int decode_code_length(struct archive_read* a, struct rar5* rar,
++ const uint8_t* p, uint16_t code)
+ {
+ int lbits, length = 2;
++
+ if(code < 8) {
+ lbits = 0;
+ length += code;
+@@ -2838,7 +2850,7 @@ static int decode_code_length(struct rar
+ if(lbits > 0) {
+ int add;
+
+- if(ARCHIVE_OK != read_consume_bits(rar, p, lbits, &add))
++ if(ARCHIVE_OK != read_consume_bits(a, rar, p, lbits, &add))
+ return -1;
+
+ length += add;
+@@ -2933,7 +2945,7 @@ static int do_uncompress_block(struct ar
+ continue;
+ } else if(num >= 262) {
+ uint16_t dist_slot;
+- int len = decode_code_length(rar, p, num - 262),
++ int len = decode_code_length(a, rar, p, num - 262),
+ dbits,
+ dist = 1;
+
+@@ -2975,12 +2987,12 @@ static int do_uncompress_block(struct ar
+ uint16_t low_dist;
+
+ if(dbits > 4) {
+- if(ARCHIVE_OK != read_bits_32(
+- rar, p, &add)) {
++ if(ARCHIVE_OK != (ret = read_bits_32(
++ a, rar, p, &add))) {
+ /* Return EOF if we
+ * can't read more
+ * data. */
+- return ARCHIVE_EOF;
++ return ret;
+ }
+
+ skip_bits(rar, dbits - 4);
+@@ -3015,11 +3027,11 @@ static int do_uncompress_block(struct ar
+ /* dbits is one of [0,1,2,3] */
+ int add;
+
+- if(ARCHIVE_OK != read_consume_bits(rar,
+- p, dbits, &add)) {
++ if(ARCHIVE_OK != (ret = read_consume_bits(a, rar,
++ p, dbits, &add))) {
+ /* Return EOF if we can't read
+ * more data. */
+- return ARCHIVE_EOF;
++ return ret;
+ }
+
+ dist += add;
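Review bot: same stale comment as in the read_bits_32 case above: `/* Return EOF if we can't read more data. */` describes the old behaviour, while `return ret;` can now yield ARCHIVE_FATAL; update it in the same way.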
+@@ -3076,7 +3088,11 @@ static int do_uncompress_block(struct ar
+ return ARCHIVE_FATAL;
+ }
+
+- len = decode_code_length(rar, p, len_slot);
++ len = decode_code_length(a, rar, p, len_slot);
++ if (len == -1) {
++ return ARCHIVE_FATAL;
++ }
++
+ rar->cstate.last_len = len;
+
+ if(ARCHIVE_OK != copy_string(a, len, dist))
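Review bot: this is the check that stops the out-of-bounds read, but it returns ARCHIVE_FATAL without calling archive_set_error; if read_consume_bits already recorded a message on `a` that is fine, otherwise the caller sees a failure with no explanation. Also `if (len == -1) {` puts a space before the parenthesis while the rest of this file writes `if(`.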
+--- a/libarchive/test/test_read_format_rar5.c
++++ b/libarchive/test/test_read_format_rar5.c
+@@ -1271,3 +1271,20 @@ DEFINE_TEST(test_read_format_rar5_block_
+
+ EPILOGUE();
+ }
++
++DEFINE_TEST(test_read_format_rar5_decode_number_out_of_bounds_read)
++{
++ /* oss fuzz 30448 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_decode_number_out_of_bounds_read.rar");
++
++ /* Return codes of those calls are ignored, because this sample file
++ * is invalid. However, the unpacker shouldn't produce any SIGSEGV
++ * errors during processing. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++
++ EPILOGUE();
++}
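Review bot: the test only establishes that the fuzz sample no longer crashes the unpacker; since the point of the change is to report a real error instead of pretending EOF, also keep the last return value of archive_read_data from the loop and assert on it with assertEqualInt (ARCHIVE_FATAL, or whichever code this sample is expected to produce), so a regression back to a silent ARCHIVE_EOF would be caught.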
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu
+@@ -0,0 +1,10 @@
++begin 644 test_read_format_rar5_decode_number_out_of_bounds_read.rar
++M4F%R(1H'`0!3@"KT`P+G(@(0("`@@`L!!"`@("`@(($D_[BJ2"!::7!)210V
++M+0#ZF#)Q!`+>YPW_("`@("``_R````````````````````````````!__P``
++M``````!T72`@/EW_(/\@("`@("`@("`@("`@("`@("`@("`@("`@(/\@("`@
++M("`@("#_("`@("`@("`@("`@("`@("`@("`@("`@("#_("`@("`@("`@_R`@
++M("`@("`@("`@("`@("`@("`@("`@("`@_R`@("`@("`@(/\@("`@("`@("`@
++M("`@("`@("`@("`@("`@(/\@("`@("`@("#_("`@("`@("`@("`@("`@("`@
++E("`@("`@("#_("`@("`@("`@_R`@("`@("`@("`@("`@("`@(```
++`
++end
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch
new file mode 100644
index 0000000000..b5da44ec7b
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-2.patch
@@ -0,0 +1,121 @@
+From 17f4e83c0f0fc3bacf4b2bbacb01f987bb5aff5f Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Fri, 12 Feb 2021 20:18:31 +0100
+Subject: [PATCH] RAR5 reader: fix invalid memory access in some files
+
+RAR5 reader uses several variables to manage the window buffer during
+extraction: the buffer itself (`window_buf`), the current size of the
+window buffer (`window_size`), and a helper variable (`window_mask`)
+that is used to constrain read and write offsets to the window buffer.
+
+Some specially crafted files can force the unpacker to update the
+`window_mask` variable to a value that is out of sync with current
+buffer size. If the `window_mask` will be bigger than the actual buffer
+size, then an invalid access operation can happen (SIGSEGV).
+
+This commit ensures that if the `window_size` and `window_mask` will be
+changed, the window buffer will be reallocated to the proper size, so no
+invalid memory operation should be possible.
+
+This commit contains a test file from OSSFuzz #30442.
+
+Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/libarchive/plain/debian/patches/CVE-2021-36976-2.patch?h=applied/3.4.3-2ubuntu0.1]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ Makefile.am | 1 +
+ libarchive/archive_read_support_format_rar5.c | 27 ++++++++++++++-----
+ libarchive/test/test_read_format_rar5.c | 17 ++++++++++++
+ ...mat_rar5_window_buf_and_size_desync.rar.uu | 11 ++++++++
+ 4 files changed, 50 insertions(+), 6 deletions(-)
+ create mode 100644 libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu
+
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -884,6 +884,7 @@ libarchive_test_EXTRA_DIST=\
+ libarchive/test/test_read_format_rar5_different_winsize_on_merge.rar.uu \
+ libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
++ libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
+ libarchive/test/test_read_format_raw.bufr.uu \
+ libarchive/test/test_read_format_raw.data.gz.uu \
+ libarchive/test/test_read_format_raw.data.Z.uu \
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -1730,14 +1730,29 @@ static int process_head_file(struct arch
+ }
+ }
+
+- /* If we're currently switching volumes, ignore the new definition of
+- * window_size. */
+- if(rar->cstate.switch_multivolume == 0) {
+- /* Values up to 64M should fit into ssize_t on every
+- * architecture. */
+- rar->cstate.window_size = (ssize_t) window_size;
++ if(rar->cstate.window_size < (ssize_t) window_size &&
++ rar->cstate.window_buf)
++ {
++ /* If window_buf has been allocated before, reallocate it, so
++ * that its size will match new window_size. */
++
++ uint8_t* new_window_buf =
++ realloc(rar->cstate.window_buf, window_size);
++
++ if(!new_window_buf) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_PROGRAMMER,
++ "Not enough memory when trying to realloc the window "
++ "buffer.");
++ return ARCHIVE_FATAL;
++ }
++
++ rar->cstate.window_buf = new_window_buf;
+ }
+
++ /* Values up to 64M should fit into ssize_t on every
++ * architecture. */
++ rar->cstate.window_size = (ssize_t) window_size;
++
+ if(rar->file.solid > 0 && rar->file.solid_window_size == 0) {
+ /* Solid files have to have the same window_size across
+ whole archive. Remember the window_size parameter
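Review bot: the commit message says window_mask is kept in sync with window_size, but this hunk only reallocates window_buf and assigns window_size; window_mask is not touched in the visible lines, so confirm it is recomputed wherever window_size changes, or the desync the message describes is still possible. Two behaviour changes should be called out in the message as well: the `switch_multivolume == 0` guard is gone, so a later volume's header now always overwrites window_size, and reallocation happens only when the window grows, so a shrink leaves the larger buffer in place. Reporting a failed realloc as ARCHIVE_ERRNO_PROGRAMMER is odd; libarchive uses ENOMEM for allocation failures elsewhere.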
+--- a/libarchive/test/test_read_format_rar5.c
++++ b/libarchive/test/test_read_format_rar5.c
+@@ -1206,6 +1206,23 @@ DEFINE_TEST(test_read_format_rar5_differ
+ EPILOGUE();
+ }
+
++DEFINE_TEST(test_read_format_rar5_window_buf_and_size_desync)
++{
++ /* oss fuzz 30442 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_window_buf_and_size_desync.rar");
++
++ /* Return codes of those calls are ignored, because this sample file
++ * is invalid. However, the unpacker shouldn't produce any SIGSEGV
++ * errors during processing. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, 46)) {}
++
++ EPILOGUE();
++}
++
+ DEFINE_TEST(test_read_format_rar5_arm_filter_on_window_boundary)
+ {
+ char buf[4096];
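Review bot: the read size `46` is a magic number next to a 4096-byte `buf`; if the small read is what reproduces the window desync (the sibling tests use sizeof(buf)), say so in a comment, otherwise use sizeof(buf).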
+--- /dev/null
++++ b/libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu
+@@ -0,0 +1,11 @@
++begin 644 test_read_format_rar5_window_buf_and_size_desync.rar
++M4F%R(1H'`0`]/-[E`@$`_P$`1#[Z5P("`PL``BXB"?\`!(@B@0`)6.-AF?_1
++M^0DI&0GG(F%R(0<:)`!3@"KT`P+G(@O_X[\``#&``(?!!0$$[:L``$.M*E)A
++M<B$`O<\>P0";/P1%``A*2DI*2DYQ<6TN9'%*2DI*2DI*``!D<F--``````"Z
++MNC*ZNKJZNFYO=&%I;+JZNKJZNKJZOKJZ.KJZNKJZNKKZU@4%````0$!`0$!`
++M0$!`0$!`0$!`0$#_________/T#`0$!`0$!`-UM`0$!`0$!`0$!`0$!`0$!`
++M0$!`0'!,J+:O!IZ-WN4'@`!3*F0`````````````````````````````````
++M``````````````#T`P)287(A&@<!`%.`*O0#`N<B`_,F@`'[__\``(`4`01S
++J'`/H/O\H@?\D`#O9GIZ>GN<B"_]%``(``&1RGIZ>GIZ>8_^>GE/_``!.
++`
++end
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
new file mode 100644
index 0000000000..0e1549f229
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2021-36976-3.patch
@@ -0,0 +1,93 @@
+From 313bcd7ac547f7cc25945831f63507420c0874d7 Mon Sep 17 00:00:00 2001
+From: Grzegorz Antoniak <ga@anadoxin.org>
+Date: Sat, 13 Feb 2021 10:13:22 +0100
+Subject: [PATCH] RAR5 reader: add more checks for invalid extraction
+ parameters
+
+Some specially crafted files declare invalid extraction parameters that
+can confuse the RAR5 reader.
+
+One of the arguments is the declared window size parameter that the
+archive file can declare for each file stored in the archive. Some
+crafted files declare window size equal to 0, which is clearly wrong.
+
+This commit adds additional safety checks decreasing the tolerance of
+the RAR5 format.
+
+This commit also contains OSSFuzz sample #30459.
+---
+ Makefile.am | 1 +
+ libarchive/archive_read_support_format_rar5.c | 10 ++++++++++
+ libarchive/test/test_read_format_rar5.c | 19 +++++++++++++++++++
+ ...t_rar5_bad_window_sz_in_mltarc_file.rar.uu | 7 +++++++
+ 4 files changed, 37 insertions(+)
+ create mode 100644 libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/pull/1493/commits/313bcd7ac547f7cc25945831f63507420c0874d7]
+CVE: CVE-2021-36976
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
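Review bot: Upstream-Status, CVE and Signed-off-by are placed after the diffstat here, unlike the -1 and -2 patches where they sit in the commit body before the `---` separator; move them up so tools that read the message see them. The paths use `libarchive-3.4.2.orig/` and `libarchive-3.4.2/` prefixes, which `-p1` strips correctly, but they differ from the a/ b/ form of the other two patches in the series.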
+--- libarchive-3.4.2.orig/Makefile.am
++++ libarchive-3.4.2/Makefile.am
+@@ -882,6 +882,7 @@ libarchive_test_EXTRA_DIST=\
+ libarchive/test/test_read_format_rar5_block_size_is_too_small.rar.uu \
+ libarchive/test/test_read_format_rar5_decode_number_out_of_bounds_read.rar.uu \
+ libarchive/test/test_read_format_rar5_window_buf_and_size_desync.rar.uu \
++ libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu \
+ libarchive/test/test_read_format_raw.bufr.uu \
+ libarchive/test/test_read_format_raw.data.gz.uu \
+ libarchive/test/test_read_format_raw.data.Z.uu \
+--- libarchive-3.4.2.orig/libarchive/archive_read_support_format_rar5.c
++++ libarchive-3.4.2/libarchive/archive_read_support_format_rar5.c
+@@ -3637,6 +3637,16 @@ static int do_uncompress_file(struct arc
+ rar->cstate.initialized = 1;
+ }
+
++ /* Don't allow extraction if window_size is invalid. */
++ if(rar->cstate.window_size == 0) {
++ archive_set_error(&a->archive,
++ ARCHIVE_ERRNO_FILE_FORMAT,
++ "Invalid window size declaration in this file");
++
++ /* This should never happen in valid files. */
++ return ARCHIVE_FATAL;
++ }
++
+ if(rar->cstate.all_filters_applied == 1) {
+ /* We use while(1) here, but standard case allows for just 1
+ * iteration. The loop will iterate if process_block() didn't
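Review bot: the window_size == 0 rejection lives in do_uncompress_file, after `rar->cstate.initialized = 1`, so it is evaluated on every data read rather than once at header time; rejecting it in process_head_file, where window_size is parsed and where the -2 patch sizes window_buf from it, would fail earlier. Note also that the `window_size < new` guard in that realloc never fires for a zero value, which is exactly why this late check is needed; a comment tying the two together would help.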
+--- libarchive-3.4.2.orig/libarchive/test/test_read_format_rar5.c
++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5.c
+@@ -1305,3 +1305,22 @@ DEFINE_TEST(test_read_format_rar5_decode
+
+ EPILOGUE();
+ }
++
++DEFINE_TEST(test_read_format_rar5_bad_window_size_in_multiarchive_file)
++{
++ /* oss fuzz 30459 */
++
++ char buf[4096];
++ PROLOGUE("test_read_format_rar5_bad_window_sz_in_mltarc_file.rar");
++
++ /* This file is damaged, so those functions should return failure.
++ * Additionally, SIGSEGV shouldn't be raised during execution
++ * of those functions. */
++
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++ (void) archive_read_next_header(a, &ae);
++ while(0 < archive_read_data(a, buf, sizeof(buf))) {}
++
++ EPILOGUE();
++}
+--- /dev/null
++++ libarchive-3.4.2/libarchive/test/test_read_format_rar5_bad_window_sz_in_mltarc_file.rar.uu
+@@ -0,0 +1,7 @@
++begin 644 test_read_format_rar5_bad_window_size_in_multiarchive_file.rar
++M4F%R(1H'`0`]/-[E`@$`_R`@1#[Z5P("`PL`("`@@"(`"?\@("#___\@("`@
++M("`@("`@("`@4X`J]`,"YR(#$($@("`@``$@("`@@<L0("`@("`@("`@("`@
++M("`@(""LCTJA`P$%`B`@`2!3@"KT`P+G(@,@("`@_P,!!B`@(/___R`@(('+
++5$"`OX2`@[.SL[.S_("`@("`@("`@
++`
++end
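Review bot: the `begin 644` line names the decoded file `test_read_format_rar5_bad_window_size_in_multiarchive_file.rar`, while the .uu filename, the Makefile.am entry and the PROLOGUE call all use `..._bad_window_sz_in_mltarc_file.rar`; libarchive's test harness decodes to the name it is asked for rather than the name in the begin line, so this works, but aligning the names avoids confusion.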
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
index 0ab40fc096..b7426a1be8 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
@@ -32,7 +32,11 @@ PACKAGECONFIG[mbedtls] = "--with-mbedtls,--without-mbedtls,mbedtls,"
EXTRA_OECONF += "--enable-largefile"
-SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz"
+SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
+ file://CVE-2021-36976-1.patch \
+ file://CVE-2021-36976-2.patch \
+ file://CVE-2021-36976-3.patch \
+"
SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451"
SRC_URI[sha256sum] = "b60d58d12632ecf1e8fad7316dc82c6b9738a35625746b47ecdcaf4aed176176"
--
2.25.1
* [OE-core][dunfell 02/18] go: fix CVE-2022-23806
17 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-03-04 15:04 UTC (permalink / raw)
To: openembedded-core
From: Minjae Kim <flowergom@gmail.com>
crypto/elliptic: fix IsOnCurve for big.Int values that are not valid coordinates
Some big.Int values that are not valid field elements (negative or overflowing)
might cause Curve.IsOnCurve to incorrectly return true. Operating on those values
may cause a panic or an invalid curve operation. Note that Unmarshal will never
return such values.
Upstream-Status: Backport [https://go.dev/issue/50974]
CVE: CVE-2022-23806
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.14.inc | 1 +
.../go/go-1.14/CVE-2022-23806.patch | 142 ++++++++++++++++++
2 files changed, 143 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index abc6f42184..fcb316e09e 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -19,6 +19,7 @@ SRC_URI += "\
file://CVE-2021-34558.patch \
file://CVE-2021-33196.patch \
file://CVE-2021-33197.patch \
+ file://CVE-2022-23806.patch \
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
new file mode 100644
index 0000000000..772acdcbf6
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-23806.patch
@@ -0,0 +1,142 @@
+From 5b376a209d1c61e10847e062d78c4b1aa90dff0c Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda <filippo@golang.org>
+Date: Sat, 26 Feb 2022 10:40:57 +0000
+Subject: [PATCH] crypto/elliptic: make IsOnCurve return false for invalid
+
+ field elements
+
+Updates #50974
+Fixes #50977
+Fixes CVE-2022-23806
+
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+
+---
+ src/crypto/elliptic/elliptic.go | 6 +++
+ src/crypto/elliptic/elliptic_test.go | 81 ++++++++++++++++++++++++++++
+ src/crypto/elliptic/p224.go | 6 +++
+ 3 files changed, 93 insertions(+)
+
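Review bot: the Subject is split across a blank line (`...return false for invalid`, an empty line, then ` field elements`), so `git am` keeps only the first line as the subject and the fragment ends up in the body; join them. The patch file also has no Upstream-Status or CVE tag of its own (they are only in the cover mail), which the OE patch guidelines require in the file itself.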
+diff --git a/src/crypto/elliptic/elliptic.go b/src/crypto/elliptic/elliptic.go
+index e2f71cd..bd574a4 100644
+--- a/src/crypto/elliptic/elliptic.go
++++ b/src/crypto/elliptic/elliptic.go
+@@ -53,6 +53,12 @@ func (curve *CurveParams) Params() *CurveParams {
+ }
+
+ func (curve *CurveParams) IsOnCurve(x, y *big.Int) bool {
++
++ if x.Sign() < 0 || x.Cmp(curve.P) >= 0 ||
++ y.Sign() < 0 || y.Cmp(curve.P) >= 0 {
++ return false
++ }
++
+ // y² = x³ - 3x + b
+ y2 := new(big.Int).Mul(y, y)
+ y2.Mod(y2, curve.P)
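Review bot: the range check is the right fix and has to precede the `Mod` reductions below, which would otherwise silently map x+P, x-P or a negative coordinate onto a valid point. Two small things: the blank line directly after the opening brace and after the check is unusual gofmt style, and since the identical four comparisons are added verbatim to p224.go in the last hunk, a helper such as `inField(p, v *big.Int) bool` would avoid the duplication.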
+diff --git a/src/crypto/elliptic/elliptic_test.go b/src/crypto/elliptic/elliptic_test.go
+index 09c5483..b13a620 100644
+--- a/src/crypto/elliptic/elliptic_test.go
++++ b/src/crypto/elliptic/elliptic_test.go
+@@ -628,3 +628,84 @@ func TestUnmarshalToLargeCoordinates(t *testing.T) {
+ t.Errorf("Unmarshal accepts invalid Y coordinate")
+ }
+ }
++
++func testAllCurves(t *testing.T, f func(*testing.T, Curve)) {
++ tests := []struct {
++ name string
++ curve Curve
++ }{
++ {"P256", P256()},
++ {"P256/Params", P256().Params()},
++ {"P224", P224()},
++ {"P224/Params", P224().Params()},
++ {"P384", P384()},
++ {"P384/Params", P384().Params()},
++ {"P521", P521()},
++ {"P521/Params", P521().Params()},
++ }
++ if testing.Short() {
++ tests = tests[:1]
++ }
++ for _, test := range tests {
++ curve := test.curve
++ t.Run(test.name, func(t *testing.T) {
++ t.Parallel()
++ f(t, curve)
++ })
++ }
++}
++
++// TestInvalidCoordinates tests big.Int values that are not valid field elements
++// (negative or bigger than P). They are expected to return false from
++// IsOnCurve, all other behavior is undefined.
++func TestInvalidCoordinates(t *testing.T) {
++ testAllCurves(t, testInvalidCoordinates)
++}
++
++func testInvalidCoordinates(t *testing.T, curve Curve) {
++ checkIsOnCurveFalse := func(name string, x, y *big.Int) {
++ if curve.IsOnCurve(x, y) {
++ t.Errorf("IsOnCurve(%s) unexpectedly returned true", name)
++ }
++ }
++
++ p := curve.Params().P
++ _, x, y, _ := GenerateKey(curve, rand.Reader)
++ xx, yy := new(big.Int), new(big.Int)
++
++ // Check if the sign is getting dropped.
++ xx.Neg(x)
++ checkIsOnCurveFalse("-x, y", xx, y)
++ yy.Neg(y)
++ checkIsOnCurveFalse("x, -y", x, yy)
++
++ // Check if negative values are reduced modulo P.
++ xx.Sub(x, p)
++ checkIsOnCurveFalse("x-P, y", xx, y)
++ yy.Sub(y, p)
++ checkIsOnCurveFalse("x, y-P", x, yy)
++
++ // Check if positive values are reduced modulo P.
++ xx.Add(x, p)
++ checkIsOnCurveFalse("x+P, y", xx, y)
++ yy.Add(y, p)
++ checkIsOnCurveFalse("x, y+P", x, yy)
++
++ // Check if the overflow is dropped.
++ xx.Add(x, new(big.Int).Lsh(big.NewInt(1), 535))
++ checkIsOnCurveFalse("x+2⁵³⁵, y", xx, y)
++ yy.Add(y, new(big.Int).Lsh(big.NewInt(1), 535))
++ checkIsOnCurveFalse("x, y+2⁵³⁵", x, yy)
++
++ // Check if P is treated like zero (if possible).
++ // y^2 = x^3 - 3x + B
++ // y = mod_sqrt(x^3 - 3x + B)
++ // y = mod_sqrt(B) if x = 0
++ // If there is no modsqrt, there is no point with x = 0, can't test x = P.
++ if yy := new(big.Int).ModSqrt(curve.Params().B, p); yy != nil {
++ if !curve.IsOnCurve(big.NewInt(0), yy) {
++ t.Fatal("(0, mod_sqrt(B)) is not on the curve?")
++ }
++ checkIsOnCurveFalse("P, y", p, yy)
++ }
++}
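Review bot: the test calls GenerateKey with rand.Reader, and this hunk adds no import; confirm elliptic_test.go in 1.14 already imports crypto/rand or the file will not compile. Because the key is random and the subtests run under t.Parallel(), a failure is not reproducible from the log alone; have checkIsOnCurveFalse log x and y when it fails.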
+diff --git a/src/crypto/elliptic/p224.go b/src/crypto/elliptic/p224.go
+index 8c76021..f1bfd7e 100644
+--- a/src/crypto/elliptic/p224.go
++++ b/src/crypto/elliptic/p224.go
+@@ -48,6 +48,12 @@ func (curve p224Curve) Params() *CurveParams {
+ }
+
+ func (curve p224Curve) IsOnCurve(bigX, bigY *big.Int) bool {
++
++ if bigX.Sign() < 0 || bigX.Cmp(curve.P) >= 0 ||
++ bigY.Sign() < 0 || bigY.Cmp(curve.P) >= 0 {
++ return false
++ }
++
+ var x, y p224FieldElement
+ p224FromBig(&x, bigX)
+ p224FromBig(&y, bigY)
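Review bot: same check as in elliptic.go; `curve.P` resolves through the embedded *CurveParams. Worth noting in the message: this guards IsOnCurve only, so Add, Double and ScalarMult called with unreduced coordinates still behave as the commit message warns, and Unmarshal remains the entry point that must be used for untrusted points.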
--
2.25.1
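The invalid-coordinate problem the cover mail describes, as an added example in Go that is not part of this patch or of Go's own source: `naiveOnCurve` reproduces the pre-fix CurveParams.IsOnCurve arithmetic (reduce modulo P, then compare), `strictOnCurve` adds the range check the hunk introduces, and `aliasedPoints` builds x+P and x-P from the P-256 generator, two values that are congruent to a valid coordinate but are not field elements. The function names are hypothetical; only math/big and crypto/elliptic are used.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// naiveOnCurve mirrors the pre-fix CurveParams.IsOnCurve logic (added example,
// not the standard library's code): it checks y² ≡ x³ - 3x + b (mod P) after
// reducing both sides modulo P, so any x' ≡ x (mod P), such as x+P or x-P,
// passes even though x' is not a valid field element.
func naiveOnCurve(c *elliptic.CurveParams, x, y *big.Int) bool {
	y2 := new(big.Int).Mul(y, y)
	y2.Mod(y2, c.P)

	x3 := new(big.Int).Mul(x, x)
	x3.Mul(x3, x)

	threeX := new(big.Int).Lsh(x, 1) // 2x
	threeX.Add(threeX, x)            // 3x

	x3.Sub(x3, threeX)
	x3.Add(x3, c.B)
	x3.Mod(x3, c.P) // big.Int.Mod is Euclidean, so negatives reduce into [0, P)

	return x3.Cmp(y2) == 0
}

// isFieldElement is the range check the fix adds: 0 <= v < P.
func isFieldElement(c *elliptic.CurveParams, v *big.Int) bool {
	return v.Sign() >= 0 && v.Cmp(c.P) < 0
}

// strictOnCurve is the fixed form: reject out-of-range coordinates before
// doing any modular arithmetic on them.
func strictOnCurve(c *elliptic.CurveParams, x, y *big.Int) bool {
	if !isFieldElement(c, x) || !isFieldElement(c, y) {
		return false
	}
	return naiveOnCurve(c, x, y)
}

// aliasedPoints returns the two classic aliases of a valid x coordinate,
// x+P and x-P. Both are congruent to x modulo P and neither is in [0, P).
func aliasedPoints(c *elliptic.CurveParams, x *big.Int) (xPlusP, xMinusP *big.Int) {
	xPlusP = new(big.Int).Add(x, c.P)
	xMinusP = new(big.Int).Sub(x, c.P)
	return xPlusP, xMinusP
}

func main() {
	c := elliptic.P256().Params()
	xPlusP, xMinusP := aliasedPoints(c, c.Gx)

	fmt.Println("G     naive/strict:", naiveOnCurve(c, c.Gx, c.Gy), strictOnCurve(c, c.Gx, c.Gy))
	fmt.Println("x+P   naive/strict:", naiveOnCurve(c, xPlusP, c.Gy), strictOnCurve(c, xPlusP, c.Gy))
	fmt.Println("x-P   naive/strict:", naiveOnCurve(c, xMinusP, c.Gy), strictOnCurve(c, xMinusP, c.Gy))
	// On a Go release carrying the fix, the library's own check agrees with strictOnCurve.
	fmt.Println("stdlib IsOnCurve(x+P, y):", c.IsOnCurve(xPlusP, c.Gy))
}
```

The naive check accepts both aliases and the strict one rejects them; the lesson is that modular reduction hides the aliasing, so the range check has to run before any arithmetic, which is why the hunk places it at the top of IsOnCurve.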
* [OE-core][dunfell 03/18] go: fix CVE-2022-23772
17 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-03-04 15:04 UTC (permalink / raw)
To: openembedded-core
From: Minjae Kim <flowergom@gmail.com>
math/big: prevent large memory consumption in Rat.SetString
An attacker can cause unbounded memory growth in a program using (*Rat).SetString
due to an unhandled overflow.
Upstream-Status: Backport [https://go.dev/issue/50699]
CVE: CVE-2022-23772
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.14.inc | 1 +
.../go/go-1.14/CVE-2022-23772.patch | 50 +++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index fcb316e09e..9b3c3b30a8 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -20,6 +20,7 @@ SRC_URI += "\
file://CVE-2021-33196.patch \
file://CVE-2021-33197.patch \
file://CVE-2022-23806.patch \
+ file://CVE-2022-23772.patch \
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
SRC_URI[main.sha256sum] = "7ed13b2209e54a451835997f78035530b331c5b6943cdcd68a3d815fdc009149"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch
new file mode 100644
index 0000000000..f0daee3624
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-23772.patch
@@ -0,0 +1,50 @@
+From 70882eedccac803ddcf1c3215e0ae8fd59847e39 Mon Sep 17 00:00:00 2001
+From: Katie Hockman <katie@golang.org>
+Date: Sat, 26 Feb 2022 20:03:38 +0000
+Subject: [PATCH] [release-branch.go1.16] math/big: prevent overflow in
+ (*Rat).SetString
+
+Credit to rsc@ for the original patch.
+
+Thanks to the OSS-Fuzz project for discovering this
+issue and to Emmanuel Odeke (@odeke_et) for reporting it.
+
+Updates #50699
+Fixes #50700
+Fixes CVE-2022-23772
+---
+ src/math/big/ratconv.go | 5 +++++
+ src/math/big/ratconv_test.go | 1 +
+ 2 files changed, 6 insertions(+)
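Review bot: the subject keeps the `[release-branch.go1.16]` prefix from the upstream cherry-pick while the patch is applied to go 1.14, and the file carries no Upstream-Status, CVE or Signed-off-by lines (they are only in the cover mail); drop the prefix and add the tags so the patch is self-describing.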
+
+diff --git a/src/math/big/ratconv.go b/src/math/big/ratconv.go
+index 941139e..e8cbdbe 100644
+--- a/src/math/big/ratconv.go
++++ b/src/math/big/ratconv.go
+@@ -168,6 +168,11 @@ func (z *Rat) SetString(s string) (*Rat, bool) {
+ n := exp5
+ if n < 0 {
+ n = -n
++ if n < 0 {
++ // This can occur if -n overflows. -(-1 << 63) would become
++ // -1 << 63, which is still negative.
++ return nil, false
++ }
+ }
+ pow5 := z.b.abs.expNN(natFive, nat(nil).setWord(Word(n)), nil) // use underlying array of z.b.abs
+ if exp5 > 0 {
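Review bot: the check is correct, because math.MinInt64 is the one int64 value whose negation is still negative, and the comment says why; testing `exp5 == math.MinInt64` before negating would express the same intent more directly. Separately, the result is converted with `Word(n)` on the line below, and Word is uint, so on 32-bit targets a value above 2^32 is silently truncated; that is outside this CVE, but worth a follow-up look at how large positive exponents are bounded.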
+diff --git a/src/math/big/ratconv_test.go b/src/math/big/ratconv_test.go
+index ba0d1ba..b820df4 100644
+--- a/src/math/big/ratconv_test.go
++++ b/src/math/big/ratconv_test.go
+@@ -104,6 +104,7 @@ var setStringTests = []StringTest{
+ {in: "4/3/"},
+ {in: "4/3."},
+ {in: "4/"},
++ {in: "13e-9223372036854775808"}, // CVE-2022-23772
+
+ // valid
+ {"0", "0", true},
+--
+2.17.1
+
--
2.25.1
* [OE-core][dunfell 04/18] expat: fix CVE-2022-25235
17 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-03-04 15:04 UTC (permalink / raw)
To: openembedded-core
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain
validation of encoding, such as checks for whether a UTF-8 character
is valid in a certain context.
Backport patches from:
https://github.com/libexpat/libexpat/pull/562/commits
CVE: CVE-2022-25235
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../expat/expat/CVE-2022-25235.patch | 283 ++++++++++++++++++
meta/recipes-core/expat/expat_2.2.9.bb | 1 +
2 files changed, 284 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25235.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25235.patch b/meta/recipes-core/expat/expat/CVE-2022-25235.patch
new file mode 100644
index 0000000000..be9182a5c1
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25235.patch
@@ -0,0 +1,283 @@
+From ee2a5b50e7d1940ba8745715b62ceb9efd3a96da Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 8 Feb 2022 17:37:14 +0100
+Subject: [PATCH] lib: Drop unused macro UTF8_GET_NAMING
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/562/commits
+
+CVE: CVE-2022-25235
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmltok.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
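Review bot: the Upstream-Status line is split, with the URL on the following line; the OE convention is `Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/562/commits]` on a single line so the status tooling can parse it. This first sub-patch only drops an unused macro, which is fine to carry as part of the PR 562 series, but one sentence in the header saying the file bundles the four commits of that PR would explain why a cleanup appears in a CVE patch.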
+diff --git a/lib/xmltok.c b/lib/xmltok.c
+index a72200e8..3bddf125 100644
+--- a/lib/xmltok.c
++++ b/lib/xmltok.c
+@@ -95,11 +95,6 @@
+ + ((((byte)[1]) & 3) << 1) + ((((byte)[2]) >> 5) & 1)] \
+ & (1u << (((byte)[2]) & 0x1F)))
+
+-#define UTF8_GET_NAMING(pages, p, n) \
+- ((n) == 2 \
+- ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \
+- : ((n) == 3 ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) : 0))
+-
+ /* Detection of invalid UTF-8 sequences is based on Table 3.1B
+ of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/
+ with the additional restriction of not allowing the Unicode
+From 3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 8 Feb 2022 04:32:20 +0100
+Subject: [PATCH] lib: Add missing validation of encoding (CVE-2022-25235)
+
+---
+ expat/lib/xmltok_impl.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
+index 0430591b4..64a3b2c15 100644
+--- a/lib/xmltok_impl.c
++++ b/lib/xmltok_impl.c
+@@ -61,7 +61,7 @@
+ case BT_LEAD##n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
+- if (! IS_NAME_CHAR(enc, ptr, n)) { \
++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
+ *nextTokPtr = ptr; \
+ return XML_TOK_INVALID; \
+ } \
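Review bot: the order of the two tests matters and should be stated in a comment: `IS_INVALID_CHAR` must run before `IS_NAME_CHAR`, because the naming lookup (see UTF8_GET_NAMING2 in the previous hunk) indexes its page tables with bits taken from the continuation bytes, which only makes sense once the sequence is known to be well-formed.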
+@@ -90,7 +90,7 @@
+ case BT_LEAD##n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
+- if (! IS_NMSTRT_CHAR(enc, ptr, n)) { \
++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \
+ *nextTokPtr = ptr; \
+ return XML_TOK_INVALID; \
+ } \
+@@ -1134,6 +1134,10 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
+ case BT_LEAD##n: \
+ if (end - ptr < n) \
+ return XML_TOK_PARTIAL_CHAR; \
++ if (IS_INVALID_CHAR(enc, ptr, n)) { \
++ *nextTokPtr = ptr; \
++ return XML_TOK_INVALID; \
++ } \
+ if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
+ ptr += n; \
+ tok = XML_TOK_NAME; \
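Review bot: in prologTok the encoding check is a separate `if` block rather than being folded into the condition as in the two macros above; that is necessary because here the IS_NMSTRT_CHAR test is the positive branch that continues tokenizing rather than an error check, but a short comment would stop someone from "simplifying" it later. All three sites return XML_TOK_INVALID with `*nextTokPtr = ptr`, matching the existing invalid-token path.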
+From c85a3025e7a1be086dc34e7559fbc543914d047f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Wed, 9 Feb 2022 01:00:38 +0100
+Subject: [PATCH] lib: Add comments to BT_LEAD* cases where encoding has
+ already been validated
+
+---
+ expat/lib/xmltok_impl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
+index 64a3b2c1..84ff35f9 100644
+--- a/lib/xmltok_impl.c
++++ b/lib/xmltok_impl.c
+@@ -1266,7 +1266,7 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr, const char *end,
+ switch (BYTE_TYPE(enc, ptr)) {
+ # define LEAD_CASE(n) \
+ case BT_LEAD##n: \
+- ptr += n; \
++ ptr += n; /* NOTE: The encoding has already been validated. */ \
+ break;
+ LEAD_CASE(2)
+ LEAD_CASE(3)
+@@ -1335,7 +1335,7 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr, const char *end,
+ switch (BYTE_TYPE(enc, ptr)) {
+ # define LEAD_CASE(n) \
+ case BT_LEAD##n: \
+- ptr += n; \
++ ptr += n; /* NOTE: The encoding has already been validated. */ \
+ break;
+ LEAD_CASE(2)
+ LEAD_CASE(3)
+@@ -1514,7 +1514,7 @@ PREFIX(getAtts)(const ENCODING *enc, const char *ptr, int attsMax,
+ state = inName; \
+ }
+ # define LEAD_CASE(n) \
+- case BT_LEAD##n: \
++ case BT_LEAD##n: /* NOTE: The encoding has already been validated. */ \
+ START_NAME ptr += (n - MINBPC(enc)); \
+ break;
+ LEAD_CASE(2)
+@@ -1726,7 +1726,7 @@ PREFIX(nameLength)(const ENCODING *enc, const char *ptr) {
+ switch (BYTE_TYPE(enc, ptr)) {
+ # define LEAD_CASE(n) \
+ case BT_LEAD##n: \
+- ptr += n; \
++ ptr += n; /* NOTE: The encoding has already been validated. */ \
+ break;
+ LEAD_CASE(2)
+ LEAD_CASE(3)
+@@ -1771,7 +1771,7 @@ PREFIX(updatePosition)(const ENCODING *enc, const char *ptr, const char *end,
+ switch (BYTE_TYPE(enc, ptr)) {
+ # define LEAD_CASE(n) \
+ case BT_LEAD##n: \
+- ptr += n; \
++ ptr += n; /* NOTE: The encoding has already been validated. */ \
+ break;
+ LEAD_CASE(2)
+ LEAD_CASE(3)
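Review bot: these hunks add comments only, recording the invariant that lead bytes reaching attributeValueTok, entityValueTok, getAtts, nameLength and updatePosition have already passed the encoding check added in the previous sub-patch; useful, but the getAtts hunk attaches the note to the `case BT_LEAD##n:` line while the other four attach it to `ptr += n;`, so align the placement.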
+From 6a5510bc6b7efe743356296724e0b38300f05379 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Tue, 8 Feb 2022 04:06:21 +0100
+Subject: [PATCH] tests: Cover missing validation of encoding (CVE-2022-25235)
+
+---
+ expat/tests/runtests.c | 109 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 109 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index bc5344b1..9b155b82 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -5998,6 +5998,105 @@ START_TEST(test_utf8_in_cdata_section_2) {
+ }
+ END_TEST
+
++START_TEST(test_utf8_in_start_tags) {
++ struct test_case {
++ bool goodName;
++ bool goodNameStart;
++ const char *tagName;
++ };
++
++ // The idea with the tests below is this:
++ // We want to cover 1-, 2- and 3-byte sequences, 4-byte sequences
++ // go to isNever and are hence not a concern.
++ //
++ // We start with a character that is a valid name character
++ // (or even name-start character, see XML 1.0r4 spec) and then we flip
++ // single bits at places where (1) the result leaves the UTF-8 encoding space
++ // and (2) we stay in the same n-byte sequence family.
++ //
++ // The flipped bits are highlighted in angle brackets in comments,
++ // e.g. "[<1>011 1001]" means we had [0011 1001] but we now flipped
++ // the most significant bit to 1 to leave UTF-8 encoding space.
++ struct test_case cases[] = {
++ // 1-byte UTF-8: [0xxx xxxx]
++ {true, true, "\x3A"}, // [0011 1010] = ASCII colon ':'
++ {false, false, "\xBA"}, // [<1>011 1010]
++ {true, false, "\x39"}, // [0011 1001] = ASCII nine '9'
++ {false, false, "\xB9"}, // [<1>011 1001]
++
++ // 2-byte UTF-8: [110x xxxx] [10xx xxxx]
++ {true, true, "\xDB\xA5"}, // [1101 1011] [1010 0101] =
++ // Arabic small waw U+06E5
++ {false, false, "\x9B\xA5"}, // [1<0>01 1011] [1010 0101]
++ {false, false, "\xDB\x25"}, // [1101 1011] [<0>010 0101]
++ {false, false, "\xDB\xE5"}, // [1101 1011] [1<1>10 0101]
++ {true, false, "\xCC\x81"}, // [1100 1100] [1000 0001] =
++ // combining char U+0301
++ {false, false, "\x8C\x81"}, // [1<0>00 1100] [1000 0001]
++ {false, false, "\xCC\x01"}, // [1100 1100] [<0>000 0001]
++ {false, false, "\xCC\xC1"}, // [1100 1100] [1<1>00 0001]
++
++ // 3-byte UTF-8: [1110 xxxx] [10xx xxxx] [10xxxxxx]
++ {true, true, "\xE0\xA4\x85"}, // [1110 0000] [1010 0100] [1000 0101] =
++ // Devanagari Letter A U+0905
++ {false, false, "\xA0\xA4\x85"}, // [1<0>10 0000] [1010 0100] [1000 0101]
++ {false, false, "\xE0\x24\x85"}, // [1110 0000] [<0>010 0100] [1000 0101]
++ {false, false, "\xE0\xE4\x85"}, // [1110 0000] [1<1>10 0100] [1000 0101]
++ {false, false, "\xE0\xA4\x05"}, // [1110 0000] [1010 0100] [<0>000 0101]
++ {false, false, "\xE0\xA4\xC5"}, // [1110 0000] [1010 0100] [1<1>00 0101]
++ {true, false, "\xE0\xA4\x81"}, // [1110 0000] [1010 0100] [1000 0001] =
++ // combining char U+0901
++ {false, false, "\xA0\xA4\x81"}, // [1<0>10 0000] [1010 0100] [1000 0001]
++ {false, false, "\xE0\x24\x81"}, // [1110 0000] [<0>010 0100] [1000 0001]
++ {false, false, "\xE0\xE4\x81"}, // [1110 0000] [1<1>10 0100] [1000 0001]
++ {false, false, "\xE0\xA4\x01"}, // [1110 0000] [1010 0100] [<0>000 0001]
++ {false, false, "\xE0\xA4\xC1"}, // [1110 0000] [1010 0100] [1<1>00 0001]
++ };
++ const bool atNameStart[] = {true, false};
++
++ size_t i = 0;
++ char doc[1024];
++ size_t failCount = 0;
++
++ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
++ size_t j = 0;
++ for (; j < sizeof(atNameStart) / sizeof(atNameStart[0]); j++) {
++ const bool expectedSuccess
++ = atNameStart[j] ? cases[i].goodNameStart : cases[i].goodName;
++ sprintf(doc, "<%s%s><!--", atNameStart[j] ? "" : "a", cases[i].tagName);
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ const enum XML_Status status
++ = XML_Parse(parser, doc, (int)strlen(doc), /*isFinal=*/XML_FALSE);
++
++ bool success = true;
++ if ((status == XML_STATUS_OK) != expectedSuccess) {
++ success = false;
++ }
++ if ((status == XML_STATUS_ERROR)
++ && (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)) {
++ success = false;
++ }
++
++ if (! success) {
++ fprintf(
++ stderr,
++ "FAIL case %2u (%sat name start, %u-byte sequence, error code %d)\n",
++ (unsigned)i + 1u, atNameStart[j] ? " " : "not ",
++ (unsigned)strlen(cases[i].tagName), XML_GetErrorCode(parser));
++ failCount++;
++ }
++
++ XML_ParserFree(parser);
++ }
++ }
++
++ if (failCount > 0) {
++ fail("UTF-8 regression detected");
++ }
++}
++END_TEST
++
+ /* Test trailing spaces in elements are accepted */
+ static void XMLCALL
+ record_element_end_handler(void *userData, const XML_Char *name) {
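Review bot: the `sprintf(doc, "<%s%s><!--", ...)` in the inner loop writes into the fixed `char doc[1024]` with no length bound; every `tagName` in the table is a 3-byte sequence, so it cannot overflow as written, but `snprintf(doc, sizeof(doc), ...)` would keep the test safe when longer cases are added to the table later. The strictness of the check is right: an expected failure is only accepted with `XML_ERROR_INVALID_TOKEN`, so a parser that rejects the byte sequence for some other reason still registers as a regression.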
+@@ -6175,6 +6274,14 @@ START_TEST(test_bad_doctype) {
+ }
+ END_TEST
+
++START_TEST(test_bad_doctype_utf8) {
++ const char *text = "<!DOCTYPE \xDB\x25"
++ "doc><doc/>"; // [1101 1011] [<0>010 0101]
++ expect_failure(text, XML_ERROR_INVALID_TOKEN,
++ "Invalid UTF-8 in DOCTYPE not faulted");
++}
++END_TEST
++
+ START_TEST(test_bad_doctype_utf16) {
+ const char text[] =
+ /* <!DOCTYPE doc [ \x06f2 ]><doc/>
+@@ -11870,6 +11977,7 @@ make_suite(void) {
+ tcase_add_test(tc_basic, test_ext_entity_utf8_non_bom);
+ tcase_add_test(tc_basic, test_utf8_in_cdata_section);
+ tcase_add_test(tc_basic, test_utf8_in_cdata_section_2);
++ tcase_add_test(tc_basic, test_utf8_in_start_tags);
+ tcase_add_test(tc_basic, test_trailing_spaces_in_elements);
+ tcase_add_test(tc_basic, test_utf16_attribute);
+ tcase_add_test(tc_basic, test_utf16_second_attr);
+@@ -11878,6 +11986,7 @@ make_suite(void) {
+ tcase_add_test(tc_basic, test_bad_attr_desc_keyword);
+ tcase_add_test(tc_basic, test_bad_attr_desc_keyword_utf16);
+ tcase_add_test(tc_basic, test_bad_doctype);
++ tcase_add_test(tc_basic, test_bad_doctype_utf8);
+ tcase_add_test(tc_basic, test_bad_doctype_utf16);
+ tcase_add_test(tc_basic, test_bad_doctype_plus);
+ tcase_add_test(tc_basic, test_bad_doctype_star);
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb
index 4c86f90ef1..e59ff93df0 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -13,6 +13,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
file://CVE-2022-22822-27.patch \
file://CVE-2022-23852.patch \
file://CVE-2022-23990.patch \
+ file://CVE-2022-25235.patch \
file://libtool-tag.patch \
"
--
2.25.1
* [OE-core][dunfell 05/18] expat: fix CVE-2022-25236
From: Steve Sakoman @ 2022-03-04 15:04 UTC (permalink / raw)
To: openembedded-core
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows
attackers to insert namespace-separator characters into
namespace URIs.
Backport patches from:
https://github.com/libexpat/libexpat/pull/561/commits
CVE: CVE-2022-25236
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../expat/expat/CVE-2022-25236.patch | 129 ++++++++++++++++++
meta/recipes-core/expat/expat_2.2.9.bb | 1 +
2 files changed, 130 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25236.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25236.patch b/meta/recipes-core/expat/expat/CVE-2022-25236.patch
new file mode 100644
index 0000000000..ba6443fc6a
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25236.patch
@@ -0,0 +1,129 @@
+From 6881a4fc8596307ab9ff2e85e605afa2e413ab71 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 00:19:13 +0100
+Subject: [PATCH] lib: Fix (harmless) use of uninitialized memory
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/561/commits
+
+CVE: CVE-2022-25236
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 902895d5..c768f856 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -718,8 +718,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
+
+ XML_Parser XMLCALL
+ XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
+- XML_Char tmp[2];
+- *tmp = nsSep;
++ XML_Char tmp[2] = {nsSep, 0};
+ return XML_ParserCreate_MM(encodingName, NULL, tmp);
+ }
+
+@@ -1344,8 +1343,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ would be otherwise.
+ */
+ if (parser->m_ns) {
+- XML_Char tmp[2];
+- *tmp = parser->m_namespaceSeparator;
++ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
+ parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
+ } else {
+ parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
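Review bot: the aggregate initializer `XML_Char tmp[2] = {nsSep, 0};` (and its twin in XML_ExternalEntityParserCreate) leaves `tmp[1]` zero where the old `*tmp = nsSep;` left it indeterminate. The subject calls the old read harmless, but the hunk alone does not show what the callee does with the second element, so the commit message should say why it was harmless rather than leave the reader to go and check `XML_ParserCreate_MM` and `parserCreate` themselves.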
+From a2fe525e660badd64b6c557c2b1ec26ddc07f6e4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 01:09:29 +0100
+Subject: [PATCH] lib: Protect against malicious namespace declarations
+ (CVE-2022-25236)
+
+---
+ expat/lib/xmlparse.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index c768f856..a3aef88c 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -3754,6 +3754,17 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
+ if (! mustBeXML && isXMLNS
+ && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
+ isXMLNS = XML_FALSE;
++
++ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
++ // we have to at least make sure that the XML processor on top of
++ // Expat (that is splitting tag names by namespace separator into
++ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
++ // by an attacker putting additional namespace separator characters
++ // into namespace declarations. That would be ambiguous and not to
++ // be expected.
++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
++ return XML_ERROR_SYNTAX;
++ }
+ }
+ isXML = isXML && len == xmlLen;
+ isXMLNS = isXMLNS && len == xmlnsLen;
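Review bot: the new `if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) return XML_ERROR_SYNTAX;` sits inside the per-character loop body (`len` indexes `uri` here and is used as the total length right after the closing brace), so it rejects the separator at any position in the declared URI, which is what the accompanying test expects. Two small points: the explanatory comment uses `//` while the surrounding code in this file uses `/* ... */` (see `would be otherwise. */` in the XML_ExternalEntityParserCreate context above), and the guard on `parser->m_ns` means non-namespace parsers keep accepting such URIs, which is worth saying in the comment since it is the reason the check cannot break existing non-NS users.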
+From 2de077423fb22750ebea599677d523b53cb93b1d Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 12 Feb 2022 00:51:43 +0100
+Subject: [PATCH] tests: Cover CVE-2022-25236
+
+---
+ expat/tests/runtests.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/tests/runtests.c b/tests/runtests.c
+index d07203f2..bc5344b1 100644
+--- a/tests/runtests.c
++++ b/tests/runtests.c
+@@ -7220,6 +7220,35 @@ START_TEST(test_ns_double_colon_doctype) {
+ }
+ END_TEST
+
++START_TEST(test_ns_separator_in_uri) {
++ struct test_case {
++ enum XML_Status expectedStatus;
++ const char *doc;
++ };
++ struct test_case cases[] = {
++ {XML_STATUS_OK, "<doc xmlns='one_two' />"},
++ {XML_STATUS_ERROR, "<doc xmlns='one
two' />"},
++ };
++
++ size_t i = 0;
++ size_t failCount = 0;
++ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
++ XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
++ XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
++ if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
++ /*isFinal*/ XML_TRUE)
++ != cases[i].expectedStatus) {
++ failCount++;
++ }
++ XML_ParserFree(parser);
++ }
++
++ if (failCount) {
++ fail("Namespace separator handling is broken");
++ }
++}
++END_TEST
++
+ /* Control variable; the number of times duff_allocator() will successfully
+ * allocate */
+ #define ALLOC_ALWAYS_SUCCEED (-1)
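Review bot: the second table entry `{XML_STATUS_ERROR, "<doc xmlns='one` / `two' />"},` is a string literal broken across two lines, which is not valid C; the literal has to be written `"<doc xmlns='one\ntwo' />"` so that the embedded newline matches the `'\n'` separator passed to `XML_ParserCreateNS`. This looks like an escape lost when the patch was pasted into the mail, so please verify that the file in the tree carries the `\n` escape. Otherwise the test shape is good: one accepted URI, one rejected URI, and a single `fail()` if either outcome differs.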
+@@ -11905,6 +11934,7 @@ make_suite(void) {
+ tcase_add_test(tc_namespace, test_ns_utf16_doctype);
+ tcase_add_test(tc_namespace, test_ns_invalid_doctype);
+ tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
++ tcase_add_test(tc_namespace, test_ns_separator_in_uri);
+
+ suite_add_tcase(s, tc_misc);
+ tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb
index e59ff93df0..c0103767b1 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
file://CVE-2022-23852.patch \
file://CVE-2022-23990.patch \
file://CVE-2022-25235.patch \
+ file://CVE-2022-25236.patch \
file://libtool-tag.patch \
"
--
2.25.1
* [OE-core][dunfell 06/18] expat: fix CVE-2022-25313
From: Steve Sakoman @ 2022-03-04 15:04 UTC (permalink / raw)
To: openembedded-core
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack
exhaustion in build_model via a large nesting depth in the DTD element.
Backport patch from:
https://github.com/libexpat/libexpat/pull/558/commits/9b4ce651b26557f16103c3a366c91934ecd439ab
Also add a patch which fixes a regression introduced in the above fix:
https://github.com/libexpat/libexpat/pull/566
CVE: CVE-2022-25313
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../expat/CVE-2022-25313-regression.patch | 131 ++++++++++
.../expat/expat/CVE-2022-25313.patch | 230 ++++++++++++++++++
meta/recipes-core/expat/expat_2.2.9.bb | 2 +
3 files changed, 363 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25313.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch b/meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch
new file mode 100644
index 0000000000..af255e8cb5
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25313-regression.patch
@@ -0,0 +1,131 @@
+From b12f34fe32821a69dc12ff9a021daca0856de238 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Sat, 19 Feb 2022 23:59:25 +0000
+Subject: [PATCH] Fix build_model regression.
+
+The iterative approach in build_model failed to fill children arrays
+correctly. A preorder traversal is not required and turned out to be the
+culprit. Use an easier algorithm:
+
+Add nodes from scaffold tree starting at index 0 (root) to the target
+array whenever children are encountered. This ensures that children
+are adjacent to each other. This complies with the recursive version.
+
+Store only the scaffold index in numchildren field to prevent a direct
+processing of these children, which would require a recursive solution.
+This allows the algorithm to iterate through the target array from start
+to end without jumping back and forth, converting on the fly.
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+---
+ lib/xmlparse.c | 79 ++++++++++++++++++++++++++------------------
+ 1 file changed, 47 insertions(+), 32 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index c479a258..84885b5a 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7373,39 +7373,58 @@ build_model(XML_Parser parser) {
+ *
+ * The iterative approach works as follows:
+ *
+- * - We use space in the target array for building a temporary stack structure
+- * while that space is still unused.
+- * The stack grows from the array's end downwards and the "actual data"
+- * grows from the start upwards, sequentially.
+- * (Because stack grows downwards, pushing onto the stack is a decrement
+- * while popping off the stack is an increment.)
++ * - We have two writing pointers, both walking up the result array; one does
++ * the work, the other creates "jobs" for its colleague to do, and leads
++ * the way:
+ *
+- * - A stack element appears as a regular XML_Content node on the outside,
+- * but only uses a single field -- numchildren -- to store the source
+- * tree node array index. These are the breadcrumbs leading the way back
+- * during pre-order (node first) depth-first traversal.
++ * - The faster one, pointer jobDest, always leads and writes "what job
++ * to do" by the other, once they reach that place in the
++ * array: leader "jobDest" stores the source node array index (relative
++ * to array dtd->scaffold) in field "numchildren".
+ *
+- * - The reason we know the stack will never grow into (or overlap with)
+- * the area with data of value at the start of the array is because
+- * the overall number of elements to process matches the size of the array,
+- * and the sum of fully processed nodes and yet-to-be processed nodes
+- * on the stack, cannot be more than the total number of nodes.
+- * It is possible for the top of the stack and the about-to-write node
+- * to meet, but that is safe because we get the source index out
+- * before doing any writes on that node.
++ * - The slower one, pointer dest, looks at the value stored in the
++ * "numchildren" field (which actually holds a source node array index
++ * at that time) and puts the real data from dtd->scaffold in.
++ *
++ * - Before the loop starts, jobDest writes source array index 0
++ * (where the root node is located) so that dest will have something to do
++ * when it starts operation.
++ *
++ * - Whenever nodes with children are encountered, jobDest appends
++ * them as new jobs, in order. As a result, tree node siblings are
++ * adjacent in the resulting array, for example:
++ *
++ * [0] root, has two children
++ * [1] first child of 0, has three children
++ * [3] first child of 1, does not have children
++ * [4] second child of 1, does not have children
++ * [5] third child of 1, does not have children
++ * [2] second child of 0, does not have children
++ *
++ * Or (the same data) presented in flat array view:
++ *
++ * [0] root, has two children
++ *
++ * [1] first child of 0, has three children
++ * [2] second child of 0, does not have children
++ *
++ * [3] first child of 1, does not have children
++ * [4] second child of 1, does not have children
++ * [5] third child of 1, does not have children
++ *
++ * - The algorithm repeats until all target array indices have been processed.
+ */
+ XML_Content *dest = ret; /* tree node writing location, moves upwards */
+ XML_Content *const destLimit = &ret[dtd->scaffCount];
+- XML_Content *const stackBottom = &ret[dtd->scaffCount];
+- XML_Content *stackTop = stackBottom; /* i.e. stack is initially empty */
++ XML_Content *jobDest = ret; /* next free writing location in target array */
+ str = (XML_Char *)&ret[dtd->scaffCount];
+
+- /* Push source tree root node index onto the stack */
+- (--stackTop)->numchildren = 0;
++ /* Add the starting job, the root node (index 0) of the source tree */
++ (jobDest++)->numchildren = 0;
+
+ for (; dest < destLimit; dest++) {
+- /* Pop source tree node index off the stack */
+- const int src_node = (int)(stackTop++)->numchildren;
++ /* Retrieve source tree array index from job storage */
++ const int src_node = (int)dest->numchildren;
+
+ /* Convert item */
+ dest->type = dtd->scaffold[src_node].type;
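Review bot: the loop has no bound check on `jobDest`; it stays within `destLimit` only because the scaffold is a tree, so the total of all `childcnt` values equals `dtd->scaffCount - 1` and `jobDest` is advanced exactly that many times plus one for the root. That invariant is what makes the new scheme safe and it is not stated in the long comment block; a one-line remark there (or an assertion that `jobDest <= destLimit` after the loop) would help the next reader. The worked example in the comment ([0] root, [1] and [2] its children, [3]..[5] the children of [1]) does show why siblings end up adjacent, which is the property the recursive version had and the stack-based version lost.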
+@@ -7427,16 +7446,12 @@ build_model(XML_Parser parser) {
+ int cn;
+ dest->name = NULL;
+ dest->numchildren = dtd->scaffold[src_node].childcnt;
+- dest->children = &dest[1];
++ dest->children = jobDest;
+
+- /* Push children to the stack
+- * in a way where the first child ends up at the top of the
+- * (downwards growing) stack, in order to be processed first. */
+- stackTop -= dest->numchildren;
++ /* Append scaffold indices of children to array */
+ for (i = 0, cn = dtd->scaffold[src_node].firstchild;
+- i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) {
+- (stackTop + i)->numchildren = (unsigned int)cn;
+- }
++ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib)
++ (jobDest++)->numchildren = (unsigned int)cn;
+ }
+ }
+
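Review bot: `dest->children = jobDest;` is correct only because the `for` loop directly beneath appends exactly `dest->numchildren` entries starting at that address, so the children are contiguous; a short comment tying the two together would make that explicit. Style: the rewritten loop drops the braces around its single-statement body (`(jobDest++)->numchildren = (unsigned int)cn;`) while the surrounding code keeps braces; keeping them avoids the classic mistake when a second statement is added later.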
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25313.patch b/meta/recipes-core/expat/expat/CVE-2022-25313.patch
new file mode 100644
index 0000000000..470d66e9dd
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25313.patch
@@ -0,0 +1,230 @@
+From 9b4ce651b26557f16103c3a366c91934ecd439ab Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Tue, 15 Feb 2022 11:54:29 +0000
+Subject: [PATCH] Prevent stack exhaustion in build_model
+
+It is possible to trigger stack exhaustion in build_model function if
+depth of nested children in DTD element is large enough. This happens
+because build_node is a recursively called function within build_model.
+
+The code has been adjusted to run iteratively. It uses the already
+allocated heap space as temporary stack (growing from top to bottom).
+
+Output is identical to recursive version. No new fields in data
+structures were added, i.e. it keeps full API and ABI compatibility.
+Instead the numchildren variable is used to temporarily keep the
+index of items (uint vs int).
+
+Documentation and readability improvements kindly added by Sebastian.
+
+Proof of Concept:
+
+1. Compile poc binary which parses XML file line by line
+
+```
+cat > poc.c << EOF
+ #include <err.h>
+ #include <expat.h>
+ #include <stdio.h>
+
+ XML_Parser parser;
+
+ static void XMLCALL
+ dummy_element_decl_handler(void *userData, const XML_Char *name,
+ XML_Content *model) {
+ XML_FreeContentModel(parser, model);
+ }
+
+ int main(int argc, char *argv[]) {
+ FILE *fp;
+ char *p = NULL;
+ size_t s = 0;
+ ssize_t l;
+ if (argc != 2)
+ errx(1, "usage: poc poc.xml");
+ if ((parser = XML_ParserCreate(NULL)) == NULL)
+ errx(1, "XML_ParserCreate");
+ XML_SetElementDeclHandler(parser, dummy_element_decl_handler);
+ if ((fp = fopen(argv[1], "r")) == NULL)
+ err(1, "fopen");
+ while ((l = getline(&p, &s, fp)) > 0)
+ if (XML_Parse(parser, p, (int)l, XML_FALSE) != XML_STATUS_OK)
+ errx(1, "XML_Parse");
+ XML_ParserFree(parser);
+ free(p);
+ fclose(fp);
+ return 0;
+ }
+EOF
+cc -std=c11 -D_POSIX_C_SOURCE=200809L -lexpat -o poc poc.c
+```
+
+2. Create XML file with a lot of nested groups in DTD element
+
+```
+cat > poc.xml.zst.b64 << EOF
+KLUv/aQkACAAPAEA+DwhRE9DVFlQRSB1d3UgWwo8IUVMRU1FTlQgdXd1CigBAHv/58AJAgAQKAIA
+ECgCABAoAgAQKAIAECgCABAoAgAQKHwAAChvd28KKQIA2/8gV24XBAIAECkCABApAgAQKQIAECkC
+ABApAgAQKQIAEClVAAAgPl0+CgEA4A4I2VwwnQ==
+EOF
+base64 -d poc.xml.zst.b64 | zstd -d > poc.xml
+```
+
+3. Run Proof of Concept
+
+```
+./poc poc.xml
+```
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/558/commits/9b4ce651b26557f16103c3a366c91934ecd439ab
+
+CVE: CVE-2022-25313
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 116 +++++++++++++++++++++++++++++--------------
+ 1 file changed, 79 insertions(+), 37 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 4b43e613..594cf12c 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7317,44 +7317,15 @@ nextScaffoldPart(XML_Parser parser) {
+ return next;
+ }
+
+-static void
+-build_node(XML_Parser parser, int src_node, XML_Content *dest,
+- XML_Content **contpos, XML_Char **strpos) {
+- DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+- dest->type = dtd->scaffold[src_node].type;
+- dest->quant = dtd->scaffold[src_node].quant;
+- if (dest->type == XML_CTYPE_NAME) {
+- const XML_Char *src;
+- dest->name = *strpos;
+- src = dtd->scaffold[src_node].name;
+- for (;;) {
+- *(*strpos)++ = *src;
+- if (! *src)
+- break;
+- src++;
+- }
+- dest->numchildren = 0;
+- dest->children = NULL;
+- } else {
+- unsigned int i;
+- int cn;
+- dest->numchildren = dtd->scaffold[src_node].childcnt;
+- dest->children = *contpos;
+- *contpos += dest->numchildren;
+- for (i = 0, cn = dtd->scaffold[src_node].firstchild; i < dest->numchildren;
+- i++, cn = dtd->scaffold[cn].nextsib) {
+- build_node(parser, cn, &(dest->children[i]), contpos, strpos);
+- }
+- dest->name = NULL;
+- }
+-}
+-
+ static XML_Content *
+ build_model(XML_Parser parser) {
++ /* Function build_model transforms the existing parser->m_dtd->scaffold
++ * array of CONTENT_SCAFFOLD tree nodes into a new array of
++ * XML_Content tree nodes followed by a gapless list of zero-terminated
++ * strings. */
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+ XML_Content *ret;
+- XML_Content *cpos;
+- XML_Char *str;
++ XML_Char *str; /* the current string writing location */
+
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+@@ -7380,10 +7351,81 @@ build_model(XML_Parser parser) {
+ if (! ret)
+ return NULL;
+
+- str = (XML_Char *)(&ret[dtd->scaffCount]);
+- cpos = &ret[1];
++ /* What follows is an iterative implementation (of what was previously done
++ * recursively in a dedicated function called "build_node". The old recursive
++ * build_node could be forced into stack exhaustion from input as small as a
++ * few megabyte, and so that was a security issue. Hence, a function call
++ * stack is avoided now by resolving recursion.)
++ *
++ * The iterative approach works as follows:
++ *
++ * - We use space in the target array for building a temporary stack structure
++ * while that space is still unused.
++ * The stack grows from the array's end downwards and the "actual data"
++ * grows from the start upwards, sequentially.
++ * (Because stack grows downwards, pushing onto the stack is a decrement
++ * while popping off the stack is an increment.)
++ *
++ * - A stack element appears as a regular XML_Content node on the outside,
++ * but only uses a single field -- numchildren -- to store the source
++ * tree node array index. These are the breadcrumbs leading the way back
++ * during pre-order (node first) depth-first traversal.
++ *
++ * - The reason we know the stack will never grow into (or overlap with)
++ * the area with data of value at the start of the array is because
++ * the overall number of elements to process matches the size of the array,
++ * and the sum of fully processed nodes and yet-to-be processed nodes
++ * on the stack, cannot be more than the total number of nodes.
++ * It is possible for the top of the stack and the about-to-write node
++ * to meet, but that is safe because we get the source index out
++ * before doing any writes on that node.
++ */
++ XML_Content *dest = ret; /* tree node writing location, moves upwards */
++ XML_Content *const destLimit = &ret[dtd->scaffCount];
++ XML_Content *const stackBottom = &ret[dtd->scaffCount];
++ XML_Content *stackTop = stackBottom; /* i.e. stack is initially empty */
++ str = (XML_Char *)&ret[dtd->scaffCount];
++
++ /* Push source tree root node index onto the stack */
++ (--stackTop)->numchildren = 0;
++
++ for (; dest < destLimit; dest++) {
++ /* Pop source tree node index off the stack */
++ const int src_node = (int)(stackTop++)->numchildren;
++
++ /* Convert item */
++ dest->type = dtd->scaffold[src_node].type;
++ dest->quant = dtd->scaffold[src_node].quant;
++ if (dest->type == XML_CTYPE_NAME) {
++ const XML_Char *src;
++ dest->name = str;
++ src = dtd->scaffold[src_node].name;
++ for (;;) {
++ *str++ = *src;
++ if (! *src)
++ break;
++ src++;
++ }
++ dest->numchildren = 0;
++ dest->children = NULL;
++ } else {
++ unsigned int i;
++ int cn;
++ dest->name = NULL;
++ dest->numchildren = dtd->scaffold[src_node].childcnt;
++ dest->children = &dest[1];
++
++ /* Push children to the stack
++ * in a way where the first child ends up at the top of the
++ * (downwards growing) stack, in order to be processed first. */
++ stackTop -= dest->numchildren;
++ for (i = 0, cn = dtd->scaffold[src_node].firstchild;
++ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib) {
++ (stackTop + i)->numchildren = (unsigned int)cn;
++ }
++ }
++ }
+
+- build_node(parser, 0, ret, &cpos, &str);
+ return ret;
+ }
+
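Review bot: `dest->children = &dest[1];` assumes every child of a node is stored immediately after the node, but the stack-based pre-order traversal only guarantees that for the first child: when a child has children of its own, the next sibling lands further up the array, so `children[1]` and beyond point at the wrong nodes. This is the regression named in the companion CVE-2022-25313-regression.patch in this series ("A preorder traversal is not required and turned out to be the culprit"), which replaces the stack with the `jobDest` scheme; both patches must be applied together, as the recipe hunk below does.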
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb
index c0103767b1..4d945a295e 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -15,6 +15,8 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
file://CVE-2022-23990.patch \
file://CVE-2022-25235.patch \
file://CVE-2022-25236.patch \
+ file://CVE-2022-25313.patch \
+ file://CVE-2022-25313-regression.patch \
file://libtool-tag.patch \
"
--
2.25.1
* [OE-core][dunfell 07/18] expat: fix CVE-2022-25314
From: Steve Sakoman @ 2022-03-04 15:04 UTC (permalink / raw)
To: openembedded-core
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in
copyString.
Backport patch from:
https://github.com/libexpat/libexpat/pull/560/commits/efcb347440ade24b9f1054671e6bd05e60b4cafd
CVE: CVE-2022-25314
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../expat/expat/CVE-2022-25314.patch | 32 +++++++++++++++++++
meta/recipes-core/expat/expat_2.2.9.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25314.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25314.patch b/meta/recipes-core/expat/expat/CVE-2022-25314.patch
new file mode 100644
index 0000000000..2f713ebb54
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25314.patch
@@ -0,0 +1,32 @@
+From efcb347440ade24b9f1054671e6bd05e60b4cafd Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Tue, 15 Feb 2022 11:56:57 +0000
+Subject: [PATCH] Prevent integer overflow in copyString
+
+The copyString function is only used for encoding string supplied by
+the library user.
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/560/commits/efcb347440ade24b9f1054671e6bd05e60b4cafd
+
+CVE: CVE-2022-25314
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ expat/lib/xmlparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 4b43e613..a39377c2 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7412,7 +7412,7 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr,
+
+ static XML_Char *
+ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+- int charsRequired = 0;
++ size_t charsRequired = 0;
+ XML_Char *result;
+
+ /* First determine how long the string is */
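Review bot: the hunk changes only the declaration `int charsRequired = 0;` to `size_t charsRequired = 0;`, and the context does not show the counting loop or the allocation that consume it; please confirm that the byte-count multiplication by `sizeof(XML_Char)` and the allocation call use `charsRequired` as `size_t` all the way through, since an intermediate conversion back to `int` would reintroduce the overflow. The commit message's point that copyString only handles strings supplied by the library user, not document content, is the reason this is low severity and is worth keeping in the recipe's patch header.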
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb
index 4d945a295e..dd8eeddf80 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
file://CVE-2022-25236.patch \
file://CVE-2022-25313.patch \
file://CVE-2022-25313-regression.patch \
+ file://CVE-2022-25314.patch \
file://libtool-tag.patch \
"
--
2.25.1
* [OE-core][dunfell 08/18] expat: fix CVE-2022-25315
From: Steve Sakoman @ 2022-03-04 15:04 UTC (permalink / raw)
To: openembedded-core
In Expat (aka libexpat) before 2.4.5, there is an integer overflow
in storeRawNames.
Backport patch from:
https://github.com/libexpat/libexpat/pull/559/commits/eb0362808b4f9f1e2345a0cf203b8cc196d776d9
CVE: CVE-2022-25315
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../expat/expat/CVE-2022-25315.patch | 145 ++++++++++++++++++
meta/recipes-core/expat/expat_2.2.9.bb | 1 +
2 files changed, 146 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2022-25315.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2022-25315.patch b/meta/recipes-core/expat/expat/CVE-2022-25315.patch
new file mode 100644
index 0000000000..a39771d28a
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2022-25315.patch
@@ -0,0 +1,145 @@
+From eb0362808b4f9f1e2345a0cf203b8cc196d776d9 Mon Sep 17 00:00:00 2001
+From: Samanta Navarro <ferivoz@riseup.net>
+Date: Tue, 15 Feb 2022 11:55:46 +0000
+Subject: [PATCH] Prevent integer overflow in storeRawNames
+
+It is possible to use an integer overflow in storeRawNames for out of
+boundary heap writes. Default configuration is affected. If compiled
+with XML_UNICODE then the attack does not work. Compiling with
+-fsanitize=address confirms the following proof of concept.
+
+The problem can be exploited by abusing the m_buffer expansion logic.
+Even though the initial size of m_buffer is a power of two, eventually
+it can end up a little bit lower, thus allowing allocations very close
+to INT_MAX (since INT_MAX/2 can be surpassed). This means that tag
+names can be parsed which are almost INT_MAX in size.
+
+Unfortunately (from an attacker point of view) INT_MAX/2 is also a
+limitation in string pools. Having a tag name of INT_MAX/2 characters
+or more is not possible.
+
+Expat can convert between different encodings. UTF-16 documents which
+contain only ASCII representable characters are twice as large as their
+ASCII encoded counter-parts.
+
+The proof of concept works by taking these three considerations into
+account:
+
+1. Move the m_buffer size slightly below a power of two by having a
+ short root node <a>. This allows the m_buffer to grow very close
+ to INT_MAX.
+2. The string pooling forbids tag names longer than or equal to
+ INT_MAX/2, so keep the attack tag name smaller than that.
+3. To be able to still overflow INT_MAX even though the name is
+ limited at INT_MAX/2-1 (nul byte) we use UTF-16 encoding and a tag
+ which only contains ASCII characters. UTF-16 always stores two
+ bytes per character while the tag name is converted to using only
+ one. Our attack node byte count must be a bit higher than
+ 2/3 INT_MAX so the converted tag name is around INT_MAX/3 which
+ in sum can overflow INT_MAX.
+
+Thanks to our small root node, m_buffer can handle 2/3 INT_MAX bytes
+without running into INT_MAX boundary check. The string pooling is
+able to store INT_MAX/3 as tag name because the amount is below
+INT_MAX/2 limitation. And creating the sum of both eventually overflows
+in storeRawNames.
+
+Proof of Concept:
+
+1. Compile expat with -fsanitize=address.
+
+2. Create Proof of Concept binary which iterates through input
+ file 16 MB at once for better performance and easier integer
+ calculations:
+
+```
+cat > poc.c << EOF
+ #include <err.h>
+ #include <expat.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+
+ #define CHUNK (16 * 1024 * 1024)
+ int main(int argc, char *argv[]) {
+ XML_Parser parser;
+ FILE *fp;
+ char *buf;
+ int i;
+
+ if (argc != 2)
+ errx(1, "usage: poc file.xml");
+ if ((parser = XML_ParserCreate(NULL)) == NULL)
+ errx(1, "failed to create expat parser");
+ if ((fp = fopen(argv[1], "r")) == NULL) {
+ XML_ParserFree(parser);
+ err(1, "failed to open file");
+ }
+ if ((buf = malloc(CHUNK)) == NULL) {
+ fclose(fp);
+ XML_ParserFree(parser);
+ err(1, "failed to allocate buffer");
+ }
+ i = 0;
+ while (fread(buf, CHUNK, 1, fp) == 1) {
+ printf("iteration %d: XML_Parse returns %d\n", ++i,
+ XML_Parse(parser, buf, CHUNK, XML_FALSE));
+ }
+ free(buf);
+ fclose(fp);
+ XML_ParserFree(parser);
+ return 0;
+ }
+EOF
+gcc -fsanitize=address -lexpat -o poc poc.c
+```
+
+3. Construct specially prepared UTF-16 XML file:
+
+```
+dd if=/dev/zero bs=1024 count=794624 | tr '\0' 'a' > poc-utf8.xml
+echo -n '<a><' | dd conv=notrunc of=poc-utf8.xml
+echo -n '><' | dd conv=notrunc of=poc-utf8.xml bs=1 seek=805306368
+iconv -f UTF-8 -t UTF-16LE poc-utf8.xml > poc-utf16.xml
+```
+
+4. Run proof of concept:
+
+```
+./poc poc-utf16.xml
+```
+
+Upstream-Status: Backport
+https://github.com/libexpat/libexpat/pull/559/commits/eb0362808b4f9f1e2345a0cf203b8cc196d776d9
+
+CVE: CVE-2022-25315
+
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ lib/xmlparse.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 4b43e613..f34d6ab5 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2563,6 +2563,7 @@ storeRawNames(XML_Parser parser) {
+ while (tag) {
+ int bufSize;
+ int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
++ size_t rawNameLen;
+ char *rawNameBuf = tag->buf + nameLen;
+ /* Stop if already stored. Since m_tagStack is a stack, we can stop
+ at the first entry that has already been copied; everything
+@@ -2574,7 +2575,11 @@ storeRawNames(XML_Parser parser) {
+ /* For re-use purposes we need to ensure that the
+ size of tag->buf is a multiple of sizeof(XML_Char).
+ */
+- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
++ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
++ /* Detect and prevent integer overflow. */
++ if (rawNameLen > (size_t)INT_MAX - nameLen)
++ return XML_FALSE;
++ bufSize = nameLen + (int)rawNameLen;
+ if (bufSize > tag->bufEnd - tag->buf) {
+ char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
+ if (temp == NULL)
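Review bot: the new guard `if (rawNameLen > (size_t)INT_MAX - nameLen)` is only sound while `nameLen` is non-negative, and `nameLen` is itself the product `sizeof(XML_Char) * (tag->name.strLen + 1)` narrowed into an `int` a few lines above the hunk; the commit message's argument that string pooling keeps the tag name below INT_MAX/2 is what makes that narrowing safe, so a one-line comment at the `nameLen` declaration stating that bound would keep the two limits visibly linked for whoever touches this function next. The `(int)rawNameLen` cast on the following line is fine once the check has passed, since the sum is then known to fit.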
diff --git a/meta/recipes-core/expat/expat_2.2.9.bb b/meta/recipes-core/expat/expat_2.2.9.bb
index dd8eeddf80..f50e535922 100644
--- a/meta/recipes-core/expat/expat_2.2.9.bb
+++ b/meta/recipes-core/expat/expat_2.2.9.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/libexpat/libexpat.git;protocol=https;branch=master \
file://CVE-2022-25313.patch \
file://CVE-2022-25313-regression.patch \
file://CVE-2022-25314.patch \
+ file://CVE-2022-25315.patch \
file://libtool-tag.patch \
"
--
2.25.1
* [OE-core][dunfell 09/18] coreutils: remove obsolete ignored CVE list
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
From: Ross Burton <ross@burtonini.com>
Three CVEs were meant to be ignored via CVE_WHITELIST, but that wasn't
the correct variable name.
The CPEs for those CVEs mean that they don't get picked up in our report,
so just remove the assignment.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dea00faf30ec7c19b6b5ed4651b430ba3faf69ff)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/coreutils/coreutils_8.31.bb | 3 ---
1 file changed, 3 deletions(-)
diff --git a/meta/recipes-core/coreutils/coreutils_8.31.bb b/meta/recipes-core/coreutils/coreutils_8.31.bb
index aabeee882c..3d569881e8 100644
--- a/meta/recipes-core/coreutils/coreutils_8.31.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.31.bb
@@ -206,6 +206,3 @@ do_install_ptest () {
}
FILES_${PN}-ptest += "${bindir}/getlimits"
-
-# These are specific to Opensuse
-CVE_WHITELIST += "CVE-2013-0221 CVE-2013-0222 CVE-2013-0223"
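Review bot: dropping the `CVE_WHITELIST +=` assignment is right, since the message says that name is not one the class reads, but the message would help whoever later needs to ignore these ids again if it named the variable the dunfell cve-check class actually honours, and carried over the "These are specific to Opensuse" rationale that disappears together with the comment line, so that a future report of CVE-2013-0221, -0222 or -0223 can be triaged without git archaeology.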
--
2.25.1
* [OE-core][dunfell 10/18] cve-check: get_cve_info should open the database read-only
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
From: Ross Burton <ross@burtonini.com>
All of the functions in cve-check should open the database read-only, as
the only writer is the fetch task in cve-update-db. However,
get_cve_info() was failing to do this, which might be causing locking
issues with sqlite.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8de517238f1f418d9af1ce312d99de04ce2e26fc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 6b627464a0..5369b7074c 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -323,7 +323,8 @@ def get_cve_info(d, cves):
import sqlite3
cve_data = {}
- conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
+ db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
+ conn = sqlite3.connect(db_file, uri=True)
for cve in cves:
for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
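Review bot: `d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")` splices the raw path into an SQLite URI without percent-encoding it; SQLite interprets `?`, `#` and `%` inside URI filenames, so a CVE_CHECK_DB_FILE containing any of those characters would resolve to a different file or lose the `mode=ro` parameter, silently reopening the database read-write. Encoding the path (for example with urllib.parse.quote) before appending `?mode=ro` closes that gap, and the same construction should be used wherever the other functions build their read-only URI. Separately, the connection opened here is never closed in the visible lines; a `conn.close()` after the loop would release the file handle as soon as the lookups are done.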
--
2.25.1
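The read-only URI form used in the fix above, as an added Python example that is not part of the patch or of the cve-check class: it builds a constructed stand-in for the NVD table, opens it with `mode=ro` after percent-encoding the path (so a `?`, `#` or `%` in the file name cannot be mistaken for URI syntax), runs the same `SELECT ... WHERE ID IS ?` lookup, shows that a write through that connection is rejected, and shows what happens when the path is spliced in unencoded. The table layout, the file name and the CVE ids are constructed sample values.

```python
"""Read-only SQLite access in the style of cve-check's get_cve_info() (added example)."""
import os
import sqlite3
import tempfile
from urllib.parse import quote

# Constructed stand-in for the NVD table: one row keyed by a made-up CVE id.
SAMPLE_ROWS = [("CVE-0000-0001", "constructed sample entry")]


def build_sample_db(path):
    """Create the sample database; this is the only code here that writes."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE NVD (ID TEXT PRIMARY KEY, SUMMARY TEXT)")
    conn.executemany("INSERT INTO NVD VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def readonly_uri(path):
    """Build a file: URI with mode=ro. The path is percent-encoded so that
    '?', '#' or '%' inside it cannot be parsed as URI syntax; the patch
    splices the raw path in, this is the hardened variant."""
    return "file:" + quote(os.path.abspath(path)) + "?mode=ro"


def open_readonly(path):
    return sqlite3.connect(readonly_uri(path), uri=True)


def get_cve_info(conn, cves):
    """Same lookup shape as the class: one query per requested id."""
    cve_data = {}
    for cve in cves:
        for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
            cve_data[row[0]] = row[1]
    return cve_data


def write_is_rejected(conn):
    """A reader connection must not be able to modify the database."""
    try:
        conn.execute("INSERT INTO NVD VALUES ('CVE-0000-0002', 'should not land')")
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return True
    return False


def naive_uri_misparses(path):
    """Why the encoding matters: with a '?' in the file name, the unencoded
    URI opens a different (newly created, empty) file, so the NVD table is
    missing and the mode=ro parameter is lost along with it."""
    conn = sqlite3.connect("file:" + path + "?mode=ro", uri=True)
    try:
        conn.execute("SELECT * FROM NVD")
    except sqlite3.OperationalError:  # no such table: NVD
        return True
    finally:
        conn.close()
    return False


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "nvd?cache.db")  # awkward name on purpose
        build_sample_db(path)
        conn = open_readonly(path)
        try:
            found = get_cve_info(conn, ["CVE-0000-0001", "CVE-0000-0009"])
            rejected = write_is_rejected(conn)
        finally:
            conn.close()
        misparsed = naive_uri_misparses(path)
        return found, rejected, misparsed


if __name__ == "__main__":
    print(demo())
```

The encoded URI is the only change from the class's construction; everything else (the `IS ?` lookup, `uri=True`) is the same API the patch uses, and closing the connection in a `finally` is what releases the file handle after the lookups.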
* [OE-core][dunfell 11/18] Revert "cve-check: add lockfile to task"
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
From: Ross Burton <ross@burtonini.com>
Now that all of the functions in cve-check open the database read-only,
we can remove this lockfile.
This means cve-check can run in parallel again, improving runtimes
massively.
This reverts commit d55fbf4779483d2cfd71df78d0f733b599fef739.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e60d149b41d14d177df20dbecaef943696df1586)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 1 -
1 file changed, 1 deletion(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 5369b7074c..75c5b92b96 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -110,7 +110,6 @@ python do_cve_check () {
}
addtask cve_check before do_build after do_fetch
-do_cve_check[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
do_cve_check[depends] = "cve-update-db-native:do_fetch"
do_cve_check[nostamp] = "1"
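Review bot: the revert's safety rests on two things, every reader opening the database read-only and the `do_cve_check[depends] = "cve-update-db-native:do_fetch"` line that stays in the hunk, which is what guarantees the single writer has finished before any reader starts. The message asserts the first condition now holds but does not cite the commit that established it (the preceding get_cve_info fix); naming it in the message would let a future bisect see why dropping the lockfile became safe rather than merely faster.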
--
2.25.1
* [OE-core][dunfell 12/18] wireless-regdb: upgrade 2021.08.28 -> 2022.02.18
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
From: wangmy <wangmy@fujitsu.com>
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e5c06ddfd3c0db0d0762c0241c019f59ad310e53)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...ireless-regdb_2021.08.28.bb => wireless-regdb_2022.02.18.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2021.08.28.bb => wireless-regdb_2022.02.18.bb} (94%)
diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2021.08.28.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.02.18.bb
similarity index 94%
rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2021.08.28.bb
rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.02.18.bb
index 376311804e..4e6da4cbe1 100644
--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2021.08.28.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2022.02.18.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "cff370c410d1e6d316ae0a7fa8ac6278fdf1efca5d3d664aca7cfd2aafa54446"
+SRC_URI[sha256sum] = "8828c25a4ee25020044004f57374bb9deac852809fad70f8d3d01770bf9ac97f"
inherit bin_package allarch
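Review bot: the hunk swaps `SRC_URI[sha256sum]` with no note on where the new value came from; for a regulatory database fetched over plain http from kernel.org, the message should state that the tarball was checked against the upstream signature or published checksum, so a reviewer can distinguish a version bump from a substituted archive.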
--
2.25.1
* [OE-core][dunfell 13/18] bootchart2: Add missing python3-math dependency
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
From: Marek Vasut <marex@denx.de>
Without this dependency, generating the bootchart may fail with:
"
ModuleNotFoundError: No module named 'random'
"
(cherry picked from commit 487e9f16a00f895159b79f1865fe8b626b47ddc2)
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Mingli Yu <mingli.yu@windriver.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb
index 66bd897a9a..7f05bd1b0b 100644
--- a/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb
+++ b/meta/recipes-devtools/bootchart2/bootchart2_0.14.9.bb
@@ -144,7 +144,7 @@ do_install () {
PACKAGES =+ "pybootchartgui"
FILES_pybootchartgui += "${PYTHON_SITEPACKAGES_DIR}/pybootchartgui ${bindir}/pybootchartgui"
-RDEPENDS_pybootchartgui = "python3-pycairo python3-compression python3-image python3-shell python3-compression python3-codecs"
+RDEPENDS_pybootchartgui = "python3-pycairo python3-compression python3-image python3-math python3-shell python3-compression python3-codecs"
RDEPENDS_${PN}_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'sysvinit-pidof', 'procps', d)}"
RDEPENDS_${PN}_class-target += "lsb-release"
DEPENDS_append_class-native = " python3-pycairo-native"
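Review bot: while touching the `RDEPENDS_pybootchartgui` line, drop the duplicated `python3-compression` entry, which appears twice both before and after the change; the new `python3-math` dependency itself matches the `No module named 'random'` failure quoted in the message, since `random` ships in that package.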
--
2.25.1
* [OE-core][dunfell 14/18] cml1.bbclass: Handle ncurses-native being available via pkg-config
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
From: Nathan Rossi <nathan@nathanrossi.com>
The linux kernel will by default use pkg-config to get ncurses(w) paths,
falling back to absolute path checks otherwise. If the build host does
not have ncurses installed this will fail as pkg-config will not search
the native sysroot for ncurses.
To more all kernel/kconfig sources, inject the equivalent native
pkg-config variables similar to what is done by the pkg-config-native
script. This only affects the menuconfig python task itself and the
oe_terminal call inside it.
(cherry picked from commit abb95c421bb67d452691819e3f63dabd02e2ba37)
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cml1.bbclass | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/meta/classes/cml1.bbclass b/meta/classes/cml1.bbclass
index 8ab240589a..46a19fce32 100644
--- a/meta/classes/cml1.bbclass
+++ b/meta/classes/cml1.bbclass
@@ -36,6 +36,14 @@ python do_menuconfig() {
except OSError:
mtime = 0
+ # setup native pkg-config variables (kconfig scripts call pkg-config directly, cannot generically be overriden to pkg-config-native)
+ d.setVar("PKG_CONFIG_DIR", "${STAGING_DIR_NATIVE}${libdir_native}/pkgconfig")
+ d.setVar("PKG_CONFIG_PATH", "${PKG_CONFIG_DIR}:${STAGING_DATADIR_NATIVE}/pkgconfig")
+ d.setVar("PKG_CONFIG_LIBDIR", "${PKG_CONFIG_DIR}")
+ d.setVarFlag("PKG_CONFIG_SYSROOT_DIR", "unexport", "1")
+ # ensure that environment variables are overwritten with this tasks 'd' values
+ d.appendVar("OE_TERMINAL_EXPORTS", " PKG_CONFIG_DIR PKG_CONFIG_PATH PKG_CONFIG_LIBDIR PKG_CONFIG_SYSROOT_DIR")
+
oe_terminal("sh -c \"make %s; if [ \\$? -ne 0 ]; then echo 'Command failed.'; printf 'Press any key to continue... '; read r; fi\"" % d.getVar('KCONFIG_CONFIG_COMMAND'),
d.getVar('PN') + ' Configuration', d)
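Review bot: the two new comment lines misspell "overridden" ("overriden") and "this task's" ("this tasks"); more substantively, `PKG_CONFIG_SYSROOT_DIR` is flagged `unexport` and in the same hunk appended to `OE_TERMINAL_EXPORTS`, which reads as contradictory unless the reader knows that oe_terminal treats an unexported variable in that list as one to scrub from the terminal's environment. A one-line comment saying that the listing is there so the target sysroot value is removed, not exported, would make the intent explicit.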
--
2.25.1
* [OE-core][dunfell 15/18] libxml-parser-perl: Add missing RDEPENDS
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Running the ptest package in an image alone highlighted missing module
dependencies. Add them to fix those errors.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3859f49db2d694c7b63fdbe25be0018afba5c738)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb b/meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb
index bc154bbdc5..ef2b292352 100644
--- a/meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb
+++ b/meta/recipes-devtools/perl/libxml-parser-perl_2.46.bb
@@ -53,6 +53,7 @@ do_install_ptest() {
chown -R root:root ${D}${PTEST_PATH}/samples
}
+RDEPENDS_${PN} += "perl-module-carp perl-module-file-spec"
RDEPENDS_${PN}-ptest += "perl-module-filehandle perl-module-if perl-module-test perl-module-test-more"
BBCLASSEXTEND="native nativesdk"
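Review bot: the message says the missing modules were found by running the ptest package alone, yet the new line adds `perl-module-carp perl-module-file-spec` to `RDEPENDS_${PN}` rather than to the `RDEPENDS_${PN}-ptest` line directly beneath it; that placement is the right one if XML::Parser itself uses Carp and File::Spec at runtime, so the message should say so, otherwise a reader will assume only the test harness needs them.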
--
2.25.1
* [OE-core][dunfell 16/18] buildhistory.bbclass: create the buildhistory directory when needed
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
From: Jose Quaresma <quaresma.jose@gmail.com>
When the BUILDHISTORY_RESET is enabled we need to move the
content from BUILDHISTORY_DIR to BUILDHISTORY_OLD_DIR but
when we start a clean build in the first run we don't have the
BUILDHISTORY_DIR so the move of files will fail.
| ERROR: Command execution failed: Traceback (most recent call last):
| File "/xxx/poky/bitbake/lib/bb/command.py", line 110, in runAsyncCommand
| commandmethod(self.cmds_async, self, options)
| File "/xxx/poky/bitbake/lib/bb/command.py", line 564, in buildTargets
| command.cooker.buildTargets(pkgs_to_build, task)
| File "/xxx/poky/bitbake/lib/bb/cooker.py", line 1481, in buildTargets
| bb.event.fire(bb.event.BuildStarted(buildname, ntargets), self.databuilder.mcdata[mc])
| File "/xxx/home/builder/src/base/poky/bitbake/lib/bb/event.py", line 214, in fire
| fire_class_handlers(event, d)
| File "/xxx/poky/bitbake/lib/bb/event.py", line 121, in fire_class_handlers
| execute_handler(name, handler, event, d)
| File "/xxx/poky/bitbake/lib/bb/event.py", line 93, in execute_handler
| ret = handler(event)
| File "/xxx/poky/meta/classes/buildhistory.bbclass", line 919, in buildhistory_eventhandler
| entries = [ x for x in os.listdir(rootdir) if not x.startswith('.') ]
| FileNotFoundError: [Errno 2] No such file or directory: '/xxx/buildhistory'
Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 97bc2168da7dbacdfbf79cd70db674363ab84f6b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/buildhistory.bbclass | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index 2746996cbb..6a1a20653a 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -865,6 +865,7 @@ python buildhistory_eventhandler() {
if os.path.isdir(olddir):
shutil.rmtree(olddir)
rootdir = e.data.getVar("BUILDHISTORY_DIR")
+ bb.utils.mkdirhier(rootdir)
entries = [ x for x in os.listdir(rootdir) if not x.startswith('.') ]
bb.utils.mkdirhier(olddir)
for entry in entries:
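Review bot: creating `rootdir` just so `os.listdir(rootdir)` can return an empty list means a first build with BUILDHISTORY_RESET set now produces an empty `olddir` from the `bb.utils.mkdirhier(olddir)` below with nothing moved into it; guarding the reset block with `if os.path.isdir(rootdir):` (or setting `entries = []` when it is absent) would express the first-run case directly instead of creating a directory only to find it empty. Either way the change does resolve the FileNotFoundError quoted in the message.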
--
2.25.1
* [OE-core][dunfell 17/18] uninative: Add version to uninative tarball name
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
uninative works via hashes and doesn't need the version in the tarball name but
it does make things easier to inspect in DL_DIR. There were reasons such as
ease of publication of the build tarballs but we can handle those differently
now and the signature issues from the early code aren't an issue now. From 3.4
onwards we can use a version'd name.
[YOCTO #12970]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dadba70d6a24d8ebb5576598efffa973151c7218)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/uninative.bbclass | 2 +-
meta/conf/distro/include/yocto-uninative.inc | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/meta/classes/uninative.bbclass b/meta/classes/uninative.bbclass
index 3c7ccd66f4..4412d7c567 100644
--- a/meta/classes/uninative.bbclass
+++ b/meta/classes/uninative.bbclass
@@ -2,7 +2,7 @@ UNINATIVE_LOADER ?= "${UNINATIVE_STAGING_DIR}-uninative/${BUILD_ARCH}-linux/lib/
UNINATIVE_STAGING_DIR ?= "${STAGING_DIR}"
UNINATIVE_URL ?= "unset"
-UNINATIVE_TARBALL ?= "${BUILD_ARCH}-nativesdk-libc.tar.xz"
+UNINATIVE_TARBALL ?= "${BUILD_ARCH}-nativesdk-libc-${UNINATIVE_VERSION}.tar.xz"
# Example checksums
#UNINATIVE_CHECKSUM[aarch64] = "dead"
#UNINATIVE_CHECKSUM[i686] = "dead"
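Review bot: `UNINATIVE_TARBALL` now expands `${UNINATIVE_VERSION}`, which this class does not define; a configuration that uses uninative.bbclass without yocto-uninative.inc (the class leaves `UNINATIVE_URL ?= "unset"`, so that is an anticipated setup) would expand the name to `${BUILD_ARCH}-nativesdk-libc-.tar.xz`. A `UNINATIVE_VERSION ?= ""` default in the class, or a comment next to UNINATIVE_URL naming the new required variable, would avoid the silent empty expansion.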
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 3165fc93b8..6833072cd3 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -7,8 +7,9 @@
#
UNINATIVE_MAXGLIBCVERSION = "2.34"
+UNINATIVE_VERSION = "3.4"
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.4/"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
UNINATIVE_CHECKSUM[aarch64] ?= "3013cdda8f0dc6639ce1c80f33eabce66f06b890bd5b58739a6d7a92a0bb7100"
UNINATIVE_CHECKSUM[i686] ?= "abed500de584aad63ec237546db20cdd0c69d8870a6f8e94ac31721ace64b376"
UNINATIVE_CHECKSUM[x86_64] ?= "126f4f7f6f21084ee140dac3eb4c536b963837826b7c38599db0b512c3377ba2"
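Review bot: `UNINATIVE_VERSION = "3.4"` uses a hard assignment while the surrounding `UNINATIVE_URL` and `UNINATIVE_CHECKSUM[...]` lines use `?=`; a distro that pins a different uninative release must now override URL, checksums and version together, so `?=` here would keep the three knobs consistent. The message's "From 3.4 onwards" remark also belongs in the .inc comment block, since the versioned file name is only available for releases from 3.4.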
--
2.25.1
* [OE-core][dunfell 18/18] uninative: Upgrade to 3.5
From: Steve Sakoman @ 2022-03-04 15:04 UTC
To: openembedded-core
From: Michael Halstead <mhalstead@linuxfoundation.org>
Add support for glibc 2.35.
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 347b8c87fb4e2c398644f900728cf6e22ba4516d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/conf/distro/include/yocto-uninative.inc | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 6833072cd3..bfe05ce1eb 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,10 +6,10 @@
# to the distro running on the build machine.
#
-UNINATIVE_MAXGLIBCVERSION = "2.34"
-UNINATIVE_VERSION = "3.4"
+UNINATIVE_MAXGLIBCVERSION = "2.35"
+UNINATIVE_VERSION = "3.5"
UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "3013cdda8f0dc6639ce1c80f33eabce66f06b890bd5b58739a6d7a92a0bb7100"
-UNINATIVE_CHECKSUM[i686] ?= "abed500de584aad63ec237546db20cdd0c69d8870a6f8e94ac31721ace64b376"
-UNINATIVE_CHECKSUM[x86_64] ?= "126f4f7f6f21084ee140dac3eb4c536b963837826b7c38599db0b512c3377ba2"
+UNINATIVE_CHECKSUM[aarch64] ?= "6de0771bd21e0fcb5e80388e5b561a8023b24083bcbf46e056a089982aff75d7"
+UNINATIVE_CHECKSUM[i686] ?= "8c8745becbfa1c341bae839c7eab56ddf17ce36c303bcd73d3b2f2f788b631c2"
+UNINATIVE_CHECKSUM[x86_64] ?= "e8047a5748e6f266165da141eb6d08b23674f30e477b0e5505b6403d50fbc4b2"
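Review bot: `UNINATIVE_MAXGLIBCVERSION`, `UNINATIVE_VERSION` and the three `UNINATIVE_CHECKSUM[...]` values are bumped together, which is required since the loader must match the glibc it was built against; the one-line message "Add support for glibc 2.35" would be more auditable with the source of the new checksums (the published release hashes or a signed manifest), given that this tarball is executed on every build host that fetches it.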
--
2.25.1
* [OE-core][dunfell 00/18] Patch review
From: Steve Sakoman @ 2023-01-01 17:42 UTC
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4715
The following changes since commit cc8ec63310f9a936371ea1070cb257c926808755:
oeqa/selftest/tinfoil: Add test for separate config_data with recipe_parse_file() (2022-12-14 16:34:29 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (1):
tzdata: update 2022d -> 2022g
Bruce Ashfield (4):
linux-yocto/5.4: update to v5.4.221
linux-yocto/5.4: update to v5.4.224
linux-yocto/5.4: update to v5.4.225
linux-yocto/5.4: update to v5.4.228
Chen Qi (1):
bc: extend to nativesdk
Hitendra Prajapati (1):
grub2: CVE-2022-28735 shim_lock verifier allows non-kernel files to be
loaded
Jagadeesh Krishnanjanappa (1):
qemuboot.bbclass: make sure runqemu boots bundled initramfs kernel
image
Joshua Watt (1):
sudo: Use specific BSD license variant
Minjae Kim (1):
ppp: fix CVE-2022-4603
Peter Marko (1):
externalsrc: fix lookup for .gitmodules
Quentin Schulz (1):
cairo: update patch for CVE-2019-6461 with upstream solution
Robert Andersson (1):
go-crosssdk: avoid host contamination by GOCACHE
Ross Burton (1):
lib/buildstats: fix parsing of trees with reduced_proc_pressure
directories
Vivek Kumbhar (4):
go: fix CVE-2022-41717 Excessive memory use in got server
rsync: fix CVE-2022-29154 remote arbitrary files write inside the
directories of connecting peers
libx11: fix CVE-2022-3555 memory leak in _XFreeX11XCBStructure() of
xcb_disp.c
qemu: fix CVE-2021-3507 fdc heap buffer overflow in DMA read data
transfers
meta/classes/externalsrc.bbclass | 2 +-
meta/classes/qemuboot.bbclass | 3 +-
.../grub/files/CVE-2022-28735.patch | 271 ++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
.../ppp/ppp/CVE-2022-4603.patch | 50 +++
meta/recipes-connectivity/ppp/ppp_2.4.7.bb | 1 +
meta/recipes-devtools/go/go-1.14.inc | 1 +
.../go/go-1.14/CVE-2022-41717.patch | 75 ++++
meta/recipes-devtools/go/go-crosssdk.inc | 2 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-3507.patch | 87 +++++
.../rsync/files/CVE-2022-29154.patch | 334 ++++++++++++++++++
meta/recipes-devtools/rsync/rsync_3.1.3.bb | 1 +
meta/recipes-extended/bc/bc_1.07.1.bb | 2 +-
meta/recipes-extended/sudo/sudo.inc | 2 +-
meta/recipes-extended/timezone/timezone.inc | 7 +-
.../cairo/cairo/CVE-2019-6461.patch | 35 +-
.../xorg-lib/libx11/CVE-2022-3555.patch | 38 ++
.../recipes-graphics/xorg-lib/libx11_1.6.9.bb | 1 +
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
scripts/lib/buildstats.py | 4 +-
23 files changed, 919 insertions(+), 35 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28735.patch
create mode 100644 meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41717.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507.patch
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2022-29154.patch
create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3555.patch
--
2.25.1