* [OE-core][dunfell 01/11] ruby: Upgrade ruby to 2.7.6 for security fix
2022-06-02 2:30 [OE-core][dunfell 00/11] Patch review Steve Sakoman
@ 2022-06-02 2:30 ` Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 02/11] ruby: Whitelist CVE-2021-28966 as this affects Windows OS only Steve Sakoman
` (9 subsequent siblings)
10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Upgrade ruby to 2.7.6
Link: https://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/
This includes CVE-2022-28739 security fix
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/ruby/{ruby_2.7.5.bb => ruby_2.7.6.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-devtools/ruby/{ruby_2.7.5.bb => ruby_2.7.6.bb} (95%)
diff --git a/meta/recipes-devtools/ruby/ruby_2.7.5.bb b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
similarity index 95%
rename from meta/recipes-devtools/ruby/ruby_2.7.5.bb
rename to meta/recipes-devtools/ruby/ruby_2.7.6.bb
index 44a2527ee7..658a17659a 100644
--- a/meta/recipes-devtools/ruby/ruby_2.7.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
@@ -9,8 +9,8 @@ SRC_URI += " \
file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
"
-SRC_URI[md5sum] = "ede247b56fb862f1f67f9471189b04d4"
-SRC_URI[sha256sum] = "2755b900a21235b443bb16dadd9032f784d4a88f143d852bc5d154f22b8781f1"
+SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042"
+SRC_URI[sha256sum] = "e7203b0cc09442ed2c08936d483f8ac140ec1c72e37bb5c401646b7866cb5d10"
PACKAGECONFIG ??= ""
PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
--
2.25.1
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][dunfell 02/11] ruby: Whitelist CVE-2021-28966 as this affects Windows OS only
2022-06-02 2:30 [OE-core][dunfell 00/11] Patch review Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 01/11] ruby: Upgrade ruby to 2.7.6 for security fix Steve Sakoman
@ 2022-06-02 2:30 ` Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 03/11] libsdl2: Add fix for CVE-2021-33657 Steve Sakoman
` (8 subsequent siblings)
10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
As per below debian link, CVE-2021-28966 affects Windows only
Link: https://security-tracker.debian.org/tracker/CVE-2021-28966
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/ruby/ruby_2.7.6.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/recipes-devtools/ruby/ruby_2.7.6.bb b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
index 658a17659a..3af321a83e 100644
--- a/meta/recipes-devtools/ruby/ruby_2.7.6.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
@@ -12,6 +12,10 @@ SRC_URI += " \
SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042"
SRC_URI[sha256sum] = "e7203b0cc09442ed2c08936d483f8ac140ec1c72e37bb5c401646b7866cb5d10"
+# CVE-2021-28966 is Windows specific and not affects Linux OS
+# https://security-tracker.debian.org/tracker/CVE-2021-28966
+CVE_CHECK_WHITELIST += "CVE-2021-28966"
+
PACKAGECONFIG ??= ""
PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
--
2.25.1
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][dunfell 03/11] libsdl2: Add fix for CVE-2021-33657
2022-06-02 2:30 [OE-core][dunfell 00/11] Patch review Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 01/11] ruby: Upgrade ruby to 2.7.6 for security fix Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 02/11] ruby: Whitelist CVE-2021-28966 as this affects Windows OS only Steve Sakoman
@ 2022-06-02 2:30 ` Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 04/11] ffmpeg: Fix for CVE-2022-1475 Steve Sakoman
` (7 subsequent siblings)
10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Add patch to fix CVE-2021-33657 issue for libsdl2
Link: https://security-tracker.debian.org/tracker/CVE-2021-33657
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsdl2/libsdl2/CVE-2021-33657.patch | 38 +++++++++++++++++++
.../libsdl2/libsdl2_2.0.12.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
new file mode 100644
index 0000000000..a4ed7ab8e6
--- /dev/null
+++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2021-33657.patch
@@ -0,0 +1,38 @@
+From 8c91cf7dba5193f5ce12d06db1336515851c9ee9 Mon Sep 17 00:00:00 2001
+From: Sam Lantinga <slouken@libsdl.org>
+Date: Tue, 30 Nov 2021 12:36:46 -0800
+Subject: [PATCH] Always create a full 256-entry map in case color values are
+ out of range
+
+Fixes https://github.com/libsdl-org/SDL/issues/5042
+
+CVE: CVE-2021-33657
+Upstream-Status: Backport [https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9.patch]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/video/SDL_pixels.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/video/SDL_pixels.c b/src/video/SDL_pixels.c
+index ac04533c5d5..9bb02f771d0 100644
+--- a/src/video/SDL_pixels.c
++++ b/src/video/SDL_pixels.c
+@@ -947,7 +947,7 @@ Map1to1(SDL_Palette * src, SDL_Palette * dst, int *identical)
+ }
+ *identical = 0;
+ }
+- map = (Uint8 *) SDL_malloc(src->ncolors);
++ map = (Uint8 *) SDL_calloc(256, sizeof(Uint8));
+ if (map == NULL) {
+ SDL_OutOfMemory();
+ return (NULL);
+@@ -971,7 +971,7 @@ Map1toN(SDL_PixelFormat * src, Uint8 Rmod, Uint8 Gmod, Uint8 Bmod, Uint8 Amod,
+ SDL_Palette *pal = src->palette;
+
+ bpp = ((dst->BytesPerPixel == 3) ? 4 : dst->BytesPerPixel);
+- map = (Uint8 *) SDL_malloc(pal->ncolors * bpp);
++ map = (Uint8 *) SDL_calloc(256, bpp);
+ if (map == NULL) {
+ SDL_OutOfMemory();
+ return (NULL);
diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
index 8e77c18f2d..44d36fca22 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \
file://directfb-spurious-curly-brace-missing-e.patch \
file://directfb-renderfillrect-fix.patch \
file://CVE-2020-14409-14410.patch \
+ file://CVE-2021-33657.patch \
"
S = "${WORKDIR}/SDL2-${PV}"
--
2.25.1
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][dunfell 04/11] ffmpeg: Fix for CVE-2022-1475
2022-06-02 2:30 [OE-core][dunfell 00/11] Patch review Steve Sakoman
` (2 preceding siblings ...)
2022-06-02 2:30 ` [OE-core][dunfell 03/11] libsdl2: Add fix for CVE-2021-33657 Steve Sakoman
@ 2022-06-02 2:30 ` Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 05/11] ncurses: Fix CVE-2022-29458 Steve Sakoman
` (6 subsequent siblings)
10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
From: Virendra Thakur <virendra.thakur@kpit.com>
Add patch to fix CVE-2022-1475
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ffmpeg/ffmpeg/CVE-2022-1475.patch | 36 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch
new file mode 100644
index 0000000000..bd8a08a216
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-1475.patch
@@ -0,0 +1,36 @@
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sun, 27 Feb 2022 14:43:04 +0100
+Subject: [PATCH] avcodec/g729_parser: Check channels
+
+Fixes: signed integer overflow: 10 * 808464428 cannot be represented in type 'int'
+Fixes: assertion failure
+Fixes: ticket9651
+
+Reviewed-by: Paul B Mahol <onemda@gmail.com>
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 757da974b21833529cc41bdcc9684c29660cdfa8)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2022-1475
+Upstream-Status: Backport [https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=e9e2ddbc6c78cc18b76093617f82c920e58a8d1f]
+Comment: Patch is refreshed as per ffmpeg codebase
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ libavcodec/g729_parser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: ffmpeg-4.2.2/libavcodec/g729_parser.c
+===================================================================
+--- a/libavcodec/g729_parser.c
++++ b/libavcodec/g729_parser.c
+@@ -48,6 +48,9 @@ static int g729_parse(AVCodecParserConte
+ av_assert1(avctx->codec_id == AV_CODEC_ID_G729);
+ /* FIXME: replace this heuristic block_size with more precise estimate */
+ s->block_size = (avctx->bit_rate < 8000) ? G729D_6K4_BLOCK_SIZE : G729_8K_BLOCK_SIZE;
++ // channels > 2 is invalid, we pass the packet on unchanged
++ if (avctx->channels > 2)
++ s->block_size = 0;
+ s->block_size *= avctx->channels;
+ s->duration = avctx->frame_size;
+ }
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
index 1d6f2e528b..cbfdbf0563 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
file://CVE-2021-3566.patch \
file://CVE-2021-38291.patch \
+ file://CVE-2022-1475.patch \
"
SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3"
SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c"
--
2.25.1
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][dunfell 05/11] ncurses: Fix CVE-2022-29458
2022-06-02 2:30 [OE-core][dunfell 00/11] Patch review Steve Sakoman
` (3 preceding siblings ...)
2022-06-02 2:30 ` [OE-core][dunfell 04/11] ffmpeg: Fix for CVE-2022-1475 Steve Sakoman
@ 2022-06-02 2:30 ` Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 06/11] libxml2: Fix CVE-2022-29824 for libxml2 Steve Sakoman
` (5 subsequent siblings)
10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
From: Dan Tran <MSFT.DanTran@gmail.com>
ncurses 6.3 before patch 20220416 has an out-of-bounds read and
segmentation violation in convert_strings in tinfo/read_entry.c in the
terminfo library.
Backported from the link below, extracting only the relevant changes.
https://github.com/ThomasDickey/ncurses-snapshots/commit/9d1d651878d4bf0695872a64cc65ba0acb825f36
Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ncurses/files/CVE-2022-29458.patch | 135 ++++++++++++++++++
meta/recipes-core/ncurses/ncurses_6.2.bb | 1 +
2 files changed, 136 insertions(+)
create mode 100644 meta/recipes-core/ncurses/files/CVE-2022-29458.patch
diff --git a/meta/recipes-core/ncurses/files/CVE-2022-29458.patch b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
new file mode 100644
index 0000000000..eb1b7c96f9
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2022-29458.patch
@@ -0,0 +1,135 @@
+From 5f40697e37e195069f55528fc7a1d77e619ad104 Mon Sep 17 00:00:00 2001
+From: Dan Tran <dantran@microsoft.com>
+Date: Fri, 13 May 2022 13:28:41 -0700
+Subject: [PATCH] ncurses 6.3 before patch 20220416 has an out-of-bounds read
+ and segmentation violation in convert_strings in tinfo/read_entry.c in the
+ terminfo library.
+
+CVE: CVE-2022-29458
+Upstream-Status: Backport
+[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009870]
+
+Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ ncurses/tinfo/alloc_entry.c | 14 ++++++--------
+ ncurses/tinfo/read_entry.c | 25 +++++++++++++++++++------
+ 2 files changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/ncurses/tinfo/alloc_entry.c b/ncurses/tinfo/alloc_entry.c
+index 4bf7d6c8..b49ad6aa 100644
+--- a/ncurses/tinfo/alloc_entry.c
++++ b/ncurses/tinfo/alloc_entry.c
+@@ -48,13 +48,11 @@
+
+ #include <tic.h>
+
+-MODULE_ID("$Id: alloc_entry.c,v 1.64 2020/02/02 23:34:34 tom Exp $")
++MODULE_ID("$Id: alloc_entry.c,v 1.69 2022/04/16 22:46:53 tom Exp $")
+
+ #define ABSENT_OFFSET -1
+ #define CANCELLED_OFFSET -2
+
+-#define MAX_STRTAB 4096 /* documented maximum entry size */
+-
+ static char *stringbuf; /* buffer for string capabilities */
+ static size_t next_free; /* next free character in stringbuf */
+
+@@ -71,8 +69,8 @@ _nc_init_entry(ENTRY * const tp)
+ }
+ #endif
+
+- if (stringbuf == 0)
+- TYPE_MALLOC(char, (size_t) MAX_STRTAB, stringbuf);
++ if (stringbuf == NULL)
++ TYPE_MALLOC(char, (size_t) MAX_ENTRY_SIZE, stringbuf);
+
+ next_free = 0;
+
+@@ -108,11 +106,11 @@ _nc_save_str(const char *const string)
+ * Cheat a little by making an empty string point to the end of the
+ * previous string.
+ */
+- if (next_free < MAX_STRTAB) {
++ if (next_free < MAX_ENTRY_SIZE) {
+ result = (stringbuf + next_free - 1);
+ }
+- } else if (next_free + len < MAX_STRTAB) {
+- _nc_STRCPY(&stringbuf[next_free], string, MAX_STRTAB);
++ } else if (next_free + len < MAX_ENTRY_SIZE) {
++ _nc_STRCPY(&stringbuf[next_free], string, MAX_ENTRY_SIZE);
+ DEBUG(7, ("Saved string %s", _nc_visbuf(string)));
+ DEBUG(7, ("at location %d", (int) next_free));
+ next_free += len;
+diff --git a/ncurses/tinfo/read_entry.c b/ncurses/tinfo/read_entry.c
+index 5b570b0f..23c2cebc 100644
+--- a/ncurses/tinfo/read_entry.c
++++ b/ncurses/tinfo/read_entry.c
+@@ -1,5 +1,5 @@
+ /****************************************************************************
+- * Copyright 2018-2019,2020 Thomas E. Dickey *
++ * Copyright 2018-2021,2022 Thomas E. Dickey *
+ * Copyright 1998-2016,2017 Free Software Foundation, Inc. *
+ * *
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+@@ -42,7 +42,7 @@
+
+ #include <tic.h>
+
+-MODULE_ID("$Id: read_entry.c,v 1.157 2020/02/02 23:34:34 tom Exp $")
++MODULE_ID("$Id: read_entry.c,v 1.162 2022/04/16 21:00:00 tom Exp $")
+
+ #define TYPE_CALLOC(type,elts) typeCalloc(type, (unsigned)(elts))
+
+@@ -145,6 +145,7 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ {
+ int i;
+ char *p;
++ bool corrupt = FALSE;
+
+ for (i = 0; i < count; i++) {
+ if (IS_NEG1(buf + 2 * i)) {
+@@ -154,8 +155,20 @@ convert_strings(char *buf, char **Strings, int count, int size, char *table)
+ } else if (MyNumber(buf + 2 * i) > size) {
+ Strings[i] = ABSENT_STRING;
+ } else {
+- Strings[i] = (MyNumber(buf + 2 * i) + table);
+- TR(TRACE_DATABASE, ("Strings[%d] = %s", i, _nc_visbuf(Strings[i])));
++ int nn = MyNumber(buf + 2 * i);
++ if (nn >= 0 && nn < size) {
++ Strings[i] = (nn + table);
++ TR(TRACE_DATABASE, ("Strings[%d] = %s", i,
++ _nc_visbuf(Strings[i])));
++ } else {
++ if (!corrupt) {
++ corrupt = TRUE;
++ TR(TRACE_DATABASE,
++ ("ignore out-of-range index %d to Strings[]", nn));
++ _nc_warning("corrupt data found in convert_strings");
++ }
++ Strings[i] = ABSENT_STRING;
++ }
+ }
+
+ /* make sure all strings are NUL terminated */
+@@ -776,7 +789,7 @@ _nc_read_tic_entry(char *filename,
+ * looking for compiled (binary) terminfo data.
+ *
+ * cgetent uses a two-level lookup. On the first it uses the given
+- * name to return a record containing only the aliases for an entry.
++ * name to return a record containing only the aliases for an entry.
+ * On the second (using that list of aliases as a key), it returns the
+ * content of the terminal description. We expect second lookup to
+ * return data beginning with the same set of aliases.
+@@ -833,7 +846,7 @@ _nc_read_tic_entry(char *filename,
+ #endif /* NCURSES_USE_DATABASE */
+
+ /*
+- * Find and read the compiled entry for a given terminal type, if it exists.
++ * Find and read the compiled entry for a given terminal type, if it exists.
+ * We take pains here to make sure no combination of environment variables and
+ * terminal type name can be used to overrun the file buffer.
+ */
+--
+2.36.1
+
diff --git a/meta/recipes-core/ncurses/ncurses_6.2.bb b/meta/recipes-core/ncurses/ncurses_6.2.bb
index 700464f70b..451bfbcb5d 100644
--- a/meta/recipes-core/ncurses/ncurses_6.2.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.2.bb
@@ -4,6 +4,7 @@ SRC_URI += "file://0001-tic-hang.patch \
file://0002-configure-reproducible.patch \
file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
file://CVE-2021-39537.patch \
+ file://CVE-2022-29458.patch \
"
# commit id corresponds to the revision in package version
SRCREV = "a669013cd5e9d6434e5301348ea51baf306c93c4"
--
2.25.1
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][dunfell 06/11] libxml2: Fix CVE-2022-29824 for libxml2
2022-06-02 2:30 [OE-core][dunfell 00/11] Patch review Steve Sakoman
` (4 preceding siblings ...)
2022-06-02 2:30 ` [OE-core][dunfell 05/11] ncurses: Fix CVE-2022-29458 Steve Sakoman
@ 2022-06-02 2:30 ` Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 07/11] vim: Upgrade 8.2.4912 -> 8.2.5034 to fix 9 CVEs Steve Sakoman
` (4 subsequent siblings)
10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
From: Riyaz <Riyaz.Khan@kpit.com>
Add patch for CVE issue: CVE-2022-29824
CVE-2022-29824
Link: [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab]
Dependent patch: [https://gitlab.gnome.org/GNOME/libxml2/-/commit/b07251215ef48c70c6e56f7351406c47cfca4d5b]
Signed-off-by: Riyaz <Riyaz.Khan@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxml2/CVE-2022-29824-dependent.patch | 53 +++
.../libxml/libxml2/CVE-2022-29824.patch | 348 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.9.10.bb | 2 +
3 files changed, 403 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch
new file mode 100644
index 0000000000..63d613cc21
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-29824-dependent.patch
@@ -0,0 +1,53 @@
+From b07251215ef48c70c6e56f7351406c47cfca4d5b Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 10 Jan 2020 15:55:07 +0100
+Subject: [PATCH] Fix integer overflow in xmlBufferResize
+
+Found by OSS-Fuzz.
+
+CVE: CVE-2022-29824
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/b07251215ef48c70c6e56f7351406c47cfca4d5b]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+
+---
+ tree.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 0d7fc98c..f43f6de1 100644
+--- a/tree.c
++++ b/tree.c
+@@ -7424,12 +7424,17 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (size < buf->size)
+ return 1;
+
++ if (size > UINT_MAX - 10) {
++ xmlTreeErrMemory("growing buffer");
++ return 0;
++ }
++
+ /* figure out new size */
+ switch (buf->alloc){
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size*2 : size + 10);
++ newSize = (buf->size ? buf->size : size + 10);
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+@@ -7445,7 +7450,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ if (buf->use < BASE_BUFFER_SIZE)
+ newSize = size;
+ else {
+- newSize = buf->size * 2;
++ newSize = buf->size;
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+--
+GitLab
+
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch
new file mode 100644
index 0000000000..ad7b87dbc6
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2022-29824.patch
@@ -0,0 +1,348 @@
+From 2554a2408e09f13652049e5ffb0d26196b02ebab Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 8 Mar 2022 20:10:02 +0100
+Subject: [PATCH] [CVE-2022-29824] Fix integer overflows in xmlBuf and
+ xmlBuffer
+
+In several places, the code handling string buffers didn't check for
+integer overflow or used wrong types for buffer sizes. This could
+result in out-of-bounds writes or other memory errors when working on
+large, multi-gigabyte buffers.
+
+Thanks to Felix Wilhelm for the report.
+
+CVE: CVE-2022-29824
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+
+---
+ buf.c | 86 +++++++++++++++++++++++-----------------------------------
+ tree.c | 72 ++++++++++++++++++------------------------------
+ 2 files changed, 61 insertions(+), 97 deletions(-)
+
+diff --git a/buf.c b/buf.c
+index 24368d37..40a5ee06 100644
+--- a/buf.c
++++ b/buf.c
+@@ -30,6 +30,10 @@
+ #include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */
+ #include "buf.h"
+
++#ifndef SIZE_MAX
++#define SIZE_MAX ((size_t) -1)
++#endif
++
+ #define WITH_BUFFER_COMPAT
+
+ /**
+@@ -156,6 +160,8 @@ xmlBufPtr
+ xmlBufCreateSize(size_t size) {
+ xmlBufPtr ret;
+
++ if (size == SIZE_MAX)
++ return(NULL);
+ ret = (xmlBufPtr) xmlMalloc(sizeof(xmlBuf));
+ if (ret == NULL) {
+ xmlBufMemoryError(NULL, "creating buffer");
+@@ -166,8 +172,8 @@ xmlBufCreateSize(size_t size) {
+ ret->error = 0;
+ ret->buffer = NULL;
+ ret->alloc = xmlBufferAllocScheme;
+- ret->size = (size ? size+2 : 0); /* +1 for ending null */
+- ret->compat_size = (int) ret->size;
++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
++ ret->compat_size = (ret->size > INT_MAX ? INT_MAX : ret->size);
+ if (ret->size){
+ ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
+ if (ret->content == NULL) {
+@@ -442,23 +448,17 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) {
+ CHECK_COMPAT(buf)
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+- if (buf->use + len < buf->size)
++ if (len < buf->size - buf->use)
+ return(buf->size - buf->use);
++ if (len > SIZE_MAX - buf->use)
++ return(0);
+
+- /*
+- * Windows has a BIG problem on realloc timing, so we try to double
+- * the buffer size (if that's enough) (bug 146697)
+- * Apparently BSD too, and it's probably best for linux too
+- * On an embedded system this may be something to change
+- */
+-#if 1
+- if (buf->size > (size_t) len)
+- size = buf->size * 2;
+- else
+- size = buf->use + len + 100;
+-#else
+- size = buf->use + len + 100;
+-#endif
++ if (buf->size > (size_t) len) {
++ size = buf->size > SIZE_MAX / 2 ? SIZE_MAX : buf->size * 2;
++ } else {
++ size = buf->use + len;
++ size = size > SIZE_MAX - 100 ? SIZE_MAX : size + 100;
++ }
+
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+@@ -744,7 +744,7 @@ xmlBufIsEmpty(const xmlBufPtr buf)
+ int
+ xmlBufResize(xmlBufPtr buf, size_t size)
+ {
+- unsigned int newSize;
++ size_t newSize;
+ xmlChar* rebuf = NULL;
+ size_t start_buf;
+
+@@ -772,9 +772,13 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size*2 : size + 10);
++ if (buf->size == 0) {
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
++ } else {
++ newSize = buf->size;
++ }
+ while (size > newSize) {
+- if (newSize > UINT_MAX / 2) {
++ if (newSize > SIZE_MAX / 2) {
+ xmlBufMemoryError(buf, "growing buffer");
+ return 0;
+ }
+@@ -782,15 +786,15 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+- newSize = size+10;
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
+ break;
+ case XML_BUFFER_ALLOC_HYBRID:
+ if (buf->use < BASE_BUFFER_SIZE)
+ newSize = size;
+ else {
+- newSize = buf->size * 2;
++ newSize = buf->size;
+ while (size > newSize) {
+- if (newSize > UINT_MAX / 2) {
++ if (newSize > SIZE_MAX / 2) {
+ xmlBufMemoryError(buf, "growing buffer");
+ return 0;
+ }
+@@ -800,7 +804,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ break;
+
+ default:
+- newSize = size+10;
++ newSize = (size > SIZE_MAX - 10 ? SIZE_MAX : size + 10);
+ break;
+ }
+
+@@ -866,7 +870,7 @@ xmlBufResize(xmlBufPtr buf, size_t size)
+ */
+ int
+ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+- unsigned int needSize;
++ size_t needSize;
+
+ if ((str == NULL) || (buf == NULL) || (buf->error))
+ return -1;
+@@ -888,8 +892,10 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
+ if (len < 0) return -1;
+ if (len == 0) return 0;
+
+- needSize = buf->use + len + 2;
+- if (needSize > buf->size){
++ if ((size_t) len >= buf->size - buf->use) {
++ if ((size_t) len >= SIZE_MAX - buf->use)
++ return(-1);
++ needSize = buf->use + len + 1;
+ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) {
+ /*
+ * Used to provide parsing limits
+@@ -1025,31 +1031,7 @@ xmlBufCat(xmlBufPtr buf, const xmlChar *str) {
+ */
+ int
+ xmlBufCCat(xmlBufPtr buf, const char *str) {
+- const char *cur;
+-
+- if ((buf == NULL) || (buf->error))
+- return(-1);
+- CHECK_COMPAT(buf)
+- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
+- if (str == NULL) {
+-#ifdef DEBUG_BUFFER
+- xmlGenericError(xmlGenericErrorContext,
+- "xmlBufCCat: str == NULL\n");
+-#endif
+- return -1;
+- }
+- for (cur = str;*cur != 0;cur++) {
+- if (buf->use + 10 >= buf->size) {
+- if (!xmlBufResize(buf, buf->use+10)){
+- xmlBufMemoryError(buf, "growing buffer");
+- return XML_ERR_NO_MEMORY;
+- }
+- }
+- buf->content[buf->use++] = *cur;
+- }
+- buf->content[buf->use] = 0;
+- UPDATE_COMPAT(buf)
+- return 0;
++ return xmlBufCat(buf, (const xmlChar *) str);
+ }
+
+ /**
+diff --git a/tree.c b/tree.c
+index 9d94aa42..86afb7d6 100644
+--- a/tree.c
++++ b/tree.c
+@@ -7104,6 +7104,8 @@ xmlBufferPtr
+ xmlBufferCreateSize(size_t size) {
+ xmlBufferPtr ret;
+
++ if (size >= UINT_MAX)
++ return(NULL);
+ ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
+ if (ret == NULL) {
+ xmlTreeErrMemory("creating buffer");
+@@ -7111,7 +7113,7 @@ xmlBufferCreateSize(size_t size) {
+ }
+ ret->use = 0;
+ ret->alloc = xmlBufferAllocScheme;
+- ret->size = (size ? size+2 : 0); /* +1 for ending null */
++ ret->size = (size ? size + 1 : 0); /* +1 for ending null */
+ if (ret->size){
+ ret->content = (xmlChar *) xmlMallocAtomic(ret->size * sizeof(xmlChar));
+ if (ret->content == NULL) {
+@@ -7171,6 +7173,8 @@ xmlBufferCreateStatic(void *mem, size_t size) {
+
+ if ((mem == NULL) || (size == 0))
+ return(NULL);
++ if (size > UINT_MAX)
++ return(NULL);
+
+ ret = (xmlBufferPtr) xmlMalloc(sizeof(xmlBuffer));
+ if (ret == NULL) {
+@@ -7318,28 +7322,23 @@ xmlBufferShrink(xmlBufferPtr buf, unsigned int len) {
+ */
+ int
+ xmlBufferGrow(xmlBufferPtr buf, unsigned int len) {
+- int size;
++ unsigned int size;
+ xmlChar *newbuf;
+
+ if (buf == NULL) return(-1);
+
+ if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0);
+- if (len + buf->use < buf->size) return(0);
++ if (len < buf->size - buf->use)
++ return(0);
++ if (len > UINT_MAX - buf->use)
++ return(-1);
+
+- /*
+- * Windows has a BIG problem on realloc timing, so we try to double
+- * the buffer size (if that's enough) (bug 146697)
+- * Apparently BSD too, and it's probably best for linux too
+- * On an embedded system this may be something to change
+- */
+-#if 1
+- if (buf->size > len)
+- size = buf->size * 2;
+- else
+- size = buf->use + len + 100;
+-#else
+- size = buf->use + len + 100;
+-#endif
++ if (buf->size > (size_t) len) {
++ size = buf->size > UINT_MAX / 2 ? UINT_MAX : buf->size * 2;
++ } else {
++ size = buf->use + len;
++ size = size > UINT_MAX - 100 ? UINT_MAX : size + 100;
++ }
+
+ if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) {
+ size_t start_buf = buf->content - buf->contentIO;
+@@ -7466,7 +7465,10 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ case XML_BUFFER_ALLOC_IO:
+ case XML_BUFFER_ALLOC_DOUBLEIT:
+ /*take care of empty case*/
+- newSize = (buf->size ? buf->size : size + 10);
++ if (buf->size == 0)
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);
++ else
++ newSize = buf->size;
+ while (size > newSize) {
+ if (newSize > UINT_MAX / 2) {
+ xmlTreeErrMemory("growing buffer");
+@@ -7476,7 +7478,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ }
+ break;
+ case XML_BUFFER_ALLOC_EXACT:
+- newSize = size+10;
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
+ break;
+ case XML_BUFFER_ALLOC_HYBRID:
+ if (buf->use < BASE_BUFFER_SIZE)
+@@ -7494,7 +7496,7 @@ xmlBufferResize(xmlBufferPtr buf, unsigned int size)
+ break;
+
+ default:
+- newSize = size+10;
++ newSize = (size > UINT_MAX - 10 ? UINT_MAX : size + 10);;
+ break;
+ }
+
+@@ -7580,8 +7582,10 @@ xmlBufferAdd(xmlBufferPtr buf, const xmlChar *str, int len) {
+ if (len < 0) return -1;
+ if (len == 0) return 0;
+
+- needSize = buf->use + len + 2;
+- if (needSize > buf->size){
++ if ((unsigned) len >= buf->size - buf->use) {
++ if ((unsigned) len >= UINT_MAX - buf->use)
++ return XML_ERR_NO_MEMORY;
++ needSize = buf->use + len + 1;
+ if (!xmlBufferResize(buf, needSize)){
+ xmlTreeErrMemory("growing buffer");
+ return XML_ERR_NO_MEMORY;
+@@ -7694,29 +7698,7 @@ xmlBufferCat(xmlBufferPtr buf, const xmlChar *str) {
+ */
+ int
+ xmlBufferCCat(xmlBufferPtr buf, const char *str) {
+- const char *cur;
+-
+- if (buf == NULL)
+- return(-1);
+- if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return -1;
+- if (str == NULL) {
+-#ifdef DEBUG_BUFFER
+- xmlGenericError(xmlGenericErrorContext,
+- "xmlBufferCCat: str == NULL\n");
+-#endif
+- return -1;
+- }
+- for (cur = str;*cur != 0;cur++) {
+- if (buf->use + 10 >= buf->size) {
+- if (!xmlBufferResize(buf, buf->use+10)){
+- xmlTreeErrMemory("growing buffer");
+- return XML_ERR_NO_MEMORY;
+- }
+- }
+- buf->content[buf->use++] = *cur;
+- }
+- buf->content[buf->use] = 0;
+- return 0;
++ return xmlBufferCat(buf, (const xmlChar *) str);
+ }
+
+ /**
+--
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index c4bb8f29e0..b3ebf15751 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -30,6 +30,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te
file://CVE-2021-3541.patch \
file://CVE-2022-23308.patch \
file://CVE-2022-23308-fix-regression.patch \
+ file://CVE-2022-29824-dependent.patch \
+ file://CVE-2022-29824.patch \
"
SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813"
--
2.25.1
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][dunfell 07/11] vim: Upgrade 8.2.4912 -> 8.2.5034 to fix 9 CVEs
2022-06-02 2:30 [OE-core][dunfell 00/11] Patch review Steve Sakoman
` (5 preceding siblings ...)
2022-06-02 2:30 ` [OE-core][dunfell 06/11] libxml2: Fix CVE-2022-29824 for libxml2 Steve Sakoman
@ 2022-06-02 2:30 ` Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 08/11] cve-check.bbclass: Added do_populate_sdk[recrdeptask] Steve Sakoman
` (3 subsequent siblings)
10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Address CVE-2022-1621, CVE-2022-1629, CVE-2022-1674, CVE-2022-1733, CVE-2022-1735
CVE-2022-1769, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fafce97bd440150ac5c586b53b887ee70a5b66bd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/vim/vim.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 4b8f4d1dfb..9d918379b4 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -21,8 +21,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://racefix.patch \
"
-PV .= ".4912"
-SRCREV = "a7583c42cd6b64fd276a5d7bb0db5ce7bfafa730"
+PV .= ".5034"
+SRCREV = "5a6ec10cc80ab02eeff644ab19b82312630ea855"
# Remove when 8.3 is out
UPSTREAM_VERSION_UNKNOWN = "1"
--
2.25.1
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][dunfell 08/11] cve-check.bbclass: Added do_populate_sdk[recrdeptask].
2022-06-02 2:30 [OE-core][dunfell 00/11] Patch review Steve Sakoman
` (6 preceding siblings ...)
2022-06-02 2:30 ` [OE-core][dunfell 07/11] vim: Upgrade 8.2.4912 -> 8.2.5034 to fix 9 CVEs Steve Sakoman
@ 2022-06-02 2:30 ` Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 09/11] cve-check: Add helper for symlink handling Steve Sakoman
` (2 subsequent siblings)
10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
From: leimaohui <leimaohui@fujitsu.com>
As product, sdk should do cve check as well as rootfs.
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit cc17753935c5f9e08aaa6c5886f059303147c07b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 34c38bdf2d..f7ed2a6ae9 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -213,6 +213,7 @@ python cve_check_write_rootfs_manifest () {
ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
+do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
def get_patches_cves(d):
"""
--
2.25.1
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][dunfell 09/11] cve-check: Add helper for symlink handling
2022-06-02 2:30 [OE-core][dunfell 00/11] Patch review Steve Sakoman
` (7 preceding siblings ...)
2022-06-02 2:30 ` [OE-core][dunfell 08/11] cve-check.bbclass: Added do_populate_sdk[recrdeptask] Steve Sakoman
@ 2022-06-02 2:30 ` Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 10/11] cve-check: Only include installed packages for rootfs manifest Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 11/11] cve-check: Allow warnings to be disabled Steve Sakoman
10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
From: Ernst Sjöstrand <ernstp@gmail.com>
Signed-off-by: Ernst Sjöstrand <ernstp@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5046d54df2c3057be2afa4143a2833183fca0d67)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 34 +++++++++++++---------------------
1 file changed, 13 insertions(+), 21 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index f7ed2a6ae9..3cae0e8eb2 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -75,6 +75,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
# set to "alphabetical" for version using single alphabetical character as increment release
CVE_VERSION_SUFFIX ??= ""
+def update_symlinks(target_path, link_path):
+ if link_path != target_path and os.path.exists(target_path):
+ if os.path.exists(os.path.realpath(link_path)):
+ os.remove(link_path)
+ os.symlink(os.path.basename(target_path), link_path)
+
def generate_json_report(d, out_path, link_path):
if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
import json
@@ -94,10 +100,7 @@ def generate_json_report(d, out_path, link_path):
with open(out_path, "w") as f:
json.dump(summary, f, indent=2)
- if link_path != out_path:
- if os.path.exists(os.path.realpath(link_path)):
- os.remove(link_path)
- os.symlink(os.path.basename(out_path), link_path)
+ update_symlinks(out_path, link_path)
python cve_save_summary_handler () {
import shutil
@@ -114,14 +117,9 @@ python cve_save_summary_handler () {
if os.path.exists(cve_tmp_file):
shutil.copyfile(cve_tmp_file, cve_summary_file)
-
- if cve_summary_file and os.path.exists(cve_summary_file):
- cvefile_link = os.path.join(cvelogpath, cve_summary_name)
- # if the paths are the same don't create the link
- if cvefile_link != cve_summary_file:
- if os.path.exists(os.path.realpath(cvefile_link)):
- os.remove(cvefile_link)
- os.symlink(os.path.basename(cve_summary_file), cvefile_link)
+ cvefile_link = os.path.join(cvelogpath, cve_summary_name)
+ update_symlinks(cve_summary_file, cvefile_link)
+ bb.plain("Complete CVE report summary created at: %s" % cvefile_link)
if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON"))
@@ -193,15 +191,9 @@ python cve_check_write_rootfs_manifest () {
bb.utils.mkdirhier(os.path.dirname(manifest_name))
shutil.copyfile(cve_tmp_file, manifest_name)
- if manifest_name and os.path.exists(manifest_name):
- manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name)
- # if they are the same don't create the link
- if manifest_link != manifest_name:
- # If we already have another manifest, update symlinks
- if os.path.exists(os.path.realpath(manifest_link)):
- os.remove(manifest_link)
- os.symlink(os.path.basename(manifest_name), manifest_link)
- bb.plain("Image CVE report stored in: %s" % manifest_name)
+ manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name)
+ update_symlinks(manifest_name, manifest_link)
+ bb.plain("Image CVE report stored in: %s" % manifest_name)
if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
link_path = os.path.join(deploy_dir, "%s.json" % link_name)
--
2.25.1
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][dunfell 10/11] cve-check: Only include installed packages for rootfs manifest
2022-06-02 2:30 [OE-core][dunfell 00/11] Patch review Steve Sakoman
` (8 preceding siblings ...)
2022-06-02 2:30 ` [OE-core][dunfell 09/11] cve-check: Add helper for symlink handling Steve Sakoman
@ 2022-06-02 2:30 ` Steve Sakoman
2022-06-02 2:30 ` [OE-core][dunfell 11/11] cve-check: Allow warnings to be disabled Steve Sakoman
10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
From: Ernst Sjöstrand <ernstp@gmail.com>
Before this the rootfs manifest and the summary were identical.
We should separate the summary and rootfs manifest more clearly,
now the summary is for all CVEs and the rootfs manifest is only for
things in that image. This is even more useful if you build multiple
images.
Signed-off-by: Ernst Sjöstrand <ernstp@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3b8cc6fc45f0ea5677729ee2b1819bdc7a441ab1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 65498411d73e8008d5550c2d0a1148f990717587)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 69 ++++++++++++++++++++++++++--------
1 file changed, 54 insertions(+), 15 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 3cae0e8eb2..29b276e491 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -171,6 +171,8 @@ python cve_check_write_rootfs_manifest () {
"""
import shutil
+ import json
+ from oe.rootfs import image_list_installed_packages
from oe.cve_check import cve_check_merge_jsons
if d.getVar("CVE_CHECK_COPY_FILES") == "1":
@@ -181,26 +183,63 @@ python cve_check_write_rootfs_manifest () {
if os.path.exists(deploy_file_json):
bb.utils.remove(deploy_file_json)
- if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
- bb.note("Writing rootfs CVE manifest")
- deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
- link_name = d.getVar("IMAGE_LINK_NAME")
+ # Create a list of relevant recipies
+ recipies = set()
+ for pkg in list(image_list_installed_packages(d)):
+ pkg_info = os.path.join(d.getVar('PKGDATA_DIR'),
+ 'runtime-reverse', pkg)
+ pkg_data = oe.packagedata.read_pkgdatafile(pkg_info)
+ recipies.add(pkg_data["PN"])
+
+ bb.note("Writing rootfs CVE manifest")
+ deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
+ link_name = d.getVar("IMAGE_LINK_NAME")
+
+ json_data = {"version":"1", "package": []}
+ text_data = ""
+ enable_json = d.getVar("CVE_CHECK_FORMAT_JSON") == "1"
+ enable_text = d.getVar("CVE_CHECK_FORMAT_TEXT") == "1"
+
+ save_pn = d.getVar("PN")
+
+ for pkg in recipies:
+ # To be able to use the CVE_CHECK_RECIPE_FILE variable we have to evaluate
+ # it with the different PN names set each time.
+ d.setVar("PN", pkg)
+ if enable_text:
+ pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE")
+ if os.path.exists(pkgfilepath):
+ with open(pkgfilepath) as pfile:
+ text_data += pfile.read()
+
+ if enable_json:
+ pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
+ if os.path.exists(pkgfilepath):
+ with open(pkgfilepath) as j:
+ data = json.load(j)
+ cve_check_merge_jsons(json_data, data)
+
+ d.setVar("PN", save_pn)
+
+ if enable_text:
+ link_path = os.path.join(deploy_dir, "%s.cve" % link_name)
manifest_name = d.getVar("CVE_CHECK_MANIFEST")
- cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
- bb.utils.mkdirhier(os.path.dirname(manifest_name))
- shutil.copyfile(cve_tmp_file, manifest_name)
+ with open(manifest_name, "w") as f:
+ f.write(text_data)
- manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name)
- update_symlinks(manifest_name, manifest_link)
+ update_symlinks(manifest_name, link_path)
bb.plain("Image CVE report stored in: %s" % manifest_name)
- if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
- link_path = os.path.join(deploy_dir, "%s.json" % link_name)
- manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
- bb.note("Generating JSON CVE manifest")
- generate_json_report(d, manifest_path, link_path)
- bb.plain("Image CVE JSON report stored in: %s" % link_path)
+ if enable_json:
+ link_path = os.path.join(deploy_dir, "%s.json" % link_name)
+ manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
+
+ with open(manifest_name, "w") as f:
+ json.dump(json_data, f, indent=2)
+
+ update_symlinks(manifest_name, link_path)
+ bb.plain("Image CVE JSON report stored in: %s" % manifest_name)
}
ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
--
2.25.1
^ permalink raw reply related [flat|nested] 23+ messages in thread* [OE-core][dunfell 11/11] cve-check: Allow warnings to be disabled
2022-06-02 2:30 [OE-core][dunfell 00/11] Patch review Steve Sakoman
` (9 preceding siblings ...)
2022-06-02 2:30 ` [OE-core][dunfell 10/11] cve-check: Only include installed packages for rootfs manifest Steve Sakoman
@ 2022-06-02 2:30 ` Steve Sakoman
10 siblings, 0 replies; 23+ messages in thread
From: Steve Sakoman @ 2022-06-02 2:30 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
When running CVE checks in CI we're usually not interested in warnings on the
console for any CVEs present. Add a configuration option CVE_CHECK_SHOW_WARNINGS
to allow this to be disabled (it is left enabled by default).
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1054d3366ba528f2ad52585cf951e508958c5c68)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 8fd6a9f521ea6b1e10c80fe33968943db30991ba)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 29b276e491..0111ec6ba8 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -48,6 +48,7 @@ CVE_CHECK_COPY_FILES ??= "1"
CVE_CHECK_CREATE_MANIFEST ??= "1"
CVE_CHECK_REPORT_PATCHED ??= "1"
+CVE_CHECK_SHOW_WARNINGS ??= "1"
# Provide text output
CVE_CHECK_FORMAT_TEXT ??= "1"
@@ -472,7 +473,7 @@ def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data):
write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
- if unpatched_cves:
+ if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
if write_string:
--
2.25.1
^ permalink raw reply related [flat|nested] 23+ messages in thread