* [OE-core][dunfell 0/7] Patch review
@ 2024-04-03 3:11 Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356 Steve Sakoman
` (6 more replies)
0 siblings, 7 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Thursday, April 4
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6757
The following changes since commit d0811b98fa3847dbbfcfe6a80694509bb29aaf9c:
yocto-uninative: Update to 4.4 for glibc 2.39 (2024-03-18 11:44:32 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Steve Sakoman (2):
tar: bump PR to deal with sstate corruption on autobuilder
perf: bump PR to deal with sstate corruption on autobuilder
Vijay Anusuri (4):
libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356
go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785
tar: Fix for CVE-2023-39804
curl: backport Debian patch for CVE-2024-2398
virendra thakur (1):
openssl: Fix CVE-2024-0727
.../openssl/openssl/CVE-2024-0727.patch | 122 ++++++++
.../openssl/openssl_1.1.1w.bb | 1 +
meta/recipes-devtools/go/go-1.14.inc | 3 +
.../go/go-1.14/CVE-2023-45289.patch | 121 ++++++++
.../go/go-1.14/CVE-2023-45290.patch | 271 ++++++++++++++++++
.../go/go-1.14/CVE-2024-24785.patch | 197 +++++++++++++
.../tar/tar/CVE-2023-39804.patch | 64 +++++
meta/recipes-extended/tar/tar_1.32.bb | 3 +
meta/recipes-kernel/perf/perf.bb | 2 +-
.../libtiff/files/CVE-2023-52356.patch | 53 ++++
.../libtiff/files/CVE-2023-6277-1.patch | 191 ++++++++++++
.../libtiff/files/CVE-2023-6277-2.patch | 152 ++++++++++
.../libtiff/files/CVE-2023-6277-3.patch | 46 +++
.../libtiff/files/CVE-2023-6277-4.patch | 94 ++++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 5 +
.../curl/curl/CVE-2024-2398.patch | 88 ++++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
17 files changed, 1413 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch
create mode 100644 meta/recipes-extended/tar/tar/CVE-2023-39804.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread* [OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356 2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman @ 2024-04-03 3:11 ` Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 2/7] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785 Steve Sakoman ` (5 subsequent siblings) 6 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw) To: openembedded-core From: Vijay Anusuri <vanusuri@mvista.com> import patches from ubuntu to fix CVE-2023-6277 CVE-2023-52356 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/?h=ubuntu%2Ffocal-security Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a & https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa & https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3 & https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a & https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../libtiff/files/CVE-2023-52356.patch | 53 +++++ .../libtiff/files/CVE-2023-6277-1.patch | 191 ++++++++++++++++++ .../libtiff/files/CVE-2023-6277-2.patch | 152 ++++++++++++++ .../libtiff/files/CVE-2023-6277-3.patch | 46 +++++ .../libtiff/files/CVE-2023-6277-4.patch | 94 +++++++++ meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 5 + 6 files changed, 541 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch new file mode 100644 index 0000000000..1b651e6529 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch @@ -0,0 +1,53 @@ +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet); +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 31 Oct 2023 15:58:41 +0100 +Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of + col/row (fixes #622) + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a] +CVE: CVE-2023-52356 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libtiff/tif_getimage.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + + +--- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c ++++ tiff-4.1.0+git191117/libtiff/tif_getimage.c +@@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r + } + + if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) { ++ if (row >= img.height) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), ++ "Invalid row passed to TIFFReadRGBAStrip()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } + + img.row_offset = row; + img.col_offset = 0; +@@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co + return( 0 ); + } + ++ if (col >= img.width || row >= img.height) ++ { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), ++ "Invalid row/col passed to TIFFReadRGBATile()."); ++ TIFFRGBAImageEnd(&img); ++ return (0); ++ } ++ + /* + * The TIFFRGBAImageGet() function doesn't allow us to get off the + * edge of the image, even to fill an otherwise valid tile. So we diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch new file mode 100644 index 0000000000..e955b3f2e4 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch @@ -0,0 +1,191 @@ +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . included inttypes.h header to support PRIu32 and PRIu64; + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); + . using uint64 instead of uint64_t to preserve the current code usage; + . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); + . calls to the check size, that is the idea of the patch, were added before + _TIFFCheckMalloc and may note match the original patch methods; +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001 +From: Su Laus <sulau@freenet.de> +Date: Tue, 31 Oct 2023 15:43:29 +0000 +Subject: [PATCH] Prevent some out-of-memory attacks + +Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size. + +At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks. + +See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a] +CVE: CVE-2023-6277 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 90 insertions(+), 2 deletions(-) + +--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c ++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c +@@ -37,6 +37,7 @@ + #include "tiffiop.h" + #include <float.h> + #include <stdlib.h> ++#include <inttypes.h> + + #define FAILED_FII ((uint32) -1) + +@@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead + datasize=(*count)*typesize; + assert((tmsize_t)datasize>0); + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of requested memory is not greater than file size. ++ */ ++ uint64 filesize = TIFFGetFileSize(tif); ++ if (datasize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", ++ "Requested memory size for tag %d (0x%x) %" PRIu32 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, tag not read", ++ direntry->tdir_tag, direntry->tdir_tag, datasize, ++ filesize); ++ return (TIFFReadDirEntryErrAlloc); ++ } ++ + if( isMapped(tif) && datasize > (uint32)tif->tif_size ) + return TIFFReadDirEntryErrIo; + +@@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + if( !_TIFFFillStrilesInternal( tif, 0 ) ) + return -1; + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of requested memory is not greater than file size. */ ++ uint64 filesize = TIFFGetFileSize(tif); ++ uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "Requested memory size for StripByteCounts of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return -1; ++ } ++ + if (td->td_stripbytecount_p) + _TIFFfree(td->td_stripbytecount_p); + td->td_stripbytecount_p = (uint64*) +@@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + + if (td->td_compression != COMPRESSION_NONE) { + uint64 space; +- uint64 filesize; + uint16 n; +- filesize = TIFFGetFileSize(tif); + if (!(tif->tif_flags&TIFF_BIGTIFF)) + space=sizeof(TIFFHeaderClassic)+2+dircount*12+4; + else +@@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir + dircount16 = (uint16)dircount64; + dirsize = 20; + } ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64 filesize = TIFFGetFileSize(tif); ++ uint64 allocsize = (uint64)dircount16 * dirsize; ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, "to read TIFF directory"); + if (origdir == NULL) +@@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir + "Sanity check on directory count failed, zero tag directories not supported"); + return 0; + } ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64 filesize = TIFFGetFileSize(tif); ++ uint64 allocsize = (uint64)dircount16 * dirsize; ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, + "to read TIFF directory"); +@@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir + } + } + } ++ /* No check against filesize needed here because "dir" should have same size ++ * than "origdir" checked above. */ + dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16, + sizeof(TIFFDirEntry), + "to read TIFF directory"); +@@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn + _TIFFfree(data); + return(0); + } +- ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ uint64 filesize = TIFFGetFileSize(tif); ++ uint64 allocsize = (uint64)nstrips * sizeof(uint64); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "Requested memory size for StripArray of %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ _TIFFfree(data); ++ return (0); ++ } + resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array"); + if (resizeddata==0) { + _TIFFfree(data); +@@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI + } + bytecount = last_offset + last_bytecount - offset; + ++ /* Before allocating a huge amount of memory for corrupted files, check if ++ * size of StripByteCount and StripOffset tags is not greater than ++ * file size. ++ */ ++ uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2; ++ uint64 filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", ++ "Requested memory size for StripByteCount and " ++ "StripOffsets %" PRIu64 ++ " is greather than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return; ++ } ++ + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), + "for chopped \"StripByteCounts\" array"); + newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch new file mode 100644 index 0000000000..644b3fdb3f --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch @@ -0,0 +1,152 @@ +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); + . using uint64 instead of uint64_t to preserve the current code usage; +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 31 Oct 2023 19:47:22 +0100 +Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough + RAM requests + +Ammends 5320c9d89c054fa805d037d84c57da874470b01a + +This fixes a performance regression caught by the GDAL regression test +suite. + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-2.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa] +CVE: CVE-2023-6277 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------ + 1 file changed, 48 insertions(+), 35 deletions(-) + +--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c ++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c +@@ -864,19 +864,22 @@ static enum TIFFReadDirEntryErr TIFFRead + datasize=(*count)*typesize; + assert((tmsize_t)datasize>0); + +- /* Before allocating a huge amount of memory for corrupted files, check if +- * size of requested memory is not greater than file size. +- */ +- uint64 filesize = TIFFGetFileSize(tif); +- if (datasize > filesize) ++ if (datasize > 100 * 1024 * 1024) + { +- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", +- "Requested memory size for tag %d (0x%x) %" PRIu32 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated, tag not read", +- direntry->tdir_tag, direntry->tdir_tag, datasize, +- filesize); +- return (TIFFReadDirEntryErrAlloc); ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. ++ */ ++ const uint64 filesize = TIFFGetFileSize(tif); ++ if (datasize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray", ++ "Requested memory size for tag %d (0x%x) %" PRIu32 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated, tag not read", ++ direntry->tdir_tag, direntry->tdir_tag, datasize, ++ filesize); ++ return (TIFFReadDirEntryErrAlloc); ++ } + } + + if( isMapped(tif) && datasize > (uint32)tif->tif_size ) +@@ -4550,18 +4553,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + if( !_TIFFFillStrilesInternal( tif, 0 ) ) + return -1; + +- /* Before allocating a huge amount of memory for corrupted files, check if +- * size of requested memory is not greater than file size. */ +- uint64 filesize = TIFFGetFileSize(tif); +- uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); +- if (allocsize > filesize) ++ const uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64); ++ uint64 filesize = 0; ++ if (allocsize > 100 * 1024 * 1024) + { +- TIFFWarningExt(tif->tif_clientdata, module, +- "Requested memory size for StripByteCounts of %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated", +- allocsize, filesize); +- return -1; ++ /* Before allocating a huge amount of memory for corrupted files, check ++ * if size of requested memory is not greater than file size. */ ++ filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for StripByteCounts of %" PRIu64 ++ " is greater than filesize %" PRIu64 ". Memory not allocated", ++ allocsize, filesize); ++ return -1; ++ } + } + + if (td->td_stripbytecount_p) +@@ -4608,11 +4615,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD + return -1; + space+=datasize; + } ++ if (filesize == 0) ++ filesize = TIFFGetFileSize(tif); + if( filesize < space ) +- /* we should perhaps return in error ? */ +- space = filesize; +- else +- space = filesize - space; ++ /* we should perhaps return in error ? */ ++ space = filesize; ++ else ++ space = filesize - space; + if (td->td_planarconfig == PLANARCONFIG_SEPARATE) + space /= td->td_samplesperpixel; + for (strip = 0; strip < td->td_nstrips; strip++) +@@ -4882,19 +4891,23 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir + dircount16 = (uint16)dircount64; + dirsize = 20; + } +- /* Before allocating a huge amount of memory for corrupted files, check +- * if size of requested memory is not greater than file size. */ +- uint64 filesize = TIFFGetFileSize(tif); +- uint64 allocsize = (uint64)dircount16 * dirsize; +- if (allocsize > filesize) ++ const uint64 allocsize = (uint64)dircount16 * dirsize; ++ if (allocsize > 100 * 1024 * 1024) + { +- TIFFWarningExt( +- tif->tif_clientdata, module, +- "Requested memory size for TIFF directory of %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated, TIFF directory not read", +- allocsize, filesize); +- return 0; ++ /* Before allocating a huge amount of memory for corrupted files, ++ * check if size of requested memory is not greater than file size. ++ */ ++ const uint64 filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for TIFF directory of %" PRIu64 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated, TIFF directory not read", ++ allocsize, filesize); ++ return 0; ++ } + } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, "to read TIFF directory"); diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch new file mode 100644 index 0000000000..ed7d7e7b96 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch @@ -0,0 +1,46 @@ +Backport of: + +From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 31 Oct 2023 20:13:45 +0100 +Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize + check + +CoverityScan rightly points that the max value for dircount16 * dirsize +is 4096 * 20. That's small enough not to do any check + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-3.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3] +CVE: CVE-2023-6277 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libtiff/tif_dirread.c | 18 ------------------ + 1 file changed, 18 deletions(-) + +--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c ++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c +@@ -4891,24 +4891,6 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir + dircount16 = (uint16)dircount64; + dirsize = 20; + } +- const uint64 allocsize = (uint64)dircount16 * dirsize; +- if (allocsize > 100 * 1024 * 1024) +- { +- /* Before allocating a huge amount of memory for corrupted files, +- * check if size of requested memory is not greater than file size. +- */ +- const uint64 filesize = TIFFGetFileSize(tif); +- if (allocsize > filesize) +- { +- TIFFWarningExt( +- tif->tif_clientdata, module, +- "Requested memory size for TIFF directory of %" PRIu64 +- " is greater than filesize %" PRIu64 +- ". Memory not allocated, TIFF directory not read", +- allocsize, filesize); +- return 0; +- } +- } + origdir = _TIFFCheckMalloc(tif, dircount16, + dirsize, "to read TIFF directory"); + if (origdir == NULL) diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch new file mode 100644 index 0000000000..1a43fd3230 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch @@ -0,0 +1,94 @@ +[Ubuntu note: Backport of the following patch from upstream, with a few changes +to match the current version of the file in the present Ubuntu release: + . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet); + . using uint64 instead of uint64_t to preserve the current code usage; + . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet); +-- Rodrigo Figueiredo Zaiden] + +Backport of: + +From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Tue, 31 Oct 2023 21:30:58 +0100 +Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough + RAM requests + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security +Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a] +CVE: CVE-2023-6277 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------ + 1 file changed, 31 insertions(+), 23 deletions(-) + +--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c ++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c +@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn + _TIFFfree(data); + return(0); + } +- /* Before allocating a huge amount of memory for corrupted files, check +- * if size of requested memory is not greater than file size. */ +- uint64 filesize = TIFFGetFileSize(tif); +- uint64 allocsize = (uint64)nstrips * sizeof(uint64); +- if (allocsize > filesize) ++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64); ++ if (allocsize > 100 * 1024 * 1024) + { +- TIFFWarningExt(tif->tif_clientdata, module, +- "Requested memory size for StripArray of %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated", +- allocsize, filesize); +- _TIFFfree(data); +- return (0); ++ /* Before allocating a huge amount of memory for corrupted files, ++ * check if size of requested memory is not greater than file size. ++ */ ++ const uint64 filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt( ++ tif->tif_clientdata, module, ++ "Requested memory size for StripArray of %" PRIu64 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ _TIFFfree(data); ++ return (0); ++ } + } + resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array"); + if (resizeddata==0) { +@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI + * size of StripByteCount and StripOffset tags is not greater than + * file size. + */ +- uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2; +- uint64 filesize = TIFFGetFileSize(tif); +- if (allocsize > filesize) +- { +- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", +- "Requested memory size for StripByteCount and " +- "StripOffsets %" PRIu64 +- " is greather than filesize %" PRIu64 +- ". Memory not allocated", +- allocsize, filesize); +- return; ++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2; ++ if (allocsize > 100 * 1024 * 1024) ++ { ++ const uint64 filesize = TIFFGetFileSize(tif); ++ if (allocsize > filesize) ++ { ++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays", ++ "Requested memory size for StripByteCount and " ++ "StripOffsets %" PRIu64 ++ " is greater than filesize %" PRIu64 ++ ". Memory not allocated", ++ allocsize, filesize); ++ return; ++ } + } + + newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64), diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index c739f3a7fa..7efaba3a38 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb @@ -49,6 +49,11 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://CVE-2023-41175.patch \ file://CVE-2022-40090.patch \ file://CVE-2023-6228.patch \ + file://CVE-2023-6277-1.patch \ + file://CVE-2023-6277-2.patch \ + file://CVE-2023-6277-3.patch \ + file://CVE-2023-6277-4.patch \ + file://CVE-2023-52356.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" -- 2.34.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 2/7] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785 2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356 Steve Sakoman @ 2024-04-03 3:11 ` Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 3/7] tar: Fix for CVE-2023-39804 Steve Sakoman ` (4 subsequent siblings) 6 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw) To: openembedded-core From: Vijay Anusuri <vanusuri@mvista.com> Upstream-Status: Backport [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1 & https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0 & https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-devtools/go/go-1.14.inc | 3 + .../go/go-1.14/CVE-2023-45289.patch | 121 ++++++++ .../go/go-1.14/CVE-2023-45290.patch | 271 ++++++++++++++++++ .../go/go-1.14/CVE-2024-24785.patch | 197 +++++++++++++ 4 files changed, 592 insertions(+) create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc index 4fbf9d7590..69b65f3eb2 100644 --- a/meta/recipes-devtools/go/go-1.14.inc +++ b/meta/recipes-devtools/go/go-1.14.inc @@ -88,6 +88,9 @@ SRC_URI += "\ file://CVE-2023-45287-pre2.patch \ file://CVE-2023-45287-pre3.patch \ file://CVE-2023-45287.patch \ + file://CVE-2023-45289.patch \ + file://CVE-2023-45290.patch \ + file://CVE-2024-24785.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch new file mode 100644 index 0000000000..13d3510504 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch @@ -0,0 +1,121 @@ +From 20586c0dbe03d144f914155f879fa5ee287591a1 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Thu, 11 Jan 2024 11:31:57 -0800 +Subject: [PATCH] [release-branch.go1.21] net/http, net/http/cookiejar: avoid + subdomain matches on IPv6 zones + +When deciding whether to forward cookies or sensitive headers +across a redirect, do not attempt to interpret an IPv6 address +as a domain name. + +Avoids a case where a maliciously-crafted redirect to an +IPv6 address with a scoped addressing zone could be +misinterpreted as a within-domain redirect. For example, +we could interpret "::1%.www.example.com" as a subdomain +of "www.example.com". + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +Fixes CVE-2023-45289 +Fixes #65385 +For #65065 + +Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938 +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775 +Reviewed-by: Carlos Amedee <amedee@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/569239 +Reviewed-by: Carlos Amedee <carlos@golang.org> +Auto-Submit: Michael Knyszek <mknyszek@google.com> +TryBot-Bypass: Michael Knyszek <mknyszek@google.com> + +Upstream-Status: Backport [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1] +CVE: CVE-2023-45289 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/net/http/client.go | 6 ++++++ + src/net/http/client_test.go | 1 + + src/net/http/cookiejar/jar.go | 7 +++++++ + src/net/http/cookiejar/jar_test.go | 10 ++++++++++ + 4 files changed, 24 insertions(+) + +diff --git a/src/net/http/client.go b/src/net/http/client.go +index a496f1c..2031834 100644 +--- a/src/net/http/client.go ++++ b/src/net/http/client.go +@@ -973,6 +973,12 @@ func isDomainOrSubdomain(sub, parent string) bool { + if sub == parent { + return true + } ++ // If sub contains a :, it's probably an IPv6 address (and is definitely not a hostname). ++ // Don't check the suffix in this case, to avoid matching the contents of a IPv6 zone. ++ // For example, "::1%.www.example.com" is not a subdomain of "www.example.com". ++ if strings.ContainsAny(sub, ":%") { ++ return false ++ } + // If sub is "foo.example.com" and parent is "example.com", + // that means sub must end in "."+parent. + // Do it without allocating. +diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go +index 2b4f53f..442fe35 100644 +--- a/src/net/http/client_test.go ++++ b/src/net/http/client_test.go +@@ -1703,6 +1703,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) { + {"cookie2", "http://foo.com/", "http://bar.com/", false}, + {"authorization", "http://foo.com/", "http://bar.com/", false}, + {"www-authenticate", "http://foo.com/", "http://bar.com/", false}, ++ {"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false}, + + // But subdomains should work: + {"www-authenticate", "http://foo.com/", "http://foo.com/", true}, +diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go +index 9f19917..18cbfc2 100644 +--- a/src/net/http/cookiejar/jar.go ++++ b/src/net/http/cookiejar/jar.go +@@ -356,6 +356,13 @@ func jarKey(host string, psl PublicSuffixList) string { + + // isIP reports whether host is an IP address. + func isIP(host string) bool { ++ if strings.ContainsAny(host, ":%") { ++ // Probable IPv6 address. ++ // Hostnames can't contain : or %, so this is definitely not a valid host. ++ // Treating it as an IP is the more conservative option, and avoids the risk ++ // of interpeting ::1%.www.example.com as a subtomain of www.example.com. ++ return true ++ } + return net.ParseIP(host) != nil + } + +diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go +index 47fb1ab..fd8d40e 100644 +--- a/src/net/http/cookiejar/jar_test.go ++++ b/src/net/http/cookiejar/jar_test.go +@@ -251,6 +251,7 @@ var isIPTests = map[string]bool{ + "127.0.0.1": true, + "1.2.3.4": true, + "2001:4860:0:2001::68": true, ++ "::1%zone": true, + "example.com": false, + "1.1.1.300": false, + "www.foo.bar.net": false, +@@ -613,6 +614,15 @@ var basicsTests = [...]jarTest{ + {"http://www.host.test:1234/", "a=1"}, + }, + }, ++ { ++ "IPv6 zone is not treated as a host.", ++ "https://example.com/", ++ []string{"a=1"}, ++ "a=1", ++ []query{ ++ {"https://[::1%25.example.com]:80/", ""}, ++ }, ++ }, + } + + func TestBasics(t *testing.T) { +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch new file mode 100644 index 0000000000..ddc2f67c96 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch @@ -0,0 +1,271 @@ +From bf80213b121074f4ad9b449410a4d13bae5e9be0 Mon Sep 17 00:00:00 2001 +From: Damien Neil <dneil@google.com> +Date: Tue, 16 Jan 2024 15:37:52 -0800 +Subject: [PATCH] [release-branch.go1.21] net/textproto, mime/multipart: avoid + unbounded read in MIME header + +mime/multipart.Reader.ReadForm allows specifying the maximum amount +of memory that will be consumed by the form. While this limit is +correctly applied to the parsed form data structure, it was not +being applied to individual header lines in a form. + +For example, when presented with a form containing a header line +that never ends, ReadForm will continue to read the line until it +runs out of memory. + +Limit the amount of data consumed when reading a header. + +Fixes CVE-2023-45290 +Fixes #65389 +For #65383 + +Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435 +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Tatiana Bradley <tatianabradley@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173776 +Reviewed-by: Carlos Amedee <amedee@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/569240 +Auto-Submit: Michael Knyszek <mknyszek@google.com> +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Carlos Amedee <carlos@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0] +CVE: CVE-2023-45290 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/mime/multipart/formdata_test.go | 42 +++++++++++++++++++++++++ + src/net/textproto/reader.go | 48 ++++++++++++++++++++--------- + src/net/textproto/reader_test.go | 12 ++++++++ + 3 files changed, 87 insertions(+), 15 deletions(-) + +diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go +index c78eeb7..f729da6 100644 +--- a/src/mime/multipart/formdata_test.go ++++ b/src/mime/multipart/formdata_test.go +@@ -421,6 +421,48 @@ func TestReadFormLimits(t *testing.T) { + } + } + ++func TestReadFormEndlessHeaderLine(t *testing.T) { ++ for _, test := range []struct { ++ name string ++ prefix string ++ }{{ ++ name: "name", ++ prefix: "X-", ++ }, { ++ name: "value", ++ prefix: "X-Header: ", ++ }, { ++ name: "continuation", ++ prefix: "X-Header: foo\r\n ", ++ }} { ++ t.Run(test.name, func(t *testing.T) { ++ const eol = "\r\n" ++ s := `--boundary` + eol ++ s += `Content-Disposition: form-data; name="a"` + eol ++ s += `Content-Type: text/plain` + eol ++ s += test.prefix ++ fr := io.MultiReader( ++ strings.NewReader(s), ++ neverendingReader('X'), ++ ) ++ r := NewReader(fr, "boundary") ++ _, err := r.ReadForm(1 << 20) ++ if err != ErrMessageTooLarge { ++ t.Fatalf("ReadForm(1 << 20): %v, want ErrMessageTooLarge", err) ++ } ++ }) ++ } ++} ++ ++type neverendingReader byte ++ ++func (r neverendingReader) Read(p []byte) (n int, err error) { ++ for i := range p { ++ p[i] = byte(r) ++ } ++ return len(p), nil ++} ++ + func BenchmarkReadForm(b *testing.B) { + for _, test := range []struct { + name string +diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go +index ad2d777..cea6613 100644 +--- a/src/net/textproto/reader.go ++++ b/src/net/textproto/reader.go +@@ -17,6 +17,10 @@ import ( + "sync" + ) + ++// TODO: This should be a distinguishable error (ErrMessageTooLarge) ++// to allow mime/multipart to detect it. ++var errMessageTooLarge = errors.New("message too large") ++ + // A Reader implements convenience methods for reading requests + // or responses from a text protocol network connection. + type Reader struct { +@@ -38,13 +42,13 @@ func NewReader(r *bufio.Reader) *Reader { + // ReadLine reads a single line from r, + // eliding the final \n or \r\n from the returned string. + func (r *Reader) ReadLine() (string, error) { +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(-1) + return string(line), err + } + + // ReadLineBytes is like ReadLine but returns a []byte instead of a string. + func (r *Reader) ReadLineBytes() ([]byte, error) { +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(-1) + if line != nil { + buf := make([]byte, len(line)) + copy(buf, line) +@@ -53,7 +57,10 @@ func (r *Reader) ReadLineBytes() ([]byte, error) { + return line, err + } + +-func (r *Reader) readLineSlice() ([]byte, error) { ++// readLineSlice reads a single line from r, ++// up to lim bytes long (or unlimited if lim is less than 0), ++// eliding the final \r or \r\n from the returned string. ++func (r *Reader) readLineSlice(lim int64) ([]byte, error) { + r.closeDot() + var line []byte + for { +@@ -61,6 +68,9 @@ func (r *Reader) readLineSlice() ([]byte, error) { + if err != nil { + return nil, err + } ++ if lim >= 0 && int64(len(line))+int64(len(l)) > lim { ++ return nil, errMessageTooLarge ++ } + // Avoid the copy if the first call produced a full line. + if line == nil && !more { + return l, nil +@@ -93,7 +103,7 @@ func (r *Reader) readLineSlice() ([]byte, error) { + // A line consisting of only white space is never continued. + // + func (r *Reader) ReadContinuedLine() (string, error) { +- line, err := r.readContinuedLineSlice(noValidation) ++ line, err := r.readContinuedLineSlice(-1, noValidation) + return string(line), err + } + +@@ -114,7 +124,7 @@ func trim(s []byte) []byte { + // ReadContinuedLineBytes is like ReadContinuedLine but + // returns a []byte instead of a string. + func (r *Reader) ReadContinuedLineBytes() ([]byte, error) { +- line, err := r.readContinuedLineSlice(noValidation) ++ line, err := r.readContinuedLineSlice(-1, noValidation) + if line != nil { + buf := make([]byte, len(line)) + copy(buf, line) +@@ -127,13 +137,14 @@ func (r *Reader) ReadContinuedLineBytes() ([]byte, error) { + // returning a byte slice with all lines. The validateFirstLine function + // is run on the first read line, and if it returns an error then this + // error is returned from readContinuedLineSlice. +-func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([]byte, error) { ++// It reads up to lim bytes of data (or unlimited if lim is less than 0). ++func (r *Reader) readContinuedLineSlice(lim int64, validateFirstLine func([]byte) error) ([]byte, error) { + if validateFirstLine == nil { + return nil, fmt.Errorf("missing validateFirstLine func") + } + + // Read the first line. +- line, err := r.readLineSlice() ++ line, err := r.readLineSlice(lim) + if err != nil { + return nil, err + } +@@ -161,13 +172,21 @@ func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([ + // copy the slice into buf. + r.buf = append(r.buf[:0], trim(line)...) + ++ if lim < 0 { ++ lim = math.MaxInt64 ++ } ++ lim -= int64(len(r.buf)) ++ + // Read continuation lines. + for r.skipSpace() > 0 { +- line, err := r.readLineSlice() ++ r.buf = append(r.buf, ' ') ++ if int64(len(r.buf)) >= lim { ++ return nil, errMessageTooLarge ++ } ++ line, err := r.readLineSlice(lim - int64(len(r.buf))) + if err != nil { + break + } +- r.buf = append(r.buf, ' ') + r.buf = append(r.buf, trim(line)...) + } + return r.buf, nil +@@ -512,7 +531,8 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + + // The first line cannot start with a leading space. + if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') { +- line, err := r.readLineSlice() ++ const errorLimit = 80 // arbitrary limit on how much of the line we'll quote ++ line, err := r.readLineSlice(errorLimit) + if err != nil { + return m, err + } +@@ -520,7 +540,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + } + + for { +- kv, err := r.readContinuedLineSlice(mustHaveFieldNameColon) ++ kv, err := r.readContinuedLineSlice(maxMemory, mustHaveFieldNameColon) + if len(kv) == 0 { + return m, err + } +@@ -541,7 +561,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + + maxHeaders-- + if maxHeaders < 0 { +- return nil, errors.New("message too large") ++ return nil, errMessageTooLarge + } + + // backport 5c55ac9bf1e5f779220294c843526536605f42ab +@@ -567,9 +587,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error) + } + maxMemory -= int64(len(value)) + if maxMemory < 0 { +- // TODO: This should be a distinguishable error (ErrMessageTooLarge) +- // to allow mime/multipart to detect it. +- return m, errors.New("message too large") ++ return m, errMessageTooLarge + } + if vv == nil && len(strs) > 0 { + // More than likely this will be a single-element key. +diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go +index 3ae0de1..db1ed91 100644 +--- a/src/net/textproto/reader_test.go ++++ b/src/net/textproto/reader_test.go +@@ -34,6 +34,18 @@ func TestReadLine(t *testing.T) { + } + } + ++func TestReadLineLongLine(t *testing.T) { ++ line := strings.Repeat("12345", 10000) ++ r := reader(line + "\r\n") ++ s, err := r.ReadLine() ++ if err != nil { ++ t.Fatalf("Line 1: %v", err) ++ } ++ if s != line { ++ t.Fatalf("%v-byte line does not match expected %v-byte line", len(s), len(line)) ++ } ++} ++ + func TestReadContinuedLine(t *testing.T) { + r := reader("line1\nline\n 2\nline3\n") + s, err := r.ReadContinuedLine() +-- +2.25.1 + diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch b/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch new file mode 100644 index 0000000000..1398a2ca48 --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch @@ -0,0 +1,197 @@ +From 3643147a29352ca2894fd5d0d2069bc4b4335a7e Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <roland@golang.org> +Date: Wed, 14 Feb 2024 17:18:36 -0800 +Subject: [PATCH] [release-branch.go1.21] html/template: escape additional + tokens in MarshalJSON errors + +Escape "</script" and "<!--" in errors returned from MarshalJSON errors +when attempting to marshal types in script blocks. This prevents any +user controlled content from prematurely terminating the script block. + +Updates #65697 +Fixes #65968 + +Change-Id: Icf0e26c54ea7d9c1deed0bff11b6506c99ddef1b +Reviewed-on: https://go-review.googlesource.com/c/go/+/564196 +LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> +Reviewed-by: Damien Neil <dneil@google.com> +(cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa) +Reviewed-on: https://go-review.googlesource.com/c/go/+/567515 +Reviewed-by: Carlos Amedee <carlos@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e] +CVE: CVE-2024-24785 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/html/template/js.go | 22 ++++++++- + src/html/template/js_test.go | 96 ++++++++++++++++++++---------------- + 2 files changed, 74 insertions(+), 44 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index 35994f0..4d3b25d 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -171,13 +171,31 @@ func jsValEscaper(args ...interface{}) string { + // cyclic data. This may be an unacceptable DoS risk. + b, err := json.Marshal(a) + if err != nil { +- // Put a space before comment so that if it is flush against ++ // While the standard JSON marshaller does not include user controlled ++ // information in the error message, if a type has a MarshalJSON method, ++ // the content of the error message is not guaranteed. Since we insert ++ // the error into the template, as part of a comment, we attempt to ++ // prevent the error from either terminating the comment, or the script ++ // block itself. ++ // ++ // In particular we: ++ // * replace "*/" comment end tokens with "* /", which does not ++ // terminate the comment ++ // * replace "</script" with "\x3C/script", and "<!--" with ++ // "\x3C!--", which prevents confusing script block termination ++ // semantics ++ // ++ // We also put a space before the comment so that if it is flush against + // a division operator it is not turned into a line comment: + // x/{{y}} + // turning into + // x//* error marshaling y: + // second line of error message */null +- return fmt.Sprintf(" /* %s */null ", strings.ReplaceAll(err.Error(), "*/", "* /")) ++ errStr := err.Error() ++ errStr = strings.ReplaceAll(errStr, "*/", "* /") ++ errStr = strings.ReplaceAll(errStr, "</script", `\x3C/script`) ++ errStr = strings.ReplaceAll(errStr, "<!--", `\x3C!--`) ++ return fmt.Sprintf(" /* %s */null ", errStr) + } + + // TODO: maybe post-process output to prevent it from containing +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go +index de9ef28..3fc3baf 100644 +--- a/src/html/template/js_test.go ++++ b/src/html/template/js_test.go +@@ -5,6 +5,7 @@ + package template + + import ( ++ "errors" + "bytes" + "math" + "strings" +@@ -104,61 +105,72 @@ func TestNextJsCtx(t *testing.T) { + } + } + ++type jsonErrType struct{} ++ ++func (e *jsonErrType) MarshalJSON() ([]byte, error) { ++ return nil, errors.New("beep */ boop </script blip <!--") ++} ++ + func TestJSValEscaper(t *testing.T) { + tests := []struct { +- x interface{} +- js string ++ x interface{} ++ js string ++ skipNest bool + }{ +- {int(42), " 42 "}, +- {uint(42), " 42 "}, +- {int16(42), " 42 "}, +- {uint16(42), " 42 "}, +- {int32(-42), " -42 "}, +- {uint32(42), " 42 "}, +- {int16(-42), " -42 "}, +- {uint16(42), " 42 "}, +- {int64(-42), " -42 "}, +- {uint64(42), " 42 "}, +- {uint64(1) << 53, " 9007199254740992 "}, ++ {int(42), " 42 ", false}, ++ {uint(42), " 42 ", false}, ++ {int16(42), " 42 ", false}, ++ {uint16(42), " 42 ", false}, ++ {int32(-42), " -42 ", false}, ++ {uint32(42), " 42 ", false}, ++ {int16(-42), " -42 ", false}, ++ {uint16(42), " 42 ", false}, ++ {int64(-42), " -42 ", false}, ++ {uint64(42), " 42 ", false}, ++ {uint64(1) << 53, " 9007199254740992 ", false}, + // ulp(1 << 53) > 1 so this loses precision in JS + // but it is still a representable integer literal. +- {uint64(1)<<53 + 1, " 9007199254740993 "}, +- {float32(1.0), " 1 "}, +- {float32(-1.0), " -1 "}, +- {float32(0.5), " 0.5 "}, +- {float32(-0.5), " -0.5 "}, +- {float32(1.0) / float32(256), " 0.00390625 "}, +- {float32(0), " 0 "}, +- {math.Copysign(0, -1), " -0 "}, +- {float64(1.0), " 1 "}, +- {float64(-1.0), " -1 "}, +- {float64(0.5), " 0.5 "}, +- {float64(-0.5), " -0.5 "}, +- {float64(0), " 0 "}, +- {math.Copysign(0, -1), " -0 "}, +- {"", `""`}, +- {"foo", `"foo"`}, ++ {uint64(1)<<53 + 1, " 9007199254740993 ", false}, ++ {float32(1.0), " 1 ", false}, ++ {float32(-1.0), " -1 ", false}, ++ {float32(0.5), " 0.5 ", false}, ++ {float32(-0.5), " -0.5 ", false}, ++ {float32(1.0) / float32(256), " 0.00390625 ", false}, ++ {float32(0), " 0 ", false}, ++ {math.Copysign(0, -1), " -0 ", false}, ++ {float64(1.0), " 1 ", false}, ++ {float64(-1.0), " -1 ", false}, ++ {float64(0.5), " 0.5 ", false}, ++ {float64(-0.5), " -0.5 ", false}, ++ {float64(0), " 0 ", false}, ++ {math.Copysign(0, -1), " -0 ", false}, ++ {"", `""`, false}, ++ {"foo", `"foo"`, false}, + // Newlines. +- {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`}, ++ {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`, false}, + // "\v" == "v" on IE 6 so use "\u000b" instead. +- {"\t\x0b", `"\t\u000b"`}, +- {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`}, +- {[]interface{}{}, "[]"}, +- {[]interface{}{42, "foo", nil}, `[42,"foo",null]`}, +- {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`}, +- {"<!--", `"\u003c!--"`}, +- {"-->", `"--\u003e"`}, +- {"<![CDATA[", `"\u003c![CDATA["`}, +- {"]]>", `"]]\u003e"`}, +- {"</script", `"\u003c/script"`}, +- {"\U0001D11E", "\"\U0001D11E\""}, // or "\uD834\uDD1E" +- {nil, " null "}, ++ {"\t\x0b", `"\t\u000b"`, false}, ++ {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`, false}, ++ {[]interface{}{}, "[]", false}, ++ {[]interface{}{42, "foo", nil}, `[42,"foo",null]`, false}, ++ {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false}, ++ {"<!--", `"\u003c!--"`, false}, ++ {"-->", `"--\u003e"`, false}, ++ {"<![CDATA[", `"\u003c![CDATA["`, false}, ++ {"]]>", `"]]\u003e"`, false}, ++ {"</script", `"\u003c/script"`, false}, ++ {"\U0001D11E", "\"\U0001D11E\"", false}, // or "\uD834\uDD1E" ++ {nil, " null ", false}, ++ {&jsonErrType{}, " /* json: error calling MarshalJSON for type *template.jsonErrType: beep * / boop \\x3C/script blip \\x3C!-- */null ", true}, + } + + for _, test := range tests { + if js := jsValEscaper(test.x); js != test.js { + t.Errorf("%+v: want\n\t%q\ngot\n\t%q", test.x, test.js, js) + } ++ if test.skipNest { ++ continue ++ } + // Make sure that escaping corner cases are not broken + // by nesting. + a := []interface{}{test.x} +-- +2.25.1 + -- 2.34.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 3/7] tar: Fix for CVE-2023-39804 2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356 Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 2/7] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785 Steve Sakoman @ 2024-04-03 3:11 ` Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 4/7] curl: backport Debian patch for CVE-2024-2398 Steve Sakoman ` (3 subsequent siblings) 6 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw) To: openembedded-core From: Vijay Anusuri <vanusuri@mvista.com> Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../tar/tar/CVE-2023-39804.patch | 64 +++++++++++++++++++ meta/recipes-extended/tar/tar_1.32.bb | 1 + 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-extended/tar/tar/CVE-2023-39804.patch diff --git a/meta/recipes-extended/tar/tar/CVE-2023-39804.patch b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch new file mode 100644 index 0000000000..f550928540 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch @@ -0,0 +1,64 @@ +From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Sat, 28 Aug 2021 16:02:12 +0300 +Subject: Fix handling of extended header prefixes + +* src/xheader.c (locate_handler): Recognize prefix keywords only +when followed by a dot. +(xattr_decoder): Use xmalloc/xstrdup instead of alloc + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4] +CVE: CVE-2023-39804 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/xheader.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/xheader.c b/src/xheader.c +index 4f8b2b2..3cd694d 100644 +--- a/src/xheader.c ++++ b/src/xheader.c +@@ -637,11 +637,11 @@ static struct xhdr_tab const * + locate_handler (char const *keyword) + { + struct xhdr_tab const *p; +- + for (p = xhdr_tab; p->keyword; p++) + if (p->prefix) + { +- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0) ++ size_t kwlen = strlen (p->keyword); ++ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0) + return p; + } + else +@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st, + char const *keyword, char const *arg, size_t size) + { + char *xstr, *xkey; +- ++ + /* copy keyword */ +- size_t klen_raw = strlen (keyword); +- xkey = alloca (klen_raw + 1); +- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */; ++ xkey = xstrdup (keyword); + + /* copy value */ +- xstr = alloca (size + 1); ++ xstr = xmalloc (size + 1); + memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */; + + xattr_decode_keyword (xkey); + +- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size); ++ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size); ++ ++ free (xkey); ++ free (xstr); + } + + static void +-- +cgit v1.1 + diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb index 1246f01256..c560741599 100644 --- a/meta/recipes-extended/tar/tar_1.32.bb +++ b/meta/recipes-extended/tar/tar_1.32.bb @@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ file://musl_dirent.patch \ file://CVE-2021-20193.patch \ file://CVE-2022-48303.patch \ + file://CVE-2023-39804.patch \ " SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05" -- 2.34.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 4/7] curl: backport Debian patch for CVE-2024-2398 2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman ` (2 preceding siblings ...) 2024-04-03 3:11 ` [OE-core][dunfell 3/7] tar: Fix for CVE-2023-39804 Steve Sakoman @ 2024-04-03 3:11 ` Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 5/7] openssl: Fix CVE-2024-0727 Steve Sakoman ` (2 subsequent siblings) 6 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw) To: openembedded-core From: Vijay Anusuri <vanusuri@mvista.com> import patch from ubuntu to fix CVE-2024-2398 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Ffocal-security Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764] Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../curl/curl/CVE-2024-2398.patch | 88 +++++++++++++++++++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + 2 files changed, 89 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch new file mode 100644 index 0000000000..a3840336f0 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch @@ -0,0 +1,88 @@ +Backport of: + +From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing <stefan@eissing.org> +Date: Wed, 6 Mar 2024 09:36:08 +0100 +Subject: [PATCH] http2: push headers better cleanup + +- provide common cleanup method for push headers + +Closes #13054 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/focal-security +Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764] +CVE: CVE-2024-2398 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + lib/http2.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +--- a/lib/http2.c ++++ b/lib/http2.c +@@ -515,6 +515,15 @@ static struct Curl_easy *duphandle(struc + } + + ++static void free_push_headers(struct HTTP *stream) ++{ ++ size_t i; ++ for(i = 0; i<stream->push_headers_used; i++) ++ free(stream->push_headers[i]); ++ Curl_safefree(stream->push_headers); ++ stream->push_headers_used = 0; ++} ++ + static int push_promise(struct Curl_easy *data, + struct connectdata *conn, + const nghttp2_push_promise *frame) +@@ -528,7 +537,6 @@ static int push_promise(struct Curl_easy + struct curl_pushheaders heads; + CURLMcode rc; + struct http_conn *httpc; +- size_t i; + /* clone the parent */ + struct Curl_easy *newhandle = duphandle(data); + if(!newhandle) { +@@ -557,11 +565,7 @@ static int push_promise(struct Curl_easy + Curl_set_in_callback(data, false); + + /* free the headers again */ +- for(i = 0; i<stream->push_headers_used; i++) +- free(stream->push_headers[i]); +- free(stream->push_headers); +- stream->push_headers = NULL; +- stream->push_headers_used = 0; ++ free_push_headers(stream); + + if(rv) { + /* denied, kill off the new handle again */ +@@ -995,10 +999,10 @@ static int on_header(nghttp2_session *se + stream->push_headers_alloc) { + char **headp; + stream->push_headers_alloc *= 2; +- headp = Curl_saferealloc(stream->push_headers, +- stream->push_headers_alloc * sizeof(char *)); ++ headp = realloc(stream->push_headers, ++ stream->push_headers_alloc * sizeof(char *)); + if(!headp) { +- stream->push_headers = NULL; ++ free_push_headers(stream); + return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } + stream->push_headers = headp; +@@ -1179,14 +1183,7 @@ void Curl_http2_done(struct Curl_easy *d + if(http->header_recvbuf) { + Curl_add_buffer_free(&http->header_recvbuf); + Curl_add_buffer_free(&http->trailer_recvbuf); +- if(http->push_headers) { +- /* if they weren't used and then freed before */ +- for(; http->push_headers_used > 0; --http->push_headers_used) { +- free(http->push_headers[http->push_headers_used - 1]); +- } +- free(http->push_headers); +- http->push_headers = NULL; +- } ++ free_push_headers(http); + } + + if(!httpc->h2) /* not HTTP/2 ? */ diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index 980b4224a8..2f351d585a 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb @@ -58,6 +58,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2023-28321.patch \ file://CVE-2023-28322.patch \ file://CVE-2023-46218.patch \ + file://CVE-2024-2398.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42" -- 2.34.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 5/7] openssl: Fix CVE-2024-0727 2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman ` (3 preceding siblings ...) 2024-04-03 3:11 ` [OE-core][dunfell 4/7] curl: backport Debian patch for CVE-2024-2398 Steve Sakoman @ 2024-04-03 3:11 ` Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 6/7] tar: bump PR to deal with sstate corruption on autobuilder Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 7/7] perf: " Steve Sakoman 6 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw) To: openembedded-core From: virendra thakur <thakur.virendra1810@gmail.com> PKCS12 structures contain PKCS7 ContentInfo fields. These fields are optional and can be NULL even if the "type" is a valid value. OpenSSL was not properly accounting for this and a NULL dereference can occur causing a crash. Signed-off-by: virendra thakur <virendrak@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../openssl/openssl/CVE-2024-0727.patch | 122 ++++++++++++++++++ .../openssl/openssl_1.1.1w.bb | 1 + 2 files changed, 123 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch new file mode 100644 index 0000000000..3da6879ccb --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch @@ -0,0 +1,122 @@ +Backport of: + +From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Fri, 19 Jan 2024 11:28:58 +0000 +Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL + +PKCS12 structures contain PKCS7 ContentInfo fields. These fields are +optional and can be NULL even if the "type" is a valid value. OpenSSL +was not properly accounting for this and a NULL dereference can occur +causing a crash. + +CVE-2024-0727 + +Reviewed-by: Tomas Mraz <tomas@openssl.org> +Reviewed-by: Hugo Landau <hlandau@openssl.org> +Reviewed-by: Neil Horman <nhorman@openssl.org> +(Merged from https://github.com/openssl/openssl/pull/23362) + +(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c) + +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c] + +CVE: CVE-2024-0727 + +Signed-off-by: virendra thakur <virendrak@kpit.com> +--- + crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ + crypto/pkcs12/p12_mutl.c | 5 +++++ + crypto/pkcs12/p12_npas.c | 5 +++-- + crypto/pkcs7/pk7_mime.c | 7 +++++-- + 4 files changed, 31 insertions(+), 4 deletions(-) + +--- a/crypto/pkcs12/p12_add.c ++++ b/crypto/pkcs12/p12_add.c +@@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ + PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p7->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, ++ PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); + } + +@@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ + { + if (!PKCS7_type_is_encrypted(p7)) + return NULL; ++ ++ if (p7->d.encrypted == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, + ASN1_ITEM_rptr(PKCS12_SAFEBAGS), + pass, passlen, +@@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes + PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p12->authsafes->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, ++ PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p12->authsafes->d.data, + ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); + } +--- a/crypto/pkcs12/p12_mutl.c ++++ b/crypto/pkcs12/p12_mutl.c +@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c + return 0; + } + ++ if (p12->authsafes->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); ++ return 0; ++ } ++ + salt = p12->mac->salt->data; + saltlen = p12->mac->salt->length; + if (!p12->mac->iter) +--- a/crypto/pkcs12/p12_npas.c ++++ b/crypto/pkcs12/p12_npas.c +@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons + bags = PKCS12_unpack_p7data(p7); + } else if (bagnid == NID_pkcs7_encrypted) { + bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); +- if (!alg_get(p7->d.encrypted->enc_data->algorithm, +- &pbe_nid, &pbe_iter, &pbe_saltlen)) ++ if (p7->d.encrypted == NULL ++ || !alg_get(p7->d.encrypted->enc_data->algorithm, ++ &pbe_nid, &pbe_iter, &pbe_saltlen)) + goto err; + } else { + continue; +--- a/crypto/pkcs7/pk7_mime.c ++++ b/crypto/pkcs7/pk7_mime.c +@@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p + { + STACK_OF(X509_ALGOR) *mdalgs; + int ctype_nid = OBJ_obj2nid(p7->type); +- if (ctype_nid == NID_pkcs7_signed) ++ if (ctype_nid == NID_pkcs7_signed) { ++ if (p7->d.sign == NULL) ++ return 0; + mdalgs = p7->d.sign->md_algs; +- else ++ } else { + mdalgs = NULL; ++ } + + flags ^= SMIME_OLDMIME; + diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb index 8a53b06862..0e490eabc3 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb @@ -20,6 +20,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://reproducibility.patch \ file://0001-Configure-add-2-missing-key-sorts.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ + file://CVE-2024-0727.patch \ " SRC_URI_append_class-nativesdk = " \ -- 2.34.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 6/7] tar: bump PR to deal with sstate corruption on autobuilder 2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman ` (4 preceding siblings ...) 2024-04-03 3:11 ` [OE-core][dunfell 5/7] openssl: Fix CVE-2024-0727 Steve Sakoman @ 2024-04-03 3:11 ` Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 7/7] perf: " Steve Sakoman 6 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw) To: openembedded-core Testing of an SPDX patch corrupted sstate, so bump PR to work around the issue Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-extended/tar/tar_1.32.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb index c560741599..9297480e85 100644 --- a/meta/recipes-extended/tar/tar_1.32.bb +++ b/meta/recipes-extended/tar/tar_1.32.bb @@ -6,6 +6,8 @@ SECTION = "base" LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" +PR = "r1" + SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ file://musl_dirent.patch \ file://CVE-2021-20193.patch \ -- 2.34.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 7/7] perf: bump PR to deal with sstate corruption on autobuilder 2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman ` (5 preceding siblings ...) 2024-04-03 3:11 ` [OE-core][dunfell 6/7] tar: bump PR to deal with sstate corruption on autobuilder Steve Sakoman @ 2024-04-03 3:11 ` Steve Sakoman 6 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw) To: openembedded-core Testing of an SPDX patch corrupted sstate, so bump PR to work around the issue Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-kernel/perf/perf.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb index 91bf648caa..42621e47d3 100644 --- a/meta/recipes-kernel/perf/perf.bb +++ b/meta/recipes-kernel/perf/perf.bb @@ -9,7 +9,7 @@ HOMEPAGE = "https://perf.wiki.kernel.org/index.php/Main_Page" LICENSE = "GPLv2" -PR = "r9" +PR = "r10" PACKAGECONFIG ??= "scripting tui libunwind" PACKAGECONFIG[dwarf] = ",NO_DWARF=1" -- 2.34.1 ^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2024-02-13 21:43 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-13 21:43 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Thursday, February 15
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6564
The following changes since commit 18ae4fea4bf8681f9138d21124589918e336ff6b:
systemtap: Fix build with gcc-12 (2024-01-25 03:58:24 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Matthias Schmitz (1):
rsync: Fix rsync hanging when used with --relative
Ming Liu (1):
go: add a complementary fix for CVE-2023-29406
Peter Marko (1):
curl: ignore CVE-2023-42915
Vijay Anusuri (1):
ghostscript: Backport fix for CVE-2020-36773
Zahir Hussain (1):
cmake: Unset CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES
virendra thakur (2):
perl: Whitelist CVE-2023-47039
ncurses: Fix CVE-2023-29491
.../ncurses/files/CVE-2023-29491.patch | 45 +++++++
meta/recipes-core/ncurses/ncurses_6.2.bb | 3 +-
.../cmake/cmake/OEToolchainConfig.cmake | 3 +
meta/recipes-devtools/go/go-1.14.inc | 3 +-
...023-29406.patch => CVE-2023-29406-1.patch} | 0
.../go/go-1.14/CVE-2023-29406-2.patch | 114 ++++++++++++++++++
meta/recipes-devtools/perl/perl_5.30.1.bb | 4 +
...lative-when-copying-an-absolute-path.patch | 31 +++++
meta/recipes-devtools/rsync/rsync_3.1.3.bb | 1 +
.../ghostscript/CVE-2020-36773.patch | 109 +++++++++++++++++
.../ghostscript/ghostscript_9.52.bb | 1 +
meta/recipes-support/curl/curl_7.69.1.bb | 3 +
12 files changed, 315 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-29491.patch
rename meta/recipes-devtools/go/go-1.14/{CVE-2023-29406.patch => CVE-2023-29406-1.patch} (100%)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch
create mode 100644 meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread* [OE-core][dunfell 0/7] Patch review @ 2023-09-26 14:12 Steve Sakoman 0 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2023-09-26 14:12 UTC (permalink / raw) To: openembedded-core Please review this set of changes for dunfell and have comments back by end of day Thursday, September 28 Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5947 The following changes since commit 8b91c463fb3546836789e1890b3c68acf69c162a: build-appliance-image: Update to dunfell head revision (2023-09-16 11:16:49 -1000) are available in the Git repository at: https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut Archana Polampalli (1): vim: upgrade 9.0.1592 -> 9.0.1664 Michael Opdenacker (1): flac: fix CVE-2020-22219 Richard Purdie (1): vim: Upgrade 9.0.1664 -> 9.0.1894 Ross Burton (1): gcc: Fix -fstack-protector issue on aarch64 Siddharth Doshi (2): gdb: Fix CVE-2023-39128 libxml2: Fix CVE-2023-39615 Vijay Anusuri (1): go: Backport fix for CVE-2022-41725 and CVE-2023-24536 .../libxml/libxml2/CVE-2023-39615-0001.patch | 36 + .../libxml/libxml2/CVE-2023-39615-0002.patch | 71 + .../libxml/libxml2/CVE-2023-39615-pre.patch | 44 + meta/recipes-core/libxml/libxml2_2.9.10.bb | 3 + meta/recipes-devtools/gcc/gcc-9.5.inc | 1 + .../gcc/gcc-9.5/CVE-2023-4039.patch | 1506 +++++++++++++++++ meta/recipes-devtools/gdb/gdb-9.1.inc | 1 + .../gdb/gdb/0012-CVE-2023-39128.patch | 75 + meta/recipes-devtools/go/go-1.14.inc | 7 + .../go/go-1.14/CVE-2022-41725-pre1.patch | 85 + .../go/go-1.14/CVE-2022-41725-pre2.patch | 97 ++ .../go/go-1.14/CVE-2022-41725-pre3.patch | 98 ++ .../go/go-1.14/CVE-2022-41725.patch | 660 ++++++++ .../go/go-1.14/CVE-2023-24536_1.patch | 134 ++ .../go/go-1.14/CVE-2023-24536_2.patch | 184 ++ .../go/go-1.14/CVE-2023-24536_3.patch | 349 ++++ .../flac/files/CVE-2020-22219.patch | 197 +++ meta/recipes-multimedia/flac/flac_1.3.3.bb | 1 + meta/recipes-support/vim/vim.inc | 6 +- 19 files changed, 3552 insertions(+), 3 deletions(-) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch create mode 100644 meta/recipes-devtools/gcc/gcc-9.5/CVE-2023-4039.patch create mode 100644 meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24536_1.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24536_2.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24536_3.patch create mode 100644 meta/recipes-multimedia/flac/files/CVE-2020-22219.patch -- 2.34.1 ^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2023-05-11 21:28 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-05-11 21:28 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5294
The following changes since commit fd4cc8d7b5156c43d162a1a5a809fae507457ef4:
build-appliance-image: Update to dunfell head revision (2023-05-03 12:29:24 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Arturo Buzarra (1):
run-postinsts: Set dependency for ldconfig to avoid boot issues
Ashish Sharma (1):
connman: Fix CVE-2023-28488 DoS in client.c
Peter Marko (1):
libxml2: patch CVE-2023-28484 and CVE-2023-29469
Ranjitsinh Rathod (1):
libbsd: Add correct license for all packages
Shubham Kulkarni (1):
go: Security fix for CVE-2023-24538
Vivek Kumbhar (1):
freetype: fix CVE-2023-2004 integer overflowin in
tt_hvadvance_adjust() in src/truetype/ttgxvar.c
Yoann Congal (1):
linux-yocto: Exclude 294 CVEs already fixed upstream
.../connman/connman/CVE-2023-28488.patch | 54 +
.../connman/connman_1.37.bb | 1 +
.../libxml/libxml2/CVE-2023-28484.patch | 79 +
.../libxml/libxml2/CVE-2023-29469.patch | 42 +
meta/recipes-core/libxml/libxml2_2.9.10.bb | 2 +
meta/recipes-devtools/go/go-1.14.inc | 3 +
.../go/go-1.14/CVE-2023-24538-1.patch | 125 ++
.../go/go-1.14/CVE-2023-24538-2.patch | 196 ++
.../go/go-1.14/CVE-2023-24538-3.patch | 208 ++
.../run-postinsts/run-postinsts.service | 2 +-
.../freetype/freetype/CVE-2023-2004.patch | 40 +
.../freetype/freetype_2.10.1.bb | 1 +
meta/recipes-kernel/linux/cve-exclusion.inc | 1840 +++++++++++++++++
meta/recipes-kernel/linux/linux-yocto.inc | 3 +
meta/recipes-support/libbsd/libbsd_0.10.0.bb | 6 +
15 files changed, 2601 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread* [OE-core][dunfell 0/7] Patch review @ 2023-04-22 15:57 Steve Sakoman 0 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2023-04-22 15:57 UTC (permalink / raw) To: openembedded-core Please review this set of patches for dunfell and have comments back by end of day Tuesday. Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5210 The following changes since commit 9aefb4e46cf4fbf14b46f9adaf3771854553e7f3: curl: CVE-2023-27534 SFTP path ~ resolving discrepancy (2023-04-14 07:14:33 -1000) are available in the Git repository at: https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut Hitendra Prajapati (2): curl: CVE-2023-27538 fix SSH connection too eager reuse screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs Peter Marko (1): go: ignore CVE-2022-41716 Shubham Kulkarni (2): go-runtime: Security fix for CVE-2022-41722 go: Security fix for CVE-2020-29510 Vivek Kumbhar (1): go: fix CVE-2023-24537 Infinite loop in parsing rajmohan r (1): systemd: Fix CVE-2023-26604 .../systemd/systemd/CVE-2023-26604-1.patch | 115 ++++++++ .../systemd/systemd/CVE-2023-26604-2.patch | 264 ++++++++++++++++++ .../systemd/systemd/CVE-2023-26604-3.patch | 182 ++++++++++++ .../systemd/systemd/CVE-2023-26604-4.patch | 32 +++ meta/recipes-core/systemd/systemd_244.5.bb | 4 + meta/recipes-devtools/go/go-1.14.inc | 7 + .../go/go-1.14/CVE-2020-29510.patch | 65 +++++ .../go/go-1.14/CVE-2022-41722-1.patch | 53 ++++ .../go/go-1.14/CVE-2022-41722-2.patch | 104 +++++++ .../go/go-1.14/CVE-2023-24537.patch | 76 +++++ .../screen/screen/CVE-2023-24626.patch | 40 +++ meta/recipes-extended/screen/screen_4.8.0.bb | 1 + .../curl/curl/CVE-2023-27538.patch | 31 ++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + 14 files changed, 975 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch create mode 100644 meta/recipes-extended/screen/screen/CVE-2023-24626.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch -- 2.34.1 ^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review @ 2023-04-04 2:39 Steve Sakoman 0 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2023-04-04 2:39 UTC (permalink / raw) To: openembedded-core Please review this set of patches for dunfell and have comments back by end of day Wednesday. Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5141 The following changes since commit 1c7d555379c4b0962bccd018870989050d87675f: classes/package: Use gzip for extended package data (2023-03-27 16:29:20 -1000) are available in the Git repository at: https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut Geoffrey GIRY (1): cve-check: Fix false negative version issue Hitendra Prajapati (2): curl: CVE-2023-23916 HTTP multi-header compression denial of service qemu: fix compile error which imported by CVE-2022-4144 Martin Jansa (1): bmap-tools: switch to main branch Randy MacLeod (1): vim: upgrade 9.0.1403 -> 9.0.1429 Shubham Kulkarni (1): go-runtime: Security fix for CVE-2022-41723 Vijay Anusuri (1): git: Security fix for CVE-2023-22490 and CVE-2023-23946 meta/classes/cve-check.bbclass | 5 +- meta/lib/oe/cve_check.py | 37 +++ meta/lib/oeqa/selftest/cases/cve_check.py | 19 ++ .../git/files/CVE-2023-22490-1.patch | 179 +++++++++++++ .../git/files/CVE-2023-22490-2.patch | 122 +++++++++ .../git/files/CVE-2023-22490-3.patch | 154 ++++++++++++ .../git/files/CVE-2023-23946.patch | 184 ++++++++++++++ meta/recipes-devtools/git/git.inc | 4 + meta/recipes-devtools/go/go-1.14.inc | 1 + .../go/go-1.14/CVE-2022-41723.patch | 156 ++++++++++++ meta/recipes-devtools/qemu/qemu.inc | 1 + ...ass-requested-buffer-size-to-qxl_phy.patch | 236 ++++++++++++++++++ .../bmap-tools/bmap-tools_3.5.bb | 2 +- .../curl/curl/CVE-2023-23916.patch | 231 +++++++++++++++++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + meta/recipes-support/vim/vim.inc | 4 +- 16 files changed, 1332 insertions(+), 4 deletions(-) create mode 100644 meta/recipes-devtools/git/files/CVE-2023-22490-1.patch create mode 100644 meta/recipes-devtools/git/files/CVE-2023-22490-2.patch create mode 100644 meta/recipes-devtools/git/files/CVE-2023-22490-3.patch create mode 100644 meta/recipes-devtools/git/files/CVE-2023-23946.patch create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch create mode 100644 meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch -- 2.34.1 ^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2022-12-01 15:25 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-12-01 15:25 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4565
The following changes since commit 408bf1b4bb4f4ed126c17fb3676f9fa0513065ba:
sstate: Account for reserved characters when shortening sstate filenames (2022-11-23 00:26:19 +0000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (1):
linux-firmware: upgrade 20220913 -> 20221012
Chen Qi (1):
kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild
Dmitry Baryshkov (1):
linux-firmware: upgrade 20221012 -> 20221109
Mike Crowe (1):
kernel: improve transformation from KERNEL_IMAGETYPE_FOR_MAKE
Ross Burton (1):
pixman: backport fix for CVE-2022-44638
Vivek Kumbhar (1):
qemu: fix CVE-2021-20196 block fdc null pointer dereference may lead
to guest crash
Wang Mingyu (1):
mobile-broadband-provider-info: upgrade 20220725 -> 20221107
meta/classes/kernel.bbclass | 29 ++++++++-
.../mobile-broadband-provider-info_git.bb | 4 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-20196.patch | 62 +++++++++++++++++++
.../xorg-lib/pixman/CVE-2022-44638.patch | 34 ++++++++++
.../xorg-lib/pixman_0.38.4.bb | 1 +
...20220913.bb => linux-firmware_20221109.bb} | 6 +-
7 files changed, 129 insertions(+), 8 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
create mode 100644 meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220913.bb => linux-firmware_20221109.bb} (99%)
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread* [OE-core][dunfell 0/7] Patch review
@ 2022-10-24 14:24 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-10-24 14:24 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4364
The following changes since commit aa9d0c2b777c10bb6c68b0232d54cbcd1af1493f:
qemu: Avoid accidental librdmacm linkage (2022-10-12 05:13:44 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (2):
linux-yocto/5.4: update to v5.4.216
linux-yocto/5.4: update to v5.4.219
Omkar (1):
dbus: upgrade 1.12.22 -> 1.12.24
Paul Eggleton (1):
classes/kernel-fitimage: add ability to add additional signing options
Steve Sakoman (2):
devtool: add HostKeyAlgorithms option to ssh and scp commands
selftest: skip virgl test on all Alma Linux
wangmy (1):
dbus: upgrade 1.12.20 -> 1.12.22
meta/classes/kernel-fitimage.bbclass | 6 ++++-
meta/lib/oeqa/selftest/cases/devtool.py | 2 +-
meta/lib/oeqa/selftest/cases/runtime_test.py | 4 ++--
...s-test_1.12.20.bb => dbus-test_1.12.24.bb} | 0
meta/recipes-core/dbus/dbus.inc | 3 +--
.../dbus/{dbus_1.12.20.bb => dbus_1.12.24.bb} | 0
.../linux/linux-yocto-rt_5.4.bb | 6 ++---
.../linux/linux-yocto-tiny_5.4.bb | 8 +++----
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +++++++++----------
scripts/lib/devtool/deploy.py | 8 +++----
10 files changed, 31 insertions(+), 28 deletions(-)
rename meta/recipes-core/dbus/{dbus-test_1.12.20.bb => dbus-test_1.12.24.bb} (100%)
rename meta/recipes-core/dbus/{dbus_1.12.20.bb => dbus_1.12.24.bb} (100%)
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread* [OE-core][dunfell 0/7] Patch review @ 2022-09-08 2:28 Steve Sakoman 0 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2022-09-08 2:28 UTC (permalink / raw) To: openembedded-core Please review this set of patches for dunfell and have comments back by end of day Friday. Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4200 The following changes since commit 345193f36d08cfe4899c65e8edf3f79db09c50d2: relocate_sdk.py: ensure interpreter size error causes relocation to fail (2022-08-29 05:02:16 -1000) are available in the Git repository at: git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut Hitendra Prajapati (1): sqlite: CVE-2022-35737 assertion failure Joshua Watt (1): classes: cve-check: Get shared database lock Ranjitsinh Rathod (2): libarchive: Fix CVE-2021-23177 issue libarchive: Fix CVE-2021-31566 issue Richard Purdie (1): vim: Upgrade 9.0.0242 -> 9.0.0341 Robert Joslyn (1): curl: Backport patch for CVE-2022-35252 Ross Burton (1): cve-check: close cursors as soon as possible meta/classes/cve-check.bbclass | 36 ++-- .../recipes-core/meta/cve-update-db-native.bb | 51 ++--- .../libarchive/CVE-2021-23177.patch | 183 ++++++++++++++++++ .../libarchive/CVE-2021-31566-01.patch | 23 +++ .../libarchive/CVE-2021-31566-02.patch | 172 ++++++++++++++++ .../libarchive/libarchive_3.4.2.bb | 3 + .../curl/curl/CVE-2022-35252.patch | 72 +++++++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + .../sqlite/files/CVE-2022-35737.patch | 29 +++ meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 + meta/recipes-support/vim/vim.inc | 4 +- 11 files changed, 535 insertions(+), 40 deletions(-) create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-35252.patch create mode 100644 meta/recipes-support/sqlite/files/CVE-2022-35737.patch -- 2.25.1 ^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2022-07-29 15:24 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-07-29 15:24 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3993
The following changes since commit 3f40d5f095ceb099b604750db96058df00fcd49e:
build-appliance-image: Update to dunfell head revision (2022-07-25 15:09:15 +0100)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Hitendra Prajapati (5):
gnupg: CVE-2022-34903 possible signature forgery via injection into
the status line
grub2: Fix buffer underflow write in the heap
qemu: CVE-2022-35414 can perform an uninitialized read on the
translate_fail path, leading to an io_readx or io_writex crash
libTiff: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 DoS from Divide By
Zero Error
libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections
LUIS ENRIQUEZ (1):
kernel-fitimage.bbclass: add padding algorithm property in config
nodes
Sana.Kazi (1):
libjpeg-turbo: Fix CVE-2021-46822
meta/classes/kernel-fitimage.bbclass | 5 +
.../grub/files/CVE-2021-3695.patch | 178 +++++++++++++++++
.../grub/files/CVE-2021-3696.patch | 46 +++++
.../grub/files/CVE-2021-3697.patch | 82 ++++++++
meta/recipes-bsp/grub/grub2.inc | 5 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2022-35414.patch | 53 +++++
.../libtirpc/libtirpc/CVE-2021-46828.patch | 155 +++++++++++++++
.../libtirpc/libtirpc_1.2.6.bb | 4 +-
.../jpeg/files/CVE-2021-46822.patch | 133 +++++++++++++
.../jpeg/libjpeg-turbo_2.0.4.bb | 1 +
...022-2056-CVE-2022-2057-CVE-2022-2058.patch | 183 ++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
.../gnupg/gnupg/CVE-2022-34903.patch | 44 +++++
meta/recipes-support/gnupg/gnupg_2.2.27.bb | 1 +
15 files changed, 890 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3695.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3696.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3697.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
create mode 100644 meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch
create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread* [OE-core][dunfell 0/7] Patch review
@ 2022-03-30 2:27 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-03-30 2:27 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3445
The following changes since commit da5cba5ec56cc437ede46d8aa71219a2a34cbe9e:
oeqa/selftest/tinfoil: Fix intermittent event loss issue in test (2022-03-26 16:25:24 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Steve Sakoman (7):
util-linux: fix CVE-2022-0563
xserver-xorg: update to 1.20.9
xserver-xorg: update to 1.20.10
xserver-xorg: update to 1.20.11
xserver-xorg: update to 1.20.12
xserver-xorg: update to 1.20.13
xserver-xorg: update to 1.20.14
.../util-linux/util-linux/CVE-2022-0563.patch | 161 ++++++++++++++++
.../util-linux/util-linux_2.35.1.bb | 1 +
.../xorg-xserver/xserver-xorg.inc | 2 +-
.../xserver-xorg/CVE-2020-14345.patch | 182 ------------------
.../xserver-xorg/CVE-2020-14346.patch | 36 ----
.../xserver-xorg/CVE-2020-14347.patch | 38 ----
.../xserver-xorg/CVE-2020-14360.patch | 132 -------------
.../xserver-xorg/CVE-2020-14361.patch | 36 ----
.../xserver-xorg/CVE-2020-14362.patch | 70 -------
.../xserver-xorg/CVE-2020-25712.patch | 102 ----------
...xorg_1.20.8.bb => xserver-xorg_1.20.14.bb} | 11 +-
11 files changed, 165 insertions(+), 606 deletions(-)
create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch
rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_1.20.8.bb => xserver-xorg_1.20.14.bb} (73%)
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread* [OE-core][dunfell 0/7] Patch review @ 2021-07-15 14:07 Steve Sakoman 2021-07-15 14:16 ` Andrej Valek 0 siblings, 1 reply; 22+ messages in thread From: Steve Sakoman @ 2021-07-15 14:07 UTC (permalink / raw) To: openembedded-core Please review this next set of patches for dunfell and have comments back by end of day Monday. Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2350 The following changes since commit cfd74f2bae51413d9c327e0f08ecf751325c2d74: report-error: Drop pointless inherit (2021-07-11 06:19:43 -1000) are available in the Git repository at: git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut Andrej Valek (1): busybox: add tmpdir option into mktemp applet Richard Purdie (3): pseudo: Add uninative configuration sanity check pseudo: Update to latest version including statx fix sstate: Drop pseudo exclusion Steve Sakoman (3): bluez: fix CVE-2021-3588 gstreamer-plugins-base: ignore CVE-2021-3522 since it is fixed gstreamer-plugins-good: ignore CVE-2021-3497/8 since they are fixed meta/classes/sstate.bbclass | 2 - meta/recipes-connectivity/bluez5/bluez5.inc | 1 + .../bluez5/bluez5/CVE-2021-3588.patch | 34 ++++++++ .../0001-mktemp-add-tmpdir-option.patch | 81 +++++++++++++++++++ meta/recipes-core/busybox/busybox_1.31.1.bb | 1 + meta/recipes-devtools/pseudo/pseudo.inc | 13 +++ meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +- .../gstreamer1.0-plugins-base_1.16.3.bb | 4 + .../gstreamer1.0-plugins-good_1.16.3.bb | 5 ++ 9 files changed, 140 insertions(+), 3 deletions(-) create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch create mode 100644 meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch -- 2.25.1 ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [OE-core][dunfell 0/7] Patch review 2021-07-15 14:07 Steve Sakoman @ 2021-07-15 14:16 ` Andrej Valek 0 siblings, 0 replies; 22+ messages in thread From: Andrej Valek @ 2021-07-15 14:16 UTC (permalink / raw) To: steve@sakoman.com; +Cc: openembedded-core@lists.openembedded.org Hello Steve, Busybox patch looks fine. Cheers, Andrej > Please review this next set of patches for dunfell and have comments back by end of day Monday. > > Passed a-full on autobuilder: > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fautobuilder.yoctoproject.org%2Ftyphoon%2F%23%2Fbuilders%2F83%2Fbuilds%2F2350&data=04%7C01%7Candrej.valek%40siemens.com%> 7C0b3180079754416d5b4808d9479a07ea%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637619549152185601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lHIY6jrIIjgQrMFGZI5aGHjaqK4A5Y17uptGKbI%2ByXQ%3D&reserved=0 > > The following changes since commit cfd74f2bae51413d9c327e0f08ecf751325c2d74: > > report-error: Drop pointless inherit (2021-07-11 06:19:43 -1000) > > are available in the Git repository at: > > git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut > https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcgit.openembedded.org%2Fopenembedded-core-contrib%2Flog%2F%3Fh%3Dstable%2Fdunfell-nut&data=04%7C01%7Candrej.valek%40siemens.com%7C0b3180079754416d5b4808d9479a07ea%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637619549152185601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=RqxpOBjsL%2B6GJnZwWtQ7KHLi%2FAcp1A0KZza9ow9p%2FPc%3D&reserved=0 > Andrej Valek (1): > busybox: add tmpdir option into mktemp applet > > Richard Purdie (3): > pseudo: Add uninative configuration sanity check > pseudo: Update to latest version including statx fix > sstate: Drop pseudo exclusion > > Steve Sakoman (3): > bluez: fix CVE-2021-3588 > gstreamer-plugins-base: ignore CVE-2021-3522 since it is fixed > gstreamer-plugins-good: ignore CVE-2021-3497/8 since they are fixed > > meta/classes/sstate.bbclass | 2 - > meta/recipes-connectivity/bluez5/bluez5.inc | 1 + > .../bluez5/bluez5/CVE-2021-3588.patch | 34 ++++++++ > .../0001-mktemp-add-tmpdir-option.patch | 81 +++++++++++++++++++ > meta/recipes-core/busybox/busybox_1.31.1.bb | 1 + > meta/recipes-devtools/pseudo/pseudo.inc | 13 +++ > meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +- > .../gstreamer1.0-plugins-base_1.16.3.bb | 4 + > .../gstreamer1.0-plugins-good_1.16.3.bb | 5 ++ > 9 files changed, 140 insertions(+), 3 deletions(-) create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-> 2021-3588.patch > create mode 100644 meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch > > -- > 2.25.1 ^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2020-09-18 16:15 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2020-09-18 16:15 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back
by end of day Monday.
The following changes since commit b98e50f08b2bcf61fbc75ea1b0ad83a17c0a736a:
cve-check: avoid FileNotFoundError if no do_cve_check task has run (2020-09-14 04:26:37 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Christophe GUIBOUT (1):
initramfs-framework: support kernel cmdline with double quotes
Geoff Parker (1):
systemd-serialgetty: Replace sed quoting using ' with " to allow var
expansion
Khem Raj (1):
populate_sdk_ext: Do not assume local.conf will always exist
Michael Gloff (1):
sysvinit: Remove ${B} assignment
Pierre-Jean Texier (1):
libubootenv: upgrade 0.3 -> 0.3.1
Rahul Kumar (1):
systemd-serialgetty: Fix sed expression quoting
Steve Sakoman (1):
Revert "kernel.bbclass: run do_symlink_kernsrc before do_patch"
meta/classes/kernel.bbclass | 2 +-
meta/classes/populate_sdk_ext.bbclass | 5 +++--
.../{libubootenv_0.3.bb => libubootenv_0.3.1.bb} | 2 +-
.../initrdscripts/initramfs-framework/init | 13 +++++++++++++
meta/recipes-core/systemd/systemd-serialgetty.bb | 4 ++--
meta/recipes-core/sysvinit/sysvinit_2.96.bb | 1 -
6 files changed, 20 insertions(+), 7 deletions(-)
rename meta/recipes-bsp/u-boot/{libubootenv_0.3.bb => libubootenv_0.3.1.bb} (94%)
--
2.17.1
^ permalink raw reply [flat|nested] 22+ messages in thread* [OE-core][dunfell 0/7] Patch review @ 2020-08-17 15:11 Steve Sakoman 0 siblings, 0 replies; 22+ messages in thread From: Steve Sakoman @ 2020-08-17 15:11 UTC (permalink / raw) To: openembedded-core Please review this next set of patches for dunfell and have comments back by end of day Wednesday. Passed a-full on autobuilder (other than 500 server error posting report for qemumips-alt): https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1265 The following changes since commit b95d6aeafb70765e22d2e1254e749a48f508d489: uninative: Handle PREMIRRORS generically (2020-08-09 09:26:54 -1000) are available in the Git repository at: git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut Bruce Ashfield (3): linux-yocto-rt/5.4: update to rt32 linux-yocto/5.4: update to v5.4.56 linux-yocto/5.4: update to v5.4.57 Khem Raj (4): glibc: Bring in CVE fixes and other bugfixes from 2.31 release branch gcc-9.3.inc: Mark CVE-2019-15847 as fixed go: update 1.14.4 -> 1.14.6 go: Upgrade to 1.14.7 meta/recipes-core/glibc/glibc-version.inc | 2 +- .../glibc/0016-Add-unused-attribute.patch | 31 --- .../glibc/glibc/CVE-2020-6096.patch | 112 ---------- .../glibc/glibc/CVE-2020-6096_2.patch | 194 ------------------ meta/recipes-core/glibc/glibc_2.31.bb | 5 +- meta/recipes-devtools/gcc/gcc-9.3.inc | 2 + meta/recipes-devtools/go/go-1.14.inc | 5 +- .../linux/linux-yocto-rt_5.4.bb | 6 +- .../linux/linux-yocto-tiny_5.4.bb | 8 +- meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +- 10 files changed, 24 insertions(+), 363 deletions(-) delete mode 100644 meta/recipes-core/glibc/glibc/0016-Add-unused-attribute.patch delete mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096.patch delete mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch -- 2.17.1 ^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2024-04-03 3:12 UTC | newest] Thread overview: 22+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356 Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 2/7] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785 Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 3/7] tar: Fix for CVE-2023-39804 Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 4/7] curl: backport Debian patch for CVE-2024-2398 Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 5/7] openssl: Fix CVE-2024-0727 Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 6/7] tar: bump PR to deal with sstate corruption on autobuilder Steve Sakoman 2024-04-03 3:11 ` [OE-core][dunfell 7/7] perf: " Steve Sakoman -- strict thread matches above, loose matches on Subject: below -- 2024-02-13 21:43 [OE-core][dunfell 0/7] Patch review Steve Sakoman 2023-09-26 14:12 Steve Sakoman 2023-05-11 21:28 Steve Sakoman 2023-04-22 15:57 Steve Sakoman 2023-04-04 2:39 Steve Sakoman 2022-12-01 15:25 Steve Sakoman 2022-10-24 14:24 Steve Sakoman 2022-09-08 2:28 Steve Sakoman 2022-07-29 15:24 Steve Sakoman 2022-03-30 2:27 Steve Sakoman 2021-07-15 14:07 Steve Sakoman 2021-07-15 14:16 ` Andrej Valek 2020-09-18 16:15 Steve Sakoman 2020-08-17 15:11 Steve Sakoman
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox