public inbox for openembedded-core@lists.openembedded.org
* [OE-core][kirkstone 00/13] Patch review
@ 2022-06-06 14:38 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-06-06 14:38 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by end
of day Wednesday.

This is a set of "housekeeping" commits: updating the Upstream-Status of patches
and removing obsolete patches.

The following changes since commit e63013cc38b82659658365da53b14952711d6701:

  gcc: Upgrade to 11.3 release (2022-06-02 06:48:32 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (3):
  bash: submit patch upstream
  valgrind: submit arm patches upstream
  zip/unzip: mark all submittable patches as Inactive-Upstream

Jiaqing Zhao (4):
  systemd: Drop 0001-test-parse-argument-Include-signal.h.patch
  systemd: Remove __compare_fn_t type in musl-specific patch
  systemd: Drop 0002-don-t-use-glibc-specific-qsort_r.patch
  systemd: Correct path returned in sd_path_lookup()

Khem Raj (4):
  systemd: Drop redundant musl patches
  systemd: Document future actions needed for set of musl patches
  systemd: Drop
    0016-Hide-__start_BUS_ERROR_MAP-and-__stop_BUS_ERROR_MAP.patch
  systemd: Update patch status

Martin Jansa (1):
  makedevs: Don't use COPYING.patch just to add license file into ${S}

Richard Purdie (1):
  lzo: Add further info to a patch and mark as Inactive-Upstream

 ...sysctl.d-binfmt.d-modules-load.d-to-.patch |  73 ++++
 ...se-ROOTPREFIX-without-suffixed-slash.patch |  42 ---
 ...test-parse-argument-Include-signal.h.patch |  27 --
 .../0002-Add-sys-stat.h-for-S_IFDIR.patch     |   2 +-
 ...002-don-t-use-glibc-specific-qsort_r.patch | 163 ---------
 ...-missing_type.h-add-comparison_fn_t.patch} |  41 +--
 ...missing.h-check-for-missing-strndupa.patch |  14 +-
 ...008-add-missing-FTW_-macros-for-musl.patch |   3 +
 ..._register_atfork-for-non-glibc-build.patch |   3 +
 ...S_ERROR_MAP-and-__stop_BUS_ERROR_MAP.patch |  33 --
 ...ype.h-add-__compar_d_fn_t-definition.patch |  28 --
 .../systemd/0019-Handle-missing-LOCK_EX.patch |  24 --
 ...ible-pointer-type-struct-sockaddr_un.patch |  38 --
 .../0021-test-json.c-define-M_PIl.patch       |   4 +
 meta/recipes-core/systemd/systemd_250.5.bb    |  10 +-
 .../makedevs/makedevs/COPYING.patch           | 346 ------------------
 .../makedevs/makedevs/makedevs.c              |   4 +
 .../makedevs/makedevs_1.0.1.bb                |   5 +-
 ...etting-mcpu-to-cortex-a8-on-arm-arch.patch |   2 +-
 ...n-for-targets-which-don-t-support-it.patch |   2 +-
 ...te-march-mcpu-mfpu-for-ARM-test-apps.patch |   2 +-
 .../bash/bash/makerace2.patch                 |   2 +-
 ...ass-LDFLAGS-to-tests-doing-link-step.patch |   2 +-
 .../unzip/unzip/CVE-2021-4217.patch           |   2 +-
 .../unzip/unzip/avoid-strip.patch             |   2 +-
 .../unzip/unzip/define-ldflags.patch          |   2 +-
 .../unzip/unzip/fix-security-format.patch     |   2 +-
 .../unzip/unzip/symlink.patch                 |   2 +-
 ...LAGS-and-LDFLAGS-when-doing-link-tes.patch |   2 +-
 .../zip/zip-3.0/10-remove-build-date.patch    |   2 +-
 .../zip/zip-3.0/fix-security-format.patch     |   2 +-
 .../zipnote-crashes-with-segfault.patch       |   2 +-
 ...Use-memcpy-instead-of-reinventing-it.patch |  10 +-
 33 files changed, 136 insertions(+), 762 deletions(-)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0001-test-parse-argument-Include-signal.h.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0002-don-t-use-glibc-specific-qsort_r.patch
 rename meta/recipes-core/systemd/systemd/{0003-missing_type.h-add-__compare_fn_t-and-comparison_fn_.patch => 0003-missing_type.h-add-comparison_fn_t.patch} (63%)
 delete mode 100644 meta/recipes-core/systemd/systemd/0016-Hide-__start_BUS_ERROR_MAP-and-__stop_BUS_ERROR_MAP.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0017-missing_type.h-add-__compar_d_fn_t-definition.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0019-Handle-missing-LOCK_EX.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0020-Fix-incompatible-pointer-type-struct-sockaddr_un.patch
 delete mode 100644 meta/recipes-devtools/makedevs/makedevs/COPYING.patch

-- 
2.25.1




* [OE-core][kirkstone 00/13] Patch review
@ 2022-06-21 23:27 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-06-21 23:27 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by end
of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3811

The following changes since commit b2d10487f80deb04a0893325a1ae79c8629a7655:

  liberror-perl: Update sstate/equiv versions to clean cache (2022-06-17 05:02:15 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (1):
  python3: use built-in distutils for ptest, rather than setuptools'
    'fork'

Davide Gardenal (1):
  efivar: add musl libc compatibility

Dmitry Baryshkov (2):
  linux-firmware: add support for building snapshots
  linux-firmware: upgrade 20220509 -> 20220610

Marta Rybczynska (2):
  cve-check: add support for Ignored CVEs
  oeqa/selftest/cve_check: add tests for Ignored and partial reports

Martin Jansa (1):
  mesa: backport a patch to support compositors without
    zwp_linux_dmabuf_v1 again

Michael Opdenacker (1):
  rootfs-postcommands.bbclass: correct comments

Nick Potenski (1):
  systemd: systemd-systemctl: Support instance conf files during enable

Paulo Neves (2):
  python: Avoid shebang overflow on python-config.py
  gtk-doc: Fix potential shebang overflow on gtkdoc-mkhtml2

Richard Purdie (2):
  python3: Remove problematic paths from sysroot files
  python3: Ensure stale empty python module directories don't break the
    build

 meta/classes/cve-check.bbclass                |  43 ++--
 meta/classes/rootfs-postcommands.bbclass      |   8 +-
 meta/lib/oeqa/selftest/cases/cve_check.py     |  82 ++++++++
 .../efisecdb-fix-build-with-musl-libc.patch   | 184 ++++++++++++++++++
 meta/recipes-bsp/efivar/efivar_38.bb          |   3 +-
 .../systemd/systemd-systemctl/systemctl       |  14 +-
 ...shebang-overflow-on-python-config.py.patch |  33 ++++
 .../python3/deterministic_imports.patch       |  32 +++
 .../recipes-devtools/python/python3/run-ptest |   2 +-
 .../recipes-devtools/python/python3_3.10.4.bb |  12 +-
 meta/recipes-gnome/gtk-doc/gtk-doc_1.33.2.bb  |   1 +
 ...nd-deprecate-drm_handle_format-and-d.patch | 158 +++++++++++++++
 meta/recipes-graphics/mesa/mesa.inc           |   1 +
 ...01-Makefile-replace-mkdir-by-install.patch |  84 --------
 ...20220509.bb => linux-firmware_20220610.bb} |  11 +-
 15 files changed, 555 insertions(+), 113 deletions(-)
 create mode 100644 meta/recipes-bsp/efivar/efivar/efisecdb-fix-build-with-musl-libc.patch
 create mode 100644 meta/recipes-devtools/python/python3/0001-Avoid-shebang-overflow-on-python-config.py.patch
 create mode 100644 meta/recipes-devtools/python/python3/deterministic_imports.patch
 create mode 100644 meta/recipes-graphics/mesa/files/0001-Revert-egl-wayland-deprecate-drm_handle_format-and-d.patch
 delete mode 100644 meta/recipes-kernel/linux-firmware/files/0001-Makefile-replace-mkdir-by-install.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220509.bb => linux-firmware_20220610.bb} (99%)

-- 
2.25.1




* [OE-core][kirkstone 00/13] Patch review
@ 2022-10-17 23:08 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2022-10-17 23:08 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4347

The following changes since commit e728d0965d6fda8ac54e065ca7bf7eb9da9a8170:

  coreutils: add openssl PACKAGECONFIG (2022-09-30 09:35:23 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Adrian Freihofer (1):
  own-mirrors: add crate

Bhabu Bindu (1):
  qemu: Fix CVE-2021-3611

Chen Qi (1):
  image_types_wic.bbclass: fix cross binutils dependency

He Zhe (2):
  lttng-tools: Upgrade 2.13.4 -> 2.13.8
  lttng-modules: Fix crash on powerpc64

Michael Halstead (1):
  uninative: Upgrade to 3.7 to work with glibc 2.36

Ross Burton (1):
  qemu: fix CVE-2022-2962

Teoh Jay Shen (1):
  tiff: Security fixes CVE-2022-2867,CVE-2022-2868 and CVE-2022-2869

Tim Orling (1):
  python3: upgrade 3.10.4 -> 3.10.7

Virendra Thakur (1):
  qemu: Fix CVE-2021-3750 for qemu

Xiangyu Chen (2):
  qemu: Backport patches from upstream to support float128 on qemu-ppc64
  linux-yocto-dev: add qemuarm64

pgowda (1):
  binutils : Fix CVE-2022-38128

 meta/classes/image_types_wic.bbclass          |    2 +-
 meta/classes/own-mirrors.bbclass              |    1 +
 meta/classes/sanity.bbclass                   |    2 +-
 meta/conf/distro/include/yocto-uninative.inc  |   10 +-
 .../binutils/binutils-2.38.inc                |    3 +
 .../binutils/0018-CVE-2022-38128-1.patch      |  350 ++++
 .../binutils/0018-CVE-2022-38128-2.patch      |  436 +++++
 .../binutils/0018-CVE-2022-38128-3.patch      |   95 ++
 ...h-92036-Fix-gc_fini_untrack-GH-92037.patch |   54 -
 ...report-missing-dependencies-for-disa.patch |    8 +-
 .../{python3_3.10.4.bb => python3_3.10.7.bb}  |    3 +-
 meta/recipes-devtools/qemu/qemu.inc           |   49 +
 ...ulip-Restrict-DMA-engine-to-memories.patch |   64 +
 ...end-float_exception_flags-to-16-bits.patch |   75 +
 ...32t-for-reply-queue-head-tail-values.patch |   83 +
 ...ftfloat-Add-flag-specific-to-Inf-Inf.patch |   59 +
 ...id_function_take_MemTxAttrs_argument.patch |   60 +
 ...softfloat-Add-flag-specific-to-Inf-0.patch |  126 ++
 ...et_function_take_MemTxAttrs_argument.patch |   98 ++
 ...dd-flags-specific-to-Inf-Inf-and-0-0.patch |   73 +
 ...ed_function_take_MemTxAttrs_argument.patch |   78 +
 ...-Add-flag-specific-to-signaling-nans.patch |  121 ++
 ...rw_function_take_MemTxAttrs_argument.patch |  158 ++
 ...e-float_invalid_op_addsub-for-new-fl.patch |  114 ++
 ...te_function_take_MemTxAttrs_argument.patch | 1453 +++++++++++++++++
 ...e-float_invalid_op_mul-for-new-flags.patch |   86 +
 ...ap_function_take_MemTxAttrs_argument.patch |  227 +++
 ...e-float_invalid_op_div-for-new-flags.patch |   99 ++
 ..._buf_rw_function_take_a_void_pointer.patch |   41 +
 ...arget-ppc-Update-fmadd-for-new-flags.patch |  102 ++
 ..._dma_buf_write_functions_take_a_void.patch |  167 ++
 .../0010-target-ppc-Split-out-do_fmadd.patch  |   71 +
 ...rw_function_take_MemTxAttrs_argument.patch |   91 ++
 ...s-max-min-cj-dp-to-use-VSX-registers.patch |   93 ++
 ...rw_function_take_MemTxAttrs_argument.patch |   65 +
 ...-Move-xs-max-min-cj-dp-to-decodetree.patch |  121 ++
 ...te_function_take_MemTxAttrs_argument.patch |  129 ++
 ...get-ppc-fix-xscvqpdp-register-access.patch |   41 +
 ...ad_function_take_MemTxAttrs_argument.patch |  222 +++
 ...rget-ppc-move-xscvqpdp-to-decodetree.patch |  130 ++
 ...uf_rw_function_propagate_MemTxResult.patch |   91 ++
 ...tore_fpscr-doesn-t-update-bits-0-to-.patch |   70 +
 ...ma_function_take_MemTxAttrs_argument.patch |  120 ++
 ...get-ppc-Introduce-TRANS-FLAGS-macros.patch |  133 ++
 ...ma_function_take_MemTxAttrs_argument.patch |  151 ++
 ...get-ppc-Implement-Vector-Expand-Mask.patch |  105 ++
 ...r_dma_function_propagate_MemTxResult.patch |   65 +
 ...et-ppc-Implement-Vector-Extract-Mask.patch |  141 ++
 ...r_dma_function_propagate_MemTxResult.patch |  175 ++
 ...ppc-Implement-Vector-Mask-Move-insns.patch |  187 +++
 ...ma_function_take_MemTxAttrs_argument.patch |  303 ++++
 ...xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch |  258 +++
 ...ma_function_take_MemTxAttrs_argument.patch |  271 +++
 ...mplement-xs-n-maddqp-o-xs-n-msubqp-o.patch |  174 ++
 ...i_dma_function_propagate_MemTxResult.patch |   47 +
 ...i_dma_function_propagate_MemTxResult.patch |  296 ++++
 .../qemu/qemu/CVE-2021-3611_1.patch           |   74 +
 .../qemu/qemu/CVE-2021-3611_2.patch           |   43 +
 .../qemu/qemu/CVE-2021-3750-1.patch           |   59 +
 .../qemu/qemu/CVE-2021-3750-2.patch           |   65 +
 .../qemu/qemu/CVE-2021-3750-3.patch           |  156 ++
 meta/recipes-kernel/linux/linux-yocto-dev.bb  |    2 +-
 ...4-fix-kernel-crash-caused-by-do_get_.patch |   94 ++
 .../lttng/lttng-modules_2.13.4.bb             |    1 +
 ...-tools_2.13.4.bb => lttng-tools_2.13.8.bb} |    2 +-
 .../libtiff/tiff/CVE-2022-2867.patch          |  129 ++
 .../libtiff/tiff/CVE-2022-2869.patch          |   84 +
 ...ed69a485a9cfb299d9f060eb2a46c54e5903.patch |   45 +
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |    3 +
 69 files changed, 8536 insertions(+), 68 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-2.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0018-CVE-2022-38128-3.patch
 delete mode 100644 meta/recipes-devtools/python/python3/0001-gh-92036-Fix-gc_fini_untrack-GH-92037.patch
 rename meta/recipes-devtools/python/{python3_3.10.4.bb => python3_3.10.7.bb} (99%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-net-tulip-Restrict-DMA-engine-to-memories.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-softfloat-Extend-float_exception_flags-to-16-bits.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-use-uint32t-for-reply-queue-head-tail-values.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0002-softfloat-Add-flag-specific-to-Inf-Inf.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0002_let_dma_memory_valid_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0003-softfloat-Add-flag-specific-to-Inf-0.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0003_let_dma_memory_set_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0004-softfloat-Add-flags-specific-to-Inf-Inf-and-0-0.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0004_let_dma_memory_rw_relaxed_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0005-softfloat-Add-flag-specific-to-signaling-nans.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0005_let_dma_memory_rw_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0006-target-ppc-Update-float_invalid_op_addsub-for-new-fl.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0006_let_dma_memory_read_write_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0007-target-ppc-Update-float_invalid_op_mul-for-new-flags.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0007_let_dma_memory_map_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0008-target-ppc-Update-float_invalid_op_div-for-new-flags.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0008_have_dma_buf_rw_function_take_a_void_pointer.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0009-target-ppc-Update-fmadd-for-new-flags.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0009_have_dma_buf_read_and_dma_buf_write_functions_take_a_void.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0010-target-ppc-Split-out-do_fmadd.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0010_let_pci_dma_rw_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0011-target-ppc-Fix-xs-max-min-cj-dp-to-use-VSX-registers.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0011_let_dma_buf_rw_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0012-target-ppc-Move-xs-max-min-cj-dp-to-decodetree.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0012_let_dma_buf_write_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0013-target-ppc-fix-xscvqpdp-register-access.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0013_let_dma_buf_read_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0014-target-ppc-move-xscvqpdp-to-decodetree.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0014_let_dma_buf_rw_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0015-target-ppc-ppc_store_fpscr-doesn-t-update-bits-0-to-.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0015_let_st_pointer_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0016-target-ppc-Introduce-TRANS-FLAGS-macros.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0016_let_ld_pointer_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0017-target-ppc-Implement-Vector-Expand-Mask.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0017_let_st_pointer_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0018-target-ppc-Implement-Vector-Extract-Mask.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0018_let_ld_pointer_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0019-target-ppc-Implement-Vector-Mask-Move-insns.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0019_let_st_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0020-target-ppc-move-xs-n-madd-am-ds-p-xs-n-msub-am-ds-p-.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0020_let_ld_pointer_pci_dma_function_take_MemTxAttrs_argument.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0021-target-ppc-implement-xs-n-maddqp-o-xs-n-msubqp-o.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0021_let_st_pointer_pci_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0022_let_ld_pointer_pci_dma_function_propagate_MemTxResult.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3611_1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3611_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3750-3.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-wrapper-powerpc64-fix-kernel-crash-caused-by-do_get_.patch
 rename meta/recipes-kernel/lttng/{lttng-tools_2.13.4.bb => lttng-tools_2.13.8.bb} (98%)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-2867.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-2869.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/b258ed69a485a9cfb299d9f060eb2a46c54e5903.patch

-- 
2.25.1




* [OE-core][kirkstone 00/13] Patch review
@ 2023-02-01 22:15 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2023-02-01 22:15 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4872

The following changes since commit a8c82902384f7430519a31732a4bb631f21693ac:

  build-appliance-image: Update to kirkstone head revision (2023-01-26 23:40:27 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Armin Kuster (1):
  lttng-modules: Fix for 5.10.163 kernel version

Bruce Ashfield (1):
  linux-yocto/5.15: update to v5.15.87

Khem Raj (3):
  libtirpc: Check if file exists before operating on it
  libusb1: Link with latomic only if compiler has no atomic builtins
  libusb1: Strip trailing whitespaces

Niko Mauno (1):
  Fix missing leading whitespace with ':append'

Richard Purdie (1):
  native: Drop special variable handling

Ross Burton (4):
  ppp: backport fix for CVE-2022-4603
  quilt: fix intermittent failure in faildiff.test
  spirv-headers: set correct branch name
  quilt: use upstreamed faildiff.test fix

Thomas Roos (1):
  devtool: fix devtool finish when gitmodules file is empty

Xiangyu Chen (1):
  numactl: skip test case when target platform doesn't have 2 CPU node

 meta/classes/core-image.bbclass               |  2 +-
 meta/classes/externalsrc.bbclass              |  2 +-
 meta/classes/native.bbclass                   |  2 +-
 meta/classes/populate_sdk_ext.bbclass         |  2 +-
 .../distro/include/ptest-packagelists.inc     |  2 +-
 .../ppp/ppp/CVE-2022-4603.patch               | 48 +++++++++++++++
 meta/recipes-connectivity/ppp/ppp_2.4.9.bb    |  1 +
 meta/recipes-devtools/quilt/quilt.inc         |  1 +
 .../quilt/quilt/faildiff-order.patch          | 41 +++++++++++++
 .../libtirpc/libtirpc_1.3.2.bb                |  2 +-
 .../spir/spirv-headers_1.3.204.1.bb           |  2 +-
 .../linux/linux-yocto-rt_5.15.bb              |  6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |  6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 ++++----
 .../fix-jbd2-upper-bound-for-v5.10.163.patch  | 52 ++++++++++++++++
 ...e-the-correct-print-format-v5.10.163.patch | 61 +++++++++++++++++++
 .../lttng/lttng-modules_2.13.8.bb             |  2 +
 ...k-with-latomic-only-if-no-atomic-bui.patch | 46 ++++++++++++++
 meta/recipes-support/libusb/libusb1_1.0.26.bb | 13 ++--
 .../numactl/Fix-the-test-output-format.patch  |  3 +-
 .../recipes-support/numactl/numactl/run-ptest |  6 +-
 21 files changed, 292 insertions(+), 34 deletions(-)
 create mode 100644 meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch
 create mode 100644 meta/recipes-devtools/quilt/quilt/faildiff-order.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-upper-bound-for-v5.10.163.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/fix-jbd2-use-the-correct-print-format-v5.10.163.patch
 create mode 100644 meta/recipes-support/libusb/libusb1/0001-configure.ac-Link-with-latomic-only-if-no-atomic-bui.patch

-- 
2.25.1




* [OE-core][kirkstone 00/13] Patch review
@ 2023-04-29 17:20 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2023-04-29 17:20 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5234

The following changes since commit 15c07dff384ce4fb0e90f4f32c182a82101a1c82:

  go: fix CVE-2023-24537 Infinite loop in parsing (2023-04-21 03:57:50 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (1):
  nasm: fix CVE-2022-44370

Bruce Ashfield (3):
  linux-yocto/5.15: update to v5.15.106
  linux-yocto/5.15: update to v5.15.107
  linux-yocto/5.15: update to v5.15.108

Christoph Lauer (1):
  populate_sdk_base: add zip options

Deepthi Hemraj (1):
  glibc: stable 2.35 branch updates.

Joe Slater (1):
  ghostscript: fix CVE-2023-29979

Mingli Yu (1):
  ruby: Fix CVE-2023-28755

Pascal Bach (1):
  cmake: add CMAKE_SYSROOT to generated toolchain file

Ross Burton (1):
  xserver-xorg: backport fix for CVE-2023-1393

Virendra Thakur (1):
  qemu: Whitelist CVE-2023-0664

Yogita Urade (2):
  xorg-lib-common: Add variable to set tarball type
  libxpm: upgrade 3.5.13 -> 3.5.15

 meta/classes/cmake.bbclass                    |   5 +
 meta/classes/populate_sdk_base.bbclass        |   4 +-
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../nasm/nasm/CVE-2022-44370.patch            | 104 ++++++++++++++++++
 meta/recipes-devtools/nasm/nasm_2.15.05.bb    |   1 +
 meta/recipes-devtools/qemu/qemu.inc           |   5 +
 .../ruby/ruby/CVE-2023-28755.patch            |  68 ++++++++++++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |   1 +
 .../ghostscript/cve-2023-28879.patch          |  60 ++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |   1 +
 .../{libxpm_3.5.13.bb => libxpm_3.5.15.bb}    |   8 +-
 .../xorg-lib/xorg-lib-common.inc              |   3 +-
 ...posite-Fix-use-after-free-of-the-COW.patch |  46 ++++++++
 .../xorg-xserver/xserver-xorg_21.1.7.bb       |   3 +-
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 ++---
 17 files changed, 323 insertions(+), 26 deletions(-)
 create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-44370.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/cve-2023-28879.patch
 rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.13.bb => libxpm_3.5.15.bb} (67%)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-composite-Fix-use-after-free-of-the-COW.patch

-- 
2.34.1




* [OE-core][kirkstone 00/13] Patch review
@ 2023-05-31  2:34 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2023-05-31  2:34 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5365

The following changes since commit 5e26ead1ca016d1691dccba1b58060ac853bf0d2:

  piglit: Add missing glslang dependencies (2023-05-25 05:42:54 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bhabu Bindu (4):
  curl: Fix CVE-2023-28319
  curl: Fix CVE-2023-28320
  curl: Fix CVE-2023-28321
  curl: Fix CVE-2023-28322

Bruce Ashfield (5):
  linux-yocto/5.10: update to v5.10.176
  linux-yocto/5.10: update to v5.10.177
  linux-yocto/5.10: update to v5.10.178
  linux-yocto/5.10: update to v5.10.179
  linux-yocto/5.10: update to v5.10.180

Martin Jansa (1):
  kernel-devicetree: make shell scripts posix compliant

Randolph Sapp (3):
  kernel-devicetree: allow specification of dtb directory
  package: enable recursion on file globs
  kernel-devicetree: recursively search for dtbs

 meta/classes/kernel-devicetree.bbclass        |  22 +-
 meta/classes/kernel.bbclass                   |   2 +
 meta/classes/package.bbclass                  |   2 +-
 .../linux/linux-yocto-rt_5.10.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb            |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  24 +-
 .../curl/curl/CVE-2023-28319.patch            |  33 ++
 .../curl/curl/CVE-2023-28320.patch            |  83 ++++
 .../curl/curl/CVE-2023-28321.patch            | 302 ++++++++++++
 .../curl/curl/CVE-2023-28322-1.patch          |  84 ++++
 .../curl/curl/CVE-2023-28322-2.patch          | 436 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   5 +
 12 files changed, 982 insertions(+), 25 deletions(-)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28319.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28321.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28322-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28322-2.patch

-- 
2.34.1




* [OE-core][kirkstone 00/13] Patch review
@ 2023-10-14 21:44 Steve Sakoman
  0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2023-10-14 21:44 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, October 17

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6044

The following changes since commit bca43f95850d395f9dc56644fa1d12910cabb0c5:

  glibc: Update to latest on stable 2.35 branch (2023-10-06 12:03:30 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (2):
  python3-urllib3: upgrade 1.26.10 -> 1.26.11
  python3-urllib3: upgrade 1.26.12 -> 1.26.13

Hitendra Prajapati (2):
  libtiff: fix CVE-2022-40090 improved IFD-Loop handling
  xdg-utils: Fix CVE-2022-4055

Khem Raj (1):
  apt: add missing <cstdint> for uint16_t

Lee Chee Yang (1):
  python3-urllib3: 1.26.15 -> 1.26.17

Siddharth Doshi (1):
  vim: Upgrade 9.0.1894 -> 9.0.2009

Tim Orling (1):
  python3-urllib3: upgrade 1.26.13 -> 1.26.14

Wang Mingyu (1):
  python3-urllib3: upgrade 1.26.14 -> 1.26.15

Yash Shinde (2):
  binutils: Fix CVE-2022-44840
  binutils: Fix CVE-2022-45703

wangmy (2):
  python3-urllib3: upgrade 1.26.9 -> 1.26.10
  python3-urllib3: upgrade 1.26.11 -> 1.26.12

 ...001-add-missing-cstdint-for-uint16_t.patch |  35 ++
 meta/recipes-devtools/apt/apt_2.4.5.bb        |   1 +
 .../binutils/binutils-2.38.inc                |   3 +
 .../binutils/0030-CVE-2022-44840.patch        | 151 +++++
 .../binutils/0031-CVE-2022-45703-1.patch      | 147 +++++
 .../binutils/0031-CVE-2022-45703-2.patch      |  31 +
 ...3_1.26.9.bb => python3-urllib3_1.26.17.bb} |   3 +-
 .../xdg-utils/xdg-utils/CVE-2022-4055.patch   | 165 +++++
 .../xdg-utils/xdg-utils_1.1.3.bb              |   1 +
 .../libtiff/tiff/CVE-2022-40090.patch         | 569 ++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 12 files changed, 1108 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-devtools/apt/apt/0001-add-missing-cstdint-for-uint16_t.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0030-CVE-2022-44840.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0031-CVE-2022-45703-2.patch
 rename meta/recipes-devtools/python/{python3-urllib3_1.26.9.bb => python3-urllib3_1.26.17.bb} (82%)
 create mode 100644 meta/recipes-extended/xdg-utils/xdg-utils/CVE-2022-4055.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2022-40090.patch

-- 
2.34.1




* [OE-core][kirkstone 00/13] Patch review
@ 2025-01-07 13:31 Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 01/13] libsndfile1: Backport fix for CVE-2022-33065 Steve Sakoman
                   ` (12 more replies)
  0 siblings, 13 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, January 9

Passed a-full on autobuilder:

https://valkyrie.yoctoproject.org/#/builders/29/builds/751

The following changes since commit a20b02fdfe64c005f7587a1d9077bdc282f7b6b1:

  base-passwd: Add the sgx group (2024-12-18 07:06:28 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (3):
  ffmpeg: fix CVE-2024-35366
  ffmpeg: fix CVE-2024-35367
  ffmpeg: fix CVE-2024-35368

Mikko Rapeli (1):
  ovmf-native: remove .pyc files from install

Peter Marko (6):
  ghostscript: ignore CVE-2024-46954
  tiff: ignore CVE-2023-2731
  tiff: patch CVE-2023-3164
  gstreame1.0: ignore CVEs from gstreamer1.0-plugins-bad
  xwayland: patch CVE-2023-5380 CVE-2024-0229
  python3: upgrade 3.10.15 -> 3.10.16

Rohini Sangam (1):
  webkitgtk: Security fix for CVE-2024-40776 and CVE-2024-40780

Vijay Anusuri (1):
  libsndfile1: Backport fix for CVE-2022-33065

aszh07 (1):
  libarchive: Fix CVE-2024-20696

 meta/recipes-core/ovmf/ovmf_git.bb            |   1 +
 ...-search-system-for-headers-libraries.patch |   2 +-
 ...{python3_3.10.15.bb => python3_3.10.16.bb} |   2 +-
 .../ghostscript/ghostscript_9.55.0.bb         |   2 +-
 .../libarchive/CVE-2024-20696.patch           | 114 +++++++++
 .../libarchive/libarchive_3.6.2.bb            |   1 +
 .../xwayland/xwayland/CVE-2023-5380.patch     | 103 ++++++++
 .../xwayland/xwayland/CVE-2024-0229-1.patch   |  88 +++++++
 .../xwayland/xwayland/CVE-2024-0229-2.patch   | 222 +++++++++++++++++
 .../xwayland/xwayland/CVE-2024-0229-3.patch   |  42 ++++
 .../xwayland/xwayland/CVE-2024-0229-4.patch   |  46 ++++
 .../xwayland/xwayland_22.1.8.bb               |   5 +
 .../ffmpeg/ffmpeg/CVE-2024-35366.patch        |  37 +++
 .../ffmpeg/ffmpeg/CVE-2024-35367.patch        |  47 ++++
 .../ffmpeg/ffmpeg/CVE-2024-35368.patch        |  41 ++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |   3 +
 .../gstreamer/gstreamer1.0_1.20.7.bb          |   4 +-
 ...022-33065.patch => CVE-2022-33065-1.patch} |   0
 .../libsndfile1/CVE-2022-33065-10.patch       |  39 +++
 .../libsndfile1/CVE-2022-33065-11.patch       |  35 +++
 .../libsndfile1/CVE-2022-33065-12.patch       |  40 +++
 .../libsndfile1/CVE-2022-33065-13.patch       |  58 +++++
 .../libsndfile1/CVE-2022-33065-2.patch        |  58 +++++
 .../libsndfile1/CVE-2022-33065-3.patch        |  34 +++
 .../libsndfile1/CVE-2022-33065-4.patch        |  60 +++++
 .../libsndfile1/CVE-2022-33065-5.patch        |  39 +++
 .../libsndfile1/CVE-2022-33065-6.patch        |  82 +++++++
 .../libsndfile1/CVE-2022-33065-7.patch        |  48 ++++
 .../libsndfile1/CVE-2022-33065-8.patch        | 179 ++++++++++++++
 .../libsndfile1/CVE-2022-33065-9.patch        | 231 ++++++++++++++++++
 .../libsndfile/libsndfile1_1.0.31.bb          |  14 +-
 .../libtiff/tiff/CVE-2023-3164.patch          | 114 +++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   5 +-
 .../webkit/webkitgtk/CVE-2024-40776.patch     | 141 +++++++++++
 .../webkit/webkitgtk/CVE-2024-40780.patch     |  94 +++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   2 +
 36 files changed, 2025 insertions(+), 8 deletions(-)
 rename meta/recipes-devtools/python/{python3_3.10.15.bb => python3_3.10.16.bb} (99%)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch
 rename meta/recipes-multimedia/libsndfile/libsndfile1/{CVE-2022-33065.patch => CVE-2022-33065-1.patch} (100%)
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-10.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-11.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-12.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-13.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-2.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-3.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-4.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-5.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-6.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-7.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-8.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-9.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch

-- 
2.43.0




* [OE-core][kirkstone 01/13] libsndfile1: Backport fix for CVE-2022-33065
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 02/13] ghostscript: ignore CVE-2024-46954 Steve Sakoman
                   ` (11 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Added missing commits for complete CVE fix

Ref: https://github.com/libsndfile/libsndfile/issues/833
     https://ubuntu.com/security/CVE-2022-33065

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...022-33065.patch => CVE-2022-33065-1.patch} |   0
 .../libsndfile1/CVE-2022-33065-10.patch       |  39 +++
 .../libsndfile1/CVE-2022-33065-11.patch       |  35 +++
 .../libsndfile1/CVE-2022-33065-12.patch       |  40 +++
 .../libsndfile1/CVE-2022-33065-13.patch       |  58 +++++
 .../libsndfile1/CVE-2022-33065-2.patch        |  58 +++++
 .../libsndfile1/CVE-2022-33065-3.patch        |  34 +++
 .../libsndfile1/CVE-2022-33065-4.patch        |  60 +++++
 .../libsndfile1/CVE-2022-33065-5.patch        |  39 +++
 .../libsndfile1/CVE-2022-33065-6.patch        |  82 +++++++
 .../libsndfile1/CVE-2022-33065-7.patch        |  48 ++++
 .../libsndfile1/CVE-2022-33065-8.patch        | 179 ++++++++++++++
 .../libsndfile1/CVE-2022-33065-9.patch        | 231 ++++++++++++++++++
 .../libsndfile/libsndfile1_1.0.31.bb          |  14 +-
 14 files changed, 916 insertions(+), 1 deletion(-)
 rename meta/recipes-multimedia/libsndfile/libsndfile1/{CVE-2022-33065.patch => CVE-2022-33065-1.patch} (100%)
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-10.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-11.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-12.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-13.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-2.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-3.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-4.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-5.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-6.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-7.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-8.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-9.patch

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-1.patch
similarity index 100%
rename from meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065.patch
rename to meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-1.patch
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-10.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-10.patch
new file mode 100644
index 0000000000..17867fc308
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-10.patch
@@ -0,0 +1,39 @@
+From cd44bfaf3708e778c8670cb7f707a597c3334376 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 17 Oct 2023 11:50:53 -0400
+Subject: [PATCH 14/17] nms_adpcm: fix int overflow in sf.frames calc
+
+When calculating sf.frames from the blocks_total PNMS variable, it is
+theoretically possible to overflow the blocks_total int boundaries,
+leading to undefined behavior.
+
+Cast blocks_total to a long-sized sf_count_t before the calculation, to
+provide it with enough numeric space and because that is the final
+typing regardless.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-10.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/cd44bfaf3708e778c8670cb7f707a597c3334376]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/nms_adpcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/nms_adpcm.c b/src/nms_adpcm.c
+index dca85f0b0..61d171c73 100644
+--- a/src/nms_adpcm.c
++++ b/src/nms_adpcm.c
+@@ -1090,7 +1090,7 @@ nms_adpcm_init (SF_PRIVATE *psf)
+ 	else
+ 		pnms->blocks_total = psf->datalength / (pnms->shortsperblock * sizeof (short)) ;
+ 
+-	psf->sf.frames		= pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ;
++	psf->sf.frames		= (sf_count_t) pnms->blocks_total * NMS_SAMPLES_PER_BLOCK ;
+ 	psf->codec_close	= nms_adpcm_close ;
+ 	psf->seek			= nms_adpcm_seek ;
+ 
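Review bot: the context line just above the change in nms_adpcm_init() still stores `psf->datalength / (pnms->shortsperblock * sizeof (short))` into `pnms->blocks_total`, which the commit message describes as an int, so the new `(sf_count_t)` cast widens the multiplication but does not stop the quotient from being truncated when it is assigned. Consider asking upstream whether `blocks_total` should be range-checked before the `psf->sf.frames` calculation. As a style point, the patch header carries `CVE: CVE-2022-33065` twice, once in the upstream message and once after Upstream-Status; one tag is enough.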
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-11.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-11.patch
new file mode 100644
index 0000000000..a147a0d593
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-11.patch
@@ -0,0 +1,35 @@
+From 915e154e2deb327612ca413c838365b7c9bfbf16 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 17 Oct 2023 11:57:23 -0400
+Subject: [PATCH 15/17] pcm: fix int overflow in pcm_init()
+
+Cast the int-sized bytewidth variable to a long-sized sf_count_t type
+prior to calculating the blockwidth, to provide the calculation with
+enough numeric space and sf_count_t is the final typing regardless.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-11.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/915e154e2deb327612ca413c838365b7c9bfbf16]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/pcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pcm.c b/src/pcm.c
+index bdf461839..a42e48681 100644
+--- a/src/pcm.c
++++ b/src/pcm.c
+@@ -127,7 +127,7 @@ pcm_init (SF_PRIVATE *psf)
+ 		return SFE_INTERNAL ;
+ 		} ;
+ 
+-	psf->blockwidth = psf->bytewidth * psf->sf.channels ;
++	psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ;
+ 
+ 	if ((SF_CODEC (psf->sf.format)) == SF_FORMAT_PCM_S8)
+ 		chars = SF_CHARS_SIGNED ;
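Review bot: the cast added in pcm_init() is only effective together with CVE-2022-33065-6.patch, which changes `blockwidth` in src/common.h from `int` to `sf_count_t`; with the old `int` field the widened product would be converted back to int on assignment. Please state that dependency in the patch header so the two are not dropped or refreshed independently. Since the files sort here as -10 to -13 ahead of -2 to -9, also confirm that SRC_URI lists them in numeric order.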
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-12.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-12.patch
new file mode 100644
index 0000000000..659a6a4c22
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-12.patch
@@ -0,0 +1,40 @@
+From ec149a79d457916479489d71b55e4d63015a08ea Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 17 Oct 2023 12:01:00 -0400
+Subject: [PATCH 16/17] rf64: fix int overflow in rf64_read_header()
+
+When checking for mismatches between the filelength and riff_size, it is
+possible to overflow the temporary riff_size value used in the
+comparison by adding a static offset; which is probably fine, but it is
+offensive to overflow fuzzers.
+
+Since filelength is always a positive value, simply move the offset to
+the other side of the comparison operator as a negative value, avoid the
+possibility of an overflow.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-12.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/ec149a79d457916479489d71b55e4d63015a08ea]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/rf64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/rf64.c b/src/rf64.c
+index 123db445a..c60399fb3 100644
+--- a/src/rf64.c
++++ b/src/rf64.c
+@@ -242,7 +242,7 @@ rf64_read_header (SF_PRIVATE *psf, int *blockalign, int *framesperblock)
+ 							} ;
+ 						} ;
+ 
+-					if (psf->filelength != riff_size + 8)
++					if (psf->filelength - 8 != riff_size)
+ 						psf_log_printf (psf, "  Riff size : %D (should be %D)\n", riff_size, psf->filelength - 8) ;
+ 					else
+ 						psf_log_printf (psf, "  Riff size : %D\n", riff_size) ;
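Review bot: the changed comparison in rf64_read_header() only selects which of two psf_log_printf() calls runs, and the upstream message itself says the old overflow "is probably fine", so this file is sanitizer hygiene rather than a behavioural fix. The backport commit message ("Added missing commits for complete CVE fix") would be more accurate if it said which of the thirteen files change behaviour and which are cleanups like this one, since that affects how the CVE status is judged for builds carrying only part of the series.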
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-13.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-13.patch
new file mode 100644
index 0000000000..107b1dcae4
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-13.patch
@@ -0,0 +1,58 @@
+From 9f097e492a07c96e3b250d6ac0044499f64f6cea Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Tue, 17 Oct 2023 12:19:12 -0400
+Subject: [PATCH 17/17] ima_adpcm: fix int overflow in ima_reader_init()
+
+When calculating sf.frames, pre-cast samplesperblock to sf_count_t, to
+provide the calculation with enough numeric space to avoid overflows.
+
+Other changes in this commit are syntactic, and only to satisfy the git
+pre-commit syntax checker.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-13.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/9f097e492a07c96e3b250d6ac0044499f64f6cea]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/ima_adpcm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- libsndfile-1.0.31.orig/src/ima_adpcm.c
++++ libsndfile-1.0.31/src/ima_adpcm.c
+@@ -182,7 +182,12 @@ ima_reader_init (SF_PRIVATE *psf, int bl
+ 	if (psf->file.mode != SFM_READ)
+ 		return SFE_BAD_MODE_RW ;
+ 
+-	pimasize = sizeof (IMA_ADPCM_PRIVATE) + blockalign * psf->sf.channels + 3 * psf->sf.channels * samplesperblock ;
++	/*
++	**	Allocate enough space for 1 more than a multiple of 8 samples
++	**	to avoid having to branch when pulling apart the nibbles.
++	*/
++	count = ((samplesperblock - 2) | 7) + 2 ;
++	pimasize = sizeof (IMA_ADPCM_PRIVATE) + psf->sf.channels * (blockalign + samplesperblock + sizeof (short) * count) ;
+ 
+ 	if (! (pima = calloc (1, pimasize)))
+ 		return SFE_MALLOC_FAILED ;
+@@ -233,7 +238,7 @@ ima_reader_init (SF_PRIVATE *psf, int bl
+ 		case SF_FORMAT_AIFF :
+ 				psf_log_printf (psf, "still need to check block count\n") ;
+ 				pima->decode_block = aiff_ima_decode_block ;
+-				psf->sf.frames = pima->samplesperblock * pima->blocks / pima->channels ;
++				psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks / pima->channels ;
+ 				break ;
+ 
+ 		default :
+@@ -386,7 +391,7 @@ aiff_ima_encode_block (SF_PRIVATE *psf,
+ static int
+ wavlike_ima_decode_block (SF_PRIVATE *psf, IMA_ADPCM_PRIVATE *pima)
+ {	int		chan, k, predictor, blockindx, indx, indxstart, diff ;
+-	short	step, bytecode, stepindx [2] ;
++	short	step, bytecode, stepindx [2] = { 0 } ;
+ 
+ 	pima->blockcount ++ ;
+ 	pima->samplecount = 0 ;
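Review bot: the first hunk in ima_reader_init() replaces the `pimasize` expression with a different formula built on a new use of `count`, which is neither described in the commit message (it calls everything except the `sf.frames` cast "syntactic") nor reflected in the diffstat: the header says "3 insertions(+), 3 deletions(-)" while the hunks add 8 lines and remove 3. The file header is also `libsndfile-1.0.31.orig/src/ima_adpcm.c` with no index line, so this looks like a refresh that pulled in an unrelated allocation change. Please confirm that `count` is declared in 1.0.31's ima_reader_init(), identify the upstream commit the new `pimasize` calculation comes from, and either document it in the header or drop that hunk so the backport matches 9f097e492a07.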
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-2.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-2.patch
new file mode 100644
index 0000000000..93b8856e41
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-2.patch
@@ -0,0 +1,58 @@
+From 56e6c5408f1ee6d476b234c105fb28b4998e811b Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 16:36:02 -0400
+Subject: [PATCH 06/17] au: avoid int overflow while calculating data_end
+
+At several points in au_read_header(), we calculate the functional end
+of the data segment by adding the (int)au_fmt.dataoffset and the
+(int)au_fmt.datasize. This can overflow the implicit int_32 return value
+and cause undefined behavior.
+
+Instead, precalculate the value and assign it to a 64-bit
+(sf_count_t)data_end variable.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-2.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/56e6c5408f1ee6d476b234c105fb28b4998e811b]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/au.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/au.c b/src/au.c
+index 62bd691d6..f68f25871 100644
+--- a/src/au.c
++++ b/src/au.c
+@@ -291,6 +291,7 @@ static int
+ au_read_header (SF_PRIVATE *psf)
+ {	AU_FMT	au_fmt ;
+ 	int		marker, dword ;
++	sf_count_t data_end ;
+ 
+ 	memset (&au_fmt, 0, sizeof (au_fmt)) ;
+ 	psf_binheader_readf (psf, "pm", 0, &marker) ;
+@@ -317,14 +318,15 @@ au_read_header (SF_PRIVATE *psf)
+ 		return SFE_AU_EMBED_BAD_LEN ;
+ 		} ;
+ 
++	data_end = (sf_count_t) au_fmt.dataoffset + (sf_count_t) au_fmt.datasize ;
+ 	if (psf->fileoffset > 0)
+-	{	psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
++	{	psf->filelength = data_end ;
+ 		psf_log_printf (psf, "  Data Size   : %d\n", au_fmt.datasize) ;
+ 		}
+-	else if (au_fmt.datasize == -1 || au_fmt.dataoffset + au_fmt.datasize == psf->filelength)
++	else if (au_fmt.datasize == -1 || data_end == psf->filelength)
+ 		psf_log_printf (psf, "  Data Size   : %d\n", au_fmt.datasize) ;
+-	else if (au_fmt.dataoffset + au_fmt.datasize < psf->filelength)
+-	{	psf->filelength = au_fmt.dataoffset + au_fmt.datasize ;
++	else if (data_end < psf->filelength)
++	{	psf->filelength = data_end ;
+ 		psf_log_printf (psf, "  Data Size   : %d\n", au_fmt.datasize) ;
+ 		}
+ 	else
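Review bot: `data_end` is computed in au_read_header() before the `au_fmt.datasize == -1` test, so in the `psf->fileoffset > 0` branch a header with datasize -1 sets `psf->filelength` to `dataoffset - 1`, while the next branch treats the same value as acceptable and leaves filelength alone. The old code did the same arithmetic, so this is not a regression from the backport, but the 64-bit sum does not address it. Worth raising upstream whether the first branch needs the same `datasize == -1` guard.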
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-3.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-3.patch
new file mode 100644
index 0000000000..80af387081
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-3.patch
@@ -0,0 +1,34 @@
+From 839fa9131820d689b2038c81531b618b2932fbe3 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 16:46:29 -0400
+Subject: [PATCH 07/17] avr: fix int overflow in avr_read_header()
+
+Pre-cast hdr.frames to sf_count_t, to provide the calculation with
+enough numeric space to avoid an int-overflow.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-3.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/839fa9131820d689b2038c81531b618b2932fbe3]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/avr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/avr.c b/src/avr.c
+index 6c78ff69b..1bc1ffc90 100644
+--- a/src/avr.c
++++ b/src/avr.c
+@@ -162,7 +162,7 @@ avr_read_header (SF_PRIVATE *psf)
+ 	psf->endian = SF_ENDIAN_BIG ;
+ 
+  	psf->dataoffset = AVR_HDR_SIZE ;
+-	psf->datalength = hdr.frames * (hdr.rez / 8) ;
++	psf->datalength = (sf_count_t) hdr.frames * (hdr.rez / 8) ;
+ 
+ 	if (psf->fileoffset > 0)
+ 		psf->filelength = AVR_HDR_SIZE + psf->datalength ;
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-4.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-4.patch
new file mode 100644
index 0000000000..2c1e10f66c
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-4.patch
@@ -0,0 +1,60 @@
+From 1116fa173ea8785c9d881936b2174be6a58c0055 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 16:54:21 -0400
+Subject: [PATCH 08/17] sds: fix int overflow warning in sample calculations
+
+The sds_*byte_read() functions compose their uint_32 sample buffers by
+shifting 7bit samples into a 32bit wide buffer, and adding them
+together. Because the 7bit samples are stored in 32bit ints, code
+fuzzers become concerned that the addition operation can overflow and
+cause undefined behavior.
+
+Instead, bitwise-OR the bytes together - which should accomplish the
+same arithmetic operation, without risking an int-overflow.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Do the same for the 3byte and 4byte read functions.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-4.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/1116fa173ea8785c9d881936b2174be6a58c0055]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/sds.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/sds.c b/src/sds.c
+index 6bc761716..2a0f164c3 100644
+--- a/src/sds.c
++++ b/src/sds.c
+@@ -454,7 +454,7 @@ sds_2byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds)
+ 
+ 	ucptr = psds->read_data + 5 ;
+ 	for (k = 0 ; k < 120 ; k += 2)
+-	{	sample = arith_shift_left (ucptr [k], 25) + arith_shift_left (ucptr [k + 1], 18) ;
++	{	sample = arith_shift_left (ucptr [k], 25) | arith_shift_left (ucptr [k + 1], 18) ;
+ 		psds->read_samples [k / 2] = (int) (sample - 0x80000000) ;
+ 		} ;
+ 
+@@ -498,7 +498,7 @@ sds_3byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds)
+ 
+ 	ucptr = psds->read_data + 5 ;
+ 	for (k = 0 ; k < 120 ; k += 3)
+-	{	sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) ;
++	{	sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) ;
+ 		psds->read_samples [k / 3] = (int) (sample - 0x80000000) ;
+ 		} ;
+ 
+@@ -542,7 +542,7 @@ sds_4byte_read (SF_PRIVATE *psf, SDS_PRIVATE *psds)
+ 
+ 	ucptr = psds->read_data + 5 ;
+ 	for (k = 0 ; k < 120 ; k += 4)
+-	{	sample = (((uint32_t) ucptr [k]) << 25) + (ucptr [k + 1] << 18) + (ucptr [k + 2] << 11) + (ucptr [k + 3] << 4) ;
++	{	sample = (((uint32_t) ucptr [k]) << 25) | (ucptr [k + 1] << 18) | (ucptr [k + 2] << 11) | (ucptr [k + 3] << 4) ;
+ 		psds->read_samples [k / 4] = (int) (sample - 0x80000000) ;
+ 		} ;
+ 
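Review bot: replacing `+` with `|` in sds_2byte_read(), sds_3byte_read() and sds_4byte_read() gives the same result only when every `ucptr [k]` byte is at most 0x7F, because the shift amounts (25, 18, 11, 4) are 7 bits apart and an 8-bit value would overlap the next field. The commit message assumes "7bit samples", but nothing in the visible lines masks the bytes, so for input with the top bit set the decoded sample now differs from what 1.0.31 produced. Suggest confirming the bytes are masked with 0x7F earlier in the read path, or noting the behaviour change in the header. Minor: the sentence "Do the same for the 3byte and 4byte read functions." sits after the upstream Signed-off-by line and reads as if it belongs to the description above it.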
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-5.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-5.patch
new file mode 100644
index 0000000000..a96e5fefa4
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-5.patch
@@ -0,0 +1,39 @@
+From 23188c9b1c34f06ca7f17243425d59403e9eb0db Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 17:26:51 -0400
+Subject: [PATCH 09/17] aiff: fix int overflow when counting header elements
+
+aiff_read_basc_chunk() tries to count the AIFF header size by keeping
+track of the bytes returned by psf_binheader_readf(). Though improbable,
+it is technically possible for these added bytes to exceed the int-sized
+`count` accumulator.
+
+Use a 64-bit sf_count_t type for `count`, to ensure that it always has
+enough numeric space.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-5.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/23188c9b1c34f06ca7f17243425d59403e9eb0db]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/aiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/aiff.c b/src/aiff.c
+index ac3655e9d..6d8f1bc83 100644
+--- a/src/aiff.c
++++ b/src/aiff.c
+@@ -1702,7 +1702,7 @@ static int
+ aiff_read_basc_chunk (SF_PRIVATE * psf, int datasize)
+ {	const char * type_str ;
+ 	basc_CHUNK bc ;
+-	int count ;
++	sf_count_t count ;
+ 
+ 	count = psf_binheader_readf (psf, "E442", &bc.version, &bc.numBeats, &bc.rootNote) ;
+ 	count += psf_binheader_readf (psf, "E222", &bc.scaleType, &bc.sigNumerator, &bc.sigDenominator) ;
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-6.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-6.patch
new file mode 100644
index 0000000000..0f89c47d59
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-6.patch
@@ -0,0 +1,82 @@
+From 00bd0320d895ef5f3027c75a9df26546bc18f8b7 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 17:43:02 -0400
+Subject: [PATCH 10/17] ircam: fix int overflow in ircam_read_header()
+
+When reading the IRCAM header, it is possible for the calculated
+blockwidth to exceed the bounds of a signed int32.
+
+Use a 64bit sf_count_t to store the blockwidth.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-6.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/00bd0320d895ef5f3027c75a9df26546bc18f8b7]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/common.h |  2 +-
+ src/ircam.c  | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/common.h b/src/common.h
+index cd9ac8b07..01f6ae095 100644
+--- a/src/common.h
++++ b/src/common.h
+@@ -439,7 +439,7 @@ typedef struct sf_private_tag
+ 	sf_count_t		datalength ;	/* Length in bytes of the audio data. */
+ 	sf_count_t		dataend ;		/* Offset to file tailer. */
+ 
+-	int				blockwidth ;	/* Size in bytes of one set of interleaved samples. */
++	sf_count_t		blockwidth ;	/* Size in bytes of one set of interleaved samples. */
+ 	int				bytewidth ;		/* Size in bytes of one sample (one channel). */
+ 
+ 	void			*dither ;
+diff --git a/src/ircam.c b/src/ircam.c
+index 8e7cdba81..3d73ba442 100644
+--- a/src/ircam.c
++++ b/src/ircam.c
+@@ -171,35 +171,35 @@ ircam_read_header	(SF_PRIVATE *psf)
+ 	switch (encoding)
+ 	{	case IRCAM_PCM_16 :
+ 				psf->bytewidth = 2 ;
+-				psf->blockwidth = psf->sf.channels * psf->bytewidth ;
++				psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
+ 
+ 				psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_16 ;
+ 				break ;
+ 
+ 		case IRCAM_PCM_32 :
+ 				psf->bytewidth = 4 ;
+-				psf->blockwidth = psf->sf.channels * psf->bytewidth ;
++				psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
+ 
+ 				psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_PCM_32 ;
+ 				break ;
+ 
+ 		case IRCAM_FLOAT :
+ 				psf->bytewidth = 4 ;
+-				psf->blockwidth = psf->sf.channels * psf->bytewidth ;
++				psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
+ 
+ 				psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_FLOAT ;
+ 				break ;
+ 
+ 		case IRCAM_ALAW :
+ 				psf->bytewidth = 1 ;
+-				psf->blockwidth = psf->sf.channels * psf->bytewidth ;
++				psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
+ 
+ 				psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ALAW ;
+ 				break ;
+ 
+ 		case IRCAM_ULAW :
+ 				psf->bytewidth = 1 ;
+-				psf->blockwidth = psf->sf.channels * psf->bytewidth ;
++				psf->blockwidth = (sf_count_t) psf->sf.channels * psf->bytewidth ;
+ 
+ 				psf->sf.format = SF_FORMAT_IRCAM | SF_FORMAT_ULAW ;
+ 				break ;
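Review bot: the src/common.h hunk changes the type of `blockwidth` in the shared SF_PRIVATE struct from `int` to `sf_count_t`, but within this file only the assignments in ircam_read_header() are updated. Every other reader of `psf->blockwidth` (format strings that print it with an int specifier, int locals it is copied into, arithmetic that assumed int) now sees a wider type, and none of that is visible here. Please confirm the build is warning-free for this field with the whole series applied, and mention in the header that -7 and -11 rely on this struct change.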
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-7.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-7.patch
new file mode 100644
index 0000000000..a26c14294d
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-7.patch
@@ -0,0 +1,48 @@
+From 590608bbbded2ca0966dc89c5d9b6bf659f4cb71 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Wed, 11 Oct 2023 16:12:22 -0400
+Subject: [PATCH 11/17] mat4/mat5: fix int overflow when calculating blockwidth
+
+Pre-cast the components of the blockwidth calculation to sf_count_t to
+avoid overflowing integers during calculation.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-7.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/590608bbbded2ca0966dc89c5d9b6bf659f4cb71]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mat4.c | 2 +-
+ src/mat5.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mat4.c b/src/mat4.c
+index 575683ba1..9f046f0c6 100644
+--- a/src/mat4.c
++++ b/src/mat4.c
+@@ -104,7 +104,7 @@ mat4_open	(SF_PRIVATE *psf)
+ 
+ 	psf->container_close = mat4_close ;
+ 
+-	psf->blockwidth = psf->bytewidth * psf->sf.channels ;
++	psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ;
+ 
+ 	switch (subformat)
+ 	{	case SF_FORMAT_PCM_16 :
+diff --git a/src/mat5.c b/src/mat5.c
+index da5a6eca0..20f0ea64b 100644
+--- a/src/mat5.c
++++ b/src/mat5.c
+@@ -114,7 +114,7 @@ mat5_open	(SF_PRIVATE *psf)
+ 
+ 	psf->container_close = mat5_close ;
+ 
+-	psf->blockwidth = psf->bytewidth * psf->sf.channels ;
++	psf->blockwidth = (sf_count_t) psf->bytewidth * psf->sf.channels ;
+ 
+ 	switch (subformat)
+ 	{	case SF_FORMAT_PCM_U8 :
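
Review bot: In mat4_open and mat5_open the `(sf_count_t)` cast widens the multiplication, but the product is still stored in `psf->blockwidth`, whose declared type is not shown in these hunks. If that field is narrower than sf_count_t, a large `psf->sf.channels` still leaves a truncated blockwidth after the assignment, so the backport should confirm the field's type in 1.0.31 or pair the cast with an upper bound on the channel count before this line. The patch header also carries `CVE: CVE-2022-33065` twice, once from the upstream message and once in the backport trailer; one tag is enough.
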
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-8.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-8.patch
new file mode 100644
index 0000000000..641f73ad55
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-8.patch
@@ -0,0 +1,179 @@
+From 4ec860910a4ee91ed4fdf1c0a49f2dad96d595c9 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Mon, 16 Oct 2023 12:37:47 -0400
+Subject: [PATCH 12/17] common: fix int overflow in psf_binheader_readf()
+
+The psf_binheader_readf() function attempts to count and return the
+number of bytes traversed in the header. During this accumulation, it is
+possible to overflow the int-sized byte_count variable.
+
+Avoid this overflow by checking that the accumulated bytes do not exceed
+INT_MAX and throwing an error if they do. This implies that files with
+multi-gigabyte headers threaten to produce this error, but I imagine
+those files don't really exist - and this error is better than the
+undefined behavior which would have resulted previously.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-8.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/4ec860910a4ee91ed4fdf1c0a49f2dad96d595c9]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/common.c | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+--- libsndfile-1.0.31.orig/src/common.c
++++ libsndfile-1.0.31/src/common.c
+@@ -18,6 +18,7 @@
+ 
+ #include <config.h>
+ 
++#include <limits.h>
+ #include <stdarg.h>
+ #include <string.h>
+ #if HAVE_UNISTD_H
+@@ -962,6 +963,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 	double			*doubleptr ;
+ 	char			c ;
+ 	int				byte_count = 0, count = 0 ;
++	int				read_bytes = 0 ;
+ 
+ 	if (! format)
+ 		return psf_ftell (psf) ;
+@@ -970,6 +972,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 
+ 	while ((c = *format++))
+ 	{
++		read_bytes = 0 ;
+ 		if (psf->header.indx + 16 >= psf->header.len && psf_bump_header_allocation (psf, 16))
+ 			return count ;
+ 
+@@ -986,7 +989,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 					intptr = va_arg (argptr, unsigned int*) ;
+ 					*intptr = 0 ;
+ 					ucptr = (unsigned char*) intptr ;
+-					byte_count += header_read (psf, ucptr, sizeof (int)) ;
++					read_bytes = header_read (psf, ucptr, sizeof (int)) ;
+ 					*intptr = GET_MARKER (ucptr) ;
+ 					break ;
+ 
+@@ -994,7 +997,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 					intptr = va_arg (argptr, unsigned int*) ;
+ 					*intptr = 0 ;
+ 					ucptr = (unsigned char*) intptr ;
+-					byte_count += header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ;
++					read_bytes = header_read (psf, sixteen_bytes, sizeof (sixteen_bytes)) ;
+ 					{	int k ;
+ 						intdata = 0 ;
+ 						for (k = 0 ; k < 16 ; k++)
+@@ -1006,14 +1009,14 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 			case '1' :
+ 					charptr = va_arg (argptr, char*) ;
+ 					*charptr = 0 ;
+-					byte_count += header_read (psf, charptr, sizeof (char)) ;
++					read_bytes = header_read (psf, charptr, sizeof (char)) ;
+ 					break ;
+ 
+ 			case '2' : /* 2 byte value with the current endian-ness */
+ 					shortptr = va_arg (argptr, unsigned short*) ;
+ 					*shortptr = 0 ;
+ 					ucptr = (unsigned char*) shortptr ;
+-					byte_count += header_read (psf, ucptr, sizeof (short)) ;
++					read_bytes = header_read (psf, ucptr, sizeof (short)) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						*shortptr = GET_BE_SHORT (ucptr) ;
+ 					else
+@@ -1023,7 +1026,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 			case '3' : /* 3 byte value with the current endian-ness */
+ 					intptr = va_arg (argptr, unsigned int*) ;
+ 					*intptr = 0 ;
+-					byte_count += header_read (psf, sixteen_bytes, 3) ;
++					read_bytes = header_read (psf, sixteen_bytes, 3) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						*intptr = GET_BE_3BYTE (sixteen_bytes) ;
+ 					else
+@@ -1034,7 +1037,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 					intptr = va_arg (argptr, unsigned int*) ;
+ 					*intptr = 0 ;
+ 					ucptr = (unsigned char*) intptr ;
+-					byte_count += header_read (psf, ucptr, sizeof (int)) ;
++					read_bytes = header_read (psf, ucptr, sizeof (int)) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						*intptr = psf_get_be32 (ucptr, 0) ;
+ 					else
+@@ -1044,7 +1047,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 			case '8' : /* 8 byte value with the current endian-ness */
+ 					countptr = va_arg (argptr, sf_count_t *) ;
+ 					*countptr = 0 ;
+-					byte_count += header_read (psf, sixteen_bytes, 8) ;
++					read_bytes = header_read (psf, sixteen_bytes, 8) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						countdata = psf_get_be64 (sixteen_bytes, 0) ;
+ 					else
+@@ -1055,7 +1058,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 			case 'f' : /* Float conversion */
+ 					floatptr = va_arg (argptr, float *) ;
+ 					*floatptr = 0.0 ;
+-					byte_count += header_read (psf, floatptr, sizeof (float)) ;
++					read_bytes = header_read (psf, floatptr, sizeof (float)) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						*floatptr = float32_be_read ((unsigned char*) floatptr) ;
+ 					else
+@@ -1065,7 +1068,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 			case 'd' : /* double conversion */
+ 					doubleptr = va_arg (argptr, double *) ;
+ 					*doubleptr = 0.0 ;
+-					byte_count += header_read (psf, doubleptr, sizeof (double)) ;
++					read_bytes = header_read (psf, doubleptr, sizeof (double)) ;
+ 					if (psf->rwf_endian == SF_ENDIAN_BIG)
+ 						*doubleptr = double64_be_read ((unsigned char*) doubleptr) ;
+ 					else
+@@ -1089,7 +1092,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 					charptr = va_arg (argptr, char*) ;
+ 					count = va_arg (argptr, size_t) ;
+ 					memset (charptr, 0, count) ;
+-					byte_count += header_read (psf, charptr, count) ;
++					read_bytes = header_read (psf, charptr, count) ;
+ 					break ;
+ 
+ 			case 'G' :
+@@ -1100,7 +1103,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 					if (psf->header.indx + count >= psf->header.len && psf_bump_header_allocation (psf, count))
+ 						return 0 ;
+ 
+-					byte_count += header_gets (psf, charptr, count) ;
++					read_bytes = header_gets (psf, charptr, count) ;
+ 					break ;
+ 
+ 			case 'z' :
+@@ -1124,7 +1127,7 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 			case 'j' :	/* Seek to position from current position. */
+ 					count = va_arg (argptr, size_t) ;
+ 					header_seek (psf, count, SEEK_CUR) ;
+-					byte_count += count ;
++					read_bytes = count ;
+ 					break ;
+ 
+ 			default :
+@@ -1132,8 +1135,17 @@ psf_binheader_readf (SF_PRIVATE *psf, ch
+ 				psf->error = SFE_INTERNAL ;
+ 				break ;
+ 			} ;
++
++		if (read_bytes > 0 && byte_count > (INT_MAX - read_bytes))
++		{	psf_log_printf (psf, "Header size exceeds INT_MAX. Aborting.", c) ;
++			psf->error = SFE_INTERNAL ;
++			break ;
++		} else
++		{	byte_count += read_bytes ;
+ 		} ;
+ 
++		} ;	/*end while*/
++
+ 	va_end (argptr) ;
+ 
+ 	return byte_count ;
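
Review bot: The new overflow branch at the end of the loop calls `psf_log_printf (psf, "Header size exceeds INT_MAX. Aborting.", c)` with an argument `c` that the format string never consumes, and the message has no trailing newline. Drop the stray argument (or print the format character with a specifier) and terminate the line. Separately, the guard only fires for `read_bytes > 0`: in the 'j' case `read_bytes = count` takes an int that was fetched with `va_arg (argptr, size_t)`, so a negative value skips the check and is added to byte_count unchecked; a matching lower-bound test would cover that side as well.
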
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-9.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-9.patch
new file mode 100644
index 0000000000..88dc80addf
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2022-33065-9.patch
@@ -0,0 +1,231 @@
+From 6e162cb767e81cd15f4dc2a2fa253d2e36adfd70 Mon Sep 17 00:00:00 2001
+From: Alex Stewart <alex.stewart@ni.com>
+Date: Thu, 19 Oct 2023 14:07:19 -0400
+Subject: [PATCH 13/17] nms_adpcm: fix int overflow in signal estimate
+
+It is possible (though functionally incorrect) for the signal estimate
+calculation in nms_adpcm_update() to overflow the int value of s_e,
+resulting in undefined behavior.
+
+Since adpcm state signal values are never practically larger than
+16 bits, use smaller numeric sizes throughout the file to avoid the
+overflow.
+
+CVE: CVE-2022-33065
+Fixes: https://github.com/libsndfile/libsndfile/issues/833
+
+Authored-by: Arthur Taylor <art@ified.ca>
+Signed-off-by: Alex Stewart <alex.stewart@ni.com>
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsndfile/tree/debian/patches/CVE-2022-33065/CVE-2022-33065-9.patch?h=ubuntu/jammy-security
+Upstream commit https://github.com/libsndfile/libsndfile/commit/6e162cb767e81cd15f4dc2a2fa253d2e36adfd70]
+CVE: CVE-2022-33065
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/nms_adpcm.c | 81 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 40 insertions(+), 41 deletions(-)
+
+--- libsndfile-1.2.0.orig/src/nms_adpcm.c
++++ libsndfile-1.2.0/src/nms_adpcm.c
+@@ -48,36 +48,36 @@
+ /* Variable names from ITU G.726 spec */
+ struct nms_adpcm_state
+ {	/* Log of the step size multiplier. Operated on by codewords. */
+-	int yl ;
++	short yl ;
+ 
+ 	/* Quantizer step size multiplier. Generated from yl. */
+-	int y ;
++	short y ;
+ 
+ 	/* Coefficents of the pole predictor */
+-	int a [2] ;
++	short a [2] ;
+ 
+ 	/* Coefficents of the zero predictor  */
+-	int b [6] ;
++	short b [6] ;
+ 
+ 	/* Previous quantized deltas (multiplied by 2^14) */
+-	int d_q [7] ;
++	short d_q [7] ;
+ 
+ 	/* d_q [x] + s_ez [x], used by the pole-predictor for signs only. */
+-	int p [3] ;
++	short p [3] ;
+ 
+ 	/* Previous reconstructed signal values. */
+-	int s_r [2] ;
++	short s_r [2] ;
+ 
+ 	/* Zero predictor components of the signal estimate. */
+-	int s_ez ;
++	short s_ez ;
+ 
+ 	/* Signal estimate, (including s_ez). */
+-	int s_e ;
++	short s_e ;
+ 
+ 	/* The most recent codeword (enc:generated, dec:inputted) */
+-	int Ik ;
++	char Ik ;
+ 
+-	int parity ;
++	char parity ;
+ 
+ 	/*
+ 	** Offset into code tables for the bitrate.
+@@ -109,7 +109,7 @@ typedef struct
+ } NMS_ADPCM_PRIVATE ;
+ 
+ /* Pre-computed exponential interval used in the antilog approximation. */
+-static unsigned int table_expn [] =
++static unsigned short table_expn [] =
+ {	0x4000, 0x4167, 0x42d5, 0x444c,	0x45cb, 0x4752, 0x48e2, 0x4a7a,
+ 	0x4c1b, 0x4dc7, 0x4f7a, 0x5138,	0x52ff, 0x54d1, 0x56ac, 0x5892,
+ 	0x5a82, 0x5c7e, 0x5e84, 0x6096,	0x62b4, 0x64dd, 0x6712, 0x6954,
+@@ -117,21 +117,21 @@ static unsigned int table_expn [] =
+ } ;
+ 
+ /* Table mapping codewords to scale factor deltas. */
+-static int table_scale_factor_step [] =
++static short table_scale_factor_step [] =
+ {	0x0,	0x0,	0x0,	0x0,	0x4b0,	0x0,	0x0,	0x0,	/* 2-bit */
+ 	-0x3c,	0x0,	0x90,	0x0,	0x2ee,	0x0,	0x898,	0x0,	/* 3-bit */
+ 	-0x30,	0x12,	0x6b,	0xc8,	0x188,	0x2e0,	0x551,	0x1150,	/* 4-bit */
+ } ;
+ 
+ /* Table mapping codewords to quantized delta interval steps. */
+-static unsigned int table_step [] =
++static unsigned short table_step [] =
+ {	0x73F,	0,		0,		0,		0x1829,	0,		0,		0,		/* 2-bit */
+ 	0x3EB,	0,		0xC18,	0,		0x1581,	0,		0x226E,	0,		/* 3-bit */
+ 	0x20C,	0x635,	0xA83,	0xF12,	0x1418,	0x19E3,	0x211A,	0x2BBA,	/* 4-bit */
+ } ;
+ 
+ /* Binary search lookup table for quantizing using table_step. */
+-static int table_step_search [] =
++static short table_step_search [] =
+ {	0,		0x1F6D,	0,		-0x1F6D,	0,		0,			0,			0, /* 2-bit */
+ 	0x1008,	0x1192,	0,		-0x219A,	0x1656,	-0x1656,	0,			0, /* 3-bit */
+ 	0x872,	0x1277,	-0x8E6,	-0x232B,	0xD06,	-0x17D7,	-0x11D3,	0, /* 4-bit */
+@@ -179,23 +179,23 @@ static sf_count_t nms_adpcm_seek (SF_PRI
+ ** Maps [1,20480] to [1,1024] in an exponential relationship. This is
+ ** approximately ret = b^exp where b = e^(ln(1024)/ln(20480)) ~= 1.0003385
+ */
+-static inline int
+-nms_adpcm_antilog (int exp)
+-{	int ret ;
+-
+-	ret = 0x1000 ;
+-	ret += (((exp & 0x3f) * 0x166b) >> 12) ;
+-	ret *= table_expn [(exp & 0x7c0) >> 6] ;
+-	ret >>= (26 - (exp >> 11)) ;
++static inline short
++nms_adpcm_antilog (short exp)
++{	int_fast32_t r ;
++
++	r = 0x1000 ;
++	r += (((int_fast32_t) (exp & 0x3f) * 0x166b) >> 12) ;
++	r *= table_expn [(exp & 0x7c0) >> 6] ;
++	r >>= (26 - (exp >> 11)) ;
+ 
+-	return ret ;
++	return (short) r ;
+ } /* nms_adpcm_antilog */
+ 
+ static void
+ nms_adpcm_update (struct nms_adpcm_state *s)
+ {	/* Variable names from ITU G.726 spec */
+-	int a1ul ;
+-	int fa1 ;
++	short a1ul, fa1 ;
++	int_fast32_t se ;
+ 	int i ;
+ 
+ 	/* Decay and Modify the scale factor in the log domain based on the codeword. */
+@@ -222,7 +222,7 @@ nms_adpcm_update (struct nms_adpcm_state
+ 	else if (fa1 > 256)
+ 		fa1 = 256 ;
+ 
+-	s->a [0] = (0xff * s->a [0]) >> 8 ;
++	s->a [0] = (s->a [0] * 0xff) >> 8 ;
+ 	if (s->p [0] != 0 && s->p [1] != 0 && ((s->p [0] ^ s->p [1]) < 0))
+ 		s->a [0] -= 192 ;
+ 	else
+@@ -230,7 +230,7 @@ nms_adpcm_update (struct nms_adpcm_state
+ 		fa1 = -fa1 ;
+ 		}
+ 
+-	s->a [1] = fa1 + ((0xfe * s->a [1]) >> 8) ;
++	s->a [1] = fa1 + ((s->a [1] * 0xfe) >> 8) ;
+ 	if (s->p [0] != 0 && s->p [2] != 0 && ((s->p [0] ^ s->p [2]) < 0))
+ 		s->a [1] -= 128 ;
+ 	else
+@@ -250,19 +250,18 @@ nms_adpcm_update (struct nms_adpcm_state
+ 			s->a [0] = a1ul ;
+ 		} ;
+ 
+-	/* Compute the zero predictor estimate. Rotate past deltas too. */
+-	s->s_ez = 0 ;
++	/* Compute the zero predictor estimate and rotate past deltas. */
++	se = 0 ;
+ 	for (i = 5 ; i >= 0 ; i--)
+-	{	s->s_ez += s->d_q [i] * s->b [i] ;
++	{	se += (int_fast32_t) s->d_q [i] * s->b [i] ;
+ 		s->d_q [i + 1] = s->d_q [i] ;
+ 		} ;
++	s->s_ez = se >> 14 ;
+ 
+-	/* Compute the signal estimate. */
+-	s->s_e = s->a [0] * s->s_r [0] + s->a [1] * s->s_r [1] + s->s_ez ;
+-
+-	/* Return to scale */
+-	s->s_ez >>= 14 ;
+-	s->s_e >>= 14 ;
++	/* Complete the signal estimate. */
++	se += (int_fast32_t) s->a [0] * s->s_r [0] ;
++	se += (int_fast32_t) s->a [1] * s->s_r [1] ;
++	s->s_e = se >> 14 ;
+ 
+ 	/* Rotate members to prepare for next iteration. */
+ 	s->s_r [1] = s->s_r [0] ;
+@@ -274,7 +273,7 @@ nms_adpcm_update (struct nms_adpcm_state
+ static int16_t
+ nms_adpcm_reconstruct_sample (struct nms_adpcm_state *s, uint8_t I)
+ {	/* Variable names from ITU G.726 spec */
+-	int dqx ;
++	int_fast32_t dqx ;
+ 
+ 	/*
+ 	** The ordering of the 12-bit right-shift is a precision loss. It agrees
+@@ -308,17 +307,17 @@ nms_adpcm_codec_init (struct nms_adpcm_s
+ /*
+ ** nms_adpcm_encode_sample()
+ **
+-** Encode a linear 16-bit pcm sample into a 2,3, or 4 bit NMS-ADPCM codeword
++** Encode a linear 16-bit pcm sample into a 2, 3, or 4 bit NMS-ADPCM codeword
+ ** using and updating the predictor state.
+ */
+ static uint8_t
+ nms_adpcm_encode_sample (struct nms_adpcm_state *s, int16_t sl)
+ {	/* Variable names from ITU G.726 spec */
+-	int d ;
++	int_fast32_t d ;
+ 	uint8_t I ;
+ 
+ 	/* Down scale the sample from 16 => ~14 bits. */
+-	sl = (sl * 0x1fdf) / 0x7fff ;
++	sl = ((int_fast32_t) sl * 0x1fdf) / 0x7fff ;
+ 
+ 	/* Compute estimate, and delta from actual value */
+ 	nms_adpcm_update (s) ;
+@@ -407,7 +406,7 @@ nms_adpcm_encode_sample (struct nms_adpc
+ */
+ static int16_t
+ nms_adpcm_decode_sample (struct nms_adpcm_state *s, uint8_t I)
+-{	int sl ;
++{	int_fast32_t sl ;
+ 
+ 	nms_adpcm_update (s) ;
+ 	sl = nms_adpcm_reconstruct_sample (s, I) ;
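
Review bot: In nms_adpcm_update the accumulator `se` is an int_fast32_t, which is only guaranteed to be at least 32 bits wide, and it sums eight short-by-short products (six `d_q [i] * b [i]` terms plus the two `a [n] * s_r [n]` terms) with nothing in the visible lines bounding the operands. Each product can reach 2^30 in magnitude, so on a target where int_fast32_t is 32 bits the sum can still overflow; int64_t, or a clamp on the state values, would make the fix independent of the target's choice. Two smaller points: `Ik` and `parity` become plain `char`, whose signedness differs between architectures, so `signed char` or `int8_t` would be safer if either is ever compared against a negative value, and the diff header names libsndfile-1.2.0 while the recipe is 1.0.31, so it is worth confirming that the patch applies without fuzz.
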
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb
index 20240635f7..6a6ccf7567 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.31.bb
@@ -11,7 +11,19 @@ LICENSE = "LGPL-2.1-only"
 SRC_URI = "https://github.com/libsndfile/libsndfile/releases/download/${PV}/libsndfile-${PV}.tar.bz2 \
            file://noopus.patch \
            file://0001-flac-Fix-improper-buffer-reusing-732.patch \
-           file://CVE-2022-33065.patch \
+           file://CVE-2022-33065-1.patch \
+           file://CVE-2022-33065-2.patch \
+           file://CVE-2022-33065-3.patch \
+           file://CVE-2022-33065-4.patch \
+           file://CVE-2022-33065-5.patch \
+           file://CVE-2022-33065-6.patch \
+           file://CVE-2022-33065-7.patch \
+           file://CVE-2022-33065-8.patch \
+           file://CVE-2022-33065-9.patch \
+           file://CVE-2022-33065-10.patch \
+           file://CVE-2022-33065-11.patch \
+           file://CVE-2022-33065-12.patch \
+           file://CVE-2022-33065-13.patch \
            file://CVE-2024-50612.patch \
           "
 UPSTREAM_CHECK_URI = "https://github.com/libsndfile/libsndfile/releases/"
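
Review bot: This SRC_URI change drops `file://CVE-2022-33065.patch` in favour of the thirteen numbered patches, so the old patch file should be deleted from libsndfile1/ in the same commit, otherwise it stays in the tree unreferenced. The entries are applied in list order, so keeping them numeric as written (-9 before -10) matters if any of the thirteen overlap.
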
-- 
2.43.0




* [OE-core][kirkstone 02/13] ghostscript: ignore CVE-2024-46954
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 01/13] libsndfile1: Backport fix for CVE-2022-33065 Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 03/13] tiff: ignore CVE-2023-2731 Steve Sakoman
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe.

[1] points to [2] as patch, while file base/gp_utf8.c is not part of
ghostscript source tarball.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-46954
[2] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=55f587dd039282316f512e1bea64218fd991f934

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index cd0a7de70e..6d425710b5 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -24,7 +24,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
 CVE_CHECK_IGNORE += "CVE-2013-6629"
 
 # Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe.
-CVE_CHECK_IGNORE += "CVE-2023-38560"
+CVE_CHECK_IGNORE += "CVE-2023-38560 CVE-2024-46954"
 
 def gs_verdir(v):
     return "".join(v.split("."))
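
Review bot: CVE-2024-46954 is appended to the existing CVE-2023-38560 line, so the only recorded justification is the shared GhostPCL comment; the more specific reason given in the commit message (the referenced fix touches base/gp_utf8.c, which is not in the ghostscript tarball) is lost once this lands. A separate `CVE_CHECK_IGNORE +=` line with that reason as its comment would let a later audit re-verify the ignore without digging up this thread.
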
-- 
2.43.0




* [OE-core][kirkstone 03/13] tiff: ignore CVE-2023-2731
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 01/13] libsndfile1: Backport fix for CVE-2022-33065 Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 02/13] ghostscript: ignore CVE-2024-46954 Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 04/13] tiff: patch CVE-2023-3164 Steve Sakoman
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

This further tweaks fix for CVE-2022-1622/CVE-2022-1623 by adding it to
one additional goto label.

Previous fix:
https://gitlab.com/libtiff/libtiff/-/commit/b4e79bfa0c7d2d08f6f1e7ec38143fc8cb11394a

Additional fix:
https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index 27bb306e94..a47fc4bd34 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -65,8 +65,8 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 # and 4.3.0 doesn't have the issue
 CVE_CHECK_IGNORE += "CVE-2015-7313"
 # These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
+# caused by 3079627e and fixed by b4e79bfa and again by 9be22b63
+CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623 CVE-2023-2731"
 # Issue is in jbig which we don't enable
 CVE_CHECK_IGNORE += "CVE-2022-1210"
 
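
Review bot: The comment above the ignore still says the issues exist only "post-4.3.0 but before 4.4.0", a window written for CVE-2022-1622 and CVE-2022-1623; with CVE-2023-2731 added and a second fix commit named, that upper bound needs rechecking, since the follow-up fix 9be22b63 may postdate 4.4.0. What justifies the ignore for this recipe is that 4.3.0 predates the causing commit 3079627e, so the comment could say that directly.
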
-- 
2.43.0




* [OE-core][kirkstone 04/13] tiff: patch CVE-2023-3164
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2025-01-07 13:31 ` [OE-core][kirkstone 03/13] tiff: ignore CVE-2023-2731 Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 05/13] gstreame1.0: ignore CVEs from gstreamer1.0-plugins-bad Steve Sakoman
                   ` (8 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Backport fix from upstream.

There was style refactoring done in the code meanwhile, so the patch was
assembled manually by applying each change on 4.3.0 sources.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libtiff/tiff/CVE-2023-3164.patch          | 114 ++++++++++++++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   1 +
 2 files changed, 115 insertions(+)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch

diff --git a/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch
new file mode 100644
index 0000000000..4a47db8789
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/tiff/CVE-2023-3164.patch
@@ -0,0 +1,114 @@
+From a20298c4785c369469510613dfbc5bf230164fed Mon Sep 17 00:00:00 2001
+From: Lee Howard <faxguy@howardsilvan.com>
+Date: Fri, 17 May 2024 15:11:10 +0000
+Subject: [PATCH] tiffcrop: fixes #542, #550, #552 (buffer overflows, use after
+ free)
+
+CVE: CVE-2023-3164
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/commit/a20298c4785c369469510613dfbc5bf230164fed]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ tools/tiffcrop.c | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index b11fec93a..aaf6bb280 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -449,6 +449,7 @@ static uint16_t defcompression = (uint16_t) -1;
+ static uint16_t defpredictor = (uint16_t) -1;
+ static int    pageNum = 0;
+ static int    little_endian = 1;
++static tmsize_t check_buffsize = 0;
+ 
+ /* Functions adapted from tiffcp with additions or significant modifications */
+ static int  readContigStripsIntoBuffer   (TIFF*, uint8_t*);
+@@ -2081,6 +2082,11 @@ void  process_command_opts (int argc, char *argv[], char *mp, char *mode, uint32
+ 		  TIFFError ("Limit for subdivisions, ie rows x columns, exceeded", "%d", MAX_SECTIONS);
+ 		  exit (EXIT_FAILURE);
+                   }
++                if ((page->cols * page->rows) < 1)
++                {
++                    TIFFError("No subdivisions", "%d", (page->cols * page->rows));
++                    exit(EXIT_FAILURE);
++                }
+                 page->mode |= PAGE_MODE_ROWSCOLS;
+ 		break;
+       case 'U':	/* units for measurements and offsets */
+@@ -4433,7 +4439,7 @@ combineSeparateTileSamplesBytes (unsigned char *srcbuffs[], unsigned char *out,
+     dst = out + (row * dst_rowsize);
+     src_offset = row * src_rowsize;
+ #ifdef DEVELMODE
+-    TIFFError("","Tile row %4d, Src offset %6d   Dst offset %6d", 
++    TIFFError("","Tile row %4d, Src offset %6d   Dst offset %6zd", 
+               row, src_offset, dst - out);
+ #endif
+     for (col = 0; col < cols; col++)
+@@ -5028,7 +5034,7 @@ static int readSeparateStripsIntoBuffer (TIFF *in, uint8_t *obuf, uint32_t lengt
+         break;
+         }
+ #ifdef DEVELMODE
+-      TIFFError("", "Strip %2"PRIu32", read %5"PRId32" bytes for %4"PRIu32" scanlines, shift width %d",
++      TIFFError("", "Strip %2"PRIu32", read %5zd bytes for %4"PRIu32" scanlines, shift width %d",
+ 		strip, bytes_read, rows_this_strip, shift_width);
+ #endif
+       }
+@@ -6446,6 +6452,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+         TIFFError("loadImage", "Unable to allocate read buffer");
+         return (-1);
+     }
++    check_buffsize = buffsize + NUM_BUFF_OVERSIZE_BYTES;
+ 
+   read_buff[buffsize] = 0;
+   read_buff[buffsize+1] = 0;
+@@ -7076,6 +7083,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+ #ifdef DEVELMODE
+         TIFFError ("", "Src offset: %8"PRIu32", Dst offset: %8"PRIu32, src_offset, dst_offset); 
+ #endif
++      if (src_offset + full_bytes >= check_buffsize)
++      {
++        printf("Bad input. Preventing reading outside of input buffer.\n");
++        return(-1);
++      }
+       _TIFFmemcpy (sect_buff + dst_offset, src_buff + src_offset, full_bytes);
+       dst_offset += full_bytes;
+       }        
+@@ -7110,6 +7122,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+       bytebuff1 = bytebuff2 = 0;
+       if (shift1 == 0) /* the region is byte and sample aligned */
+         {
++          if (offset1 + full_bytes >= check_buffsize)
++          {
++            printf("Bad input. Preventing reading outside of input buffer.\n");
++            return(-1);
++          }
+ 	_TIFFmemcpy (sect_buff + dst_offset, src_buff + offset1, full_bytes);
+ 
+ #ifdef DEVELMODE
+@@ -7129,6 +7146,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+         if (trailing_bits != 0)
+           {
+       /* Only copy higher bits of samples and mask lower bits of not wanted column samples to zero */
++      if (offset1 + full_bytes >= check_buffsize)
++      {
++        printf("Bad input. Preventing reading outside of input buffer.\n");
++        return(-1);
++      }
+ 	  bytebuff2 = src_buff[offset1 + full_bytes] & ((unsigned char)255 << (8 - trailing_bits));
+           sect_buff[dst_offset] = bytebuff2;
+ #ifdef DEVELMODE
+@@ -7154,6 +7176,11 @@ extractImageSection(struct image_data *image, struct pageseg *section,
+           {
+           /* Skip the first shift1 bits and shift the source up by shift1 bits before save to destination.*/
+           /* Attention: src_buff size needs to be some bytes larger than image size, because could read behind image here. */
++          if (offset1 + j + 1 >= check_buffsize)
++          {
++            printf("Bad input. Preventing reading outside of input buffer.\n");
++            return(-1);
++          }
+           bytebuff1 = src_buff[offset1 + j] & ((unsigned char)255 >> shift1);
+           bytebuff2 = src_buff[offset1 + j + 1] & ((unsigned char)255 << (8 - shift1));
+           sect_buff[dst_offset + j] = (bytebuff1 << shift1) | (bytebuff2 >> (8 - shift1));
+-- 
+GitLab
+
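
Review bot: The new bounds checks in extractImageSection compare a sum such as `src_offset + full_bytes` or `offset1 + full_bytes` against the tmsize_t `check_buffsize`, but the addition is evaluated in the operands' own type first; `src_offset` is printed with PRIu32 just above, so if the other operands are 32-bit unsigned as well, a wrapped sum passes the check and the following `_TIFFmemcpy` is not protected. Casting one operand to tmsize_t before adding would remove that dependency. The rejection path also reports through `printf` while the rest of the visible code uses TIFFError, so the message goes to stdout, and `check_buffsize` is file-scope state set in loadImage, which ties every check to whichever image was loaded last.
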
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
index a47fc4bd34..5ec7b20e61 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -54,6 +54,7 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://CVE-2023-6277-3.patch \
            file://CVE-2023-6277-4.patch \
            file://CVE-2024-7006.patch \
+           file://CVE-2023-3164.patch \
            "
 
 SRC_URI[sha256sum] = "0e46e5acb087ce7d1ac53cf4f56a09b221537fc86dfc5daaad1c2e89e1b37ac8"
-- 
2.43.0




* [OE-core][kirkstone 05/13] gstreame1.0: ignore CVEs from gstreamer1.0-plugins-bad
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (3 preceding siblings ...)
  2025-01-07 13:31 ` [OE-core][kirkstone 04/13] tiff: patch CVE-2023-3164 Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 06/13] xwayland: patch CVE-2023-5380 CVE-2024-0229 Steve Sakoman
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

These CVEs are patched in gstreamer1.0-plugins-bad.
CPE for gstreamer-plugins-bad mostly hits original gstreamer recipe.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb
index 2c9c6944b0..cf81620833 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb
@@ -69,7 +69,7 @@ FILES:${PN}-dbg += "${datadir}/gdb ${datadir}/gstreamer-1.0/gdb"
 
 CVE_PRODUCT = "gstreamer"
 
-# this CVE is patched in gstreamer1.0-plugins-bad
-CVE_CHECK_IGNORE += "CVE-2024-0444"
+# these CVEs are patched in gstreamer1.0-plugins-bad
+CVE_CHECK_IGNORE += "CVE-2023-40474 CVE-2023-40475 CVE-2023-40476 CVE-2023-44429 CVE-2023-44446 CVE-2023-50186 CVE-2024-0444"
 
 PTEST_BUILD_HOST_FILES = ""
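
Review bot: Six more CVE ids are added to a single `CVE_CHECK_IGNORE` line under the comment "these CVEs are patched in gstreamer1.0-plugins-bad", but nothing here points to where each one is patched, and the ignore only stays correct while the plugins-bad recipe in this branch carries all of those fixes. Naming the plugins-bad patch files or the version that contains the fixes in the comment, and splitting the list over several lines, would make the ignore checkable. The underlying mismatch is `CVE_PRODUCT = "gstreamer"` matching plugins-bad entries, as the commit message notes.
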
-- 
2.43.0




* [OE-core][kirkstone 06/13] xwayland: patch CVE-2023-5380 CVE-2024-0229
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (4 preceding siblings ...)
  2025-01-07 13:31 ` [OE-core][kirkstone 05/13] gstreame1.0: ignore CVEs from gstreamer1.0-plugins-bad Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 07/13] libarchive: Fix CVE-2024-20696 Steve Sakoman
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

The patches are copied from xserver-xorg recipe.
The CVEs are reported for both and patches apply on both.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xwayland/xwayland/CVE-2023-5380.patch     | 103 ++++++++
 .../xwayland/xwayland/CVE-2024-0229-1.patch   |  88 +++++++
 .../xwayland/xwayland/CVE-2024-0229-2.patch   | 222 ++++++++++++++++++
 .../xwayland/xwayland/CVE-2024-0229-3.patch   |  42 ++++
 .../xwayland/xwayland/CVE-2024-0229-4.patch   |  46 ++++
 .../xwayland/xwayland_22.1.8.bb               |   5 +
 6 files changed, 506 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch
new file mode 100644
index 0000000000..ee2aa01b0e
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2023-5380.patch
@@ -0,0 +1,103 @@
+From 564ccf2ce9616620456102727acb8b0256b7bbd7 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 5 Oct 2023 12:19:45 +1000
+Subject: [PATCH] mi: reset the PointerWindows reference on screen switch
+
+PointerWindows[] keeps a reference to the last window our sprite
+entered - changes are usually handled by CheckMotion().
+
+If we switch between screens via XWarpPointer our
+dev->spriteInfo->sprite->win is set to the new screen's root window.
+If there's another window at the cursor location CheckMotion() will
+trigger the right enter/leave events later. If there is not, it skips
+that process and we never trigger LeaveWindow() - PointerWindows[] for
+the device still refers to the previous window.
+
+If that window is destroyed we have a dangling reference that will
+eventually cause a use-after-free bug when checking the window hierarchy
+later.
+
+To trigger this, we require:
+- two protocol screens
+- XWarpPointer to the other screen's root window
+- XDestroyWindow before entering any other window
+
+This is a niche bug so we hack around it by making sure we reset the
+PointerWindows[] entry so we cannot have a dangling pointer. This
+doesn't handle Enter/Leave events correctly but the previous code didn't
+either.
+
+CVE-2023-5380, ZDI-CAN-21608
+
+This vulnerability was discovered by:
+Sri working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/564ccf2ce9616620456102727acb8b0256b7bbd7]
+CVE: CVE-2023-5380
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dix/enterleave.h   |  2 --
+ include/eventstr.h |  3 +++
+ mi/mipointer.c     | 17 +++++++++++++++--
+ 3 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/dix/enterleave.h b/dix/enterleave.h
+index 4b833d8a3b..e8af924c68 100644
+--- a/dix/enterleave.h
++++ b/dix/enterleave.h
+@@ -58,8 +58,6 @@ extern void DeviceFocusEvent(DeviceIntPtr dev,
+ 
+ extern void EnterWindow(DeviceIntPtr dev, WindowPtr win, int mode);
+ 
+-extern void LeaveWindow(DeviceIntPtr dev);
+-
+ extern void CoreFocusEvent(DeviceIntPtr kbd,
+                            int type, int mode, int detail, WindowPtr pWin);
+ 
+diff --git a/include/eventstr.h b/include/eventstr.h
+index 93308f9b24..a9926eaeef 100644
+--- a/include/eventstr.h
++++ b/include/eventstr.h
+@@ -335,4 +335,7 @@ union _InternalEvent {
+     GestureEvent gesture_event;
+ };
+ 
++extern void
++LeaveWindow(DeviceIntPtr dev);
++
+ #endif
+diff --git a/mi/mipointer.c b/mi/mipointer.c
+index a638f25d4a..8cf0035140 100644
+--- a/mi/mipointer.c
++++ b/mi/mipointer.c
+@@ -397,8 +397,21 @@ miPointerWarpCursor(DeviceIntPtr pDev, ScreenPtr pScreen, int x, int y)
+ #ifdef PANORAMIX
+         && noPanoramiXExtension
+ #endif
+-        )
+-        UpdateSpriteForScreen(pDev, pScreen);
++        ) {
++            DeviceIntPtr master = GetMaster(pDev, MASTER_POINTER);
++            /* Hack for CVE-2023-5380: if we're moving
++             * screens PointerWindows[] keeps referring to the
++             * old window. If that gets destroyed we have a UAF
++             * bug later. Only happens when jumping from a window
++             * to the root window on the other screen.
++             * Enter/Leave events are incorrect for that case but
++             * too niche to fix.
++             */
++            LeaveWindow(pDev);
++            if (master)
++                LeaveWindow(master);
++            UpdateSpriteForScreen(pDev, pScreen);
++    }
+ }
+ 
+ /**
+-- 
+GitLab
+
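Review bot: In the include/eventstr.h hunk, LeaveWindow() is now declared in the header that defines the internal event structures, with no comment explaining why an enter/leave function moved there from dix/enterleave.h. If mi/mipointer.c can include dix/enterleave.h, keeping the prototype there would be cleaner; otherwise a one-line comment saying it is exported for miPointerWarpCursor() would help later readers. In the mi/mipointer.c hunk the closing brace of the new block is indented four spaces against an opening at eight, which is worth tidying if the backport is allowed to differ from upstream.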
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch
new file mode 100644
index 0000000000..03ee6978ca
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-1.patch
@@ -0,0 +1,88 @@
+From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 14:27:50 +1000
+Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify
+
+If a device has both a button class and a key class and numButtons is
+zero, we can get an OOB write due to event under-allocation.
+
+This function seems to assume a device has either keys or buttons, not
+both. It has two virtually identical code paths, both of which assume
+they're applying to the first event in the sequence.
+
+A device with both a key and button class triggered a logic bug - only
+one xEvent was allocated but the deviceStateNotify pointer was pushed on
+once per type. So effectively this logic code:
+
+   int count = 1;
+   if (button && nbuttons > 32) count++;
+   if (key && nbuttons > 0) count++;
+   if (key && nkeys > 32) count++; // this is basically always true
+   // count is at 2 for our keys + zero button device
+
+   ev = alloc(count * sizeof(xEvent));
+   FixDeviceStateNotify(ev);
+   if (button)
+     FixDeviceStateNotify(ev++);
+   if (key)
+     FixDeviceStateNotify(ev++);   // santa drops into the wrong chimney here
+
+If the device has more than 3 valuators, the OOB is pushed back - we're
+off by one so it will happen when the last deviceValuator event is
+written instead.
+
+Fix this by allocating the maximum number of events we may allocate.
+Note that the current behavior is not protocol-correct anyway, this
+patch fixes only the allocation issue.
+
+Note that this issue does not trigger if the device has at least one
+button. While the server does not prevent a button class with zero
+buttons, it is very unlikely.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index ded8679d76..17964b00a4 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -675,7 +675,8 @@ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
+     int evcount = 1;
+-    deviceStateNotify *ev, *sev;
++    deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
++    deviceStateNotify *ev;
+     deviceKeyStateNotify *kev;
+     deviceButtonStateNotify *bev;
+ 
+@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+         }
+     }
+ 
+-    sev = ev = xallocarray(evcount, sizeof(xEvent));
++    ev = sev;
+     FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+ 
+     if (b != NULL) {
+@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ 
+     DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+                           DeviceStateNotifyMask, NullGrab);
+-    free(sev);
+ }
+ 
+ void
+-- 
+GitLab
+
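Review bot: In DeliverStateNotifyEvent(), the new stack array sev[6 + (MAX_VALUATORS + 2)/3] has an undocumented size, and nothing in this hunk checks that the number of events written through ev stays within it or matches the evcount later passed to DeliverEventsToWindow(). A comment deriving the 6 and the (MAX_VALUATORS + 2)/3 term, plus an assertion that evcount does not exceed the array length before the first FixDeviceStateNotify() call, would make this fix auditable on its own rather than only together with the follow-up patch.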
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch
new file mode 100644
index 0000000000..098b263332
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-2.patch
@@ -0,0 +1,222 @@
+From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 12:26:20 +1000
+Subject: [PATCH] dix: fix DeviceStateNotify event calculation
+
+The previous code only made sense if one considers buttons and keys to
+be mutually exclusive on a device. That is not necessarily true, causing
+a number of issues.
+
+This function allocates and fills in the number of xEvents we need to
+send the device state down the wire.  This is split across multiple
+32-byte devices including one deviceStateNotify event and optional
+deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
+deviceValuator events.
+
+The previous behavior would instead compose a sequence
+of [state, buttonstate, state, keystate, valuator...]. This is not
+protocol correct, and on top of that made the code extremely convoluted.
+
+Fix this by streamlining: add both button and key into the deviceStateNotify
+and then append the key state and button state, followed by the
+valuators. Finally, the deviceValuator events contain up to 6 valuators
+per event but we only ever sent through 3 at a time. Let's double that
+troughput.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
+ 1 file changed, 52 insertions(+), 69 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 17964b00a4..7b7ba1098b 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+ 
+     ev->type = DeviceValuator;
+     ev->deviceid = dev->id;
+-    ev->num_valuators = nval < 3 ? nval : 3;
++    ev->num_valuators = nval < 6 ? nval : 6;
+     ev->first_valuator = first;
+     switch (ev->num_valuators) {
++    case 6:
++        ev->valuator2 = v->axisVal[first + 5];
++    case 5:
++        ev->valuator2 = v->axisVal[first + 4];
++    case 4:
++        ev->valuator2 = v->axisVal[first + 3];
+     case 3:
+         ev->valuator2 = v->axisVal[first + 2];
+     case 2:
+@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+         ev->valuator0 = v->axisVal[first];
+         break;
+     }
+-    first += ev->num_valuators;
+ }
+ 
+ static void
+@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+         ev->num_buttons = b->numButtons;
+         memcpy((char *) ev->buttons, (char *) b->down, 4);
+     }
+-    else if (k) {
++    if (k) {
+         ev->classes_reported |= (1 << KeyClass);
+         ev->num_keys = k->xkbInfo->desc->max_key_code -
+             k->xkbInfo->desc->min_key_code;
+@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+     }
+ }
+ 
+-
++/**
++ * The device state notify event is split across multiple 32-byte events.
++ * The first one contains the first 32 button state bits, the first 32
++ * key state bits, and the first 3 valuator values.
++ *
++ * If a device has more than that, the server sends out:
++ * - one deviceButtonStateNotify for buttons 32 and above
++ * - one deviceKeyStateNotify for keys 32 and above
++ * - one deviceValuator event per 6 valuators above valuator 4
++ *
++ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
++ */
+ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
++    /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
++     * and one deviceValuator for each 6 valuators */
++    deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
+     int evcount = 1;
+-    deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
+-    deviceStateNotify *ev;
+-    deviceKeyStateNotify *kev;
+-    deviceButtonStateNotify *bev;
++    deviceStateNotify *ev = sev;
+ 
+     KeyClassPtr k;
+     ButtonClassPtr b;
+@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ 
+     if ((b = dev->button) != NULL) {
+         nbuttons = b->numButtons;
+-        if (nbuttons > 32)
++        if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
+             evcount++;
+     }
+     if ((k = dev->key) != NULL) {
+         nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
+-        if (nkeys > 32)
++        if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
+             evcount++;
+-        if (nbuttons > 0) {
+-            evcount++;
+-        }
+     }
+     if ((v = dev->valuator) != NULL) {
+         nval = v->numAxes;
+-
+-        if (nval > 3)
+-            evcount++;
+-        if (nval > 6) {
+-            if (!(k && b))
+-                evcount++;
+-            if (nval > 9)
+-                evcount += ((nval - 7) / 3);
+-        }
++        /* first three are encoded in deviceStateNotify, then
++         * it's 6 per deviceValuator event */
++        evcount += ((nval - 3) + 6)/6;
+     }
+ 
+-    ev = sev;
+-    FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+-
+-    if (b != NULL) {
+-        FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nbuttons > 32) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            bev = (deviceButtonStateNotify *) ev++;
+-            bev->type = DeviceButtonStateNotify;
+-            bev->deviceid = dev->id;
+-            memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+-                   DOWN_LENGTH - 4);
+-        }
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
++    BUG_RETURN(evcount <= ARRAY_SIZE(sev));
++
++    FixDeviceStateNotify(dev, ev, k, b, v, first);
++
++    if (b != NULL && nbuttons > 32) {
++        deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
++        (ev - 1)->deviceid |= MORE_EVENTS;
++        bev->type = DeviceButtonStateNotify;
++        bev->deviceid = dev->id;
++        memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
++               DOWN_LENGTH - 4);
+     }
+ 
+-    if (k != NULL) {
+-        FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nkeys > 32) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            kev = (deviceKeyStateNotify *) ev++;
+-            kev->type = DeviceKeyStateNotify;
+-            kev->deviceid = dev->id;
+-            memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+-        }
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
++    if (k != NULL && nkeys > 32) {
++        deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
++        (ev - 1)->deviceid |= MORE_EVENTS;
++        kev->type = DeviceKeyStateNotify;
++        kev->deviceid = dev->id;
++        memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+     }
+ 
++    first = 3;
++    nval -= 3;
+     while (nval > 0) {
+-        FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
++        ev->deviceid |= MORE_EVENTS;
++        FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
++        first += 6;
++        nval -= 6;
+     }
+ 
+     DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+-- 
+GitLab
+
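Review bot: In FixDeviceValuator(), the new cases 6, 5 and 4 all assign to ev->valuator2, so each value is overwritten by the fall-through into case 3 and the axes at first + 3 to first + 5 never reach the wire; these presumably should target valuator5, valuator4 and valuator3. Separately, in DeliverStateNotifyEvent(), evcount += ((nval - 3) + 6)/6 adds one event when nval is exactly 3 (and again at 9, 15 and so on), yet the while (nval > 0) loop writes nothing for that last slot, so evcount can exceed the number of initialised entries in the stack array sev that DeliverEventsToWindow() then sends. Rounding up with ((nval - 3) + 5)/6, or zero-initialising sev, would close that gap.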
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch
new file mode 100644
index 0000000000..915da00c6f
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-3.patch
@@ -0,0 +1,42 @@
+From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 13:48:10 +1000
+Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of
+ buttons
+
+There's a racy sequence where a master device may copy the button class
+from the slave, without ever initializing numButtons. This leads to a
+device with zero buttons but a button class which is invalid.
+
+Let's copy the numButtons value from the source - by definition if we
+don't have a button class yet we do not have any other slave devices
+with more than this number of buttons anyway.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Xi/exevents.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 54ea11a938..e161714682 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+                 to->button = calloc(1, sizeof(ButtonClassRec));
+                 if (!to->button)
+                     FatalError("[Xi] no memory for class shift.\n");
++                to->button->numButtons = from->button->numButtons;
+             }
+             else
+                 classes->button = NULL;
+-- 
+GitLab
+
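Review bot: The added to->button->numButtons = from->button->numButtons dereferences from->button, and the condition that guarantees it is non-NULL lies outside the context lines shown; please confirm the enclosing branch is only taken when the source device has a button class. The patch header could also say whether numButtons is refreshed when to->button already exists, since this line only runs on the allocation path.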
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch
new file mode 100644
index 0000000000..35a853ad6f
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2024-0229-4.patch
@@ -0,0 +1,46 @@
+From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 14:10:11 +1000
+Subject: [PATCH] Xi: require a pointer and keyboard device for
+ XIAttachToMaster
+
+If we remove a master device and specify which other master devices
+attached slaves should be returned to, enforce that those two are
+indeeed a pointer and a keyboard.
+
+Otherwise we can try to attach the keyboards to pointers and vice versa,
+leading to possible crashes later.
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Xi/xichangehierarchy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index 504defe566..d2d985848d 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+         if (rc != Success)
+             goto unwind;
+ 
+-        if (!IsMaster(newptr)) {
++        if (!IsMaster(newptr) || !IsPointerDevice(newptr)) {
+             client->errorValue = r->return_pointer;
+             rc = BadDevice;
+             goto unwind;
+@@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+         if (rc != Success)
+             goto unwind;
+ 
+-        if (!IsMaster(newkeybd)) {
++        if (!IsMaster(newkeybd) || !IsKeyboardDevice(newkeybd)) {
+             client->errorValue = r->return_keyboard;
+             rc = BadDevice;
+             goto unwind;
+-- 
+GitLab
+
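Review bot: The subject names XIAttachToMaster, but both changed checks are in remove_master() and validate r->return_pointer and r->return_keyboard, which is what the message body describes; the mismatch makes the patch harder to locate when auditing CVE-2024-0229 coverage, so a clarifying line in the patch header would help. A regression test that passes a master keyboard as return_pointer (and a master pointer as return_keyboard) and expects BadDevice would pin the new behaviour down.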
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 133c65fbc3..f639088b25 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -16,6 +16,11 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
            file://CVE-2023-6816.patch \
            file://CVE-2024-0408.patch \
            file://CVE-2024-0409.patch \
+           file://CVE-2023-5380.patch \
+           file://CVE-2024-0229-1.patch \
+           file://CVE-2024-0229-2.patch \
+           file://CVE-2024-0229-3.patch \
+           file://CVE-2024-0229-4.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
 
-- 
2.43.0




* [OE-core][kirkstone 07/13] libarchive: Fix CVE-2024-20696
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (5 preceding siblings ...)
  2025-01-07 13:31 ` [OE-core][kirkstone 06/13] xwayland: patch CVE-2023-5380 CVE-2024-0229 Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 08/13] webkitgtk: Security fix for CVE-2024-40776 and CVE-2024-40780 Steve Sakoman
                   ` (5 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: aszh07 <mail2szahir@gmail.com>

Add Patch file to fix CVE-2024-20696

CVE: CVE-2024-20696

Signed-off-by: Nitin Wankhade <nitin.wankhade@kpit.com>
Signed-off-by: Nikhil R <nikhilr5@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libarchive/CVE-2024-20696.patch           | 114 ++++++++++++++++++
 .../libarchive/libarchive_3.6.2.bb            |   1 +
 2 files changed, 115 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
new file mode 100644
index 0000000000..f980f60597
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2024-20696.patch
@@ -0,0 +1,114 @@
+From eac15e252010c1189a5c0f461364dbe2cd2a68b1 Mon Sep 17 00:00:00 2001
+From: "Dustin L. Howett" <dustin@howett.net>
+Date: Thu, 9 May 2024 18:59:17 -0500
+Subject: [PATCH] rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
+
+copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
+both of its callers were holding a `size_t`.
+
+A lzss opcode chain could be constructed that resulted in a negative
+copy length, which when passed into memcpy would result in a very, very
+large positive number.
+
+Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
+properly bounds-check length.
+
+In addition, this patch also ensures that `length` is not itself larger
+than the destination buffer.
+
+CVE: CVE-2024-20696
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/eac15e252010c1189a5c0f461364dbe2cd2a68b1]
+
+Signed-off-by: Nitin Wankhade <nitin.wankhade@kpit.com>
+---
+
+--- a/libarchive/archive_read_support_format_rar.c   2024-12-11 12:33:47.566310000 +0530
++++ a/libarchive/archive_read_support_format_rar.c   2024-12-11 13:09:39.396142151 +0530
+@@ -432,7 +432,7 @@ static int make_table_recurse(struct arc
+                               struct huffman_table_entry *, int, int);
+ static int expand(struct archive_read *, int64_t *);
+ static int copy_from_lzss_window_to_unp(struct archive_read *, const void **,
+-                                        int64_t, int);
++                                        int64_t, size_t);
+ static const void *rar_read_ahead(struct archive_read *, size_t, ssize_t *);
+ static int parse_filter(struct archive_read *, const uint8_t *, uint16_t,
+                         uint8_t);
+@@ -2069,7 +2069,7 @@ read_data_compressed(struct archive_read
+         bs = rar->unp_buffer_size - rar->unp_offset;
+       else
+         bs = (size_t)rar->bytes_uncopied;
+-      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
++      ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
+       if (ret != ARCHIVE_OK)
+         return (ret);
+       rar->offset += bs;
+@@ -2209,7 +2209,7 @@ read_data_compressed(struct archive_read
+       bs = rar->unp_buffer_size - rar->unp_offset;
+     else
+       bs = (size_t)rar->bytes_uncopied;
+-    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, (int)bs);
++    ret = copy_from_lzss_window_to_unp(a, buff, rar->offset, bs);
+     if (ret != ARCHIVE_OK)
+       return (ret);
+     rar->offset += bs;
+@@ -3090,11 +3090,16 @@ copy_from_lzss_window(struct archive_rea
+ 
+ static int
+ copy_from_lzss_window_to_unp(struct archive_read *a, const void **buffer,
+-                             int64_t startpos, int length)
++                             int64_t startpos, size_t length)
+ {
+   int windowoffs, firstpart;
+   struct rar *rar = (struct rar *)(a->format->data);
+ 
++  if (length > rar->unp_buffer_size)
++  {
++    goto fatal;
++  }
++
+   if (!rar->unp_buffer)
+   {
+     if ((rar->unp_buffer = malloc(rar->unp_buffer_size)) == NULL)
+@@ -3106,17 +3111,17 @@ copy_from_lzss_window_to_unp(struct arch
+   }
+ 
+   windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
+-  if(windowoffs + length <= lzss_size(&rar->lzss)) {
++  if(windowoffs + length <= (size_t)lzss_size(&rar->lzss)) {
+     memcpy(&rar->unp_buffer[rar->unp_offset], &rar->lzss.window[windowoffs],
+            length);
+-  } else if (length <= lzss_size(&rar->lzss)) {
++  } else if (length <= (size_t)lzss_size(&rar->lzss)) {
+     firstpart = lzss_size(&rar->lzss) - windowoffs;
+     if (firstpart < 0) {
+       archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+                         "Bad RAR file data");
+       return (ARCHIVE_FATAL);
+     }
+-    if (firstpart < length) {
++    if ((size_t)firstpart < length) {
+       memcpy(&rar->unp_buffer[rar->unp_offset],
+              &rar->lzss.window[windowoffs], firstpart);
+       memcpy(&rar->unp_buffer[rar->unp_offset + firstpart],
+@@ -3126,9 +3131,7 @@ copy_from_lzss_window_to_unp(struct arch
+              &rar->lzss.window[windowoffs], length);
+     }
+   } else {
+-      archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+-                        "Bad RAR file data");
+-      return (ARCHIVE_FATAL);
++      goto fatal;
+   }
+   rar->unp_offset += length;
+   if (rar->unp_offset >= rar->unp_buffer_size)
+@@ -3136,6 +3139,10 @@ copy_from_lzss_window_to_unp(struct arch
+   else
+     *buffer = NULL;
+   return (ARCHIVE_OK);
++fatal:
++  archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++                    "Bad RAR file data");
++  return (ARCHIVE_FATAL);
+ }
+ 
+ static const void *
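Review bot: In copy_from_lzss_window_to_unp(), the new guard compares length against rar->unp_buffer_size only, while every memcpy in the function writes to &rar->unp_buffer[rar->unp_offset], so a length that fits the whole buffer but not the space remaining after unp_offset still passes. Consider checking length > rar->unp_buffer_size - rar->unp_offset, after confirming unp_offset cannot exceed unp_buffer_size. The comparison windowoffs + length <= (size_t)lzss_size(&rar->lzss) now mixes int and size_t, so it is also worth confirming that lzss_offset_for_position() never returns a negative value, since that would wrap instead of failing the check.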
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index e1eca79004..6af01cf408 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -33,6 +33,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://CVE-2024-26256.patch \
            file://CVE-2024-48957.patch \
            file://CVE-2024-48958.patch \
+           file://CVE-2024-20696.patch \
            "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
 
-- 
2.43.0




* [OE-core][kirkstone 08/13] webkitgtk: Security fix for CVE-2024-40776 and CVE-2024-40780
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (6 preceding siblings ...)
  2025-01-07 13:31 ` [OE-core][kirkstone 07/13] libarchive: Fix CVE-2024-20696 Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 09/13] ffmpeg: fix CVE-2024-35366 Steve Sakoman
                   ` (4 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Rohini Sangam <rsangam@mvista.com>

CVE fixed:
- CVE-2024-40776 webkitgtk: Use after free may lead to Remote Code Execution
- CVE-2024-40780 webkitgtk: Out-of-bounds read was addressed with improved bounds checking

Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/b951404ea74ae432312a83138f5c8945a0d09e1b and https://github.com/WebKit/WebKit/commit/e83e4c7460972898dc06a5f5ab36eed7c6b101b5

Signed-off-by: Rohini Sangam <rsangam@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../webkit/webkitgtk/CVE-2024-40776.patch     | 141 ++++++++++++++++++
 .../webkit/webkitgtk/CVE-2024-40780.patch     |  94 ++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   2 +
 3 files changed, 237 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch
new file mode 100644
index 0000000000..60f18168fe
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch
@@ -0,0 +1,141 @@
+From b951404ea74ae432312a83138f5c8945a0d09e1b Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard <jya@apple.com>
+Date: Wed, 24 Apr 2024 19:01:06 -0700
+Subject: [PATCH] CVE-2024-40776: Always copy all audio channels to the AudioBus 
+to guarantee data lifetime.
+
+Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/b951404ea74ae432312a83138f5c8945a0d09e1b
+CVE: CVE-2024-40776
+
+Signed-off-by: Rohini Sangam <rsangam@mvista.com>
+---
+ ...et-concurrent-resampler-crash-expected.txt |  1 +
+ ...dioworklet-concurrent-resampler-crash.html | 44 +++++++++++++++++++
+ .../platform/audio/MultiChannelResampler.cpp  | 21 ++-------
+ .../platform/audio/MultiChannelResampler.h    |  2 -
+ 4 files changed, 48 insertions(+), 20 deletions(-)
+ create mode 100644 LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt
+ create mode 100644 LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html
+
+diff --git a/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt
+new file mode 100644
+index 00000000..654ddf7f
+--- /dev/null
++++ b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt
+@@ -0,0 +1 @@
++This test passes if it does not crash.
+diff --git a/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html
+new file mode 100644
+index 00000000..b3ab181d
+--- /dev/null
++++ b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html
+@@ -0,0 +1,44 @@
++<html>
++<head>
++    <script>
++        let worklet_source = `
++            class Processor extends AudioWorkletProcessor {
++                process(inputs, outputs, parameters) {
++                    return true;
++                }
++            }
++            registerProcessor('P2', Processor);
++        `;
++
++        let blob = new Blob([worklet_source], { type: 'application/javascript' });
++        let worklet = URL.createObjectURL(blob);
++
++        var ctx = new AudioContext({ sampleRate: 44100});
++        const dest = ctx.destination;
++        dest.channelCountMode = "max";
++
++        async function main() {
++            await ctx.audioWorklet.addModule(worklet);
++            var script_processor = ctx.createScriptProcessor();
++            script_processor.onaudioprocess = function() {
++                dest.channelCount = 1;
++                audio_worklet.disconnect();
++                if (window.testRunner)
++                    testRunner.notifyDone();
++            }
++            var audio_worklet = new AudioWorkletNode(ctx, "P2");
++            script_processor.connect(audio_worklet);
++            audio_worklet.connect(dest);
++        }
++    </script>
++</head>
++<body onload="main()">
++    <p>This test passes if it does not crash.</p>
++    <script>
++    if (window.testRunner) {
++        testRunner.waitUntilDone();
++        testRunner.dumpAsText();
++    }
++    </script>
++</body>
++</html>
+diff --git a/Source/WebCore/platform/audio/MultiChannelResampler.cpp b/Source/WebCore/platform/audio/MultiChannelResampler.cpp
+index 1dadc58c..13db6f26 100644
+--- a/Source/WebCore/platform/audio/MultiChannelResampler.cpp
++++ b/Source/WebCore/platform/audio/MultiChannelResampler.cpp
+@@ -41,18 +41,8 @@ namespace WebCore {
+ MultiChannelResampler::MultiChannelResampler(double scaleFactor, unsigned numberOfChannels, unsigned requestFrames, Function<void(AudioBus*, size_t framesToProcess)>&& provideInput)
+     : m_numberOfChannels(numberOfChannels)
+     , m_provideInput(WTFMove(provideInput))
+-    , m_multiChannelBus(AudioBus::create(numberOfChannels, requestFrames, false))
++    , m_multiChannelBus(AudioBus::create(numberOfChannels, requestFrames))
+ {
+-    // As an optimization, we will use the buffer passed to provideInputForChannel() as channel memory for the first channel so we
+-    // only need to allocate memory if there is more than one channel.
+-    if (numberOfChannels > 1) {
+-        m_channelsMemory.reserveInitialCapacity(numberOfChannels - 1);
+-        for (unsigned channelIndex = 1; channelIndex < numberOfChannels; ++channelIndex) {
+-            m_channelsMemory.uncheckedAppend(makeUnique<AudioFloatArray>(requestFrames));
+-            m_multiChannelBus->setChannelMemory(channelIndex, m_channelsMemory.last()->data(), requestFrames);
+-        }
+-    }
+-
+     // Create each channel's resampler.
+     for (unsigned channelIndex = 0; channelIndex < numberOfChannels; ++channelIndex)
+         m_kernels.append(makeUnique<SincResampler>(scaleFactor, requestFrames, std::bind(&MultiChannelResampler::provideInputForChannel, this, std::placeholders::_1, std::placeholders::_2, channelIndex)));
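Review bot: The constructor drops the `false` third argument to AudioBus::create() and the m_channelsMemory allocations, and the comment that explained the old memory scheme goes with them, leaving no explanation of the new one. A one-line comment above the initializer list stating that m_multiChannelBus now holds the memory for every channel, including channel 0, would keep a later change from bringing back the first-channel buffer reuse that this fix removes.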
+@@ -89,15 +79,10 @@ void MultiChannelResampler::process(AudioBus* destination, size_t framesToProces
+ void MultiChannelResampler::provideInputForChannel(float* buffer, size_t framesToProcess, unsigned channelIndex)
+ {
+     ASSERT(channelIndex < m_multiChannelBus->numberOfChannels());
+-    ASSERT(framesToProcess == m_multiChannelBus->length());
++    ASSERT(framesToProcess <= m_multiChannelBus->length());
+ 
+-    if (!channelIndex) {
+-        // As an optimization, we use the provided buffer as memory for the first channel in the AudioBus. This avoids
+-        // having to memcpy() for the first channel.
+-        m_multiChannelBus->setChannelMemory(0, buffer, framesToProcess);
++    if (!channelIndex)
+         m_provideInput(m_multiChannelBus.get(), framesToProcess);
+-        return;
+-    }
+ 
+     // Copy the channel data from what we received from m_multiChannelProvider.
+     memcpy(buffer, m_multiChannelBus->channel(channelIndex)->data(), sizeof(float) * framesToProcess);
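Review bot: In provideInputForChannel(), the bound on framesToProcess is enforced only by `ASSERT(framesToProcess <= m_multiChannelBus->length());`, which is compiled out of release builds, while the memcpy() at the end copies `sizeof(float) * framesToProcess` bytes out of the channel unconditionally. Since the assertion was relaxed from `==` to `<=`, the length is now expected to vary, so consider a release-time check (RELEASE_ASSERT, or clamping framesToProcess to the bus length) before the copy.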
+diff --git a/Source/WebCore/platform/audio/MultiChannelResampler.h b/Source/WebCore/platform/audio/MultiChannelResampler.h
+index e96cc56b..274fe364 100644
+--- a/Source/WebCore/platform/audio/MultiChannelResampler.h
++++ b/Source/WebCore/platform/audio/MultiChannelResampler.h
+@@ -29,7 +29,6 @@
+ #ifndef MultiChannelResampler_h
+ #define MultiChannelResampler_h
+ 
+-#include "AudioArray.h"
+ #include <memory>
+ #include <wtf/Function.h>
+ #include <wtf/Vector.h>
+@@ -62,7 +61,6 @@ private:
+     size_t m_outputFramesReady { 0 };
+     Function<void(AudioBus*, size_t framesToProcess)> m_provideInput;
+     RefPtr<AudioBus> m_multiChannelBus;
+-    Vector<std::unique_ptr<AudioFloatArray>> m_channelsMemory;
+ };
+ 
+ } // namespace WebCore
+-- 
+2.35.7
+
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch
new file mode 100644
index 0000000000..ab41213d7d
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch
@@ -0,0 +1,94 @@
+From e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Mon Sep 17 00:00:00 2001
+From: Jer Noble <jer.noble@apple.com>
+Date: Tue, 11 Jun 2024 11:54:06 -0700
+Subject: [PATCH] CVE-2024-40780: Add check in AudioBufferSourceNode::renderFromBuffer() 
+when detune is set to large negative value
+
+Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/e83e4c7460972898dc06a5f5ab36eed7c6b101b5
+CVE: CVE-2024-40780
+
+Signed-off-by: Rohini Sangam <rsangam@mvista.com>
+---
+ ...buffersourcenode-detune-crash-expected.txt | 10 +++++++
+ .../audiobuffersourcenode-detune-crash.html   | 30 +++++++++++++++++++
+ .../webaudio/AudioBufferSourceNode.cpp        |  7 +++++
+ 3 files changed, 47 insertions(+)
+ create mode 100644 LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
+ create mode 100644 LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
+
+diff --git a/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
+new file mode 100644
+index 00000000..914ba0b1
+--- /dev/null
++++ b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
+@@ -0,0 +1,10 @@
++Attempting to create a AudioBufferSourceNode with a large negative detune value should not crash.
++
++On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
++
++
++PASS Test passed because it did not crash.
++PASS successfullyParsed is true
++
++TEST COMPLETE
++
+diff --git a/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
+new file mode 100644
+index 00000000..e8af579d
+--- /dev/null
++++ b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
+@@ -0,0 +1,30 @@
++<!DOCTYPE html>
++<html>
++    <head>
++    <script src="../resources/js-test-pre.js"></script>
++    <script src="resources/audio-testing.js"></script>
++    </head>
++    <body>
++        <script>
++            description("Attempting to create a AudioBufferSourceNode with a large negative detune value should not crash.");
++
++            jsTestIsAsync = true;
++
++            var context = new AudioContext();
++            var src = context.createBufferSource();
++            var buffer = context.createBuffer(1, 256, 44100);
++            src.buffer = buffer;
++            src.start(undefined, 1);
++            src.connect(context.listener.positionX, 0);
++            var panner = context.createPanner();
++            src.detune.value = -0xffffff;
++            panner.connect(context.destination);
++            setTimeout(() => {
++                testPassed("Test passed because it did not crash.");
++                finishJSTest();
++            }, 100);
++        </script>
++
++        <script src="../resources/js-test-post.js"></script>
++    </body>
++</html>
+diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+index 689d37a1..f68e7ff5 100644
+--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
++++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+@@ -327,9 +327,16 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
+         virtualReadIndex = readIndex;
+     } else if (!pitchRate) {
+         unsigned readIndex = static_cast<unsigned>(virtualReadIndex);
++        int deltaFrames = static_cast<int>(virtualDeltaFrames);
++        maxFrame = static_cast<unsigned>(virtualMaxFrame);
++
++        if (readIndex >= maxFrame)
++            readIndex -= deltaFrames;
+ 
+         for (unsigned i = 0; i < numberOfChannels; ++i)
+             std::fill_n(destinationChannels[i] + writeIndex, framesToProcess, sourceChannels[i][readIndex]);
++
++        virtualReadIndex = readIndex;
+     } else if (reverse) {
+         unsigned maxFrame = static_cast<unsigned>(virtualMaxFrame);
+         unsigned minFrame = static_cast<unsigned>(floorf(virtualMinFrame));
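Review bot: In the `!pitchRate` branch, the new guard `if (readIndex >= maxFrame) readIndex -= deltaFrames;` adjusts the index once and nothing afterwards confirms that readIndex < maxFrame before `sourceChannels[i][readIndex]` is read; if deltaFrames is zero or smaller than the overshoot the read is still past the end, and because readIndex is unsigned while deltaFrames is an int, a deltaFrames larger than readIndex wraps it. A final bounds check (or early return) after the adjustment would close that gap. This branch also assigns `maxFrame` without declaring it, while the `reverse` branch below declares its own `unsigned maxFrame`, so please confirm that an outer declaration exists in the 2.36.8 sources this backport applies to.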
+-- 
+2.35.7
+
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 4849ee50ff..2006d1d55e 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -26,6 +26,8 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
            file://CVE-2023-32439.patch \
            file://CVE-2024-40779.patch \
            file://0d3344e17d258106617b0e6d783d073b188a2548.patch \
+           file://CVE-2024-40776.patch \
+           file://CVE-2024-40780.patch \
            "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
 
-- 
2.43.0




* [OE-core][kirkstone 09/13] ffmpeg: fix CVE-2024-35366
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (7 preceding siblings ...)
  2025-01-07 13:31 ` [OE-core][kirkstone 08/13] webkitgtk: Security fix for CVE-2024-40776 and CVE-2024-40780 Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 10/13] ffmpeg: fix CVE-2024-35367 Steve Sakoman
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Archana Polampalli <archana.polampalli@windriver.com>

FFmpeg n6.1.1 has an Integer Overflow. The vulnerability exists in the parse_options
function of sbgdec.c within the libavformat module. When parsing certain options,
the software does not adequately validate the input. This allows for negative
duration values to be accepted without proper bounds checking.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ffmpeg/ffmpeg/CVE-2024-35366.patch        | 37 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
new file mode 100644
index 0000000000..f619dd6eac
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
@@ -0,0 +1,37 @@
+From 4db0eb4653efad967ddcf71f564fd2f1169bafcb Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Tue, 26 Mar 2024 00:39:49 +0100
+Subject: [PATCH] avformat/sbgdec: Check for negative duration
+
+Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long'
+Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768
+
+Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+(cherry picked from commit 0bed22d597b78999151e3bde0768b7fe763fc2a6)
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+
+CVE: CVE-2024-35366
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/4db0eb4653efad967ddcf71f564fd2f1169bafcb]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavformat/sbgdec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
+index 1ef50e1598..fdcee0b452 100644
+--- a/libavformat/sbgdec.c
++++ b/libavformat/sbgdec.c
+@@ -385,7 +385,7 @@ static int parse_options(struct sbg_parser *p)
+                 case 'L':
+                     FORWARD_ERROR(parse_optarg(p, opt, &oarg));
+                     r = str_to_time(oarg.s, &p->scs.opt_duration);
+-                    if (oarg.e != oarg.s + r) {
++                    if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) {
+                         snprintf(p->err_msg, sizeof(p->err_msg),
+                                  "syntax error for option -L");
+                         return AVERROR_INVALIDDATA;
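Review bot: With `|| p->scs.opt_duration < 0` added to the condition, a well-formed but negative -L value is reported as "syntax error for option -L", which misdescribes the failure. A separate branch with its own message (for example "negative duration for option -L") would make the rejection easier to diagnose; the AVERROR_INVALIDDATA return can stay the same.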
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 7b03b7cbc0..39d79c343d 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -40,6 +40,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
            file://CVE-2023-50007.patch \
            file://CVE-2023-51796.patch \
            file://CVE-2024-7055.patch \
+           file://CVE-2024-35366.patch \
           "
 
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
-- 
2.43.0




* [OE-core][kirkstone 10/13] ffmpeg: fix CVE-2024-35367
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (8 preceding siblings ...)
  2025-01-07 13:31 ` [OE-core][kirkstone 09/13] ffmpeg: fix CVE-2024-35366 Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 11/13] ffmpeg: fix CVE-2024-35368 Steve Sakoman
                   ` (2 subsequent siblings)
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Archana Polampalli <archana.polampalli@windriver.com>

FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c,
static const vec_s8 h_subpel_filters_outer

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ffmpeg/ffmpeg/CVE-2024-35367.patch        | 47 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch
new file mode 100644
index 0000000000..69d42955da
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35367.patch
@@ -0,0 +1,47 @@
+From 09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+Date: Wed, 13 Mar 2024 02:10:26 +0100
+Subject: [PATCH] avcodec/ppc/vp8dsp_altivec: Fix out-of-bounds access
+
+h_subpel_filters_inner[i] and h_subpel_filters_outer[i / 2]
+belong together and the former allows the range 0..6,
+so the latter needs to support 0..3. But it has only three
+elements. Add another one.
+The value for the last element has been guesstimated
+from subpel_filters in libavcodec/vp8dsp.c.
+
+This is also intended to fix FATE-failures with UBSan here:
+https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
+
+Tested-by: Sean McGovern <gseanmcg@gmail.com>
+Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+
+CVE: CVE-2024-35367
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/09e6840cf7a3ee07a73c3ae88a020bf27ca1a667]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavcodec/ppc/vp8dsp_altivec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libavcodec/ppc/vp8dsp_altivec.c b/libavcodec/ppc/vp8dsp_altivec.c
+index 12dac8b0a8..061914fc38 100644
+--- a/libavcodec/ppc/vp8dsp_altivec.c
++++ b/libavcodec/ppc/vp8dsp_altivec.c
+@@ -50,11 +50,12 @@ static const vec_s8 h_subpel_filters_inner[7] =
+ // for 6tap filters, these are the outer two taps
+ // The zeros mask off pixels 4-7 when filtering 0-3
+ // and vice-versa
+-static const vec_s8 h_subpel_filters_outer[3] =
++static const vec_s8 h_subpel_filters_outer[4] =
+ {
+     REPT4(0, 0, 2, 1),
+     REPT4(0, 0, 3, 3),
+     REPT4(0, 0, 1, 2),
++    REPT4(0, 0, 0, 0),
+ };
+
+ #define LOAD_H_SUBPEL_FILTER(i) \
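Review bot: The new fourth entry `REPT4(0, 0, 0, 0)` in h_subpel_filters_outer is described in the commit message as guesstimated from subpel_filters in libavcodec/vp8dsp.c, but nothing in the code records that. A short comment on that line, plus a note beside the array that h_subpel_filters_outer[i / 2] must cover every i accepted by h_subpel_filters_inner[7], would keep the two tables from drifting apart again.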
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index 39d79c343d..ac4ade276c 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -41,6 +41,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
            file://CVE-2023-51796.patch \
            file://CVE-2024-7055.patch \
            file://CVE-2024-35366.patch \
+           file://CVE-2024-35367.patch \
           "
 
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
-- 
2.43.0




* [OE-core][kirkstone 11/13] ffmpeg: fix CVE-2024-35368
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (9 preceding siblings ...)
  2025-01-07 13:31 ` [OE-core][kirkstone 10/13] ffmpeg: fix CVE-2024-35367 Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 12/13] python3: upgrade 3.10.15 -> 3.10.16 Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 13/13] ovmf-native: remove .pyc files from install Steve Sakoman
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Archana Polampalli <archana.polampalli@windriver.com>

FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame
function within libavcodec/rkmppdec.c.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ffmpeg/ffmpeg/CVE-2024-35368.patch        | 41 +++++++++++++++++++
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch
new file mode 100644
index 0000000000..555d569825
--- /dev/null
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35368.patch
@@ -0,0 +1,41 @@
+From 4513300989502090c4fd6560544dce399a8cd53c Mon Sep 17 00:00:00 2001
+From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+Date: Sun, 24 Sep 2023 13:15:48 +0200
+Subject: [PATCH] avcodec/rkmppdec: Fix double-free on error
+
+After having created the AVBuffer that is put into frame->buf[0],
+ownership of several objects (namely an AVDRMFrameDescriptor,
+an MppFrame and some AVBufferRefs framecontextref and decoder_ref)
+has passed to the AVBuffer and therefore to the frame.
+Yet it has nevertheless been freed manually on error
+afterwards, which would lead to a double-free as soon
+as the AVFrame is unreferenced.
+
+Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
+
+CVE: CVE-2024-35368
+
+Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/4513300989502090c4fd6560544dce399a8cd53c]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ libavcodec/rkmppdec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/rkmppdec.c b/libavcodec/rkmppdec.c
+index 7665098c6a..6889545b20 100644
+--- a/libavcodec/rkmppdec.c
++++ b/libavcodec/rkmppdec.c
+@@ -463,8 +463,8 @@ static int rkmpp_retrieve_frame(AVCodecContext *avctx, AVFrame *frame)
+
+             frame->hw_frames_ctx = av_buffer_ref(decoder->frames_ref);
+             if (!frame->hw_frames_ctx) {
+-                ret = AVERROR(ENOMEM);
+-                goto fail;
++                av_frame_unref(frame);
++                return AVERROR(ENOMEM);
+             }
+
+             return 0;
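Review bot: The `!frame->hw_frames_ctx` error path now calls av_frame_unref(frame) and returns directly instead of `goto fail`, and the reason is recorded only in the commit message. A comment at this spot saying that ownership of the descriptor, the MppFrame and the buffer refs has already passed to the frame, so the manual frees on the error path must not run, would stop a later cleanup from restoring the goto.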
+--
+2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
index ac4ade276c..9aecdf07e0 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb
@@ -42,6 +42,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
            file://CVE-2024-7055.patch \
            file://CVE-2024-35366.patch \
            file://CVE-2024-35367.patch \
+           file://CVE-2024-35368.patch \
           "
 
 SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b"
-- 
2.43.0




* [OE-core][kirkstone 12/13] python3: upgrade 3.10.15 -> 3.10.16
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (10 preceding siblings ...)
  2025-01-07 13:31 ` [OE-core][kirkstone 11/13] ffmpeg: fix CVE-2024-35368 Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  2025-01-07 13:31 ` [OE-core][kirkstone 13/13] ovmf-native: remove .pyc files from install Steve Sakoman
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Handles CVE-2024-50602, CVE-2024-11168 and CVE-2024-9287.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../0001-Don-t-search-system-for-headers-libraries.patch        | 2 +-
 .../python/{python3_3.10.15.bb => python3_3.10.16.bb}           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-devtools/python/{python3_3.10.15.bb => python3_3.10.16.bb} (99%)

diff --git a/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch
index 5485020eb4..0086b1a0d6 100644
--- a/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch
+++ b/meta/recipes-devtools/python/python3/0001-Don-t-search-system-for-headers-libraries.patch
@@ -14,7 +14,7 @@ diff --git a/setup.py b/setup.py
 index c190002..5ef368d 100644
 --- a/setup.py
 +++ b/setup.py
-@@ -854,8 +854,8 @@ class PyBuildExt(build_ext):
+@@ -856,8 +856,8 @@ class PyBuildExt(build_ext):
              add_dir_to_list(self.compiler.include_dirs,
                              sysconfig.get_config_var("INCLUDEDIR"))
  
diff --git a/meta/recipes-devtools/python/python3_3.10.15.bb b/meta/recipes-devtools/python/python3_3.10.16.bb
similarity index 99%
rename from meta/recipes-devtools/python/python3_3.10.15.bb
rename to meta/recipes-devtools/python/python3_3.10.16.bb
index 0eb619dfa2..19a85a8770 100644
--- a/meta/recipes-devtools/python/python3_3.10.15.bb
+++ b/meta/recipes-devtools/python/python3_3.10.16.bb
@@ -44,7 +44,7 @@ SRC_URI:append:class-native = " \
            file://12-distutils-prefix-is-inside-staging-area.patch \
            file://0001-Don-t-search-system-for-headers-libraries.patch \
            "
-SRC_URI[sha256sum] = "aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79"
+SRC_URI[sha256sum] = "bfb249609990220491a1b92850a07135ed0831e41738cf681d63cf01b2a8fbd1"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
-- 
2.43.0




* [OE-core][kirkstone 13/13] ovmf-native: remove .pyc files from install
  2025-01-07 13:31 [OE-core][kirkstone 00/13] Patch review Steve Sakoman
                   ` (11 preceding siblings ...)
  2025-01-07 13:31 ` [OE-core][kirkstone 12/13] python3: upgrade 3.10.15 -> 3.10.16 Steve Sakoman
@ 2025-01-07 13:31 ` Steve Sakoman
  12 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-01-07 13:31 UTC (permalink / raw)
  To: openembedded-core

From: Mikko Rapeli <mikko.rapeli@linaro.org>

They break builds which share sstate files on different
machines and paths:

ERROR: ovmf-edk2-stable202408-r0 do_prepare_recipe_sysroot: Error executing a python function in exec_func_python() autogenerated:

The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
     0001:
 *** 0002:extend_recipe_sysroot(d)
     0003:
File: '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/meta/classes-global/staging.bbclass', lineno: 624, function: extend_recipe_sysroot
     0620:
     0621:    # Handle deferred binfiles
     0622:    for l in binfiles:
     0623:        (targetdir, dest) = binfiles[l]
 *** 0624:        staging_copyfile(l, targetdir, dest, postinsts, seendirs)
     0625:
     0626:    bb.note("Installed into sysroot: %s" % str(msg_adding))
     0627:    bb.note("Skipping as already exists in sysroot: %s" % str(msg_exists))
     0628:
File: '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/meta/classes-global/staging.bbclass', lineno: 165, function: staging_copyfile
     0161:        os.symlink(linkto, dest)
     0162:        #bb.warn(c)
     0163:    else:
     0164:        try:
 *** 0165:            os.link(c, dest)
     0166:        except OSError as err:
     0167:            if err.errno == errno.EXDEV:
     0168:                bb.utils.copyfile(c, dest)
     0169:            else:
Exception: FileExistsError: [Errno 17] File exists: '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-667282/tmp/sysroots-components/x86_64/ovmf-native/usr/bin/edk2_basetools/BaseTools/Source/Python/AutoGen/__pycache__/WorkspaceAutoGen.cpython-312.pyc' -> '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-667282/tmp/work/core2-64-poky-linux/ovmf/edk2-stable202408/recipe-sysroot-native/usr/bin/edk2_basetools/BaseTools/Source/Python/AutoGen/__pycache__/WorkspaceAutoGen.cpython-312.pyc'

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit facd9e17fa53e2fb3a828b3f179cfb659be75d37)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index a067dd017b..d52e3f4971 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -240,6 +240,7 @@ do_compile:class-target() {
 
 do_install:class-native() {
     install -d ${D}/${bindir}/edk2_basetools
+    find ${S}/BaseTools -name \*.pyc -exec rm -rf \{\} \;
     cp -r ${S}/BaseTools ${D}/${bindir}/${EDK_TOOLS_DIR}
 }
 
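Review bot: The added `find ${S}/BaseTools -name \*.pyc -exec rm -rf \{\} \;` deletes files from the source tree during do_install:class-native rather than from the installed copy, and it leaves the __pycache__ directories behind to be copied into ${D}. Running the cleanup on ${D}/${bindir}/${EDK_TOOLS_DIR} after the `cp -r`, and removing the __pycache__ directories themselves, would keep ${S} untouched; plain `rm -f` is also enough since the matches are files.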
-- 
2.43.0


