* [OE-core][kirkstone 00/11] Patch review
@ 2023-01-12 2:33 Steve Sakoman
0 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2023-01-12 2:33 UTC (permalink / raw)
To: openembedded-core
Please review these patches for kirkstone and have comments back by
end of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4779
The following changes since commit 96d9b5ba9bdb394c2a0b67bf0067a01578178e50:
oeqa/concurrencytest: Add number of failures to summary output (2023-01-04 05:08:37 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (2):
libarchive: upgrade 3.6.1 -> 3.6.2
devtool: process local files only for the main branch
Changqing Li (1):
base.bbclass: Fix way to check ccache path
Hitendra Prajapati (1):
systemd: CVE-2022-45873 deadlock in systemd-coredump via a crash with
a long backtrace
Jose Quaresma (2):
Revert "gstreamer1.0: disable flaky gstbin:test_watch_for_state_change
test"
gstreamer1.0: Fix race conditions in gstbin tests
Luis (1):
rm_work.bbclass: use HOSTTOOLS 'rm' binary exclusively
Martin Jansa (1):
systemd: backport another change from v252 to fix build with
CVE-2022-45873.patch
Narpat Mali (1):
ffmpeg: fix for CVE-2022-3109
Pavel Zhukov (1):
oeqa/rpm.py: Increase timeout and add debug output
Wang Mingyu (1):
bind: upgrade 9.18.9 -> 9.18.10
.../devtool/devtool-test-local/file3 | 1 +
.../devtool/devtool-test-local_6.03.bb | 3 +
.../devtool/devtool-test-localonly.bb | 3 +
.../devtool/devtool-test-localonly/file3 | 1 +
meta/classes/base.bbclass | 2 +-
meta/classes/rm_work.bbclass | 15 +-
meta/lib/oeqa/runtime/cases/rpm.py | 23 +-
...1-avoid-start-failure-with-bind-user.patch | 0
...d-V-and-start-log-hide-build-options.patch | 0
...ching-for-json-headers-searches-sysr.patch | 0
.../bind/{bind-9.18.9 => bind-9.18.10}/bind9 | 0
.../{bind-9.18.9 => bind-9.18.10}/conf.patch | 0
.../generate-rndc-key.sh | 0
...t.d-add-support-for-read-only-rootfs.patch | 0
.../make-etc-initd-bind-stop-work.patch | 0
.../named.service | 0
.../bind/{bind_9.18.9.bb => bind_9.18.10.bb} | 2 +-
...w-json_variant_dump-to-return-an-err.patch | 60 ++++
.../systemd/systemd/CVE-2022-45873.patch | 124 ++++++++
meta/recipes-core/systemd/systemd_250.5.bb | 2 +
.../libarchive/CVE-2022-36227.patch | 42 ---
...ibarchive_3.6.1.bb => libarchive_3.6.2.bb} | 8 +-
...-vp3-Add-missing-check-for-av_malloc.patch | 44 +++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 3 +-
...005-bin-Fix-race-conditions-in-tests.patch | 300 ++++++++++++++++++
...bin-test_watch_for_state_change-test.patch | 107 -------
.../gstreamer/gstreamer1.0_1.20.5.bb | 2 +-
scripts/lib/devtool/standard.py | 38 ++-
28 files changed, 590 insertions(+), 190 deletions(-)
create mode 100644 meta-selftest/recipes-test/devtool/devtool-test-local/file3
create mode 100644 meta-selftest/recipes-test/devtool/devtool-test-localonly/file3
rename meta/recipes-connectivity/bind/{bind-9.18.9 => bind-9.18.10}/0001-avoid-start-failure-with-bind-user.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.9 => bind-9.18.10}/0001-named-lwresd-V-and-start-log-hide-build-options.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.9 => bind-9.18.10}/bind-ensure-searching-for-json-headers-searches-sysr.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.9 => bind-9.18.10}/bind9 (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.9 => bind-9.18.10}/conf.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.9 => bind-9.18.10}/generate-rndc-key.sh (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.9 => bind-9.18.10}/init.d-add-support-for-read-only-rootfs.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.9 => bind-9.18.10}/make-etc-initd-bind-stop-work.patch (100%)
rename meta/recipes-connectivity/bind/{bind-9.18.9 => bind-9.18.10}/named.service (100%)
rename meta/recipes-connectivity/bind/{bind_9.18.9.bb => bind_9.18.10.bb} (97%)
create mode 100644 meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-45873.patch
delete mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch
rename meta/recipes-extended/libarchive/{libarchive_3.6.1.bb => libarchive_3.6.2.bb} (92%)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/0001-avcodec-vp3-Add-missing-check-for-av_malloc.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-bin-Fix-race-conditions-in-tests.patch
delete mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/0005-tests-remove-gstbin-test_watch_for_state_change-test.patch
--
2.25.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 00/11] Patch review
@ 2023-06-11 16:02 Steve Sakoman
0 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2023-06-11 16:02 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5438
The following changes since commit 717b9f18a51e9c9fd5a471238aa2ea4de439ef17:
kernel-devicetree: recursively search for dtbs (2023-05-30 04:06:12 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
C. Andy Martin (1):
systemd-networkd: backport fix for rm unmanaged wifi
Hitendra Prajapati (1):
sysstat: Fix CVE-2023-33204
Michael Halstead (2):
uninative: Upgrade to 3.10 to support gcc 13
uninative: Upgrade to 4.0 to include latest gcc 13.1.1
Narpat Mali (1):
python3-requests: fix for CVE-2023-32681
Omkar Patil (1):
curl: Correction for CVE-2023-27536
Peter Marko (1):
openssl: Upgrade 3.0.8 -> 3.0.9
Richard Purdie (1):
selftest/reproducible: Allow native/cross reuse in test
Riyaz Khan (1):
openssh: Remove BSD-4-clause contents completely from codebase
Soumya (1):
perl: fix CVE-2023-31484
Vivek Kumbhar (1):
go: fix CVE-2023-24539 html/template improper sanitization of CSS
values
meta/conf/distro/include/yocto-uninative.inc | 8 +-
meta/lib/oeqa/selftest/cases/reproducible.py | 4 +-
...401bdd77ca54be6867a154cc01e0d72612e0.patch | 984 ++++++++++++++++++
.../openssh/openssh_8.9p1.bb | 1 +
...1-Configure-do-not-tweak-mips-cflags.patch | 2 +-
.../openssl/openssl/CVE-2023-0464.patch | 225 ----
.../openssl/openssl/CVE-2023-0465.patch | 56 -
.../openssl/openssl/CVE-2023-0466.patch | 50 -
.../{openssl_3.0.8.bb => openssl_3.0.9.bb} | 5 +-
...nly-managed-configs-on-reconfigure-o.patch | 358 +++++++
meta/recipes-core/systemd/systemd_250.5.bb | 1 +
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.18/CVE-2023-24539.patch | 53 +
.../perl/files/CVE-2023-31484.patch | 29 +
meta/recipes-devtools/perl/perl_5.34.1.bb | 1 +
.../python3-requests/CVE-2023-32681.patch | 63 ++
.../python/python3-requests_2.27.1.bb | 2 +
.../sysstat/sysstat/CVE-2023-33204.patch | 80 ++
.../sysstat/sysstat_12.4.5.bb | 5 +-
.../curl/curl/CVE-2023-27536.patch | 3 +-
20 files changed, 1586 insertions(+), 345 deletions(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/7280401bdd77ca54be6867a154cc01e0d72612e0.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
rename meta/recipes-connectivity/openssl/{openssl_3.0.8.bb => openssl_3.0.9.bb} (97%)
create mode 100644 meta/recipes-core/systemd/systemd/0001-network-remove-only-managed-configs-on-reconfigure-o.patch
create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24539.patch
create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31484.patch
create mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2023-32681.patch
create mode 100644 meta/recipes-extended/sysstat/sysstat/CVE-2023-33204.patch
--
2.34.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 00/11] Patch review
@ 2023-12-21 2:09 Steve Sakoman
0 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2023-12-21 2:09 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, December 22
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6355
The following changes since commit eea685e1caafd8e8121006d3f8b5d0b8a4f2a933:
build-appliance-image: Update to kirkstone head revision (2023-12-15 04:01:10 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Poonam Jadhav (1):
curl: Fix CVE-2023-46218
Richard Purdie (1):
testimage: Exclude wtmp from target-dumper commands
Soumya Sambu (2):
go: Fix CVE-2023-39326
perl: update 5.34.1 -> 5.34.3
Sourav Pramanik (1):
qemu: Fix CVE-2023-5088
Trevor Gamblin (1):
python3-ptest: skip test_storlines
Vijay Anusuri (2):
ghostscript: Backport fix for CVE-2023-46751
openssh: backport Debian patch for CVE-2023-48795
Yoann Congal (1):
externalsrc: Ensure SRCREV is processed before accessing SRC_URI
mark.yang (2):
ffmpeg: fix for CVE-2022-3964
ffmpeg: fix for CVE-2022-3965
meta/classes/externalsrc.bbclass | 4 +
meta/classes/testimage.bbclass | 2 +-
.../openssh/openssh/CVE-2023-48795.patch | 476 ++++++++++++++++++
.../fix-authorized-principals-command.patch | 30 ++
.../openssh/openssh_8.9p1.bb | 2 +
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.20/CVE-2023-39326.patch | 182 +++++++
...ile-check-the-file-if-patched-or-not.patch | 4 +-
...{perlcross_1.3.7.bb => perlcross_1.5.2.bb} | 2 +-
.../perl/{perl_5.34.1.bb => perl_5.34.3.bb} | 2 +-
...orlines-skip-due-to-load-variability.patch | 32 ++
.../python/python3_3.10.13.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2023-5088.patch | 112 +++++
.../ghostscript/CVE-2023-46751.patch | 41 ++
.../ghostscript/ghostscript_9.55.0.bb | 1 +
...c-stop-accessing-out-of-bounds-frame.patch | 2 +-
...c-stop-accessing-out-of-bounds-frame.patch | 1 +
.../curl/curl/CVE-2023-46218.patch | 52 ++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
20 files changed, 943 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-48795.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/fix-authorized-principals-command.patch
create mode 100644 meta/recipes-devtools/go/go-1.20/CVE-2023-39326.patch
rename meta/recipes-devtools/perl-cross/{perlcross_1.3.7.bb => perlcross_1.5.2.bb} (92%)
rename meta/recipes-devtools/perl/{perl_5.34.1.bb => perl_5.34.3.bb} (99%)
create mode 100644 meta/recipes-devtools/python/python3/0001-test_storlines-skip-due-to-load-variability.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-5088.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-46751.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46218.patch
--
2.34.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 00/11] Patch review
@ 2024-03-04 15:23 Steve Sakoman
0 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2024-03-04 15:23 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, March 6
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6640
The following changes since commit cca0971a7d92d823cc0c2b16cf14a7b2ed8ecb61:
kernel: make LOCALVERSION consistent between recipes (2024-02-27 03:51:58 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Sverdlin (1):
linux-firmware: upgrade 20231030 -> 20231211
Dhairya Nagodra (1):
dbus: Add missing CVE_PRODUCT
Munehisa Kamata (1):
kernel.bbclass: Set pkg-config variables for building modules
Peter Marko (1):
glibc: ignore CVE-2023-0687
Poonam Jadhav (1):
qemu: Fix CVE-2023-42467
Priyal Doshi (1):
tzdata : Upgrade to 2024a
Ross Burton (1):
cve_check: cleanup logging
Soumya Sambu (1):
bind: Upgrade 9.18.19 -> 9.18.24
Vijay Anusuri (2):
less: Fix for CVE-2022-48624
qemu: Fix for CVE-2024-24474
Vivek Kumbhar (1):
qemu: Backport fix CVE-2023-6693
meta/classes/kernel.bbclass | 7 ++
meta/lib/oe/cve_check.py | 13 ++--
.../bind/{bind_9.18.19.bb => bind_9.18.24.bb} | 2 +-
meta/recipes-core/dbus/dbus_1.14.8.bb | 2 +-
meta/recipes-core/glibc/glibc_2.35.bb | 2 +-
meta/recipes-devtools/qemu/qemu.inc | 5 ++
.../qemu/qemu/CVE-2023-42467.patch | 46 ++++++++++++
.../qemu/qemu/CVE-2023-6693.patch | 74 +++++++++++++++++++
.../qemu/qemu/CVE-2024-24474.patch | 44 +++++++++++
...lock-desriptor-to-set-the-block-size.patch | 54 ++++++++++++++
...ero-and-changes-limited-to-bits-8-15.patch | 67 +++++++++++++++++
.../less/less/CVE-2022-48624.patch | 41 ++++++++++
meta/recipes-extended/less/less_600.bb | 1 +
meta/recipes-extended/timezone/timezone.inc | 6 +-
...20231030.bb => linux-firmware_20231211.bb} | 7 +-
15 files changed, 355 insertions(+), 16 deletions(-)
rename meta/recipes-connectivity/bind/{bind_9.18.19.bb => bind_9.18.24.bb} (97%)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-42467.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6693.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-24474.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/scsi-disk-allow-MODE-SELECT-block-desriptor-to-set-the-block-size.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/scsi-disk-ensure-block-size-is-non-zero-and-changes-limited-to-bits-8-15.patch
create mode 100644 meta/recipes-extended/less/less/CVE-2022-48624.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20231030.bb => linux-firmware_20231211.bb} (99%)
--
2.34.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 00/11] Patch review
@ 2024-08-13 12:16 Steve Sakoman
0 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2024-08-13 12:16 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, August 15
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7236
The following changes since commit 2721f84ba755ceea5780e44feb0713ad8c4d0217:
lttng-modules: Upgrade 2.13.9 -> 2.13.14 (2024-08-02 12:10:02 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (4):
ghostscript: fix CVE-2024-29511
ghostscript: fix CVE-2024-29509
ghostscript: fix CVE-2024-29506
go: fix CVE-2024-24791
Hitendra Prajapati (1):
busybox: CVE-2023-42364, CVE-2023-42365, CVE-2023-42366 fixes
Peter Marko (1):
libyaml: Update status of CVE-2024-35328
Richard Purdie (1):
cve_check: Use a local copy of the database during builds
Ross Burton (1):
python3-pycryptodome(x): use python_setuptools_build_meta build class
Soumya Sambu (1):
python3-certifi: Fix CVE-2024-39689
Vijay Anusuri (1):
orc: upgrade 0.4.32 -> 0.4.39
Yogita Urade (1):
ofono: fix CVE-2023-2794
meta/classes/cve-check.bbclass | 7 +-
.../ofono/ofono/CVE-2023-2794-0001.patch | 37 ++
.../ofono/ofono/CVE-2023-2794-0002.patch | 32 ++
.../ofono/ofono/CVE-2023-2794-0003.patch | 44 +++
.../ofono/ofono/CVE-2023-2794-0004.patch | 127 +++++++
meta/recipes-connectivity/ofono/ofono_1.34.bb | 4 +
.../busybox/CVE-2023-42364_42365-1.patch | 197 ++++++++++
.../busybox/CVE-2023-42364_42365-2.patch | 96 +++++
.../busybox/busybox/CVE-2023-42366.patch | 36 ++
meta/recipes-core/busybox/busybox_1.35.0.bb | 3 +
.../meta/cve-update-nvd2-native.bb | 18 +-
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.21/CVE-2024-24791.patch | 359 ++++++++++++++++++
.../orc/{orc_0.4.32.bb => orc_0.4.39.bb} | 2 +-
.../python3-certifi/CVE-2024-39689.patch | 69 ++++
.../python/python3-certifi_2021.10.8.bb | 1 +
.../python/python3-pycryptodome_3.14.1.bb | 2 +-
.../python/python3-pycryptodomex_3.14.1.bb | 2 +-
.../ghostscript/CVE-2024-29506.patch | 45 +++
.../ghostscript/CVE-2024-29509.patch | 45 +++
.../ghostscript/CVE-2024-29511-0001.patch | 100 +++++
.../ghostscript/CVE-2024-29511-0002.patch | 219 +++++++++++
.../ghostscript/ghostscript_9.55.0.bb | 4 +
meta/recipes-support/libyaml/libyaml_0.2.5.bb | 3 +
24 files changed, 1442 insertions(+), 11 deletions(-)
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0001.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0002.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0003.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2023-2794-0004.patch
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2023-42364_42365-1.patch
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2023-42364_42365-2.patch
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2023-42366.patch
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-24791.patch
rename meta/recipes-devtools/orc/{orc_0.4.32.bb => orc_0.4.39.bb} (92%)
create mode 100644 meta/recipes-devtools/python/python3-certifi/CVE-2024-39689.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29506.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29509.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29511-0001.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29511-0002.patch
--
2.34.1
^ permalink raw reply [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 00/11] Patch review
@ 2025-01-15 14:37 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 01/11] go: Fix CVE-2024-34155 Steve Sakoman
` (10 more replies)
0 siblings, 11 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, January 17
Passed a-full on autobuilder:
https://valkyrie.yoctoproject.org/#/builders/29/builds/809
The following changes since commit a270d4c957259761bcc7382fcc54642a02f9fc7d:
build-appliance-image: Update to kirkstone head revision (2025-01-09 08:49:38 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (3):
go: Fix CVE-2024-34155
go: Fix CVE-2024-34156
go: Fix CVE-2024-34158
Divya Chellam (1):
ruby: fix CVE-2024-49761
Peter Marko (1):
gstreamer1.0: ignore CVEs fixed in plugins recipes
Yogita Urade (6):
ofono: fix CVE-2024-7539
ofono: fix CVE-2024-7543
ofono: fix CVE-2024-7544
ofono: fix CVE-2024-7545
ofono: fix CVE-2024-7546
ofono: fix CVE-2024-7547
.../ofono/ofono/CVE-2024-7539.patch | 88 +++
.../ofono/ofono/CVE-2024-7543.patch | 30 +
.../ofono/ofono/CVE-2024-7544.patch | 30 +
.../ofono/ofono/CVE-2024-7545.patch | 32 +
.../ofono/ofono/CVE-2024-7546.patch | 30 +
.../ofono/ofono/CVE-2024-7547.patch | 29 +
meta/recipes-connectivity/ofono/ofono_1.34.bb | 6 +
meta/recipes-devtools/go/go-1.17.13.inc | 3 +
.../go/go-1.21/CVE-2024-34155.patch | 71 +++
.../go/go-1.21/CVE-2024-34156.patch | 150 +++++
.../go/go-1.21/CVE-2024-34158.patch | 205 +++++++
.../ruby/ruby/CVE-2024-49761-0001.patch | 391 ++++++++++++
.../ruby/ruby/CVE-2024-49761-0002.patch | 104 ++++
.../ruby/ruby/CVE-2024-49761-0003.patch | 85 +++
.../ruby/ruby/CVE-2024-49761-0004.patch | 71 +++
.../ruby/ruby/CVE-2024-49761-0005.patch | 51 ++
.../ruby/ruby/CVE-2024-49761-0006.patch | 79 +++
.../ruby/ruby/CVE-2024-49761-0007.patch | 561 ++++++++++++++++++
.../ruby/ruby/CVE-2024-49761-0008.patch | 107 ++++
.../ruby/ruby/CVE-2024-49761-0009.patch | 46 ++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 9 +
.../gstreamer/gstreamer1.0_1.20.7.bb | 9 +
22 files changed, 2187 insertions(+)
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-34155.patch
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-34156.patch
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-34158.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0002.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0003.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0004.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0005.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0006.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0007.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0008.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0009.patch
--
2.43.0
^ permalink raw reply [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 01/11] go: Fix CVE-2024-34155
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
@ 2025-01-15 14:37 ` Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 02/11] go: Fix CVE-2024-34156 Steve Sakoman
` (9 subsequent siblings)
10 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
Calling any of the Parse functions on Go source code which contains
deeply nested literals can cause a panic due to stack exhaustion.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-34155
Upstream-patch:
https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.21/CVE-2024-34155.patch | 71 +++++++++++++++++++
2 files changed, 72 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-34155.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 349b0be6be..11bd2afde0 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -58,6 +58,7 @@ SRC_URI += "\
file://CVE-2023-45288.patch \
file://CVE-2024-24789.patch \
file://CVE-2024-24791.patch \
+ file://CVE-2024-34155.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-34155.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-34155.patch
new file mode 100644
index 0000000000..515d9dcdff
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-34155.patch
@@ -0,0 +1,71 @@
+From b232596139dbe96a62edbe3a2a203e856bf556eb Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 10 Jun 2024 15:34:12 -0700
+Subject: [PATCH] go/parser: track depth in nested element lists
+
+Prevents stack exhaustion with extremely deeply nested literal values,
+i.e. field values in structs.
+
+Updates #69138
+Fixes #69142
+Fixes CVE-2024-34155
+
+Change-Id: I2e8e33b44105cc169d7ed1ae83fb56df0c10f1ee
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1520
+Reviewed-by: Robert Griesemer <gri@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+(cherry picked from commit eb1b038c0d01761694e7a735ef87ac9164c6568e)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1561
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/611181
+Reviewed-by: Michael Pratt <mpratt@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+
+CVE: CVE-2024-34155
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/go/parser/parser.go | 2 ++
+ src/go/parser/parser_test.go | 9 +++++----
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/go/parser/parser.go b/src/go/parser/parser.go
+index 2c42b9f..a728d9a 100644
+--- a/src/go/parser/parser.go
++++ b/src/go/parser/parser.go
+@@ -1481,6 +1481,8 @@ func (p *parser) parseElementList() (list []ast.Expr) {
+ }
+
+ func (p *parser) parseLiteralValue(typ ast.Expr) ast.Expr {
++ defer decNestLev(incNestLev(p))
++
+ if p.trace {
+ defer un(trace(p, "LiteralValue"))
+ }
+diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
+index 993df63..b2cd501 100644
+--- a/src/go/parser/parser_test.go
++++ b/src/go/parser/parser_test.go
+@@ -607,10 +607,11 @@ var parseDepthTests = []struct {
+ {name: "chan2", format: "package main; var x «<-chan »int"},
+ {name: "interface", format: "package main; var x «interface { M() «int» }»", scope: true, scopeMultiplier: 2}, // Scopes: InterfaceType, FuncType
+ {name: "map", format: "package main; var x «map[int]»int"},
+- {name: "slicelit", format: "package main; var x = «[]any{«»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
+- {name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
+- {name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 2}, // Parser nodes: UnaryExpr, CompositeLit
+- {name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 2}, // Parser nodes: CompositeLit, KeyValueExpr
++ {name: "slicelit", format: "package main; var x = []any{«[]any{«»}»}", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
++ {name: "arraylit", format: "package main; var x = «[1]any{«nil»}»", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
++ {name: "structlit", format: "package main; var x = «struct{x any}{«nil»}»", parseMultiplier: 3}, // Parser nodes: UnaryExpr, CompositeLit
++ {name: "maplit", format: "package main; var x = «map[int]any{1:«nil»}»", parseMultiplier: 3}, // Parser nodes: CompositeLit, KeyValueExpr
++ {name: "element", format: "package main; var x = struct{x any}{x: «{«»}»}"},
+ {name: "dot", format: "package main; var x = «x.»x"},
+ {name: "index", format: "package main; var x = x«[1]»"},
+ {name: "slice", format: "package main; var x = x«[1:2]»"},
+--
+2.40.0
--
2.43.0
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 02/11] go: Fix CVE-2024-34156
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 01/11] go: Fix CVE-2024-34155 Steve Sakoman
@ 2025-01-15 14:37 ` Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 03/11] go: Fix CVE-2024-34158 Steve Sakoman
` (8 subsequent siblings)
10 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
Calling Decoder.Decode on a message which contains deeply nested structures can
cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-34156
Upstream-patch:
https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.21/CVE-2024-34156.patch | 150 ++++++++++++++++++
2 files changed, 151 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-34156.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 11bd2afde0..53ca869221 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -59,6 +59,7 @@ SRC_URI += "\
file://CVE-2024-24789.patch \
file://CVE-2024-24791.patch \
file://CVE-2024-34155.patch \
+ file://CVE-2024-34156.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-34156.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-34156.patch
new file mode 100644
index 0000000000..d8a915d6e9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-34156.patch
@@ -0,0 +1,150 @@
+From 2092294f2b097c5828f4eace6c98a322c1510b01 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 3 May 2024 09:21:39 -0400
+Subject: [PATCH] encoding/gob: cover missed cases when checking ignore depth
+
+This change makes sure that we are properly checking the ignored field
+recursion depth in decIgnoreOpFor consistently. This prevents stack
+exhaustion when attempting to decode a message that contains an
+extremely deeply nested struct which is ignored.
+
+Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu)
+for reporting this issue.
+
+Updates #69139
+Fixes #69144
+Fixes CVE-2024-34156
+
+Change-Id: Iacce06be95a5892b3064f1c40fcba2e2567862d6
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1440
+Reviewed-by: Russ Cox <rsc@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit f0a11f9b3aaa362cb1d05e095e3c8d421d4f087f)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1580
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/611182
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+
+CVE: CVE-2024-34156
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/encoding/gob/decode.go | 19 +++++++++++--------
+ src/encoding/gob/decoder.go | 2 ++
+ src/encoding/gob/gobencdec_test.go | 14 ++++++++++++++
+ 3 files changed, 27 insertions(+), 8 deletions(-)
+
+diff --git a/src/encoding/gob/decode.go b/src/encoding/gob/decode.go
+index 0e0ec75..92d64cb 100644
+--- a/src/encoding/gob/decode.go
++++ b/src/encoding/gob/decode.go
+@@ -874,8 +874,11 @@ func (dec *Decoder) decOpFor(wireId typeId, rt reflect.Type, name string, inProg
+ var maxIgnoreNestingDepth = 10000
+
+ // decIgnoreOpFor returns the decoding op for a field that has no destination.
+-func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp, depth int) *decOp {
+- if depth > maxIgnoreNestingDepth {
++func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp) *decOp {
++ // Track how deep we've recursed trying to skip nested ignored fields.
++ dec.ignoreDepth++
++ defer func() { dec.ignoreDepth-- }()
++ if dec.ignoreDepth > maxIgnoreNestingDepth {
+ error_(errors.New("invalid nesting depth"))
+ }
+ // If this type is already in progress, it's a recursive type (e.g. map[string]*T).
+@@ -901,7 +904,7 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp,
+ errorf("bad data: undefined type %s", wireId.string())
+ case wire.ArrayT != nil:
+ elemId := wire.ArrayT.Elem
+- elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
++ elemOp := dec.decIgnoreOpFor(elemId, inProgress)
+ op = func(i *decInstr, state *decoderState, value reflect.Value) {
+ state.dec.ignoreArray(state, *elemOp, wire.ArrayT.Len)
+ }
+@@ -909,15 +912,15 @@ func (dec *Decoder) decIgnoreOpFor(wireId typeId, inProgress map[typeId]*decOp,
+ case wire.MapT != nil:
+ keyId := dec.wireType[wireId].MapT.Key
+ elemId := dec.wireType[wireId].MapT.Elem
+- keyOp := dec.decIgnoreOpFor(keyId, inProgress, depth+1)
+- elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
++ keyOp := dec.decIgnoreOpFor(keyId, inProgress)
++ elemOp := dec.decIgnoreOpFor(elemId, inProgress)
+ op = func(i *decInstr, state *decoderState, value reflect.Value) {
+ state.dec.ignoreMap(state, *keyOp, *elemOp)
+ }
+
+ case wire.SliceT != nil:
+ elemId := wire.SliceT.Elem
+- elemOp := dec.decIgnoreOpFor(elemId, inProgress, depth+1)
++ elemOp := dec.decIgnoreOpFor(elemId, inProgress)
+ op = func(i *decInstr, state *decoderState, value reflect.Value) {
+ state.dec.ignoreSlice(state, *elemOp)
+ }
+@@ -1078,7 +1081,7 @@ func (dec *Decoder) compileSingle(remoteId typeId, ut *userTypeInfo) (engine *de
+ func (dec *Decoder) compileIgnoreSingle(remoteId typeId) *decEngine {
+ engine := new(decEngine)
+ engine.instr = make([]decInstr, 1) // one item
+- op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp), 0)
++ op := dec.decIgnoreOpFor(remoteId, make(map[typeId]*decOp))
+ ovfl := overflow(dec.typeString(remoteId))
+ engine.instr[0] = decInstr{*op, 0, nil, ovfl}
+ engine.numInstr = 1
+@@ -1123,7 +1126,7 @@ func (dec *Decoder) compileDec(remoteId typeId, ut *userTypeInfo) (engine *decEn
+ localField, present := srt.FieldByName(wireField.Name)
+ // TODO(r): anonymous names
+ if !present || !isExported(wireField.Name) {
+- op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp), 0)
++ op := dec.decIgnoreOpFor(wireField.Id, make(map[typeId]*decOp))
+ engine.instr[fieldnum] = decInstr{*op, fieldnum, nil, ovfl}
+ continue
+ }
+diff --git a/src/encoding/gob/decoder.go b/src/encoding/gob/decoder.go
+index b476aaa..8fab2fd 100644
+--- a/src/encoding/gob/decoder.go
++++ b/src/encoding/gob/decoder.go
+@@ -34,6 +34,8 @@ type Decoder struct {
+ freeList *decoderState // list of free decoderStates; avoids reallocation
+ countBuf []byte // used for decoding integers while parsing messages
+ err error
++ // ignoreDepth tracks the depth of recursively parsed ignored fields
++ ignoreDepth int
+ }
+
+ // NewDecoder returns a new decoder that reads from the io.Reader.
+diff --git a/src/encoding/gob/gobencdec_test.go b/src/encoding/gob/gobencdec_test.go
+index 1b52ecc..2b5f2a8 100644
+--- a/src/encoding/gob/gobencdec_test.go
++++ b/src/encoding/gob/gobencdec_test.go
+@@ -806,6 +806,8 @@ func TestIngoreDepthLimit(t *testing.T) {
+ defer func() { maxIgnoreNestingDepth = oldNestingDepth }()
+ b := new(bytes.Buffer)
+ enc := NewEncoder(b)
++
++ // Nested slice
+ typ := reflect.TypeOf(int(0))
+ nested := reflect.ArrayOf(1, typ)
+ for i := 0; i < 100; i++ {
+@@ -819,4 +821,16 @@ func TestIngoreDepthLimit(t *testing.T) {
+ if err := dec.Decode(&output); err == nil || err.Error() != expectedErr {
+ t.Errorf("Decode didn't fail with depth limit of 100: want %q, got %q", expectedErr, err)
+ }
++
++ // Nested struct
++ nested = reflect.StructOf([]reflect.StructField{{Name: "F", Type: typ}})
++ for i := 0; i < 100; i++ {
++ nested = reflect.StructOf([]reflect.StructField{{Name: "F", Type: nested}})
++ }
++ badStruct = reflect.New(reflect.StructOf([]reflect.StructField{{Name: "F", Type: nested}}))
++ enc.Encode(badStruct.Interface())
++ dec = NewDecoder(b)
++ if err := dec.Decode(&output); err == nil || err.Error() != expectedErr {
++ t.Errorf("Decode didn't fail with depth limit of 100: want %q, got %q", expectedErr, err)
++ }
+ }
+--
+2.40.0
--
2.43.0
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 03/11] go: Fix CVE-2024-34158
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 01/11] go: Fix CVE-2024-34155 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 02/11] go: Fix CVE-2024-34156 Steve Sakoman
@ 2025-01-15 14:37 ` Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 04/11] ruby: fix CVE-2024-49761 Steve Sakoman
` (7 subsequent siblings)
10 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
Calling Parse on a "// +build" build tag line with deeply nested
expressions can cause a panic due to stack exhaustion.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-34158
Upstream-patch:
https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.17.13.inc | 1 +
.../go/go-1.21/CVE-2024-34158.patch | 205 ++++++++++++++++++
2 files changed, 206 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-34158.patch
diff --git a/meta/recipes-devtools/go/go-1.17.13.inc b/meta/recipes-devtools/go/go-1.17.13.inc
index 53ca869221..c483590931 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -60,6 +60,7 @@ SRC_URI += "\
file://CVE-2024-24791.patch \
file://CVE-2024-34155.patch \
file://CVE-2024-34156.patch \
+ file://CVE-2024-34158.patch \
"
SRC_URI[main.sha256sum] = "a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
diff --git a/meta/recipes-devtools/go/go-1.21/CVE-2024-34158.patch b/meta/recipes-devtools/go/go-1.21/CVE-2024-34158.patch
new file mode 100644
index 0000000000..ad4d4f092c
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.21/CVE-2024-34158.patch
@@ -0,0 +1,205 @@
+From d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 20 Jun 2024 10:45:30 -0700
+Subject: [PATCH] go/build/constraint: add parsing limits
+
+Limit the size of build constraints that we will parse. This prevents a
+number of stack exhaustions that can be hit when parsing overly complex
+constraints. The imposed limits are unlikely to ever be hit in real
+world usage.
+
+Updates #69141
+Fixes #69148
+Fixes CVE-2024-34158
+
+Change-Id: I38b614bf04caa36eefc6a4350d848588c4cef3c4
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1540
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@google.com>
+(cherry picked from commit 0c74dc9e0da0cf1e12494b514d822b5bebbc9f04)
+Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/1582
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/611183
+Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Reviewed-by: Michael Pratt <mpratt@google.com>
+TryBot-Bypass: Dmitri Shuralyov <dmitshur@google.com>
+
+CVE: CVE-2024-34158
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/go/build/constraint/expr.go | 28 ++++++++++--
+ src/go/build/constraint/expr_test.go | 65 +++++++++++++++++++++++++++-
+ 2 files changed, 89 insertions(+), 4 deletions(-)
+
+diff --git a/src/go/build/constraint/expr.go b/src/go/build/constraint/expr.go
+index 957eb9b..85897e2 100644
+--- a/src/go/build/constraint/expr.go
++++ b/src/go/build/constraint/expr.go
+@@ -18,6 +18,10 @@ import (
+ "unicode/utf8"
+ )
+
++// maxSize is a limit used to control the complexity of expressions, in order
++// to prevent stack exhaustion issues due to recursion.
++const maxSize = 1000
++
+ // An Expr is a build tag constraint expression.
+ // The underlying concrete type is *AndExpr, *OrExpr, *NotExpr, or *TagExpr.
+ type Expr interface {
+@@ -153,7 +157,7 @@ func Parse(line string) (Expr, error) {
+ return parseExpr(text)
+ }
+ if text, ok := splitPlusBuild(line); ok {
+- return parsePlusBuildExpr(text), nil
++ return parsePlusBuildExpr(text)
+ }
+ return nil, errNotConstraint
+ }
+@@ -203,6 +207,8 @@ type exprParser struct {
+ tok string // last token read
+ isTag bool
+ pos int // position (start) of last token
++
++ size int
+ }
+
+ // parseExpr parses a boolean build tag expression.
+@@ -251,6 +257,10 @@ func (p *exprParser) and() Expr {
+ // On entry, the next input token has not yet been lexed.
+ // On exit, the next input token has been lexed and is in p.tok.
+ func (p *exprParser) not() Expr {
++ p.size++
++ if p.size > maxSize {
++ panic(&SyntaxError{Offset: p.pos, Err: "build expression too large"})
++ }
+ p.lex()
+ if p.tok == "!" {
+ p.lex()
+@@ -391,7 +401,13 @@ func splitPlusBuild(line string) (expr string, ok bool) {
+ }
+
+ // parsePlusBuildExpr parses a legacy build tag expression (as used with “// +build”).
+-func parsePlusBuildExpr(text string) Expr {
++func parsePlusBuildExpr(text string) (Expr, error) {
++ // Only allow up to 100 AND/OR operators for "old" syntax.
++ // This is much less than the limit for "new" syntax,
++ // but uses of old syntax were always very simple.
++ const maxOldSize = 100
++ size := 0
++
+ var x Expr
+ for _, clause := range strings.Fields(text) {
+ var y Expr
+@@ -417,19 +433,25 @@ func parsePlusBuildExpr(text string) Expr {
+ if y == nil {
+ y = z
+ } else {
++ if size++; size > maxOldSize {
++ return nil, errComplex
++ }
+ y = and(y, z)
+ }
+ }
+ if x == nil {
+ x = y
+ } else {
++ if size++; size > maxOldSize {
++ return nil, errComplex
++ }
+ x = or(x, y)
+ }
+ }
+ if x == nil {
+ x = tag("ignore")
+ }
+- return x
++ return x, nil
+ }
+
+ // isValidTag reports whether the word is a valid build tag.
+diff --git a/src/go/build/constraint/expr_test.go b/src/go/build/constraint/expr_test.go
+index 15d1890..ac38ba6 100644
+--- a/src/go/build/constraint/expr_test.go
++++ b/src/go/build/constraint/expr_test.go
+@@ -222,7 +222,7 @@ var parsePlusBuildExprTests = []struct {
+ func TestParsePlusBuildExpr(t *testing.T) {
+ for i, tt := range parsePlusBuildExprTests {
+ t.Run(fmt.Sprint(i), func(t *testing.T) {
+- x := parsePlusBuildExpr(tt.in)
++ x, _ := parsePlusBuildExpr(tt.in)
+ if x.String() != tt.x.String() {
+ t.Errorf("parsePlusBuildExpr(%q):\nhave %v\nwant %v", tt.in, x, tt.x)
+ }
+@@ -319,3 +319,66 @@ func TestPlusBuildLines(t *testing.T) {
+ })
+ }
+ }
++
++func TestSizeLimits(t *testing.T) {
++ for _, tc := range []struct {
++ name string
++ expr string
++ }{
++ {
++ name: "go:build or limit",
++ expr: "//go:build " + strings.Repeat("a || ", maxSize+2),
++ },
++ {
++ name: "go:build and limit",
++ expr: "//go:build " + strings.Repeat("a && ", maxSize+2),
++ },
++ {
++ name: "go:build and depth limit",
++ expr: "//go:build " + strings.Repeat("(a &&", maxSize+2),
++ },
++ {
++ name: "go:build or depth limit",
++ expr: "//go:build " + strings.Repeat("(a ||", maxSize+2),
++ },
++ } {
++ t.Run(tc.name, func(t *testing.T) {
++ _, err := Parse(tc.expr)
++ if err == nil {
++ t.Error("expression did not trigger limit")
++ } else if syntaxErr, ok := err.(*SyntaxError); !ok || syntaxErr.Err != "build expression too large" {
++ if !ok {
++ t.Errorf("unexpected error: %v", err)
++ } else {
++ t.Errorf("unexpected syntax error: %s", syntaxErr.Err)
++ }
++ }
++ })
++ }
++}
++
++func TestPlusSizeLimits(t *testing.T) {
++ maxOldSize := 100
++ for _, tc := range []struct {
++ name string
++ expr string
++ }{
++ {
++ name: "+build or limit",
++ expr: "// +build " + strings.Repeat("a ", maxOldSize+2),
++ },
++ {
++ name: "+build and limit",
++ expr: "// +build " + strings.Repeat("a,", maxOldSize+2),
++ },
++ } {
++ t.Run(tc.name, func(t *testing.T) {
++ _, err := Parse(tc.expr)
++ if err == nil {
++ t.Error("expression did not trigger limit")
++ } else if err != errComplex {
++ t.Errorf("unexpected error: got %q, want %q", err, errComplex)
++ }
++ })
++ }
++}
+--
+2.40.0
--
2.43.0
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 04/11] ruby: fix CVE-2024-49761
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
` (2 preceding siblings ...)
2025-01-15 14:37 ` [OE-core][kirkstone 03/11] go: Fix CVE-2024-34158 Steve Sakoman
@ 2025-01-15 14:37 ` Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 05/11] gstreamer1.0: ignore CVEs fixed in plugins recipes Steve Sakoman
` (6 subsequent siblings)
10 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
From: Divya Chellam <divya.chellam@windriver.com>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS
vulnerability when it parses an XML that has many digits between &# and x...;
in a hex numeric character reference (&#x.... This does not happen with
Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby.
The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
CVE-2024-49761-0009.patch is the CVE fix and rest are dependent commits.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-49761
Upstream-patch:
https://github.com/ruby/rexml/commit/810d2285235d5501a0a124f300832e6e9515da3c
https://github.com/ruby/rexml/commit/83ca5c4b0f76cf7b307dd1be1dc934e1e8199863
https://github.com/ruby/rexml/commit/51217dbcc64ecc34aa70f126b103bedf07e153fc
https://github.com/ruby/rexml/commit/7e4049f6a68c99c4efec2df117057ee080680c9f
https://github.com/ruby/rexml/commit/fc6cad570b849692a28f26a963ceb58edc282bbc
https://github.com/ruby/rexml/commit/77128555476cb0db798e2912fb3a07d6411dc320
https://github.com/ruby/rexml/commit/370666e314816b57ecd5878e757224c3b6bc93f5
https://github.com/ruby/rexml/commit/a579730f25ec7443796495541ec57c071b91805d
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ruby/ruby/CVE-2024-49761-0001.patch | 391 ++++++++++++
.../ruby/ruby/CVE-2024-49761-0002.patch | 104 ++++
.../ruby/ruby/CVE-2024-49761-0003.patch | 85 +++
.../ruby/ruby/CVE-2024-49761-0004.patch | 71 +++
.../ruby/ruby/CVE-2024-49761-0005.patch | 51 ++
.../ruby/ruby/CVE-2024-49761-0006.patch | 79 +++
.../ruby/ruby/CVE-2024-49761-0007.patch | 561 ++++++++++++++++++
.../ruby/ruby/CVE-2024-49761-0008.patch | 107 ++++
.../ruby/ruby/CVE-2024-49761-0009.patch | 46 ++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 9 +
10 files changed, 1504 insertions(+)
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0002.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0003.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0004.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0005.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0006.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0007.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0008.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0009.patch
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0001.patch
new file mode 100644
index 0000000000..3caf389923
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0001.patch
@@ -0,0 +1,391 @@
+From 810d2285235d5501a0a124f300832e6e9515da3c Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Wed, 17 Jan 2024 15:32:57 +0900
+Subject: [PATCH] Use string scanner with baseparser (#105)
+
+Using StringScanner reduces the string copying process and speeds up the
+process.
+
+And I removed unnecessary methods.
+
+https://github.com/ruby/rexml/actions/runs/7549990000/job/20554906140?pr=105
+
+```
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [x86_64-linux]
+Calculating -------------------------------------
+ rexml 3.2.6 master 3.2.6(YJIT) master(YJIT)
+ dom 4.868 5.077 8.137 8.303 i/s - 100.000 times in 20.540529s 19.696590s 12.288900s 12.043666s
+ sax 13.597 13.953 19.206 20.948 i/s - 100.000 times in 7.354343s 7.167142s 5.206745s 4.773765s
+ pull 15.641 16.918 22.266 25.378 i/s - 100.000 times in 6.393424s 5.910955s 4.491201s 3.940471s
+ stream 14.339 15.844 19.810 22.206 i/s - 100.000 times in 6.973856s 6.311350s 5.047957s 4.503244s
+
+Comparison:
+ dom
+ master(YJIT): 8.3 i/s
+ 3.2.6(YJIT): 8.1 i/s - 1.02x slower
+ master: 5.1 i/s - 1.64x slower
+ rexml 3.2.6: 4.9 i/s - 1.71x slower
+
+ sax
+ master(YJIT): 20.9 i/s
+ 3.2.6(YJIT): 19.2 i/s - 1.09x slower
+ master: 14.0 i/s - 1.50x slower
+ rexml 3.2.6: 13.6 i/s - 1.54x slower
+
+ pull
+ master(YJIT): 25.4 i/s
+ 3.2.6(YJIT): 22.3 i/s - 1.14x slower
+ master: 16.9 i/s - 1.50x slower
+ rexml 3.2.6: 15.6 i/s - 1.62x slower
+
+ stream
+ master(YJIT): 22.2 i/s
+ 3.2.6(YJIT): 19.8 i/s - 1.12x slower
+ master: 15.8 i/s - 1.40x slower
+ rexml 3.2.6: 14.3 i/s - 1.55x slower
+```
+
+- YJIT=ON : 1.02x - 1.14x faster
+- YJIT=OFF : 1.02x - 1.10x faster
+
+---------
+
+Co-authored-by: Sutou Kouhei <kou@cozmixng.org>
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/810d2285235d5501a0a124f300832e6e9515da3c]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../lib/rexml/parsers/baseparser.rb | 21 ++-
+ .bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 149 ++++++------------
+ 2 files changed, 56 insertions(+), 114 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 305b120..65bad26 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -96,7 +96,7 @@ module REXML
+ ENTITYDEF = "(?:#{ENTITYVALUE}|(?:#{EXTERNALID}(#{NDATADECL})?))"
+ PEDECL = "<!ENTITY\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+ GEDECL = "<!ENTITY\\s+#{NAME}\\s+#{ENTITYDEF}\\s*>"
+- ENTITYDECL = /\s*(?:#{GEDECL})|(?:#{PEDECL})/um
++ ENTITYDECL = /\s*(?:#{GEDECL})|\s*(?:#{PEDECL})/um
+
+ NOTATIONDECL_START = /\A\s*<!NOTATION/um
+ EXTERNAL_ID_PUBLIC = /\A\s*PUBLIC\s+#{PUBIDLITERAL}\s+#{SYSTEMLITERAL}\s*/um
+@@ -259,7 +259,7 @@ module REXML
+ else
+ @document_status = :after_doctype
+ if @source.encoding == "UTF-8"
+- @source.buffer.force_encoding(::Encoding::UTF_8)
++ @source.buffer_encoding = ::Encoding::UTF_8
+ end
+ end
+ end
+@@ -274,8 +274,7 @@ module REXML
+ return [ :elementdecl, @source.match( ELEMENTDECL_PATTERN, true )[1] ]
+
+ when ENTITY_START
+- match = @source.match( ENTITYDECL, true ).to_a.compact
+- match[0] = :entitydecl
++ match = [:entitydecl, *@source.match( ENTITYDECL, true ).captures.compact]
+ ref = false
+ if match[1] == '%'
+ ref = true
+@@ -392,6 +391,7 @@ module REXML
+ unless md
+ raise REXML::ParseException.new("malformed XML: missing tag start", @source)
+ end
++ tag = md[1]
+ @document_status = :in_element
+ prefixes = Set.new
+ prefixes << md[2] if md[2]
+@@ -405,23 +405,20 @@ module REXML
+ end
+
+ if closed
+- @closed = md[1]
++ @closed = tag
+ @nsstack.shift
+ else
+- @tags.push( md[1] )
++ @tags.push( tag )
+ end
+- return [ :start_element, md[1], attributes ]
++ return [ :start_element, tag, attributes ]
+ end
+ else
+ md = @source.match( TEXT_PATTERN, true )
++ text = md[1]
+ if md[0].length == 0
+ @source.match( /(\s+)/, true )
+ end
+- #STDERR.puts "GOT #{md[1].inspect}" unless md[0].length == 0
+- #return [ :text, "" ] if md[0].length == 0
+- # unnormalized = Text::unnormalize( md[1], self )
+- # return PullEvent.new( :text, md[1], unnormalized )
+- return [ :text, md[1] ]
++ return [ :text, text ]
+ end
+ rescue REXML::UndefinedNamespaceException
+ raise
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+index 90b370b..71b08f9 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+@@ -30,8 +30,6 @@ module REXML
+ # objects and provides consumption of text
+ class Source
+ include Encoding
+- # The current buffer (what we're going to read next)
+- attr_reader :buffer
+ # The line number of the last consumed text
+ attr_reader :line
+ attr_reader :encoding
+@@ -41,7 +39,8 @@ module REXML
+ # @param encoding if non-null, sets the encoding of the source to this
+ # value, overriding all encoding detection
+ def initialize(arg, encoding=nil)
+- @orig = @buffer = arg
++ @orig = arg
++ @scanner = StringScanner.new(@orig)
+ if encoding
+ self.encoding = encoding
+ else
+@@ -50,6 +49,14 @@ module REXML
+ @line = 0
+ end
+
++ # The current buffer (what we're going to read next)
++ def buffer
++ @scanner.rest
++ end
++
++ def buffer_encoding=(encoding)
++ @scanner.string.force_encoding(encoding)
++ end
+
+ # Inherited from Encoding
+ # Overridden to support optimized en/decoding
+@@ -58,98 +65,57 @@ module REXML
+ encoding_updated
+ end
+
+- # Scans the source for a given pattern. Note, that this is not your
+- # usual scan() method. For one thing, the pattern argument has some
+- # requirements; for another, the source can be consumed. You can easily
+- # confuse this method. Originally, the patterns were easier
+- # to construct and this method more robust, because this method
+- # generated search regexps on the fly; however, this was
+- # computationally expensive and slowed down the entire REXML package
+- # considerably, since this is by far the most commonly called method.
+- # @param pattern must be a Regexp, and must be in the form of
+- # /^\s*(#{your pattern, with no groups})(.*)/. The first group
+- # will be returned; the second group is used if the consume flag is
+- # set.
+- # @param consume if true, the pattern returned will be consumed, leaving
+- # everything after it in the Source.
+- # @return the pattern, if found, or nil if the Source is empty or the
+- # pattern is not found.
+- def scan(pattern, cons=false)
+- return nil if @buffer.nil?
+- rv = @buffer.scan(pattern)
+- @buffer = $' if cons and rv.size>0
+- rv
+- end
+-
+ def read
+ end
+
+- def consume( pattern )
+- @buffer = $' if pattern.match( @buffer )
+- end
+-
+- def match_to( char, pattern )
+- return pattern.match(@buffer)
+- end
+-
+- def match_to_consume( char, pattern )
+- md = pattern.match(@buffer)
+- @buffer = $'
+- return md
+- end
+-
+ def match(pattern, cons=false)
+- md = pattern.match(@buffer)
+- @buffer = $' if cons and md
+- return md
++ if cons
++ @scanner.scan(pattern).nil? ? nil : @scanner
++ else
++ @scanner.check(pattern).nil? ? nil : @scanner
++ end
+ end
+
+ # @return true if the Source is exhausted
+ def empty?
+- @buffer == ""
+- end
+-
+- def position
+- @orig.index( @buffer )
++ @scanner.eos?
+ end
+
+ # @return the current line in the source
+ def current_line
+ lines = @orig.split
+- res = lines.grep @buffer[0..30]
++ res = lines.grep @scanner.rest[0..30]
+ res = res[-1] if res.kind_of? Array
+ lines.index( res ) if res
+ end
+
+ private
++
+ def detect_encoding
+- buffer_encoding = @buffer.encoding
++ scanner_encoding = @scanner.rest.encoding
+ detected_encoding = "UTF-8"
+ begin
+- @buffer.force_encoding("ASCII-8BIT")
+- if @buffer[0, 2] == "\xfe\xff"
+- @buffer[0, 2] = ""
++ @scanner.string.force_encoding("ASCII-8BIT")
++ if @scanner.scan(/\xfe\xff/n)
+ detected_encoding = "UTF-16BE"
+- elsif @buffer[0, 2] == "\xff\xfe"
+- @buffer[0, 2] = ""
++ elsif @scanner.scan(/\xff\xfe/n)
+ detected_encoding = "UTF-16LE"
+- elsif @buffer[0, 3] == "\xef\xbb\xbf"
+- @buffer[0, 3] = ""
++ elsif @scanner.scan(/\xef\xbb\xbf/n)
+ detected_encoding = "UTF-8"
+ end
+ ensure
+- @buffer.force_encoding(buffer_encoding)
++ @scanner.string.force_encoding(scanner_encoding)
+ end
+ self.encoding = detected_encoding
+ end
+
+ def encoding_updated
+ if @encoding != 'UTF-8'
+- @buffer = decode(@buffer)
++ @scanner.string = decode(@scanner.rest)
+ @to_utf = true
+ else
+ @to_utf = false
+- @buffer.force_encoding ::Encoding::UTF_8
++ @scanner.string.force_encoding(::Encoding::UTF_8)
+ end
+ end
+ end
+@@ -172,7 +138,7 @@ module REXML
+ end
+
+ if !@to_utf and
+- @buffer.respond_to?(:force_encoding) and
++ @orig.respond_to?(:force_encoding) and
+ @source.respond_to?(:external_encoding) and
+ @source.external_encoding != ::Encoding::UTF_8
+ @force_utf8 = true
+@@ -181,65 +147,44 @@ module REXML
+ end
+ end
+
+- def scan(pattern, cons=false)
+- rv = super
+- # You'll notice that this next section is very similar to the same
+- # section in match(), but just a liiittle different. This is
+- # because it is a touch faster to do it this way with scan()
+- # than the way match() does it; enough faster to warrant duplicating
+- # some code
+- if rv.size == 0
+- until @buffer =~ pattern or @source.nil?
+- begin
+- @buffer << readline
+- rescue Iconv::IllegalSequence
+- raise
+- rescue
+- @source = nil
+- end
+- end
+- rv = super
+- end
+- rv.taint if RUBY_VERSION < '2.7'
+- rv
+- end
+-
+ def read
+ begin
+- @buffer << readline
++ # NOTE: `@scanner << readline` does not free memory, so when parsing huge XML in JRuby's DOM,
++ # out-of-memory error `Java::JavaLang::OutOfMemoryError: Java heap space` occurs.
++ # `@scanner.string = @scanner.rest + readline` frees memory that is already consumed
++ # and avoids this problem.
++ @scanner.string = @scanner.rest + readline
+ rescue Exception, NameError
+ @source = nil
+ end
+ end
+
+- def consume( pattern )
+- match( pattern, true )
+- end
+-
+ def match( pattern, cons=false )
+- rv = pattern.match(@buffer)
+- @buffer = $' if cons and rv
+- while !rv and @source
++ if cons
++ md = @scanner.scan(pattern)
++ else
++ md = @scanner.check(pattern)
++ end
++ while md.nil? and @source
+ begin
+- @buffer << readline
+- rv = pattern.match(@buffer)
+- @buffer = $' if cons and rv
++ @scanner << readline
++ if cons
++ md = @scanner.scan(pattern)
++ else
++ md = @scanner.check(pattern)
++ end
+ rescue
+ @source = nil
+ end
+ end
+- rv.taint if RUBY_VERSION < '2.7'
+- rv
++
++ md.nil? ? nil : @scanner
+ end
+
+ def empty?
+ super and ( @source.nil? || @source.eof? )
+ end
+
+- def position
+- @er_source.pos rescue 0
+- end
+-
+ # @return the current line in the source
+ def current_line
+ begin
+@@ -290,7 +235,7 @@ module REXML
+ @source.set_encoding(@encoding, @encoding)
+ end
+ @line_break = encode(">")
+- @pending_buffer, @buffer = @buffer, ""
++ @pending_buffer, @scanner.string = @scanner.rest, ""
+ @pending_buffer.force_encoding(@encoding)
+ super
+ end
+--
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0002.patch
new file mode 100644
index 0000000000..35e90b632b
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0002.patch
@@ -0,0 +1,104 @@
+From 83ca5c4b0f76cf7b307dd1be1dc934e1e8199863 Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Sun, 21 Jan 2024 06:11:42 +0900
+Subject: [PATCH] Reduce calls to `Source#buffer`(`StringScanner#rest`) (#106)
+
+Reduce calls to `Source#buffer`(`StringScanner#rest`)
+
+## Why
+`Source#buffer` calling `StringScanner#rest`.
+`StringScanner#rest` is slow.
+Reduce calls to `Source#buffer`.
+
+## Benchmark
+
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22]
+Calculating -------------------------------------
+ before after before(YJIT) after(YJIT)
+ dom 10.639 10.985 16.213 16.221 i/s - 100.000 times in 9.399033s 9.103461s 6.167962s 6.164794s
+ sax 28.357 29.440 42.900 44.375 i/s - 100.000 times in 3.526479s 3.396688s 2.331024s 2.253511s
+ pull 32.852 34.210 48.976 51.273 i/s - 100.000 times in 3.043965s 2.923140s 2.041816s 1.950344s
+ stream 30.821 31.908 43.953 44.697 i/s - 100.000 times in 3.244539s 3.134020s 2.275172s 2.237310s
+
+Comparison:
+ dom
+ after(YJIT): 16.2 i/s
+ before(YJIT): 16.2 i/s - 1.00x slower
+ after: 11.0 i/s - 1.48x slower
+ before: 10.6 i/s - 1.52x slower
+
+ sax
+ after(YJIT): 44.4 i/s
+ before(YJIT): 42.9 i/s - 1.03x slower
+ after: 29.4 i/s - 1.51x slower
+ before: 28.4 i/s - 1.56x slower
+
+ pull
+ after(YJIT): 51.3 i/s
+ before(YJIT): 49.0 i/s - 1.05x slower
+ after: 34.2 i/s - 1.50x slower
+ before: 32.9 i/s - 1.56x slower
+
+ stream
+ after(YJIT): 44.7 i/s
+ before(YJIT): 44.0 i/s - 1.02x slower
+ after: 31.9 i/s - 1.40x slower
+ before: 30.8 i/s - 1.45x slower
+
+```
+
+- YJIT=ON : 1.00x - 1.05x faster
+- YJIT=OFF : 1.03x - 1.04x faster
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/83ca5c4b0f76cf7b307dd1be1dc934e1e8199863]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 65bad26..7126a12 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -348,9 +348,13 @@ module REXML
+ @source.match(/\A\s*/um, true)
+ end
+ begin
+- @source.read if @source.buffer.size<2
+- if @source.buffer[0] == ?<
+- if @source.buffer[1] == ?/
++ next_data = @source.buffer
++ if next_data.size < 2
++ @source.read
++ next_data = @source.buffer
++ end
++ if next_data[0] == ?<
++ if next_data[1] == ?/
+ @nsstack.shift
+ last_tag = @tags.pop
+ md = @source.match( CLOSE_MATCH, true )
+@@ -364,7 +368,7 @@ module REXML
+ raise REXML::ParseException.new(message, @source)
+ end
+ return [ :end_element, last_tag ]
+- elsif @source.buffer[1] == ?!
++ elsif next_data[1] == ?!
+ md = @source.match(/\A(\s*[^>]*>)/um)
+ #STDERR.puts "SOURCE BUFFER = #{source.buffer}, #{source.buffer.size}"
+ raise REXML::ParseException.new("Malformed node", @source) unless md
+@@ -383,7 +387,7 @@ module REXML
+ end
+ raise REXML::ParseException.new( "Declarations can only occur "+
+ "in the doctype declaration.", @source)
+- elsif @source.buffer[1] == ??
++ elsif next_data[1] == ??
+ return process_instruction
+ else
+ # Get the next tag
+--
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0003.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0003.patch
new file mode 100644
index 0000000000..9d3515e7a6
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0003.patch
@@ -0,0 +1,85 @@
+From 51217dbcc64ecc34aa70f126b103bedf07e153fc Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Wed, 31 Jan 2024 16:35:55 +0900
+Subject: [PATCH] Reduce calls to StringScanner.new() (#108)
+
+## Why
+
+`StringScanner.new()` instances can be reused within parse_attributes,
+reducing initialization costs.
+
+## Benchmark
+
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22]
+Calculating -------------------------------------
+ before after before(YJIT) after(YJIT)
+ dom 11.018 11.207 17.059 16.660 i/s - 100.000 times in 9.075992s 8.923280s 5.861969s 6.002555s
+ sax 29.843 30.821 45.518 47.505 i/s - 100.000 times in 3.350909s 3.244524s 2.196940s 2.105037s
+ pull 34.480 35.937 52.816 57.098 i/s - 100.000 times in 2.900205s 2.782632s 1.893370s 1.751378s
+ stream 32.430 33.516 46.247 48.412 i/s - 100.000 times in 3.083536s 2.983607s 2.162288s 2.065584s
+
+Comparison:
+ dom
+ before(YJIT): 17.1 i/s
+ after(YJIT): 16.7 i/s - 1.02x slower
+ after: 11.2 i/s - 1.52x slower
+ before: 11.0 i/s - 1.55x slower
+
+ sax
+ after(YJIT): 47.5 i/s
+ before(YJIT): 45.5 i/s - 1.04x slower
+ after: 30.8 i/s - 1.54x slower
+ before: 29.8 i/s - 1.59x slower
+
+ pull
+ after(YJIT): 57.1 i/s
+ before(YJIT): 52.8 i/s - 1.08x slower
+ after: 35.9 i/s - 1.59x slower
+ before: 34.5 i/s - 1.66x slower
+
+ stream
+ after(YJIT): 48.4 i/s
+ before(YJIT): 46.2 i/s - 1.05x slower
+ after: 33.5 i/s - 1.44x slower
+ before: 32.4 i/s - 1.49x slower
+
+```
+
+- YJIT=ON : 1.02x - 1.08x faster
+- YJIT=OFF : 1.01x - 1.04x faster
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/51217dbcc64ecc34aa70f126b103bedf07e153fc]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 7126a12..b66b0ed 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -115,6 +115,7 @@ module REXML
+ def initialize( source )
+ self.stream = source
+ @listeners = []
++ @attributes_scanner = StringScanner.new('')
+ end
+
+ def add_listener( listener )
+@@ -601,7 +602,8 @@ module REXML
+ return attributes, closed if raw_attributes.nil?
+ return attributes, closed if raw_attributes.empty?
+
+- scanner = StringScanner.new(raw_attributes)
++ @attributes_scanner.string = raw_attributes
++ scanner = @attributes_scanner
+ until scanner.eos?
+ if scanner.scan(/\s+/)
+ break if scanner.eos?
+--
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0004.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0004.patch
new file mode 100644
index 0000000000..f2bbbd76f7
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0004.patch
@@ -0,0 +1,71 @@
+From 7e4049f6a68c99c4efec2df117057ee080680c9f Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Wed, 31 Jan 2024 17:17:51 +0900
+Subject: [PATCH] Change loop in parse_attributes to `while true`. (#109)
+
+loop is slower than `while true`.
+
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22]
+Calculating -------------------------------------
+ before after before(YJIT) after(YJIT)
+ dom 11.186 11.304 17.395 17.450 i/s - 100.000 times in 8.940144s 8.846590s 5.748718s 5.730793s
+ sax 30.811 31.629 47.352 48.040 i/s - 100.000 times in 3.245601s 3.161619s 2.111854s 2.081594s
+ pull 35.793 36.621 56.924 57.313 i/s - 100.000 times in 2.793829s 2.730693s 1.756732s 1.744812s
+ stream 33.157 34.757 46.792 50.536 i/s - 100.000 times in 3.015940s 2.877088s 2.137106s 1.978787s
+
+Comparison:
+ dom
+ after(YJIT): 17.4 i/s
+ before(YJIT): 17.4 i/s - 1.00x slower
+ after: 11.3 i/s - 1.54x slower
+ before: 11.2 i/s - 1.56x slower
+
+ sax
+ after(YJIT): 48.0 i/s
+ before(YJIT): 47.4 i/s - 1.01x slower
+ after: 31.6 i/s - 1.52x slower
+ before: 30.8 i/s - 1.56x slower
+
+ pull
+ after(YJIT): 57.3 i/s
+ before(YJIT): 56.9 i/s - 1.01x slower
+ after: 36.6 i/s - 1.57x slower
+ before: 35.8 i/s - 1.60x slower
+
+ stream
+ after(YJIT): 50.5 i/s
+ before(YJIT): 46.8 i/s - 1.08x slower
+ after: 34.8 i/s - 1.45x slower
+ before: 33.2 i/s - 1.52x slower
+
+```
+
+- YJIT=ON : 1.00x - 1.08x faster
+- YJIT=OFF : 1.01x - 1.04x faster
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/7e4049f6a68c99c4efec2df117057ee080680c9f]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index b66b0ed..3fe5c29 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -610,7 +610,7 @@ module REXML
+ end
+
+ pos = scanner.pos
+- loop do
++ while true
+ break if scanner.scan(ATTRIBUTE_PATTERN)
+ unless scanner.scan(QNAME)
+ message = "Invalid attribute name: <#{scanner.rest}>"
+--
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0005.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0005.patch
new file mode 100644
index 0000000000..304270092e
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0005.patch
@@ -0,0 +1,51 @@
+From fc6cad570b849692a28f26a963ceb58edc282bbc Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Fri, 16 Feb 2024 04:51:16 +0900
+Subject: [PATCH] Remove unnecessary checks in baseparser (#112)
+
+https://github.com/ruby/rexml/blob/444c9ce7449d3c5a75ae50087555ec73ae1963a8/lib/rexml/parsers/baseparser.rb#L352-L425
+```
+ next_data = @source.buffer
+ if next_data.size < 2
+ @source.read
+ next_data = @source.buffer
+ end
+ if next_data[0] == ?<
+ :
+ (omit)
+ :
+ else # next_data is a string of one or more characters other than '<'.
+ md = @source.match( TEXT_PATTERN, true ) # TEXT_PATTERN = /\A([^<]*)/um
+ text = md[1]
+ if md[0].length == 0 # md[0].length is greater than or equal to 1.
+ @source.match( /(\s+)/, true )
+ end
+```
+This is an unnecessary check because md[0].length is greater than or
+equal to 1.
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/fc6cad570b849692a28f26a963ceb58edc282bbc]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 3fe5c29..595669c 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -420,9 +420,6 @@ module REXML
+ else
+ md = @source.match( TEXT_PATTERN, true )
+ text = md[1]
+- if md[0].length == 0
+- @source.match( /(\s+)/, true )
+- end
+ return [ :text, text ]
+ end
+ rescue REXML::UndefinedNamespaceException
+--
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0006.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0006.patch
new file mode 100644
index 0000000000..7d3f547089
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0006.patch
@@ -0,0 +1,79 @@
+From 77128555476cb0db798e2912fb3a07d6411dc320 Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Sun, 21 Jan 2024 20:02:00 +0900
+Subject: [PATCH] Use `@scanner << readline` instead of `@scanner.string =
+ @scanner.rest + readline` (#107)
+
+JRuby's `StringScanner#<<` and `StringScanner#scan` OutOfMemoryError has
+been resolved in strscan gem 3.0.9.
+
+https://github.com/ruby/strscan/issues/83
+
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22]
+Calculating -------------------------------------
+ before after before(YJIT) after(YJIT)
+ dom 10.958 11.044 16.615 16.783 i/s - 100.000 times in 9.126104s 9.055023s 6.018799s 5.958437s
+ sax 29.624 29.609 44.390 45.370 i/s - 100.000 times in 3.375641s 3.377372s 2.252774s 2.204080s
+ pull 33.868 34.695 51.173 53.492 i/s - 100.000 times in 2.952679s 2.882229s 1.954138s 1.869422s
+ stream 31.719 32.351 43.604 45.403 i/s - 100.000 times in 3.152713s 3.091052s 2.293356s 2.202514s
+
+Comparison:
+ dom
+ after(YJIT): 16.8 i/s
+ before(YJIT): 16.6 i/s - 1.01x slower
+ after: 11.0 i/s - 1.52x slower
+ before: 11.0 i/s - 1.53x slower
+
+ sax
+ after(YJIT): 45.4 i/s
+ before(YJIT): 44.4 i/s - 1.02x slower
+ before: 29.6 i/s - 1.53x slower
+ after: 29.6 i/s - 1.53x slower
+
+ pull
+ after(YJIT): 53.5 i/s
+ before(YJIT): 51.2 i/s - 1.05x slower
+ after: 34.7 i/s - 1.54x slower
+ before: 33.9 i/s - 1.58x slower
+
+ stream
+ after(YJIT): 45.4 i/s
+ before(YJIT): 43.6 i/s - 1.04x slower
+ after: 32.4 i/s - 1.40x slower
+ before: 31.7 i/s - 1.43x slower
+
+```
+
+- YJIT=ON : 1.01x - 1.05x faster
+- YJIT=OFF : 1.00x - 1.02x faster
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/77128555476cb0db798e2912fb3a07d6411dc320]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+index 71b08f9..db78a12 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+@@ -149,11 +149,7 @@ module REXML
+
+ def read
+ begin
+- # NOTE: `@scanner << readline` does not free memory, so when parsing huge XML in JRuby's DOM,
+- # out-of-memory error `Java::JavaLang::OutOfMemoryError: Java heap space` occurs.
+- # `@scanner.string = @scanner.rest + readline` frees memory that is already consumed
+- # and avoids this problem.
+- @scanner.string = @scanner.rest + readline
++ @scanner << readline
+ rescue Exception, NameError
+ @source = nil
+ end
+--
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0007.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0007.patch
new file mode 100644
index 0000000000..4ba60823ab
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0007.patch
@@ -0,0 +1,561 @@
+From 370666e314816b57ecd5878e757224c3b6bc93f5 Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Tue, 27 Feb 2024 09:48:35 +0900
+Subject: [PATCH] Use more StringScanner based API to parse XML (#114)
+
+## Why?
+
+Improve maintainability by optimizing the process so that the parsing
+process proceeds using StringScanner#scan.
+
+## Changed
+- Change `REXML::Parsers::BaseParser` from `frozen_string_literal:
+false` to `frozen_string_literal: true`.
+- Added `Source#string=` method for error message output.
+- Added TestParseDocumentTypeDeclaration#test_no_name test case.
+- Of the `intSubset` of DOCTYPE, "<!" added consideration for processing
+`Comments` that begin with "<!".
+
+## [Benchmark]
+
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.0/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [arm64-darwin22]
+Calculating -------------------------------------
+ before after before(YJIT) after(YJIT)
+ dom 11.240 10.569 17.173 18.219 i/s - 100.000 times in 8.896882s 9.461267s 5.823007s 5.488884s
+ sax 31.812 30.716 48.383 52.532 i/s - 100.000 times in 3.143500s 3.255655s 2.066861s 1.903600s
+ pull 36.855 36.354 56.718 61.443 i/s - 100.000 times in 2.713300s 2.750693s 1.763099s 1.627523s
+ stream 34.176 34.758 49.801 54.622 i/s - 100.000 times in 2.925991s 2.877065s 2.008003s 1.830779s
+
+Comparison:
+ dom
+ after(YJIT): 18.2 i/s
+ before(YJIT): 17.2 i/s - 1.06x slower
+ before: 11.2 i/s - 1.62x slower
+ after: 10.6 i/s - 1.72x slower
+
+ sax
+ after(YJIT): 52.5 i/s
+ before(YJIT): 48.4 i/s - 1.09x slower
+ before: 31.8 i/s - 1.65x slower
+ after: 30.7 i/s - 1.71x slower
+
+ pull
+ after(YJIT): 61.4 i/s
+ before(YJIT): 56.7 i/s - 1.08x slower
+ before: 36.9 i/s - 1.67x slower
+ after: 36.4 i/s - 1.69x slower
+
+ stream
+ after(YJIT): 54.6 i/s
+ before(YJIT): 49.8 i/s - 1.10x slower
+ after: 34.8 i/s - 1.57x slower
+ before: 34.2 i/s - 1.60x slower
+
+```
+
+- YJIT=ON : 1.06x - 1.10x faster
+- YJIT=OFF : 0.94x - 1.01x faster
+
+---------
+
+Co-authored-by: Sutou Kouhei <kou@clear-code.com>
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/370666e314816b57ecd5878e757224c3b6bc93f5]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../lib/rexml/parsers/baseparser.rb | 325 +++++++++---------
+ .bundle/gems/rexml-3.2.5/lib/rexml/source.rb | 31 +-
+ 2 files changed, 188 insertions(+), 168 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 595669c..bc59bcd 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -1,4 +1,4 @@
+-# frozen_string_literal: false
++# frozen_string_literal: true
+ require_relative '../parseexception'
+ require_relative '../undefinednamespaceexception'
+ require_relative '../source'
+@@ -112,6 +112,19 @@ module REXML
+ "apos" => [/'/, "'", "'", /'/]
+ }
+
++ module Private
++ INSTRUCTION_END = /#{NAME}(\s+.*?)?\?>/um
++ TAG_PATTERN = /((?>#{QNAME_STR}))/um
++ CLOSE_PATTERN = /(#{QNAME_STR})\s*>/um
++ ATTLISTDECL_END = /\s+#{NAME}(?:#{ATTDEF})*\s*>/um
++ NAME_PATTERN = /\s*#{NAME}/um
++ GEDECL_PATTERN = "\\s+#{NAME}\\s+#{ENTITYDEF}\\s*>"
++ PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
++ ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
++ end
++ private_constant :Private
++ include Private
++
+ def initialize( source )
+ self.stream = source
+ @listeners = []
+@@ -198,183 +211,172 @@ module REXML
+ #STDERR.puts @source.encoding
+ #STDERR.puts "BUFFER = #{@source.buffer.inspect}"
+ if @document_status == nil
+- word = @source.match( /\A((?:\s+)|(?:<[^>]*>))/um )
+- word = word[1] unless word.nil?
+- #STDERR.puts "WORD = #{word.inspect}"
+- case word
+- when COMMENT_START
+- return [ :comment, @source.match( COMMENT_PATTERN, true )[1] ]
+- when XMLDECL_START
+- #STDERR.puts "XMLDECL"
+- results = @source.match( XMLDECL_PATTERN, true )[1]
+- version = VERSION.match( results )
+- version = version[1] unless version.nil?
+- encoding = ENCODING.match(results)
+- encoding = encoding[1] unless encoding.nil?
+- if need_source_encoding_update?(encoding)
+- @source.encoding = encoding
+- end
+- if encoding.nil? and /\AUTF-16(?:BE|LE)\z/i =~ @source.encoding
+- encoding = "UTF-16"
+- end
+- standalone = STANDALONE.match(results)
+- standalone = standalone[1] unless standalone.nil?
+- return [ :xmldecl, version, encoding, standalone ]
+- when INSTRUCTION_START
++ if @source.match("<?", true)
+ return process_instruction
+- when DOCTYPE_START
+- base_error_message = "Malformed DOCTYPE"
+- @source.match(DOCTYPE_START, true)
+- @nsstack.unshift(curr_ns=Set.new)
+- name = parse_name(base_error_message)
+- if @source.match(/\A\s*\[/um, true)
+- id = [nil, nil, nil]
+- @document_status = :in_doctype
+- elsif @source.match(/\A\s*>/um, true)
+- id = [nil, nil, nil]
+- @document_status = :after_doctype
+- else
+- id = parse_id(base_error_message,
+- accept_external_id: true,
+- accept_public_id: false)
+- if id[0] == "SYSTEM"
+- # For backward compatibility
+- id[1], id[2] = id[2], nil
++ elsif @source.match("<!", true)
++ if @source.match("--", true)
++ return [ :comment, @source.match(/(.*?)-->/um, true)[1] ]
++ elsif @source.match("DOCTYPE", true)
++ base_error_message = "Malformed DOCTYPE"
++ unless @source.match(/\s+/um, true)
++ if @source.match(">")
++ message = "#{base_error_message}: name is missing"
++ else
++ message = "#{base_error_message}: invalid name"
++ end
++ @source.string = "<!DOCTYPE" + @source.buffer
++ raise REXML::ParseException.new(message, @source)
+ end
+- if @source.match(/\A\s*\[/um, true)
++ @nsstack.unshift(curr_ns=Set.new)
++ name = parse_name(base_error_message)
++ if @source.match(/\s*\[/um, true)
++ id = [nil, nil, nil]
+ @document_status = :in_doctype
+- elsif @source.match(/\A\s*>/um, true)
++ elsif @source.match(/\s*>/um, true)
++ id = [nil, nil, nil]
+ @document_status = :after_doctype
+ else
+- message = "#{base_error_message}: garbage after external ID"
+- raise REXML::ParseException.new(message, @source)
++ id = parse_id(base_error_message,
++ accept_external_id: true,
++ accept_public_id: false)
++ if id[0] == "SYSTEM"
++ # For backward compatibility
++ id[1], id[2] = id[2], nil
++ end
++ if @source.match(/\s*\[/um, true)
++ @document_status = :in_doctype
++ elsif @source.match(/\s*>/um, true)
++ @document_status = :after_doctype
++ else
++ message = "#{base_error_message}: garbage after external ID"
++ raise REXML::ParseException.new(message, @source)
++ end
+ end
+- end
+- args = [:start_doctype, name, *id]
+- if @document_status == :after_doctype
+- @source.match(/\A\s*/um, true)
+- @stack << [ :end_doctype ]
+- end
+- return args
+- when /\A\s+/
+- else
+- @document_status = :after_doctype
+- if @source.encoding == "UTF-8"
+- @source.buffer_encoding = ::Encoding::UTF_8
++ args = [:start_doctype, name, *id]
++ if @document_status == :after_doctype
++ @source.match(/\s*/um, true)
++ @stack << [ :end_doctype ]
++ end
++ return args
++ else
++ message = "Invalid XML"
++ raise REXML::ParseException.new(message, @source)
+ end
+ end
+ end
+ if @document_status == :in_doctype
+- md = @source.match(/\A\s*(.*?>)/um)
+- case md[1]
+- when SYSTEMENTITY
+- match = @source.match( SYSTEMENTITY, true )[1]
+- return [ :externalentity, match ]
+-
+- when ELEMENTDECL_START
+- return [ :elementdecl, @source.match( ELEMENTDECL_PATTERN, true )[1] ]
+-
+- when ENTITY_START
+- match = [:entitydecl, *@source.match( ENTITYDECL, true ).captures.compact]
+- ref = false
+- if match[1] == '%'
+- ref = true
+- match.delete_at 1
+- end
+- # Now we have to sort out what kind of entity reference this is
+- if match[2] == 'SYSTEM'
+- # External reference
+- match[3] = match[3][1..-2] # PUBID
+- match.delete_at(4) if match.size > 4 # Chop out NDATA decl
+- # match is [ :entity, name, SYSTEM, pubid(, ndata)? ]
+- elsif match[2] == 'PUBLIC'
+- # External reference
+- match[3] = match[3][1..-2] # PUBID
+- match[4] = match[4][1..-2] # HREF
+- match.delete_at(5) if match.size > 5 # Chop out NDATA decl
+- # match is [ :entity, name, PUBLIC, pubid, href(, ndata)? ]
+- else
+- match[2] = match[2][1..-2]
+- match.pop if match.size == 4
+- # match is [ :entity, name, value ]
+- end
+- match << '%' if ref
+- return match
+- when ATTLISTDECL_START
+- md = @source.match( ATTLISTDECL_PATTERN, true )
+- raise REXML::ParseException.new( "Bad ATTLIST declaration!", @source ) if md.nil?
+- element = md[1]
+- contents = md[0]
+-
+- pairs = {}
+- values = md[0].scan( ATTDEF_RE )
+- values.each do |attdef|
+- unless attdef[3] == "#IMPLIED"
+- attdef.compact!
+- val = attdef[3]
+- val = attdef[4] if val == "#FIXED "
+- pairs[attdef[0]] = val
+- if attdef[0] =~ /^xmlns:(.*)/
+- @nsstack[0] << $1
+- end
++ @source.match(/\s*/um, true) # skip spaces
++ if @source.match("<!", true)
++ if @source.match("ELEMENT", true)
++ md = @source.match(/(.*?)>/um, true)
++ raise REXML::ParseException.new( "Bad ELEMENT declaration!", @source ) if md.nil?
++ return [ :elementdecl, "<!ELEMENT" + md[1] ]
++ elsif @source.match("ENTITY", true)
++ match = [:entitydecl, *@source.match(ENTITYDECL_PATTERN, true).captures.compact]
++ ref = false
++ if match[1] == '%'
++ ref = true
++ match.delete_at 1
+ end
+- end
+- return [ :attlistdecl, element, pairs, contents ]
+- when NOTATIONDECL_START
+- base_error_message = "Malformed notation declaration"
+- unless @source.match(/\A\s*<!NOTATION\s+/um, true)
+- if @source.match(/\A\s*<!NOTATION\s*>/um)
+- message = "#{base_error_message}: name is missing"
++ # Now we have to sort out what kind of entity reference this is
++ if match[2] == 'SYSTEM'
++ # External reference
++ match[3] = match[3][1..-2] # PUBID
++ match.delete_at(4) if match.size > 4 # Chop out NDATA decl
++ # match is [ :entity, name, SYSTEM, pubid(, ndata)? ]
++ elsif match[2] == 'PUBLIC'
++ # External reference
++ match[3] = match[3][1..-2] # PUBID
++ match[4] = match[4][1..-2] # HREF
++ match.delete_at(5) if match.size > 5 # Chop out NDATA decl
++ # match is [ :entity, name, PUBLIC, pubid, href(, ndata)? ]
+ else
+- message = "#{base_error_message}: invalid declaration name"
++ match[2] = match[2][1..-2]
++ match.pop if match.size == 4
++ # match is [ :entity, name, value ]
+ end
+- raise REXML::ParseException.new(message, @source)
+- end
+- name = parse_name(base_error_message)
+- id = parse_id(base_error_message,
+- accept_external_id: true,
+- accept_public_id: true)
+- unless @source.match(/\A\s*>/um, true)
+- message = "#{base_error_message}: garbage before end >"
+- raise REXML::ParseException.new(message, @source)
++ match << '%' if ref
++ return match
++ elsif @source.match("ATTLIST", true)
++ md = @source.match(ATTLISTDECL_END, true)
++ raise REXML::ParseException.new( "Bad ATTLIST declaration!", @source ) if md.nil?
++ element = md[1]
++ contents = md[0]
++
++ pairs = {}
++ values = md[0].scan( ATTDEF_RE )
++ values.each do |attdef|
++ unless attdef[3] == "#IMPLIED"
++ attdef.compact!
++ val = attdef[3]
++ val = attdef[4] if val == "#FIXED "
++ pairs[attdef[0]] = val
++ if attdef[0] =~ /^xmlns:(.*)/
++ @nsstack[0] << $1
++ end
++ end
++ end
++ return [ :attlistdecl, element, pairs, contents ]
++ elsif @source.match("NOTATION", true)
++ base_error_message = "Malformed notation declaration"
++ unless @source.match(/\s+/um, true)
++ if @source.match(">")
++ message = "#{base_error_message}: name is missing"
++ else
++ message = "#{base_error_message}: invalid name"
++ end
++ @source.string = " <!NOTATION" + @source.buffer
++ raise REXML::ParseException.new(message, @source)
++ end
++ name = parse_name(base_error_message)
++ id = parse_id(base_error_message,
++ accept_external_id: true,
++ accept_public_id: true)
++ unless @source.match(/\s*>/um, true)
++ message = "#{base_error_message}: garbage before end >"
++ raise REXML::ParseException.new(message, @source)
++ end
++ return [:notationdecl, name, *id]
++ elsif md = @source.match(/--(.*?)-->/um, true)
++ case md[1]
++ when /--/, /-\z/
++ raise REXML::ParseException.new("Malformed comment", @source)
++ end
++ return [ :comment, md[1] ] if md
+ end
+- return [:notationdecl, name, *id]
+- when DOCTYPE_END
++ elsif match = @source.match(/(%.*?;)\s*/um, true)
++ return [ :externalentity, match[1] ]
++ elsif @source.match(/\]\s*>/um, true)
+ @document_status = :after_doctype
+- @source.match( DOCTYPE_END, true )
+ return [ :end_doctype ]
+ end
+ end
+ if @document_status == :after_doctype
+- @source.match(/\A\s*/um, true)
++ @source.match(/\s*/um, true)
+ end
+ begin
+- next_data = @source.buffer
+- if next_data.size < 2
+- @source.read
+- next_data = @source.buffer
+- end
+- if next_data[0] == ?<
+- if next_data[1] == ?/
++ if @source.match("<", true)
++ if @source.match("/", true)
+ @nsstack.shift
+ last_tag = @tags.pop
+- md = @source.match( CLOSE_MATCH, true )
++ md = @source.match(CLOSE_PATTERN, true)
+ if md and !last_tag
+ message = "Unexpected top-level end tag (got '#{md[1]}')"
+ raise REXML::ParseException.new(message, @source)
+ end
+ if md.nil? or last_tag != md[1]
+ message = "Missing end tag for '#{last_tag}'"
+- message << " (got '#{md[1]}')" if md
++ message += " (got '#{md[1]}')" if md
++ @source.string = "</" + @source.buffer if md.nil?
+ raise REXML::ParseException.new(message, @source)
+ end
+ return [ :end_element, last_tag ]
+- elsif next_data[1] == ?!
+- md = @source.match(/\A(\s*[^>]*>)/um)
++ elsif @source.match("!", true)
++ md = @source.match(/([^>]*>)/um)
+ #STDERR.puts "SOURCE BUFFER = #{source.buffer}, #{source.buffer.size}"
+ raise REXML::ParseException.new("Malformed node", @source) unless md
+- if md[0][2] == ?-
+- md = @source.match( COMMENT_PATTERN, true )
++ if md[0][0] == ?-
++ md = @source.match(/--(.*?)-->/um, true)
+
+ case md[1]
+ when /--/, /-\z/
+@@ -383,17 +385,18 @@ module REXML
+
+ return [ :comment, md[1] ] if md
+ else
+- md = @source.match( CDATA_PATTERN, true )
++ md = @source.match(/\[CDATA\[(.*?)\]\]>/um, true)
+ return [ :cdata, md[1] ] if md
+ end
+ raise REXML::ParseException.new( "Declarations can only occur "+
+ "in the doctype declaration.", @source)
+- elsif next_data[1] == ??
++ elsif @source.match("?", true)
+ return process_instruction
+ else
+ # Get the next tag
+- md = @source.match(TAG_MATCH, true)
++ md = @source.match(TAG_PATTERN, true)
+ unless md
++ @source.string = "<" + @source.buffer
+ raise REXML::ParseException.new("malformed XML: missing tag start", @source)
+ end
+ tag = md[1]
+@@ -418,7 +421,7 @@ module REXML
+ return [ :start_element, tag, attributes ]
+ end
+ else
+- md = @source.match( TEXT_PATTERN, true )
++ md = @source.match(/([^<]*)/um, true)
+ text = md[1]
+ return [ :text, text ]
+ end
+@@ -462,8 +465,7 @@ module REXML
+
+ # Unescapes all possible entities
+ def unnormalize( string, entities=nil, filter=nil )
+- rv = string.clone
+- rv.gsub!( /\r\n?/, "\n" )
++ rv = string.gsub( /\r\n?/, "\n" )
+ matches = rv.scan( REFERENCE_RE )
+ return rv if matches.size == 0
+ rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
+@@ -498,9 +500,9 @@ module REXML
+ end
+
+ def parse_name(base_error_message)
+- md = @source.match(/\A\s*#{NAME}/um, true)
++ md = @source.match(NAME_PATTERN, true)
+ unless md
+- if @source.match(/\A\s*\S/um)
++ if @source.match(/\s*\S/um)
+ message = "#{base_error_message}: invalid name"
+ else
+ message = "#{base_error_message}: name is missing"
+@@ -577,11 +579,28 @@ module REXML
+ end
+
+ def process_instruction
+- match_data = @source.match(INSTRUCTION_PATTERN, true)
++ match_data = @source.match(INSTRUCTION_END, true)
+ unless match_data
+ message = "Invalid processing instruction node"
++ @source.string = "<?" + @source.buffer
+ raise REXML::ParseException.new(message, @source)
+ end
++ if @document_status.nil? and match_data[1] == "xml"
++ content = match_data[2]
++ version = VERSION.match(content)
++ version = version[1] unless version.nil?
++ encoding = ENCODING.match(content)
++ encoding = encoding[1] unless encoding.nil?
++ if need_source_encoding_update?(encoding)
++ @source.encoding = encoding
++ end
++ if encoding.nil? and /\AUTF-16(?:BE|LE)\z/i =~ @source.encoding
++ encoding = "UTF-16"
++ end
++ standalone = STANDALONE.match(content)
++ standalone = standalone[1] unless standalone.nil?
++ return [ :xmldecl, version, encoding, standalone ]
++ end
+ [:processing_instruction, match_data[1], match_data[2]]
+ end
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+index db78a12..4111d1d 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/source.rb
+@@ -76,6 +76,10 @@ module REXML
+ end
+ end
+
++ def string=(string)
++ @scanner.string = string
++ end
++
+ # @return true if the Source is exhausted
+ def empty?
+ @scanner.eos?
+@@ -150,28 +154,25 @@ module REXML
+ def read
+ begin
+ @scanner << readline
++ true
+ rescue Exception, NameError
+ @source = nil
++ false
+ end
+ end
+
+ def match( pattern, cons=false )
+- if cons
+- md = @scanner.scan(pattern)
+- else
+- md = @scanner.check(pattern)
+- end
+- while md.nil? and @source
+- begin
+- @scanner << readline
+- if cons
+- md = @scanner.scan(pattern)
+- else
+- md = @scanner.check(pattern)
+- end
+- rescue
+- @source = nil
++ read if @scanner.eos? && @source
++ while true
++ if cons
++ md = @scanner.scan(pattern)
++ else
++ md = @scanner.check(pattern)
+ end
++ break if md
++ return nil if pattern.is_a?(String) && pattern.bytesize <= @scanner.rest_size
++ return nil if @source.nil?
++ return nil unless read
+ end
+
+ md.nil? ? nil : @scanner
+--
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0008.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0008.patch
new file mode 100644
index 0000000000..959f8a0794
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0008.patch
@@ -0,0 +1,107 @@
+From a579730f25ec7443796495541ec57c071b91805d Mon Sep 17 00:00:00 2001
+From: NAITOH Jun <naitoh@gmail.com>
+Date: Tue, 25 Jun 2024 09:07:11 +0900
+Subject: [PATCH] Optimize BaseParser#unnormalize method (#158)
+
+## Benchmark
+```
+RUBYLIB= BUNDLER_ORIG_RUBYLIB= /Users/naitoh/.rbenv/versions/3.3.3/bin/ruby -v -S benchmark-driver /Users/naitoh/ghq/github.com/naitoh/rexml/benchmark/parse.yaml
+ruby 3.3.3 (2024-06-12 revision f1c7b6f435) [arm64-darwin22]
+Calculating -------------------------------------
+ before after before(YJIT) after(YJIT)
+ dom 17.704 18.106 34.215 33.806 i/s - 100.000 times in 5.648398s 5.523110s 2.922698s 2.958036s
+ sax 25.664 25.302 48.429 48.602 i/s - 100.000 times in 3.896488s 3.952289s 2.064859s 2.057537s
+ pull 28.966 29.215 61.710 62.068 i/s - 100.000 times in 3.452275s 3.422901s 1.620480s 1.611129s
+ stream 28.291 28.426 53.860 55.548 i/s - 100.000 times in 3.534716s 3.517884s 1.856667s 1.800247s
+
+Comparison:
+ dom
+ before(YJIT): 34.2 i/s
+ after(YJIT): 33.8 i/s - 1.01x slower
+ after: 18.1 i/s - 1.89x slower
+ before: 17.7 i/s - 1.93x slower
+
+ sax
+ after(YJIT): 48.6 i/s
+ before(YJIT): 48.4 i/s - 1.00x slower
+ before: 25.7 i/s - 1.89x slower
+ after: 25.3 i/s - 1.92x slower
+
+ pull
+ after(YJIT): 62.1 i/s
+ before(YJIT): 61.7 i/s - 1.01x slower
+ after: 29.2 i/s - 2.12x slower
+ before: 29.0 i/s - 2.14x slower
+
+ stream
+ after(YJIT): 55.5 i/s
+ before(YJIT): 53.9 i/s - 1.03x slower
+ after: 28.4 i/s - 1.95x slower
+ before: 28.3 i/s - 1.96x slower
+
+```
+
+- YJIT=ON : 1.00x - 1.03x faster
+- YJIT=OFF : 0.98x - 1.02x faster
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/a579730f25ec7443796495541ec57c071b91805d]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index bc59bcd..9983d51 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -121,6 +121,13 @@ module REXML
+ GEDECL_PATTERN = "\\s+#{NAME}\\s+#{ENTITYDEF}\\s*>"
+ PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+ ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
++ CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
++ CHARACTER_REFERENCES = /�*((?:\d+)|(?:x[a-fA-F0-9]+));/
++ DEFAULT_ENTITIES_PATTERNS = {}
++ default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
++ default_entities.each do |term|
++ DEFAULT_ENTITIES_PATTERNS[term] = /&#{term};/
++ end
+ end
+ private_constant :Private
+ include Private
+@@ -465,10 +472,10 @@ module REXML
+
+ # Unescapes all possible entities
+ def unnormalize( string, entities=nil, filter=nil )
+- rv = string.gsub( /\r\n?/, "\n" )
++ rv = string.gsub( Private::CARRIAGE_RETURN_NEWLINE_PATTERN, "\n" )
+ matches = rv.scan( REFERENCE_RE )
+ return rv if matches.size == 0
+- rv.gsub!( /�*((?:\d+)|(?:x[a-fA-F0-9]+));/ ) {
++ rv.gsub!( Private::CHARACTER_REFERENCES ) {
+ m=$1
+ m = "0#{m}" if m[0] == ?x
+ [Integer(m)].pack('U*')
+@@ -479,7 +486,7 @@ module REXML
+ unless filter and filter.include?(entity_reference)
+ entity_value = entity( entity_reference, entities )
+ if entity_value
+- re = /&#{entity_reference};/
++ re = Private::DEFAULT_ENTITIES_PATTERNS[entity_reference] || /&#{entity_reference};/
+ rv.gsub!( re, entity_value )
+ else
+ er = DEFAULT_ENTITIES[entity_reference]
+@@ -487,7 +494,7 @@ module REXML
+ end
+ end
+ end
+- rv.gsub!( /&/, '&' )
++ rv.gsub!( Private::DEFAULT_ENTITIES_PATTERNS['amp'], '&' )
+ end
+ rv
+ end
+--
+2.40.0
+
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0009.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0009.patch
new file mode 100644
index 0000000000..58a0894b09
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-49761-0009.patch
@@ -0,0 +1,46 @@
+From ce59f2eb1aeb371fe1643414f06618dbe031979f Mon Sep 17 00:00:00 2001
+From: Sutou Kouhei <kou@clear-code.com>
+Date: Thu, 24 Oct 2024 14:45:31 +0900
+Subject: [PATCH] parser: fix a bug that �x...; is accepted as a character
+ reference
+
+CVE: CVE-2024-49761
+
+Upstream-Status: Backport [https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ .../gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+index 9983d51..661f0e2 100644
+--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb
+@@ -122,7 +122,7 @@ module REXML
+ PEDECL_PATTERN = "\\s+(%)\\s+#{NAME}\\s+#{PEDEF}\\s*>"
+ ENTITYDECL_PATTERN = /(?:#{GEDECL_PATTERN})|(?:#{PEDECL_PATTERN})/um
+ CARRIAGE_RETURN_NEWLINE_PATTERN = /\r\n?/
+- CHARACTER_REFERENCES = /�*((?:\d+)|(?:x[a-fA-F0-9]+));/
++ CHARACTER_REFERENCES = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/
+ DEFAULT_ENTITIES_PATTERNS = {}
+ default_entities = ['gt', 'lt', 'quot', 'apos', 'amp']
+ default_entities.each do |term|
+@@ -477,8 +477,12 @@ module REXML
+ return rv if matches.size == 0
+ rv.gsub!( Private::CHARACTER_REFERENCES ) {
+ m=$1
+- m = "0#{m}" if m[0] == ?x
+- [Integer(m)].pack('U*')
++ if m.start_with?("x")
++ code_point = Integer(m[1..-1], 16)
++ else
++ code_point = Integer(m, 10)
++ end
++ [code_point].pack('U*')
+ }
+ matches.collect!{|x|x[0]}.compact!
+ if matches.size > 0
+--
+2.40.0
+
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
index a00df5d191..eec7e4684c 100644
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -36,6 +36,15 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
file://CVE-2024-27281.patch \
file://CVE-2024-27280.patch \
file://CVE-2024-27282.patch \
+ file://CVE-2024-49761-0001.patch \
+ file://CVE-2024-49761-0002.patch \
+ file://CVE-2024-49761-0003.patch \
+ file://CVE-2024-49761-0004.patch \
+ file://CVE-2024-49761-0005.patch \
+ file://CVE-2024-49761-0006.patch \
+ file://CVE-2024-49761-0007.patch \
+ file://CVE-2024-49761-0008.patch \
+ file://CVE-2024-49761-0009.patch \
"
UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
--
2.43.0
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 05/11] gstreamer1.0: ignore CVEs fixed in plugins recipes
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
` (3 preceding siblings ...)
2025-01-15 14:37 ` [OE-core][kirkstone 04/11] ruby: fix CVE-2024-49761 Steve Sakoman
@ 2025-01-15 14:37 ` Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 06/11] ofono: fix CVE-2024-7539 Steve Sakoman
` (5 subsequent siblings)
10 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
These were fixed in previous commits.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb
index b95c67f586..697c6e8b49 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.20.7.bb
@@ -72,5 +72,14 @@ CVE_PRODUCT = "gstreamer"
# these CVEs are patched in gstreamer1.0-plugins-bad
CVE_CHECK_IGNORE += "CVE-2023-40474 CVE-2023-40475 CVE-2023-40476 CVE-2023-44429 CVE-2023-44446 CVE-2023-50186 CVE-2024-0444"
+# these CVEs are patched in gstreamer1.0-plugins-base
+CVE_CHECK_IGNORE += "CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835"
+# these CVEs are patched in gstreamer1.0-plugins-good
+CVE_CHECK_IGNORE += " \
+ CVE-2024-47537 CVE-2024-47539 CVE-2024-47540 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 \
+ CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 CVE-2024-47599 CVE-2024-47601 \
+ CVE-2024-47602 CVE-2024-47603 CVE-2024-47613 CVE-2024-47774 CVE-2024-47775 CVE-2024-47776 \
+ CVE-2024-47777 CVE-2024-47778 CVE-2024-47834 \
+"
PTEST_BUILD_HOST_FILES = ""
--
2.43.0
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 06/11] ofono: fix CVE-2024-7539
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
` (4 preceding siblings ...)
2025-01-15 14:37 ` [OE-core][kirkstone 05/11] gstreamer1.0: ignore CVEs fixed in plugins recipes Steve Sakoman
@ 2025-01-15 14:37 ` Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 07/11] ofono: fix CVE-2024-7543 Steve Sakoman
` (4 subsequent siblings)
10 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability.
This vulnerability allows local attackers to execute arbitrary code
on affected installations of oFono. An attacker must first obtain
the ability to execute code on the target modem in order to exploit
this vulnerability.
The specific flaw exists within the parsing of responses from AT+CUSD
commands. The issue results from the lack of proper validation of the
length of user-supplied data prior to copying it to a stack-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of root. Was ZDI-CAN-23195.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-7539
Upstream Patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ofono/ofono/CVE-2024-7539.patch | 88 +++++++++++++++++++
meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
2 files changed, 89 insertions(+)
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
new file mode 100644
index 0000000000..46e45580c2
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7539.patch
@@ -0,0 +1,88 @@
+From 389e2344f86319265fb72ae590b470716e038fdc Mon Sep 17 00:00:00 2001
+From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
+Date: Tue, 17 Dec 2024 11:31:29 +0200
+Subject: [PATCH] ussd: ensure ussd content fits in buffers
+
+Fixes: CVE-2024-7539
+
+CVE: CVE-2024-7539
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ drivers/atmodem/ussd.c | 5 ++++-
+ drivers/huaweimodem/ussd.c | 5 ++++-
+ drivers/speedupmodem/ussd.c | 5 ++++-
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/atmodem/ussd.c b/drivers/atmodem/ussd.c
+index 3be1832..29f86dc 100644
+--- a/drivers/atmodem/ussd.c
++++ b/drivers/atmodem/ussd.c
+@@ -106,7 +106,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+ const char *content;
+ int dcs;
+ enum sms_charset charset;
+- unsigned char msg[160];
++ unsigned char msg[160] = {0};
+ const unsigned char *msg_ptr = NULL;
+ long msg_len;
+
+@@ -124,6 +124,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+ if (!g_at_result_iter_next_number(&iter, &dcs))
+ dcs = 0;
+
++ if (strlen(content) > sizeof(msg) * 2)
++ goto out;
++
+ if (!cbs_dcs_decode(dcs, NULL, NULL, &charset, NULL, NULL, NULL)) {
+ ofono_error("Unsupported USSD data coding scheme (%02x)", dcs);
+ status = 4; /* Not supported */
+diff --git a/drivers/huaweimodem/ussd.c b/drivers/huaweimodem/ussd.c
+index fbed3cd..4160b7d 100644
+--- a/drivers/huaweimodem/ussd.c
++++ b/drivers/huaweimodem/ussd.c
+@@ -50,7 +50,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+ GAtResultIter iter;
+ int status, dcs;
+ const char *content;
+- unsigned char msg[160];
++ unsigned char msg[160] = {0};
+ const unsigned char *msg_ptr = NULL;
+ long msg_len;
+
+@@ -68,6 +68,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+ if (!g_at_result_iter_next_number(&iter, &dcs))
+ dcs = 0;
+
++ if (strlen(content) > sizeof(msg) * 2)
++ goto out;
++
+ msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
+
+ out:
+diff --git a/drivers/speedupmodem/ussd.c b/drivers/speedupmodem/ussd.c
+index 57b91d7..99af19a 100644
+--- a/drivers/speedupmodem/ussd.c
++++ b/drivers/speedupmodem/ussd.c
+@@ -49,7 +49,7 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+ GAtResultIter iter;
+ int status, dcs;
+ const char *content;
+- unsigned char msg[160];
++ unsigned char msg[160] = {0};
+ const unsigned char *msg_ptr = NULL;
+ long msg_len;
+
+@@ -67,6 +67,9 @@ static void cusd_parse(GAtResult *result, struct ofono_ussd *ussd)
+ if (!g_at_result_iter_next_number(&iter, &dcs))
+ dcs = 0;
+
++ if (strlen(content) > sizeof(msg) * 2)
++ goto out;
++
+ msg_ptr = decode_hex_own_buf(content, -1, &msg_len, 0, msg);
+
+ out:
+--
+2.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index 3ffb713472..a7c3a9085d 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -18,6 +18,7 @@ SRC_URI = "\
file://CVE-2023-2794-0002.patch \
file://CVE-2023-2794-0003.patch \
file://CVE-2023-2794-0004.patch \
+ file://CVE-2024-7539.patch \
"
SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
--
2.43.0
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 07/11] ofono: fix CVE-2024-7543
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
` (5 preceding siblings ...)
2025-01-15 14:37 ` [OE-core][kirkstone 06/11] ofono: fix CVE-2024-7539 Steve Sakoman
@ 2025-01-15 14:37 ` Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 08/11] ofono: fix CVE-2024-7544 Steve Sakoman
` (3 subsequent siblings)
10 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
Vulnerability. This vulnerability allows local attackers to execute
arbitrary code on affected installations of oFono. An attacker must
first obtain the ability to execute code on the target modem in
order to exploit this vulnerability.
The specific flaw exists within the parsing of STK command PDUs.
The issue results from the lack of proper validation of the length
of user-supplied data prior to copying it to a heap-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of the service account. Was ZDI-CAN-23456.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-7543
Upstream patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ofono/ofono/CVE-2024-7543.patch | 30 +++++++++++++++++++
meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
2 files changed, 31 insertions(+)
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch
new file mode 100644
index 0000000000..d71d00b832
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7543.patch
@@ -0,0 +1,30 @@
+From 90e60ada012de42964214d8155260f5749d0dcc7 Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:50 +0200
+Subject: [PATCH] stkutil: Fix CVE-2024-7543
+
+CVE: CVE-2024-7543
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60ada012de42964214d8155260f5749d0dcc7]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/stkutil.c b/src/stkutil.c
+index 4f31af4..fdd11ad 100644
+--- a/src/stkutil.c
++++ b/src/stkutil.c
+@@ -1876,6 +1876,10 @@ static bool parse_dataobj_mms_reference(struct comprehension_tlv_iter *iter,
+
+ data = comprehension_tlv_iter_get_data(iter);
+ mr->len = len;
++
++ if (len > sizeof(mr->ref))
++ return false;
++
+ memcpy(mr->ref, data, len);
+
+ return true;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index a7c3a9085d..731b186b12 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -19,6 +19,7 @@ SRC_URI = "\
file://CVE-2023-2794-0003.patch \
file://CVE-2023-2794-0004.patch \
file://CVE-2024-7539.patch \
+ file://CVE-2024-7543.patch \
"
SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
--
2.43.0
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 08/11] ofono: fix CVE-2024-7544
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
` (6 preceding siblings ...)
2025-01-15 14:37 ` [OE-core][kirkstone 07/11] ofono: fix CVE-2024-7543 Steve Sakoman
@ 2025-01-15 14:37 ` Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 09/11] ofono: fix CVE-2024-7545 Steve Sakoman
` (2 subsequent siblings)
10 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
Vulnerability. This vulnerability allows local attackers to execute
arbitrary code on affected installations of oFono. An attacker must
first obtain the ability to execute code on the target modem in
order to exploit this vulnerability.
The specific flaw exists within the parsing of STK command PDUs.
The issue results from the lack of proper validation of the length
of user-supplied data prior to copying it to a heap-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of the service account. Was ZDI-CAN-23457.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-7544
Upstream patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ofono/ofono/CVE-2024-7544.patch | 30 +++++++++++++++++++
meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
2 files changed, 31 insertions(+)
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch
new file mode 100644
index 0000000000..ebbf809030
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7544.patch
@@ -0,0 +1,30 @@
+From a240705a0d5d41eca6de4125ab2349ecde4c873a Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:49 +0200
+Subject: [PATCH] stkutil: Fix CVE-2024-7544
+
+CVE: CVE-2024-7544
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a240705a0d5d41eca6de4125ab2349ecde4c873a]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/stkutil.c b/src/stkutil.c
+index fdd11ad..475caaa 100644
+--- a/src/stkutil.c
++++ b/src/stkutil.c
+@@ -1898,6 +1898,10 @@ static bool parse_dataobj_mms_id(struct comprehension_tlv_iter *iter,
+
+ data = comprehension_tlv_iter_get_data(iter);
+ mi->len = len;
++
++ if (len > sizeof(mi->id))
++ return false;
++
+ memcpy(mi->id, data, len);
+
+ return true;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index 731b186b12..54710aa9fd 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -20,6 +20,7 @@ SRC_URI = "\
file://CVE-2023-2794-0004.patch \
file://CVE-2024-7539.patch \
file://CVE-2024-7543.patch \
+ file://CVE-2024-7544.patch \
"
SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
--
2.43.0
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 09/11] ofono: fix CVE-2024-7545
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
` (7 preceding siblings ...)
2025-01-15 14:37 ` [OE-core][kirkstone 08/11] ofono: fix CVE-2024-7544 Steve Sakoman
@ 2025-01-15 14:37 ` Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 10/11] ofono: fix CVE-2024-7546 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 11/11] ofono: fix CVE-2024-7547 Steve Sakoman
10 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
Vulnerability. This vulnerability allows local attackers to execute
arbitrary code on affected installations of oFono. An attacker must
first obtain the ability to execute code on the target modem in
order to exploit this vulnerability.
The specific flaw exists within the parsing of STK command PDUs.
The issue results from the lack of proper validation of the length
of user-supplied data prior to copying it to a heap-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of the service account. Was ZDI-CAN-23458.
Reeference:
https://security-tracker.debian.org/tracker/CVE-2024-7545
Upstream patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ofono/ofono/CVE-2024-7545.patch | 32 +++++++++++++++++++
meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch
new file mode 100644
index 0000000000..80dc3c9ab0
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7545.patch
@@ -0,0 +1,32 @@
+From 556e14548c38c2b96d85881542046ee7ed750bb5 Mon Sep 17 00:00:00 2001
+From: Sicelo A. Mhlongo <absicsz@gmail.com>
+Date: Wed, Dec 4 12:07:34 2024 +0200
+Subject: [PATCH] stkutil: ensure data fits in buffer
+
+Fixes CVE-2024-7545
+
+CVE: CVE-2024-7545
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=556e14548c38c2b96d85881542046ee7ed750bb5]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/stkutil.c b/src/stkutil.c
+index 475caaa..e1fd75c 100644
+--- a/src/stkutil.c
++++ b/src/stkutil.c
+@@ -1938,6 +1938,10 @@ static bool parse_dataobj_mms_content_id(
+
+ data = comprehension_tlv_iter_get_data(iter);
+ mci->len = len;
++
++ if (len > sizeof(mci->id))
++ return false;
++
+ memcpy(mci->id, data, len);
+
+ return true;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index 54710aa9fd..0597caff3c 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -21,6 +21,7 @@ SRC_URI = "\
file://CVE-2024-7539.patch \
file://CVE-2024-7543.patch \
file://CVE-2024-7544.patch \
+ file://CVE-2024-7545.patch \
"
SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
--
2.43.0
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 10/11] ofono: fix CVE-2024-7546
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
` (8 preceding siblings ...)
2025-01-15 14:37 ` [OE-core][kirkstone 09/11] ofono: fix CVE-2024-7545 Steve Sakoman
@ 2025-01-15 14:37 ` Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 11/11] ofono: fix CVE-2024-7547 Steve Sakoman
10 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
Vulnerability. This vulnerability allows local attackers to execute
arbitrary code on affected installations of oFono. An attacker must
first obtain the ability to execute code on the target modem in
order to exploit this vulnerability.
The specific flaw exists within the parsing of STK command PDUs.
The issue results from the lack of proper validation of the length
of user-supplied data prior to copying it to a heap-based buffer.
An attacker can leverage this vulnerability to execute code in the
context of the service account. Was ZDI-CAN-23459.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-7546
Upstream patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ofono/ofono/CVE-2024-7546.patch | 30 +++++++++++++++++++
meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
2 files changed, 31 insertions(+)
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch
new file mode 100644
index 0000000000..aac6751625
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7546.patch
@@ -0,0 +1,30 @@
+From 79ea6677669e50b0bb9c231765adb4f81c375f63 Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:52 +0200
+Subject: [PATCH] Fix CVE-2024-7546
+
+CVE: CVE-2024-7546
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=79ea6677669e50b0bb9c231765adb4f81c375f63]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/stkutil.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/stkutil.c b/src/stkutil.c
+index e1fd75c..88a715d 100644
+--- a/src/stkutil.c
++++ b/src/stkutil.c
+@@ -1783,6 +1783,10 @@ static bool parse_dataobj_frame_layout(struct comprehension_tlv_iter *iter,
+
+ fl->layout = data[0];
+ fl->len = len - 1;
++
++ if (fl->len > sizeof(fl->size))
++ return false;
++
+ memcpy(fl->size, data + 1, fl->len);
+
+ return true;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index 0597caff3c..0c1e0ea6f8 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -22,6 +22,7 @@ SRC_URI = "\
file://CVE-2024-7543.patch \
file://CVE-2024-7544.patch \
file://CVE-2024-7545.patch \
+ file://CVE-2024-7546.patch \
"
SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
--
2.43.0
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 11/11] ofono: fix CVE-2024-7547
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
` (9 preceding siblings ...)
2025-01-15 14:37 ` [OE-core][kirkstone 10/11] ofono: fix CVE-2024-7546 Steve Sakoman
@ 2025-01-15 14:37 ` Steve Sakoman
10 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-01-15 14:37 UTC (permalink / raw)
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
oFono SMS Decoder Stack-based Buffer Overflow Privilege Escalation
Vulnerability. This vulnerability allows local attackers to execute
arbitrary code on affected installations of oFono. An attacker must
first obtain the ability to execute code on the target modem in
order to exploit this vulnerability.
The specific flaw exists within the parsing of SMS PDUs. The issue
results from the lack of proper validation of the length of user-
supplied data prior to copying it to a stack-based buffer. An
attacker can leverage this vulnerability to execute code in the
context of the service account. Was ZDI-CAN-23460.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-7547
Upstream patch:
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ofono/ofono/CVE-2024-7547.patch | 29 +++++++++++++++++++
meta/recipes-connectivity/ofono/ofono_1.34.bb | 1 +
2 files changed, 30 insertions(+)
create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch
diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch
new file mode 100644
index 0000000000..b6b08127a8
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7547.patch
@@ -0,0 +1,29 @@
+From 305df050d02aea8532f7625d6642685aa530f9b0 Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Tue, 3 Dec 2024 21:43:51 +0200
+Subject: [PATCH] Fix CVE-2024-7547
+
+CVE: CVE-2024-7547
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=305df050d02aea8532f7625d6642685aa530f9b0]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/smsutil.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/smsutil.c b/src/smsutil.c
+index e073a06..f8ff428 100644
+--- a/src/smsutil.c
++++ b/src/smsutil.c
+@@ -1475,6 +1475,9 @@ static gboolean decode_command(const unsigned char *pdu, int len,
+ if ((len - offset) < out->command.cdl)
+ return FALSE;
+
++ if (out->command.cdl > sizeof(out->command.cd))
++ return FALSE;
++
+ memcpy(out->command.cd, pdu + offset, out->command.cdl);
+
+ return TRUE;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index 0c1e0ea6f8..8205ea683d 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -23,6 +23,7 @@ SRC_URI = "\
file://CVE-2024-7544.patch \
file://CVE-2024-7545.patch \
file://CVE-2024-7546.patch \
+ file://CVE-2024-7547.patch \
"
SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
--
2.43.0
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [OE-core][kirkstone 00/11] Patch review
@ 2025-07-09 15:19 Steve Sakoman
0 siblings, 0 replies; 18+ messages in thread
From: Steve Sakoman @ 2025-07-09 15:19 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments bach by
end of day Friday, July 11
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1983
The following changes since commit 78055e8b6a9ea5063658886c5b5d22821d689fc5:
xwayland: fix CVE-2025-49180 (2025-07-05 06:12:53 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bruce Ashfield (1):
linux-yocto/5.15: update to v5.15.186
Changqing Li (3):
libsoup-2.4: refresh CVE-2025-4969.patch
libsoup-2.4: fix CVE-2025-4945
libsoup: fix CVE-2025-4945
Chen Qi (1):
coreutils: fix CVE-2025-5278
Divya Chellam (3):
libarchive: fix CVE-2025-5915
libarchive: fix CVE-2025-5916
libarchive: fix CVE-2025-5917
Hitendra Prajapati (1):
libxml2: fix CVE-2025-6021
Yogita Urade (2):
curl: fix CVE-2024-11053
curl: fix CVE-2025-0167
.../coreutils/coreutils/CVE-2025-5278.patch | 113 +++
meta/recipes-core/coreutils/coreutils_9.0.bb | 1 +
.../libxml/libxml2/CVE-2025-6021.patch | 56 ++
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
.../libarchive/libarchive/CVE-2025-5915.patch | 217 +++++
.../libarchive/libarchive/CVE-2025-5916.patch | 116 +++
.../libarchive/libarchive/CVE-2025-5917.patch | 54 ++
.../libarchive/libarchive_3.6.2.bb | 3 +
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +-
.../curl/curl/CVE-2024-11053-0001.patch | 340 ++++++++
.../curl/curl/CVE-2024-11053-0002.patch | 746 ++++++++++++++++++
.../curl/curl/CVE-2025-0167.patch | 175 ++++
meta/recipes-support/curl/curl_7.82.0.bb | 3 +
.../libsoup/libsoup-2.4/CVE-2025-4945.patch | 117 +++
.../libsoup/libsoup-2.4/CVE-2025-4969.patch | 54 +-
.../libsoup/libsoup-2.4_2.74.2.bb | 1 +
.../libsoup/libsoup/CVE-2025-4945.patch | 118 +++
meta/recipes-support/libsoup/libsoup_3.0.7.bb | 1 +
20 files changed, 2093 insertions(+), 61 deletions(-)
create mode 100644 meta/recipes-core/coreutils/coreutils/CVE-2025-5278.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-11053-0001.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-11053-0002.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2025-0167.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-4945.patch
create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-4945.patch
--
2.43.0
^ permalink raw reply [flat|nested] 18+ messages in thread
end of thread, other threads:[~2025-07-09 15:19 UTC | newest]
Thread overview: 18+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-01-15 14:37 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 01/11] go: Fix CVE-2024-34155 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 02/11] go: Fix CVE-2024-34156 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 03/11] go: Fix CVE-2024-34158 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 04/11] ruby: fix CVE-2024-49761 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 05/11] gstreamer1.0: ignore CVEs fixed in plugins recipes Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 06/11] ofono: fix CVE-2024-7539 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 07/11] ofono: fix CVE-2024-7543 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 08/11] ofono: fix CVE-2024-7544 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 09/11] ofono: fix CVE-2024-7545 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 10/11] ofono: fix CVE-2024-7546 Steve Sakoman
2025-01-15 14:37 ` [OE-core][kirkstone 11/11] ofono: fix CVE-2024-7547 Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2025-07-09 15:19 [OE-core][kirkstone 00/11] Patch review Steve Sakoman
2024-08-13 12:16 Steve Sakoman
2024-03-04 15:23 Steve Sakoman
2023-12-21 2:09 Steve Sakoman
2023-06-11 16:02 Steve Sakoman
2023-01-12 2:33 Steve Sakoman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox