[zeus 0/8] Merge request

[zeus 0/8] Merge request

[Armin Kuster]

Please concider these changes for zeus

The following changes since commit 2bba0052597020ea887c84419440df11f9859283:

  sstatesig: Improve debug output if getpwuid() fails (2020-01-18 14:04:27 -0800)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/zeus-next
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/zeus-next

Armin Kuster (1):
  python2: add ntpath

De Huo (2):
  bash: Fix CVE-2019-18276
  kbd: configure.ac: Fix logic of vlock configure switch

Hongxu Jia (1):
  kbd: avoid vlock conflict with busybox

Joe Slater (1):
  webkitgtk: fix occasional link error

Lee Chee Yang (1):
  libxml2: Fix CVE-2019-19956

Sana Kazi (1):
  bzip2: Fix CVE-2019-12900

Sumit Garg (1):
  core: recipes: fix some native tools dependencies

 ...-Fix-logic-of-vlock-configure-switch.patch |  31 ++
 meta/recipes-core/kbd/kbd_2.0.4.bb            |   4 +-
 .../libxml/libxml2/Fix-CVE-2019-19956.patch   |  40 ++
 meta/recipes-core/libxml/libxml2_2.9.9.bb     |   1 +
 .../python/python/python2-manifest.json       |   1 +
 .../bash/bash/bash-CVE-2019-18276.patch       | 402 ++++++++++++++++++
 meta/recipes-extended/bash/bash_5.0.bb        |   1 +
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch    |  36 ++
 meta/recipes-extended/man-db/man-db_2.8.7.bb  |   2 +-
 meta/recipes-extended/psmisc/psmisc.inc       |   2 +-
 .../xorg-app/xorg-app-common.inc              |   2 +-
 .../webkit/webkitgtk/fix-link-error.patch     |  45 ++
 meta/recipes-sato/webkit/webkitgtk_2.24.4.bb  |   1 +
 13 files changed, 564 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-core/kbd/kbd/0001-configure.ac-Fix-logic-of-vlock-configure-switch.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch
 create mode 100644 meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
 create mode 100755 meta/recipes-sato/webkit/webkitgtk/fix-link-error.patch

-- 
2.17.1

[zeus 1/8] libxml2: Fix CVE-2019-19956

[Armin Kuster]

From: Lee Chee Yang <chee.yang.lee@intel.com>

see:
https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../libxml/libxml2/Fix-CVE-2019-19956.patch   | 40 +++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.9.bb     |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch

diff --git a/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch b/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch
new file mode 100644
index 0000000000..1c2dff9d5f
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/Fix-CVE-2019-19956.patch
@@ -0,0 +1,40 @@
+From 5a02583c7e683896d84878bd90641d8d9b0d0549 Mon Sep 17 00:00:00 2001
+From: Zhipeng Xie <xiezhipeng1@huawei.com>
+Date: Wed, 7 Aug 2019 17:39:17 +0800
+Subject: [PATCH] Fix memory leak in xmlParseBalancedChunkMemoryRecover
+
+When doc is NULL, namespace created in xmlTreeEnsureXMLDecl
+is bind to newDoc->oldNs, in this case, set newDoc->oldNs to
+NULL and free newDoc will cause a memory leak.
+
+Found with libFuzzer.
+
+Closes #82.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549]
+CVE: CVE-2019-19956
+
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ parser.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/parser.c b/parser.c
+index 1ce1ccf1..26d9f4e3 100644
+--- a/parser.c
++++ b/parser.c
+@@ -13894,7 +13894,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
+     xmlFreeParserCtxt(ctxt);
+     newDoc->intSubset = NULL;
+     newDoc->extSubset = NULL;
+-    newDoc->oldNs = NULL;
++    if(doc != NULL)
++	newDoc->oldNs = NULL;
+     xmlFreeDoc(newDoc);
+ 
+     return(ret);
+-- 
+2.24.1
+
+
diff --git a/meta/recipes-core/libxml/libxml2_2.9.9.bb b/meta/recipes-core/libxml/libxml2_2.9.9.bb
index c38f883e44..c44a90b1c2 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.9.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.9.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml-m4-use-pkgconfig.patch \
            file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
            file://fix-execution-of-ptests.patch \
+           file://Fix-CVE-2019-19956.patch \
            "
 
 SRC_URI[libtar.md5sum] = "c04a5a0a042eaa157e8e8c9eabe76bd6"
-- 
2.17.1

[zeus 2/8] bash: Fix CVE-2019-18276

[Armin Kuster]

From: De Huo <De.Huo@windriver.com>

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11.
By default, if Bash is run with its effective UID not equal to its real UID,
it will drop privileges by setting its effective UID to its real UID.
However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality,
the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for
runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore
regains privileges. However, binaries running with an effective UID of 0 are unaffected.

Backport the CVE patche from https://github.com/bminor/bash/commit/
951bdaad7a18cc0dc1036bba86b18b90874d39ff to fix CVE-2019-18276

Signed-off-by: Chet Ramey <chet.ramey@case.edu>
Signed-off-by: De Huo <De.Huo@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../bash/bash/bash-CVE-2019-18276.patch       | 402 ++++++++++++++++++
 meta/recipes-extended/bash/bash_5.0.bb        |   1 +
 2 files changed, 403 insertions(+)
 create mode 100644 meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch

diff --git a/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch b/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
new file mode 100644
index 0000000000..78dcc1b636
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
@@ -0,0 +1,402 @@
+From 951bdaad7a18cc0dc1036bba86b18b90874d39ff Mon Sep 17 00:00:00 2001
+From: Chet Ramey <chet.ramey@case.edu>
+Date: Mon, 1 Jul 2019 09:03:53 -0400
+Subject: [PATCH] commit bash-20190628 snapshot
+
+An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11.
+By default, if Bash is run with its effective UID not equal to its real UID,
+it will drop privileges by setting its effective UID to its real UID.
+However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality,
+the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for
+runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore
+regains privileges. However, binaries running with an effective UID of 0 are unaffected.
+
+Upstream-Status: Backport [https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff]
+CVE: CVE-2019-18276
+Signed-off-by: Chet Ramey <chet.ramey@case.edu>
+Signed-off-by: De Huo <De.Huo@windriver.com>
+---
+ MANIFEST          |  2 ++
+ bashline.c        | 50 +-------------------------------------------------
+ builtins/help.def |  2 +-
+ config.h.in       | 10 +++++++++-
+ configure         | 11 +++++++++++
+ configure.ac      |  1 +
+ doc/bash.1        |  3 ++-
+ doc/bashref.texi  |  3 ++-
+ lib/glob/glob.c   |  5 ++++-
+ pathexp.c         | 16 ++++++++++++++--
+ shell.c           |  8 ++++++++
+ tests/glob.tests  |  2 ++
+ tests/glob6.sub   | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ tests/glob7.sub   | 11 +++++++++++
+ 14 files changed, 122 insertions(+), 56 deletions(-)
+ create mode 100644 tests/glob6.sub
+ create mode 100644 tests/glob7.sub
+
+diff --git a/MANIFEST b/MANIFEST
+index 03de221..f9ccad7 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -1037,6 +1037,8 @@ tests/extglob3.tests	f
+ tests/extglob3.right	f
+ tests/extglob4.sub	f
+ tests/extglob5.sub	f
++tests/glob6.sub		f
++tests/glob7.sub		f
+ tests/func.tests	f
+ tests/func.right	f
+ tests/func1.sub		f
+diff --git a/bashline.c b/bashline.c
+index 824ea9d..d86b47d 100644
+--- a/bashline.c
++++ b/bashline.c
+@@ -3718,55 +3718,7 @@ static int
+ completion_glob_pattern (string)
+      char *string;
+ {
+-  register int c;
+-  char *send;
+-  int open;
+-
+-  DECLARE_MBSTATE;
+-
+-  open = 0;
+-  send = string + strlen (string);
+-
+-  while (c = *string++)
+-    {
+-      switch (c)
+-	{
+-	case '?':
+-	case '*':
+-	  return (1);
+-
+-	case '[':
+-	  open++;
+-	  continue;
+-
+-	case ']':
+-	  if (open)
+-	    return (1);
+-	  continue;
+-
+-	case '+':
+-	case '@':
+-	case '!':
+-	  if (*string == '(')	/*)*/
+-	    return (1);
+-	  continue;
+-
+-	case '\\':
+-	  if (*string++ == 0)
+-	    return (0);	 	  
+-	}
+-
+-      /* Advance one fewer byte than an entire multibyte character to
+-	 account for the auto-increment in the loop above. */
+-#ifdef HANDLE_MULTIBYTE
+-      string--;
+-      ADVANCE_CHAR_P (string, send - string);
+-      string++;
+-#else
+-      ADVANCE_CHAR_P (string, send - string);
+-#endif
+-    }
+-  return (0);
++  return (glob_pattern_p (string) == 1);
+ }
+ 
+ static char *globtext;
+diff --git a/builtins/help.def b/builtins/help.def
+index 006c4b5..92f9b38 100644
+--- a/builtins/help.def
++++ b/builtins/help.def
+@@ -128,7 +128,7 @@ help_builtin (list)
+ 
+   /* We should consider making `help bash' do something. */
+ 
+-  if (glob_pattern_p (list->word->word))
++  if (glob_pattern_p (list->word->word) == 1)
+     {
+       printf ("%s", ngettext ("Shell commands matching keyword `", "Shell commands matching keywords `", (list->next ? 2 : 1)));
+       print_word_list (list, ", ");
+diff --git a/config.h.in b/config.h.in
+index 8554aec..ad4b1e8 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -1,6 +1,6 @@
+ /* config.h -- Configuration file for bash. */
+ 
+-/* Copyright (C) 1987-2009,2011-2012 Free Software Foundation, Inc.
++/* Copyright (C) 1987-2009,2011-2012,2013-2019 Free Software Foundation, Inc.
+ 
+    This file is part of GNU Bash, the Bourne Again SHell.
+ 
+@@ -807,6 +807,14 @@
+ #undef HAVE_SETREGID
+ #undef HAVE_DECL_SETREGID
+ 
++/* Define if you have the setregid function.  */
++#undef HAVE_SETRESGID
++#undef HAVE_DECL_SETRESGID
++
++/* Define if you have the setresuid function.  */
++#undef HAVE_SETRESUID
++#undef HAVE_DECL_SETRESUID
++
+ /* Define if you have the setvbuf function.  */
+ #undef HAVE_SETVBUF
+ 
+diff --git a/configure b/configure
+index 2f62662..b3321c9 100755
+--- a/configure
++++ b/configure
+@@ -10281,6 +10281,17 @@ cat >>confdefs.h <<_ACEOF
+ #define HAVE_DECL_SETREGID $ac_have_decl
+ _ACEOF
+ 
++ac_fn_c_check_decl "$LINENO" "" "ac_cv_have_decl_" "$ac_includes_default"
++if test "x$ac_cv_have_decl_" = xyes; then :
++  ac_have_decl=1
++else
++  ac_have_decl=0
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define HAVE_DECL_ $ac_have_decl
++_ACEOF
++(setresuid, setresgid)
+ ac_fn_c_check_decl "$LINENO" "strcpy" "ac_cv_have_decl_strcpy" "$ac_includes_default"
+ if test "x$ac_cv_have_decl_strcpy" = xyes; then :
+   ac_have_decl=1
+diff --git a/configure.ac b/configure.ac
+index 52b4cdb..549adef 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -810,6 +810,7 @@ AC_CHECK_DECLS([confstr])
+ AC_CHECK_DECLS([printf])
+ AC_CHECK_DECLS([sbrk])
+ AC_CHECK_DECLS([setregid])
++AC_CHECK_DECLS[(setresuid, setresgid])
+ AC_CHECK_DECLS([strcpy])
+ AC_CHECK_DECLS([strsignal])
+ 
+diff --git a/doc/bash.1 b/doc/bash.1
+index e6cd08d..9e58a0b 100644
+--- a/doc/bash.1
++++ b/doc/bash.1
+@@ -4681,7 +4681,8 @@ above).
+ .PD
+ .SH "SIMPLE COMMAND EXPANSION"
+ When a simple command is executed, the shell performs the following
+-expansions, assignments, and redirections, from left to right.
++expansions, assignments, and redirections, from left to right, in
++the following order.
+ .IP 1.
+ The words that the parser has marked as variable assignments (those
+ preceding the command name) and redirections are saved for later
+diff --git a/doc/bashref.texi b/doc/bashref.texi
+index d33cd57..3065126 100644
+--- a/doc/bashref.texi
++++ b/doc/bashref.texi
+@@ -2964,7 +2964,8 @@ is not specified.  If the file does not exist, it is created.
+ @cindex command expansion
+ 
+ When a simple command is executed, the shell performs the following
+-expansions, assignments, and redirections, from left to right.
++expansions, assignments, and redirections, from left to right, in
++the following order.
+ 
+ @enumerate
+ @item
+diff --git a/lib/glob/glob.c b/lib/glob/glob.c
+index 398253b..2eaa33e 100644
+--- a/lib/glob/glob.c
++++ b/lib/glob/glob.c
+@@ -607,6 +607,7 @@ glob_vector (pat, dir, flags)
+   register unsigned int i;
+   int mflags;		/* Flags passed to strmatch (). */
+   int pflags;		/* flags passed to sh_makepath () */
++  int hasglob;		/* return value from glob_pattern_p */
+   int nalloca;
+   struct globval *firstmalloc, *tmplink;
+   char *convfn;
+@@ -648,10 +649,12 @@ glob_vector (pat, dir, flags)
+   patlen = (pat && *pat) ? strlen (pat) : 0;
+ 
+   /* If the filename pattern (PAT) does not contain any globbing characters,
++     or contains a pattern with only backslash escapes (hasglob == 2),
+      we can dispense with reading the directory, and just see if there is
+      a filename `DIR/PAT'.  If there is, and we can access it, just make the
+      vector to return and bail immediately. */
+-  if (skip == 0 && glob_pattern_p (pat) == 0)
++  hasglob = 0;
++  if (skip == 0 && (hasglob = glob_pattern_p (pat)) == 0 || hasglob == 2)
+     {
+       int dirlen;
+       struct stat finfo;
+diff --git a/pathexp.c b/pathexp.c
+index c1bf2d8..e6c5392 100644
+--- a/pathexp.c
++++ b/pathexp.c
+@@ -58,7 +58,10 @@ int extended_glob = EXTGLOB_DEFAULT;
+ /* Control enabling special handling of `**' */
+ int glob_star = 0;
+ 
+-/* Return nonzero if STRING has any unquoted special globbing chars in it.  */
++/* Return nonzero if STRING has any unquoted special globbing chars in it.
++   This is supposed to be called when pathname expansion is performed, so
++   it implements the rules in Posix 2.13.3, specifically that an unquoted
++   slash cannot appear in a bracket expression. */
+ int
+ unquoted_glob_pattern_p (string)
+      register char *string;
+@@ -85,10 +88,14 @@ unquoted_glob_pattern_p (string)
+ 	  continue;
+ 
+ 	case ']':
+-	  if (open)
++	  if (open)		/* XXX - if --open == 0? */
+ 	    return (1);
+ 	  continue;
+ 
++	case '/':
++	  if (open)
++	    open = 0;
++
+ 	case '+':
+ 	case '@':
+ 	case '!':
+@@ -106,6 +113,11 @@ unquoted_glob_pattern_p (string)
+ 	      string++;
+ 	      continue;
+ 	    }
++	  else if (open && *string == '/')
++	    {
++	      string++;		/* quoted slashes in bracket expressions are ok */
++	      continue;
++	    }
+ 	  else if (*string == 0)
+ 	    return (0);
+ 	 	  
+diff --git a/shell.c b/shell.c
+index a2b2a55..6adabc8 100644
+--- a/shell.c
++++ b/shell.c
+@@ -1293,7 +1293,11 @@ disable_priv_mode ()
+ {
+   int e;
+ 
++#if HAVE_DECL_SETRESUID
++  if (setresuid (current_user.uid, current_user.uid, current_user.uid) < 0)
++#else
+   if (setuid (current_user.uid) < 0)
++#endif
+     {
+       e = errno;
+       sys_error (_("cannot set uid to %d: effective uid %d"), current_user.uid, current_user.euid);
+@@ -1302,7 +1306,11 @@ disable_priv_mode ()
+ 	exit (e);
+ #endif
+     }
++#if HAVE_DECL_SETRESGID
++  if (setresgid (current_user.gid, current_user.gid, current_user.gid) < 0)
++#else
+   if (setgid (current_user.gid) < 0)
++#endif
+     sys_error (_("cannot set gid to %d: effective gid %d"), current_user.gid, current_user.egid);
+ 
+   current_user.euid = current_user.uid;
+diff --git a/tests/glob.tests b/tests/glob.tests
+index 01913bb..fb012f7 100644
+--- a/tests/glob.tests
++++ b/tests/glob.tests
+@@ -12,6 +12,8 @@ ${THIS_SH} ./glob1.sub
+ ${THIS_SH} ./glob2.sub
+ ${THIS_SH} ./glob3.sub
+ ${THIS_SH} ./glob4.sub
++${THIS_SH} ./glob6.sub
++${THIS_SH} ./glob7.sub
+ 
+ MYDIR=$PWD	# save where we are
+ 
+diff --git a/tests/glob6.sub b/tests/glob6.sub
+new file mode 100644
+index 0000000..b099811
+--- /dev/null
++++ b/tests/glob6.sub
+@@ -0,0 +1,54 @@
++# tests of the backslash-in-glob-patterns discussion on the austin-group ML
++
++: ${TMPDIR:=/var/tmp}
++
++ORIG=$PWD
++GLOBDIR=$TMPDIR/bash-glob-$$
++mkdir $GLOBDIR && cd $GLOBDIR
++
++# does the pattern matcher allow backslashes as escape characters and remove
++# them as part of matching?
++touch abcdefg
++pat='ab\cd*'
++printf '<%s>\n' $pat
++pat='\.'
++printf '<%s>\n' $pat
++rm abcdefg
++
++# how about when escaping pattern characters?
++touch '*abc.c'
++a='\**.c'
++printf '%s\n' $a
++rm -f '*abc.c'
++
++# how about when making the distinction between readable and searchable path
++# components?
++mkdir -m a=x searchable
++mkdir -m a=r readable
++
++p='searchable/\.'
++printf "%s\n" $p
++
++p='searchable/\./.'
++printf "%s\n" $p
++
++p='readable/\.'
++printf "%s\n" $p
++
++p='readable/\./.'
++printf "%s\n" $p
++
++printf "%s\n" 'searchable/\.'
++printf "%s\n" 'readable/\.'
++
++echo */.
++
++p='*/\.'
++echo $p
++
++echo */'.'
++
++rmdir searchable readable
++
++cd $ORIG
++rmdir $GLOBDIR
+diff --git a/tests/glob7.sub b/tests/glob7.sub
+new file mode 100644
+index 0000000..0212b8e
+--- /dev/null
++++ b/tests/glob7.sub
+@@ -0,0 +1,11 @@
++# according to Posix 2.13.3, a slash in a bracket expression renders that
++# bracket expression invalid
++shopt -s nullglob
++
++echo 1: [qwe/qwe]
++echo 2: [qwe/
++echo 3: [qwe/]
++
++echo 4: [qwe\/qwe]
++echo 5: [qwe\/
++echo 6: [qwe\/]
+-- 
+1.9.1
diff --git a/meta/recipes-extended/bash/bash_5.0.bb b/meta/recipes-extended/bash/bash_5.0.bb
index eadc82279d..1b7058746f 100644
--- a/meta/recipes-extended/bash/bash_5.0.bb
+++ b/meta/recipes-extended/bash/bash_5.0.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
            file://run-ptest \
            file://run-bash-ptests \
            file://fix-run-builtins.patch \
+           file://bash-CVE-2019-18276.patch \
            "
 
 SRC_URI[tarball.md5sum] = "2b44b47b905be16f45709648f671820b"
-- 
2.17.1

Re: [zeus 2/8] bash: Fix CVE-2019-18276

[Mittal, Anuj]

Was the original patch sent to the oe-core list? This CVE should be applicable to master too.

Also it looks like the patch is doing other things besides fixing just the CVE.

Thanks,

Anuj

> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org <openembedded-core-
> bounces@lists.openembedded.org> On Behalf Of Armin Kuster
> Sent: Tuesday, February 4, 2020 11:06 PM
> To: openembedded-core@openembedded.org
> Subject: [OE-core] [zeus 2/8] bash: Fix CVE-2019-18276
> 
> From: De Huo <De.Huo@windriver.com>
> 
> An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0
> patch 11.
> By default, if Bash is run with its effective UID not equal to its real UID, it will drop
> privileges by setting its effective UID to its real UID.
> However, it does so incorrectly. On Linux and other systems that support "saved UID"
> functionality, the saved UID is not dropped. An attacker with command execution in
> the shell can use "enable -f" for runtime loading of a new builtin, which can be a
> shared object that calls setuid() and therefore regains privileges. However, binaries
> running with an effective UID of 0 are unaffected.
> 
> Backport the CVE patche from https://github.com/bminor/bash/commit/
> 951bdaad7a18cc0dc1036bba86b18b90874d39ff to fix CVE-2019-18276
> 
> Signed-off-by: Chet Ramey <chet.ramey@case.edu>
> Signed-off-by: De Huo <De.Huo@windriver.com>
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
>  .../bash/bash/bash-CVE-2019-18276.patch       | 402 ++++++++++++++++++
>  meta/recipes-extended/bash/bash_5.0.bb        |   1 +
>  2 files changed, 403 insertions(+)
>  create mode 100644 meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
> 
> diff --git a/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
> b/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
> new file mode 100644
> index 0000000000..78dcc1b636
> --- /dev/null
> +++ b/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch
> @@ -0,0 +1,402 @@
> +From 951bdaad7a18cc0dc1036bba86b18b90874d39ff Mon Sep 17 00:00:00 2001
> +From: Chet Ramey <chet.ramey@case.edu>
> +Date: Mon, 1 Jul 2019 09:03:53 -0400
> +Subject: [PATCH] commit bash-20190628 snapshot
> +
> +An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0
> patch 11.
> +By default, if Bash is run with its effective UID not equal to its real
> +UID, it will drop privileges by setting its effective UID to its real UID.
> +However, it does so incorrectly. On Linux and other systems that
> +support "saved UID" functionality, the saved UID is not dropped. An
> +attacker with command execution in the shell can use "enable -f" for
> +runtime loading of a new builtin, which can be a shared object that calls setuid() and
> therefore regains privileges. However, binaries running with an effective UID of 0 are
> unaffected.
> +
> +Upstream-Status: Backport
> +[https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90
> +874d39ff]
> +CVE: CVE-2019-18276
> +Signed-off-by: Chet Ramey <chet.ramey@case.edu>
> +Signed-off-by: De Huo <De.Huo@windriver.com>
> +---
> + MANIFEST          |  2 ++
> + bashline.c        | 50 +-------------------------------------------------
> + builtins/help.def |  2 +-
> + config.h.in       | 10 +++++++++-
> + configure         | 11 +++++++++++
> + configure.ac      |  1 +
> + doc/bash.1        |  3 ++-
> + doc/bashref.texi  |  3 ++-
> + lib/glob/glob.c   |  5 ++++-
> + pathexp.c         | 16 ++++++++++++++--
> + shell.c           |  8 ++++++++
> + tests/glob.tests  |  2 ++
> + tests/glob6.sub   | 54
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> + tests/glob7.sub   | 11 +++++++++++
> + 14 files changed, 122 insertions(+), 56 deletions(-)  create mode
> +100644 tests/glob6.sub  create mode 100644 tests/glob7.sub
> +
> +diff --git a/MANIFEST b/MANIFEST
> +index 03de221..f9ccad7 100644
> +--- a/MANIFEST
> ++++ b/MANIFEST
> +@@ -1037,6 +1037,8 @@ tests/extglob3.tests	f
> + tests/extglob3.right	f
> + tests/extglob4.sub	f
> + tests/extglob5.sub	f
> ++tests/glob6.sub		f
> ++tests/glob7.sub		f
> + tests/func.tests	f
> + tests/func.right	f
> + tests/func1.sub		f
> +diff --git a/bashline.c b/bashline.c
> +index 824ea9d..d86b47d 100644
> +--- a/bashline.c
> ++++ b/bashline.c
> +@@ -3718,55 +3718,7 @@ static int
> + completion_glob_pattern (string)
> +      char *string;
> + {
> +-  register int c;
> +-  char *send;
> +-  int open;
> +-
> +-  DECLARE_MBSTATE;
> +-
> +-  open = 0;
> +-  send = string + strlen (string);
> +-
> +-  while (c = *string++)
> +-    {
> +-      switch (c)
> +-	{
> +-	case '?':
> +-	case '*':
> +-	  return (1);
> +-
> +-	case '[':
> +-	  open++;
> +-	  continue;
> +-
> +-	case ']':
> +-	  if (open)
> +-	    return (1);
> +-	  continue;
> +-
> +-	case '+':
> +-	case '@':
> +-	case '!':
> +-	  if (*string == '(')	/*)*/
> +-	    return (1);
> +-	  continue;
> +-
> +-	case '\\':
> +-	  if (*string++ == 0)
> +-	    return (0);
> +-	}
> +-
> +-      /* Advance one fewer byte than an entire multibyte character to
> +-	 account for the auto-increment in the loop above. */
> +-#ifdef HANDLE_MULTIBYTE
> +-      string--;
> +-      ADVANCE_CHAR_P (string, send - string);
> +-      string++;
> +-#else
> +-      ADVANCE_CHAR_P (string, send - string);
> +-#endif
> +-    }
> +-  return (0);
> ++  return (glob_pattern_p (string) == 1);
> + }
> +
> + static char *globtext;
> +diff --git a/builtins/help.def b/builtins/help.def index
> +006c4b5..92f9b38 100644
> +--- a/builtins/help.def
> ++++ b/builtins/help.def
> +@@ -128,7 +128,7 @@ help_builtin (list)
> +
> +   /* We should consider making `help bash' do something. */
> +
> +-  if (glob_pattern_p (list->word->word))
> ++  if (glob_pattern_p (list->word->word) == 1)
> +     {
> +       printf ("%s", ngettext ("Shell commands matching keyword `", "Shell commands
> matching keywords `", (list->next ? 2 : 1)));
> +       print_word_list (list, ", ");
> +diff --git a/config.h.in b/config.h.in
> +index 8554aec..ad4b1e8 100644
> +--- a/config.h.in
> ++++ b/config.h.in
> +@@ -1,6 +1,6 @@
> + /* config.h -- Configuration file for bash. */
> +
> +-/* Copyright (C) 1987-2009,2011-2012 Free Software Foundation, Inc.
> ++/* Copyright (C) 1987-2009,2011-2012,2013-2019 Free Software Foundation, Inc.
> +
> +    This file is part of GNU Bash, the Bourne Again SHell.
> +
> +@@ -807,6 +807,14 @@
> + #undef HAVE_SETREGID
> + #undef HAVE_DECL_SETREGID
> +
> ++/* Define if you have the setregid function.  */ #undef HAVE_SETRESGID
> ++#undef HAVE_DECL_SETRESGID
> ++
> ++/* Define if you have the setresuid function.  */ #undef
> ++HAVE_SETRESUID #undef HAVE_DECL_SETRESUID
> ++
> + /* Define if you have the setvbuf function.  */ #undef HAVE_SETVBUF
> +
> +diff --git a/configure b/configure
> +index 2f62662..b3321c9 100755
> +--- a/configure
> ++++ b/configure
> +@@ -10281,6 +10281,17 @@ cat >>confdefs.h <<_ACEOF  #define
> +HAVE_DECL_SETREGID $ac_have_decl  _ACEOF
> +
> ++ac_fn_c_check_decl "$LINENO" "" "ac_cv_have_decl_" "$ac_includes_default"
> ++if test "x$ac_cv_have_decl_" = xyes; then :
> ++  ac_have_decl=1
> ++else
> ++  ac_have_decl=0
> ++fi
> ++
> ++cat >>confdefs.h <<_ACEOF
> ++#define HAVE_DECL_ $ac_have_decl
> ++_ACEOF
> ++(setresuid, setresgid)
> + ac_fn_c_check_decl "$LINENO" "strcpy" "ac_cv_have_decl_strcpy"
> "$ac_includes_default"
> + if test "x$ac_cv_have_decl_strcpy" = xyes; then :
> +   ac_have_decl=1
> +diff --git a/configure.ac b/configure.ac index 52b4cdb..549adef 100644
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -810,6 +810,7 @@ AC_CHECK_DECLS([confstr])
> + AC_CHECK_DECLS([printf])
> + AC_CHECK_DECLS([sbrk])
> + AC_CHECK_DECLS([setregid])
> ++AC_CHECK_DECLS[(setresuid, setresgid])
> + AC_CHECK_DECLS([strcpy])
> + AC_CHECK_DECLS([strsignal])
> +
> +diff --git a/doc/bash.1 b/doc/bash.1
> +index e6cd08d..9e58a0b 100644
> +--- a/doc/bash.1
> ++++ b/doc/bash.1
> +@@ -4681,7 +4681,8 @@ above).
> + .PD
> + .SH "SIMPLE COMMAND EXPANSION"
> + When a simple command is executed, the shell performs the following
> +-expansions, assignments, and redirections, from left to right.
> ++expansions, assignments, and redirections, from left to right, in the
> ++following order.
> + .IP 1.
> + The words that the parser has marked as variable assignments (those
> +preceding the command name) and redirections are saved for later diff
> +--git a/doc/bashref.texi b/doc/bashref.texi index d33cd57..3065126
> +100644
> +--- a/doc/bashref.texi
> ++++ b/doc/bashref.texi
> +@@ -2964,7 +2964,8 @@ is not specified.  If the file does not exist, it is created.
> + @cindex command expansion
> +
> + When a simple command is executed, the shell performs the following
> +-expansions, assignments, and redirections, from left to right.
> ++expansions, assignments, and redirections, from left to right, in the
> ++following order.
> +
> + @enumerate
> + @item
> +diff --git a/lib/glob/glob.c b/lib/glob/glob.c index 398253b..2eaa33e
> +100644
> +--- a/lib/glob/glob.c
> ++++ b/lib/glob/glob.c
> +@@ -607,6 +607,7 @@ glob_vector (pat, dir, flags)
> +   register unsigned int i;
> +   int mflags;		/* Flags passed to strmatch (). */
> +   int pflags;		/* flags passed to sh_makepath () */
> ++  int hasglob;		/* return value from glob_pattern_p */
> +   int nalloca;
> +   struct globval *firstmalloc, *tmplink;
> +   char *convfn;
> +@@ -648,10 +649,12 @@ glob_vector (pat, dir, flags)
> +   patlen = (pat && *pat) ? strlen (pat) : 0;
> +
> +   /* If the filename pattern (PAT) does not contain any globbing
> + characters,
> ++     or contains a pattern with only backslash escapes (hasglob == 2),
> +      we can dispense with reading the directory, and just see if there is
> +      a filename `DIR/PAT'.  If there is, and we can access it, just make the
> +      vector to return and bail immediately. */
> +-  if (skip == 0 && glob_pattern_p (pat) == 0)
> ++  hasglob = 0;
> ++  if (skip == 0 && (hasglob = glob_pattern_p (pat)) == 0 || hasglob ==
> ++ 2)
> +     {
> +       int dirlen;
> +       struct stat finfo;
> +diff --git a/pathexp.c b/pathexp.c
> +index c1bf2d8..e6c5392 100644
> +--- a/pathexp.c
> ++++ b/pathexp.c
> +@@ -58,7 +58,10 @@ int extended_glob = EXTGLOB_DEFAULT;
> + /* Control enabling special handling of `**' */  int glob_star = 0;
> +
> +-/* Return nonzero if STRING has any unquoted special globbing chars in
> +it.  */
> ++/* Return nonzero if STRING has any unquoted special globbing chars in it.
> ++   This is supposed to be called when pathname expansion is performed, so
> ++   it implements the rules in Posix 2.13.3, specifically that an unquoted
> ++   slash cannot appear in a bracket expression. */
> + int
> + unquoted_glob_pattern_p (string)
> +      register char *string;
> +@@ -85,10 +88,14 @@ unquoted_glob_pattern_p (string)
> + 	  continue;
> +
> + 	case ']':
> +-	  if (open)
> ++	  if (open)		/* XXX - if --open == 0? */
> + 	    return (1);
> + 	  continue;
> +
> ++	case '/':
> ++	  if (open)
> ++	    open = 0;
> ++
> + 	case '+':
> + 	case '@':
> + 	case '!':
> +@@ -106,6 +113,11 @@ unquoted_glob_pattern_p (string)
> + 	      string++;
> + 	      continue;
> + 	    }
> ++	  else if (open && *string == '/')
> ++	    {
> ++	      string++;		/* quoted slashes in bracket expressions are ok */
> ++	      continue;
> ++	    }
> + 	  else if (*string == 0)
> + 	    return (0);
> +
> +diff --git a/shell.c b/shell.c
> +index a2b2a55..6adabc8 100644
> +--- a/shell.c
> ++++ b/shell.c
> +@@ -1293,7 +1293,11 @@ disable_priv_mode ()  {
> +   int e;
> +
> ++#if HAVE_DECL_SETRESUID
> ++  if (setresuid (current_user.uid, current_user.uid, current_user.uid)
> ++< 0) #else
> +   if (setuid (current_user.uid) < 0)
> ++#endif
> +     {
> +       e = errno;
> +       sys_error (_("cannot set uid to %d: effective uid %d"),
> +current_user.uid, current_user.euid); @@ -1302,7 +1306,11 @@ disable_priv_mode
> ()
> + 	exit (e);
> + #endif
> +     }
> ++#if HAVE_DECL_SETRESGID
> ++  if (setresgid (current_user.gid, current_user.gid, current_user.gid)
> ++< 0) #else
> +   if (setgid (current_user.gid) < 0)
> ++#endif
> +     sys_error (_("cannot set gid to %d: effective gid %d"),
> + current_user.gid, current_user.egid);
> +
> +   current_user.euid = current_user.uid; diff --git a/tests/glob.tests
> +b/tests/glob.tests index 01913bb..fb012f7 100644
> +--- a/tests/glob.tests
> ++++ b/tests/glob.tests
> +@@ -12,6 +12,8 @@ ${THIS_SH} ./glob1.sub  ${THIS_SH} ./glob2.sub
> +${THIS_SH} ./glob3.sub  ${THIS_SH} ./glob4.sub
> ++${THIS_SH} ./glob6.sub
> ++${THIS_SH} ./glob7.sub
> +
> + MYDIR=$PWD	# save where we are
> +
> +diff --git a/tests/glob6.sub b/tests/glob6.sub new file mode 100644
> +index 0000000..b099811
> +--- /dev/null
> ++++ b/tests/glob6.sub
> +@@ -0,0 +1,54 @@
> ++# tests of the backslash-in-glob-patterns discussion on the
> ++austin-group ML
> ++
> ++: ${TMPDIR:=/var/tmp}
> ++
> ++ORIG=$PWD
> ++GLOBDIR=$TMPDIR/bash-glob-$$
> ++mkdir $GLOBDIR && cd $GLOBDIR
> ++
> ++# does the pattern matcher allow backslashes as escape characters and
> ++remove # them as part of matching?
> ++touch abcdefg
> ++pat='ab\cd*'
> ++printf '<%s>\n' $pat
> ++pat='\.'
> ++printf '<%s>\n' $pat
> ++rm abcdefg
> ++
> ++# how about when escaping pattern characters?
> ++touch '*abc.c'
> ++a='\**.c'
> ++printf '%s\n' $a
> ++rm -f '*abc.c'
> ++
> ++# how about when making the distinction between readable and
> ++searchable path # components?
> ++mkdir -m a=x searchable
> ++mkdir -m a=r readable
> ++
> ++p='searchable/\.'
> ++printf "%s\n" $p
> ++
> ++p='searchable/\./.'
> ++printf "%s\n" $p
> ++
> ++p='readable/\.'
> ++printf "%s\n" $p
> ++
> ++p='readable/\./.'
> ++printf "%s\n" $p
> ++
> ++printf "%s\n" 'searchable/\.'
> ++printf "%s\n" 'readable/\.'
> ++
> ++echo */.
> ++
> ++p='*/\.'
> ++echo $p
> ++
> ++echo */'.'
> ++
> ++rmdir searchable readable
> ++
> ++cd $ORIG
> ++rmdir $GLOBDIR
> +diff --git a/tests/glob7.sub b/tests/glob7.sub new file mode 100644
> +index 0000000..0212b8e
> +--- /dev/null
> ++++ b/tests/glob7.sub
> +@@ -0,0 +1,11 @@
> ++# according to Posix 2.13.3, a slash in a bracket expression renders
> ++that # bracket expression invalid shopt -s nullglob
> ++
> ++echo 1: [qwe/qwe]
> ++echo 2: [qwe/
> ++echo 3: [qwe/]
> ++
> ++echo 4: [qwe\/qwe]
> ++echo 5: [qwe\/
> ++echo 6: [qwe\/]
> +--
> +1.9.1
> diff --git a/meta/recipes-extended/bash/bash_5.0.bb b/meta/recipes-
> extended/bash/bash_5.0.bb
> index eadc82279d..1b7058746f 100644
> --- a/meta/recipes-extended/bash/bash_5.0.bb
> +++ b/meta/recipes-extended/bash/bash_5.0.bb
> @@ -19,6 +19,7 @@ SRC_URI =
> "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
>             file://run-ptest \
>             file://run-bash-ptests \
>             file://fix-run-builtins.patch \
> +           file://bash-CVE-2019-18276.patch \
>             "
> 
>  SRC_URI[tarball.md5sum] = "2b44b47b905be16f45709648f671820b"
> --
> 2.17.1
> 
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

[zeus 3/8] kbd: configure.ac: Fix logic of vlock configure switch

[Armin Kuster]

From: De Huo <De.Huo@windriver.com>

Downstream bug report: https://bugs.gentoo.org/661650

Upstream-Status: Backport [f7f357ef079b6d185f340e716d7c72a98d82bad0]

Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Signed-off-by: De Huo <De.Huo@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...-Fix-logic-of-vlock-configure-switch.patch | 31 +++++++++++++++++++
 meta/recipes-core/kbd/kbd_2.0.4.bb            |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-core/kbd/kbd/0001-configure.ac-Fix-logic-of-vlock-configure-switch.patch

diff --git a/meta/recipes-core/kbd/kbd/0001-configure.ac-Fix-logic-of-vlock-configure-switch.patch b/meta/recipes-core/kbd/kbd/0001-configure.ac-Fix-logic-of-vlock-configure-switch.patch
new file mode 100644
index 0000000000..c3f068f61b
--- /dev/null
+++ b/meta/recipes-core/kbd/kbd/0001-configure.ac-Fix-logic-of-vlock-configure-switch.patch
@@ -0,0 +1,31 @@
+From f7f357ef079b6d185f340e716d7c72a98d82bad0 Mon Sep 17 00:00:00 2001
+From: Garry Filakhtov <filakhtov@gmail.com>
+Date: Fri, 20 Jul 2018 15:58:56 +0200
+Subject: [PATCH] configure.ac: Fix logic of vlock configure switch
+
+Downstream bug report: https://bugs.gentoo.org/661650
+
+Upstream-Status: Backport [f7f357ef079b6d185f340e716d7c72a98d82bad0]
+
+Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
+Signed-off-by: De Huo <de.huo@windriver.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 87eb63c..07098cf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -119,7 +119,7 @@ AM_CONDITIONAL(BUILD_LIBKEYMAP, test "$BUILD_LIBKEYMAP" = "yes")
+ 
+ AC_ARG_ENABLE(vlock,
+ 	AS_HELP_STRING(--disable-vlock, [do not build vlock]),
+-	[VLOCK_PROG=no],[VLOCK_PROG=yes])
++	[VLOCK_PROG=$enableval],[VLOCK_PROG=yes])
+ AM_CONDITIONAL(VLOCK, test "$VLOCK_PROG" = "yes")
+ 
+ if test "$VLOCK_PROG" = "yes"; then
+-- 
+2.23.0
+
diff --git a/meta/recipes-core/kbd/kbd_2.0.4.bb b/meta/recipes-core/kbd/kbd_2.0.4.bb
index 4af3256fff..17ce6e7a9c 100644
--- a/meta/recipes-core/kbd/kbd_2.0.4.bb
+++ b/meta/recipes-core/kbd/kbd_2.0.4.bb
@@ -13,6 +13,7 @@ RCONFLICTS_${PN} = "console-tools"
 SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/${BP}.tar.xz \
            file://run-ptest \
            ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'file://set-proper-path-of-resources.patch', '', d)} \
+           file://0001-configure.ac-Fix-logic-of-vlock-configure-switch.patch \
           "
 
 SRC_URI[md5sum] = "c1635a5a83b63aca7f97a3eab39ebaa6"
-- 
2.17.1

[zeus 4/8] kbd: avoid vlock conflict with busybox

[Armin Kuster]

From: Hongxu Jia <hongxu.jia@windriver.com>

busybox as well as vlock utility from meta-oe provides vlock utility
which can conflict when with kbd if pam is a enabled distro_feature

Fixes image build errors

update-alternatives: Error: not linking <rootfs>/usr/bin/vlock to /bin/busybox.suid since <rootfs>/usr/bin/vlock exists and is not a link

ERROR: yoe-qt5-wayland-image-1.0-r0 do_rootfs: Postinstall scriptlets of ['busybox'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget_${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.

Signed-off-by: Khem Raj <raj.khem@gmail.com>

The vlock doesn't exist if PAM isn't enabled.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: De Huo <de.huo@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-core/kbd/kbd_2.0.4.bb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/kbd/kbd_2.0.4.bb b/meta/recipes-core/kbd/kbd_2.0.4.bb
index 17ce6e7a9c..47e76da2b4 100644
--- a/meta/recipes-core/kbd/kbd_2.0.4.bb
+++ b/meta/recipes-core/kbd/kbd_2.0.4.bb
@@ -59,7 +59,8 @@ RDEPENDS_${PN}-ptest = "make"
 
 inherit update-alternatives
 
-ALTERNATIVE_${PN} = "chvt deallocvt fgconsole openvt showkey"
+ALTERNATIVE_${PN} = "chvt deallocvt fgconsole openvt showkey \
+                     ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'vlock','', d)}"
 ALTERNATIVE_PRIORITY = "100"
 
 BBCLASSEXTEND = "native"
-- 
2.17.1

[zeus 5/8] bzip2: Fix CVE-2019-12900

[Armin Kuster]

From: Sana Kazi <Sana.Kazi@kpit.com>

Added patch for CVE-2019-12900 as backport from upstream.
Fixes out of bound access discovered while fuzzying karchive.

Tested by: Sana.Kazi@kpit.com

Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch    | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch

diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
new file mode 100644
index 0000000000..9859d9d1a2
--- /dev/null
+++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
@@ -0,0 +1,36 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+UChar    selectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+Fixes out of bounds access discovered while fuzzying karchive
+
+Link: https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc.patch
+
+Upstream-Status: Backport
+CVE: CVE-2019-12900.patch
+Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
++++ b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
+       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
+       for (i = 0; i < nSelectors; i++) {
+          j = 0;
+          while (True) {
+--
+2.22.0
-- 
2.17.1

Re: [zeus 5/8] bzip2: Fix CVE-2019-12900

[Mittal, Anuj]

I think this should be reverted. Sorry, I had given comments at the time patch was sent but missed this in zeus review.

http://lists.openembedded.org/pipermail/openembedded-core/2020-January/291826.html

This CVE is not applicable to 1.0.7. This is not failing because the CVE patch file is not included in SRC_URI in recipe.

Thanks,

Anuj 

> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org <openembedded-core-
> bounces@lists.openembedded.org> On Behalf Of Armin Kuster
> Sent: Tuesday, February 4, 2020 11:06 PM
> To: openembedded-core@openembedded.org
> Subject: [OE-core] [zeus 5/8] bzip2: Fix CVE-2019-12900
> 
> From: Sana Kazi <Sana.Kazi@kpit.com>
> 
> Added patch for CVE-2019-12900 as backport from upstream.
> Fixes out of bound access discovered while fuzzying karchive.
> 
> Tested by: Sana.Kazi@kpit.com
> 
> Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
>  .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch    | 36 +++++++++++++++++++
>  1 file changed, 36 insertions(+)
>  create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-
> 12900.patch
> 
> diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> new file mode 100644
> index 0000000000..9859d9d1a2
> --- /dev/null
> +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> @@ -0,0 +1,36 @@
> +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
> +From: Albert Astals Cid <aacid@kde.org>
> +Date: Tue, 28 May 2019 19:35:18 +0200
> +Subject: [PATCH] Make sure nSelectors is not out of range
> +
> +nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
> +which is
> +UChar    selectorMtf[BZ_MAX_SELECTORS];
> +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid
> +memory access Fixes out of bounds access discovered while fuzzying
> +karchive
> +
> +Link:
> +https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef
> +9824db71a8ffee5962cdbc.patch
> +
> +Upstream-Status: Backport
> +CVE: CVE-2019-12900.patch
> +Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
> +---
> + decompress.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/decompress.c b/decompress.c index ab6a624..f3db91d 100644
> +--- a/decompress.c
> ++++ b/decompress.c
> +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> +       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> +       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> +       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> +-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> ++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS)
> ++ RETURN(BZ_DATA_ERROR);
> +       for (i = 0; i < nSelectors; i++) {
> +          j = 0;
> +          while (True) {
> +--
> +2.22.0
> --
> 2.17.1
> 
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

[zeus 6/8] core: recipes: fix some native tools dependencies

[Armin Kuster]

From: Sumit Garg <sumit.garg@linaro.org>

Some native tools dependency issues were seen while building with
external GCC tool-set rather than source GCC tool-set. While building
with source tool-set these dependencies were implicitly met which is not
the case with external tool-set. So explicitly state these native tools
dependencies.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-extended/man-db/man-db_2.8.7.bb       | 2 +-
 meta/recipes-extended/psmisc/psmisc.inc            | 2 +-
 meta/recipes-graphics/xorg-app/xorg-app-common.inc | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-extended/man-db/man-db_2.8.7.bb b/meta/recipes-extended/man-db/man-db_2.8.7.bb
index 083b2374aa..0d73b03482 100644
--- a/meta/recipes-extended/man-db/man-db_2.8.7.bb
+++ b/meta/recipes-extended/man-db/man-db_2.8.7.bb
@@ -10,7 +10,7 @@ SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/man-db/man-db-${PV}.tar.xz \
 SRC_URI[md5sum] = "ec0b23c8314a1654c4d059b2c18ce43d"
 SRC_URI[sha256sum] = "b9cd5bb996305d08bfe9e1114edc30b4c97be807093b88af8033ed1cf9beb326"
 
-DEPENDS = "libpipeline gdbm groff-native base-passwd"
+DEPENDS = "libpipeline gdbm groff-native base-passwd flex-native"
 RDEPENDS_${PN} += "base-passwd"
 
 # | /usr/src/debug/man-db/2.8.0-r0/man-db-2.8.0/src/whatis.c:939: undefined reference to `_nl_msg_cat_cntr'
diff --git a/meta/recipes-extended/psmisc/psmisc.inc b/meta/recipes-extended/psmisc/psmisc.inc
index 594a10cf22..6de5acb71b 100644
--- a/meta/recipes-extended/psmisc/psmisc.inc
+++ b/meta/recipes-extended/psmisc/psmisc.inc
@@ -7,7 +7,7 @@ command sends a specified signal (SIGTERM if nothing is specified) to \
 processes identified by name.  The fuser command identifies the PIDs \
 of processes that are using specified files or filesystems."
 SECTION = "base"
-DEPENDS = "ncurses virtual/libintl gettext-native"
+DEPENDS = "ncurses virtual/libintl gettext-native xz-native"
 LICENSE = "GPLv2"
 
 SRC_URI = "${SOURCEFORGE_MIRROR}/psmisc/psmisc-${PV}.tar.gz"
diff --git a/meta/recipes-graphics/xorg-app/xorg-app-common.inc b/meta/recipes-graphics/xorg-app/xorg-app-common.inc
index 3529cb26ef..211e399cf0 100644
--- a/meta/recipes-graphics/xorg-app/xorg-app-common.inc
+++ b/meta/recipes-graphics/xorg-app/xorg-app-common.inc
@@ -12,6 +12,6 @@ INC_PR = "r8"
 
 SRC_URI = "${XORG_MIRROR}/individual/app/${BPN}-${PV}.tar.bz2"
 
-inherit autotools pkgconfig distro_features_check
+inherit autotools pkgconfig distro_features_check gettext
 
 FILES_${PN} += " ${libdir}/X11/${BPN} ${datadir}/X11/app-defaults/"
-- 
2.17.1

[zeus 7/8] webkitgtk: fix occasional link error

[Armin Kuster]

From: Joe Slater <joe.slater@windriver.com>

Partial backport from WebKit.git.  See patch for details.

Fixed in webkitgtk 2.26.1.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../webkit/webkitgtk/fix-link-error.patch     | 45 +++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.24.4.bb  |  1 +
 2 files changed, 46 insertions(+)
 create mode 100755 meta/recipes-sato/webkit/webkitgtk/fix-link-error.patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/fix-link-error.patch b/meta/recipes-sato/webkit/webkitgtk/fix-link-error.patch
new file mode 100755
index 0000000000..9696ddd691
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/fix-link-error.patch
@@ -0,0 +1,45 @@
+webkitgtk: fix an occasional link error
+
+Part of ae465a4e...  Changelog is not included in the source tarball.
+
+Upstream-Status:  backport [git://git.webkit.org/WebKit.git]
+
+commit ae465a4e3b1498b6c4038fc7e596e0e3662d116f
+Author: Hironori.Fujii@sony.com <Hironori.Fujii@sony.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date:   Fri Jun 28 07:38:09 2019 +0000
+
+    [Win] unresolved external symbol "JSC::JSObject::didBecomePrototype(void)" referenced in function "JSC::Structure::create(...)"
+    https://bugs.webkit.org/show_bug.cgi?id=199312
+    
+    Reviewed by Keith Miller.
+    
+    WinCairo port, clang-cl Release builds reported a following linkage error:
+    
+    > WebCore.lib(UnifiedSource-4babe430-10.cpp.obj) : error LNK2019: unresolved external symbol "public: void __cdecl JSC::JSObject::didBecomePrototype(void)" (?didBecomePrototype@JSObject@JSC@@QEAAXXZ) referenced in function "public: static class JSC::Structure * __cdecl JSC::Structure::create(class JSC::VM &,class JSC::JSGlobalObject *,class JSC::JSValue,class JSC::TypeInfo const &,struct JSC::ClassInfo const *,unsigned char,unsigned int)" (?create@Structure@JSC@@SAPEAV12@AEAVVM@2@PEAVJSGlobalObject@2@VJSValue@2@AEBVTypeInfo@2@PEBUClassInfo@2@EI@Z)
+    
+    No new tests because there is no behavior change.
+    
+    * Modules/indexeddb/server/SQLiteIDBBackingStore.cpp: Include <JavaScriptCore/JSCInlines.h>,
+    and do not include headers which is included by it.
+    
+    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@246922 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+[ modification of Changelog deleted ]
+
+diff --git a/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp b/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp
+index d1b047c..0899a9a 100644
+--- a/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp
++++ b/Source/WebCore/Modules/indexeddb/server/SQLiteIDBBackingStore.cpp
+@@ -49,11 +49,8 @@
+ #include "SQLiteTransaction.h"
+ #include "ThreadSafeDataBuffer.h"
+ #include <JavaScriptCore/AuxiliaryBarrierInlines.h>
+-#include <JavaScriptCore/HeapInlines.h>
+-#include <JavaScriptCore/JSCJSValueInlines.h>
+-#include <JavaScriptCore/JSGlobalObject.h>
++#include <JavaScriptCore/JSCInlines.h>
+ #include <JavaScriptCore/StrongInlines.h>
+-#include <JavaScriptCore/StructureInlines.h>
+ #include <wtf/FileSystem.h>
+ #include <wtf/NeverDestroyed.h>
+ #include <wtf/text/StringConcatenateNumbers.h>
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.24.4.bb b/meta/recipes-sato/webkit/webkitgtk_2.24.4.bb
index c090782411..1c71762945 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.24.4.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.24.4.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
            file://include_array.patch \
            file://narrowing.patch \
            file://0001-gstreamer-add-a-missing-format-string.patch \
+           file://fix-link-error.patch \
            "
 
 SRC_URI[md5sum] = "c214963d8c0e7d83460da04a0d8dda87"
-- 
2.17.1

[zeus 8/8] python2: add ntpath

[Armin Kuster]

python3 has this but python is missing this.
[Yocto #13740]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/python/python/python2-manifest.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-devtools/python/python/python2-manifest.json b/meta/recipes-devtools/python/python/python2-manifest.json
index eb52e862ab..fd98774d00 100644
--- a/meta/recipes-devtools/python/python/python2-manifest.json
+++ b/meta/recipes-devtools/python/python/python2-manifest.json
@@ -267,6 +267,7 @@
             "${libdir}/python2.7/lib-dynload/xreadlines.so", 
             "${libdir}/python2.7/linecache.py", 
             "${libdir}/python2.7/new.py", 
+            "${libdir}/python2.7/ntpath.py",
             "${libdir}/python2.7/os.py", 
             "${libdir}/python2.7/platform.py", 
             "${libdir}/python2.7/posixpath.py", 
-- 
2.17.1