* [SUMO][PATCH V2] coreutils: CVE-2017-18018
@ 2018-08-22 11:41 Jagadeesh Krishnanjanappa
  2018-08-22 11:41 ` [SUMO][PATCH V2] python: CVE-2018-1000030 Jagadeesh Krishnanjanappa
                   ` (15 more replies)
  0 siblings, 16 replies; 17+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

CVE-2017-18018-1:
doc: clarify chown/chgrp --dereference defaults
* doc/coreutils.texi: the documentation for the --dereference
  flag of chown/chgrp states that it is the default mode of
  operation. Document that this is only the case when operating
  non-recursively.

CVE-2017-18018-2:
doc: warn about following symlinks recursively in chown/chgrp
In both chown and chgrp (which shares its code with chown), operating
on symlinks recursively has a window of vulnerability where the
destination user or group can change the target of the operation.
Warn about combining the --dereference, --recursive, and -L flags.

* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
(node chown invocation): Add it to --dereference and -L.
(node chgrp invocation): Likewise.

Affects coreutils <= 8.29

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
* v2 changes:
  Corrected "From:" address.

 .../coreutils/coreutils/CVE-2017-18018-1.patch     | 40 +++++++++++
 .../coreutils/coreutils/CVE-2017-18018-2.patch     | 83 ++++++++++++++++++++++
 meta/recipes-core/coreutils/coreutils_8.29.bb      |  2 +
 3 files changed, 125 insertions(+)
 create mode 100644 meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch
 create mode 100644 meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch

diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch
new file mode 100644
index 0000000..6f31eba
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-1.patch
@@ -0,0 +1,40 @@
+From 7597cfa482e42a00a69fb9577ee523762980a9a2 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Thu, 28 Dec 2017 15:52:42 -0500
+Subject: doc: clarify chown/chgrp --dereference defaults
+
+* doc/coreutils.texi: the documentation for the --dereference
+  flag of chown/chgrp states that it is the default mode of
+  operation. Document that this is only the case when operating
+  non-recursively.
+
+CVE: CVE-2017-18018
+Upstream-Status: Backport from v8.30
+
+Signed-off-by: Michael Orlitzky <michael@orlitzky.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ doc/coreutils.texi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff -Naurp coreutils-8.27_org/doc/coreutils.texi coreutils-8.27/doc/coreutils.texi
+--- coreutils-8.27_org/doc/coreutils.texi	2018-07-22 21:09:50.128736692 -0700
++++ coreutils-8.27/doc/coreutils.texi	2018-07-22 21:12:59.972219770 -0700
+@@ -10952,7 +10952,7 @@ chown -h -R --from=OLDUSER NEWUSER /
+ @cindex symbolic links, changing owner
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+-This is the default.
++This is the default when not operating recursively.
+ 
+ @item -h
+ @itemx --no-dereference
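Review bot: the file header of this hunk (`diff -Naurp coreutils-8.27_org/doc/coreutils.texi coreutils-8.27/doc/coreutils.texi`, with local July 2018 timestamps) does not match the `From 7597cfa482e42a00a69fb9577ee523762980a9a2` / `Upstream-Status: Backport from v8.30` provenance above it: this is a hand-regenerated diff against an 8.27 tree being applied to the 8.29 recipe, not the upstream commit as exported. Either regenerate with `git format-patch` from that commit or state in Upstream-Status that the patch was rediffed, so a reviewer can verify it against upstream. The hunk itself is a one-line texinfo wording change and applies either way.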
+@@ -11082,7 +11082,7 @@ changed.
+ @cindex symbolic links, changing owner
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+-This is the default.
++This is the default when not operating recursively.
+ 
+ @item -h
+ @itemx --no-dereference
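Review bot: both hunks of this file change only doc/coreutils.texi (diffstat: `doc/coreutils.texi | 4 ++--`), so the chown and chgrp binaries built from this recipe are unchanged; the `CVE: CVE-2017-18018` tag will nevertheless make cve-check report the CVE as patched. That matches how the two upstream "doc:" commits being backported treat the issue, but the recipe commit message should say explicitly that this is a documentation-only mitigation so nobody assumes the recursive symlink race was closed in code.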
diff --git a/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch
new file mode 100644
index 0000000..c8f5f54
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils/CVE-2017-18018-2.patch
@@ -0,0 +1,83 @@
+From bc2fd9796403e03bb757b064d44c22fab92e6842 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Thu, 4 Jan 2018 11:38:21 -0500
+Subject: doc: warn about following symlinks recursively in chown/chgrp
+
+In both chown and chgrp (which shares its code with chown), operating
+on symlinks recursively has a window of vulnerability where the
+destination user or group can change the target of the operation.
+Warn about combining the --dereference, --recursive, and -L flags.
+
+* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
+(node chown invocation): Add it to --dereference and -L.
+(node chgrp invocation): Likewise.
+
+See also: CVE-2017-18018
+CVE: CVE-2017-18018
+Upstream-Status: Backport from v8.30
+
+Signed-off-by: Michael Orlitzky <michael@orlitzky.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ doc/coreutils.texi | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/doc/coreutils.texi b/doc/coreutils.texi
+index 6bb9f09..9f5f95b 100644
+--- a/doc/coreutils.texi
++++ b/doc/coreutils.texi
+@@ -1428,6 +1428,19 @@ a command line argument is a symbolic link to a directory, traverse it.
+ In a recursive traversal, traverse every symbolic link to a directory
+ that is encountered.
+ @end macro
++
++@c Append the following warning to -L where appropriate (e.g. chown).
++@macro warnOptDerefWithRec
++
++Combining this dereferencing option with the @option{--recursive} option
++may create a security risk:
++During the traversal of the directory tree, an attacker may be able to
++introduce a symlink to an arbitrary target; when the tool reaches that,
++the operation will be performed on the target of that symlink,
++possibly allowing the attacker to escalate privileges.
++
++@end macro
++
+ @choptL
+ 
+ @macro choptP
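Review bot: the new `warnOptDerefWithRec` macro describes the risk but never tells the reader what to use instead. The adjacent option text already documents `-h`/`--no-dereference` and `-P`, so one sentence such as "Use @option{--no-dereference} (@option{-h}) or @option{-P} to operate on the symlinks themselves when recursing" would make the warning actionable. Note also that the macro body names only `@option{--recursive}`, while the commit message talks about combining `--dereference`, `--recursive` and `-L`; `-L` is covered only because the macro is additionally appended under `@choptL` in the later hunks.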
+@@ -10995,6 +11008,7 @@ chown -h -R --from=OLDUSER NEWUSER /
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+ This is the default when not operating recursively.
++@warnOptDerefWithRec
+ 
+ @item -h
+ @itemx --no-dereference
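Review bot: the context line `This is the default when not operating recursively.` exists only once CVE-2017-18018-1.patch has been applied, so this patch hard-depends on the previous one. The SRC_URI order in coreutils_8.29.bb preserves that, but recording it in the patch header (e.g. a `Depends on CVE-2017-18018-1.patch` line) would stop a later rebase that drops or reorders one patch from failing at do_patch with an opaque hunk rejection.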
+@@ -11051,6 +11065,7 @@ Recursively change ownership of directories and their contents.
+ @xref{Traversing symlinks}.
+ 
+ @choptL
++@warnOptDerefWithRec
+ @xref{Traversing symlinks}.
+ 
+ @choptP
+@@ -11125,6 +11140,7 @@ changed.
+ @findex lchown
+ Do not act on symbolic links themselves but rather on what they point to.
+ This is the default when not operating recursively.
++@warnOptDerefWithRec
+ 
+ @item -h
+ @itemx --no-dereference
+@@ -11180,6 +11196,7 @@ Recursively change the group ownership of directories and their contents.
+ @xref{Traversing symlinks}.
+ 
+ @choptL
++@warnOptDerefWithRec
+ @xref{Traversing symlinks}.
+ 
+ @choptP
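Review bot: the trailing `cgit v1.0-41-gc330` line after this hunk is the footer of the cgit web export, not part of the patch. `git am` and `patch` ignore it, but stripping it (or using `git format-patch` output) keeps the patch file clean and makes its format consistent with the first patch in the series.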
+-- 
+cgit v1.0-41-gc330
+
diff --git a/meta/recipes-core/coreutils/coreutils_8.29.bb b/meta/recipes-core/coreutils/coreutils_8.29.bb
index 4704f32..b0572af 100644
--- a/meta/recipes-core/coreutils/coreutils_8.29.bb
+++ b/meta/recipes-core/coreutils/coreutils_8.29.bb
@@ -19,6 +19,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
            file://0001-uname-report-processor-and-hardware-correctly.patch \
            file://disable-ls-output-quoting.patch \
            file://0001-local.mk-fix-cross-compiling-problem.patch \
+           file://CVE-2017-18018-1.patch \
+           file://CVE-2017-18018-2.patch \
           "
 
 SRC_URI[md5sum] = "960cfe75a42c9907c71439f8eb436303"
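Review bot: the two patches are listed in dependency order (-1 then -2), which matters because -2's hunks carry -1's wording as context. Since -1 was diffed against a coreutils-8.27 tree (see its `diff -Naurp` header) while this recipe builds 8.29, please confirm with `bitbake coreutils -c patch` on a clean sstate that both apply without fuzz before merging.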
-- 
2.7.4
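The race the commit message describes, as an added example that is not part of the original e-mail or of coreutils: a small Python 3 planner that lists which inodes a recursive chown would touch with and without --dereference, next to the safe (-h style) variant that never follows links. The tree layout, the "upload/" and "outside.txt" names and the helper names are constructed for the demo and are not taken from the patch.

```python
"""Added example (not coreutils code): show which inodes a recursive chown
touches with and without --dereference, and apply the safe variant.

The tree layout and file names used in demo() are constructed for the demo.
"""
import os
import shutil
import tempfile
from typing import Dict, List


def plan_chown(root: str, dereference: bool) -> List[str]:
    """Return the inodes (as paths) that `chown -R` would modify under root.

    dereference=True mirrors `--dereference`: a symlink met during the walk
    is resolved and its *target* is listed, which is the CVE-2017-18018
    behaviour.  dereference=False mirrors `-h`/`--no-dereference`: the link
    inode itself is listed.  Symlinked directories are never descended into
    (the -P default traversal), so the walk cannot leave root by itself.
    """
    root = os.path.realpath(root)
    targets: List[str] = [root]

    def walk(directory: str) -> None:
        with os.scandir(directory) as entries:
            for entry in entries:
                if entry.is_symlink():
                    # Whoever can write this tree controls where the link
                    # points; with --dereference that target gets the owner.
                    targets.append(os.path.realpath(entry.path) if dereference
                                   else entry.path)
                    continue
                targets.append(entry.path)
                if entry.is_dir(follow_symlinks=False):
                    walk(entry.path)

    walk(root)
    return targets


def outside_root(root: str, targets: List[str]) -> List[str]:
    """Planned targets that lie outside root: what an attacker can reach."""
    root = os.path.realpath(root)
    return [t for t in targets if os.path.commonpath([root, t]) != root]


def chown_tree_safely(root: str, uid: int, gid: int) -> int:
    """Recursive chown that never follows symlinks (like `chown -R -h`).

    Returns the number of inodes changed.  Changing to a different uid needs
    privilege; calling it with the current uid/gid exercises it unprivileged.
    """
    paths = plan_chown(root, dereference=False)
    for path in paths:
        os.chown(path, uid, gid, follow_symlinks=False)
    return len(paths)


def demo() -> Dict[str, object]:
    """Build a constructed tree with one escaping symlink and compare plans."""
    base = tempfile.mkdtemp()
    try:
        outside = os.path.join(base, "outside.txt")  # stands in for /etc/shadow
        open(outside, "w").close()
        root = os.path.join(base, "upload")
        os.makedirs(os.path.join(root, "sub"))
        open(os.path.join(root, "sub", "data.txt"), "w").close()
        os.symlink(outside, os.path.join(root, "sub", "escape"))

        deref = plan_chown(root, dereference=True)
        safe = plan_chown(root, dereference=False)
        changed = chown_tree_safely(root, os.getuid(), os.getgid())
        return {
            "deref_escapes": outside_root(root, deref),   # the escaping target
            "safe_escapes": outside_root(root, safe),     # empty
            "safe_count": changed,                        # root, sub, data.txt, escape
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With --dereference the plan contains the file outside the tree that the symlink points to; without it only the four inodes under upload/ are touched. Even the -h form does not close every race: a directory component can be renamed while the walk is in progress, so a complete defence also needs fd-relative operations (openat/fchownat on an open directory descriptor). The planner is path-based for readability.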




* [SUMO][PATCH V2] python: CVE-2018-1000030
  2018-08-22 11:41 [SUMO][PATCH V2] coreutils: CVE-2017-18018 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:41 ` Jagadeesh Krishnanjanappa
  2018-08-22 11:41 ` [SUMO][PATCH V2] perl: CVE-2018-6798 Jagadeesh Krishnanjanappa
                   ` (14 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

* CVE-2018-1000030-1
[2.7] bpo-31530: Stop crashes when iterating over a file on multiple threads

* CVE-2018-1000030-2
Multiple threads iterating over a file can corrupt the file's internal readahead
buffer resulting in crashes. To fix this, cache buffer state thread-locally for
the duration of a file_iternext call and only update the file's internal state
after reading completes.

No attempt is made to define or provide "reasonable" semantics for iterating
over a file on multiple threads. (Non-crashing) races are still
present. Duplicated, corrupt, and missing data will happen.

This was originally fixed by 6401e56, which
raised an exception from seek() and next() when concurrent operations were
detected. Alas, this simpler solution breaks legitimate use cases such as
capturing the standard streams when multiple threads are logging.

Affects python <= 2.7.14

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 meta/recipes-devtools/python/python.inc            |   4 +-
 .../python/python/CVE-2018-1000030-1.patch         | 138 ++++++++++
 .../python/python/CVE-2018-1000030-2.patch         | 306 +++++++++++++++++++++
 3 files changed, 447 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch
 create mode 100644 meta/recipes-devtools/python/python/CVE-2018-1000030-2.patch

diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 979b601..69542c9 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -7,7 +7,9 @@ INC_PR = "r1"
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=f741e51de91d4eeea5930b9c3c7fa69d"
 
-SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz"
+SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
+           file://CVE-2018-1000030-1.patch \
+           file://CVE-2018-1000030-2.patch"
 
 SRC_URI[md5sum] = "1f6db41ad91d9eb0a6f0c769b8613c5b"
 SRC_URI[sha256sum] = "71ffb26e09e78650e424929b2b457b9c912ac216576e6bd9e7d204ed03296a66"
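Review bot: python.inc is shared with the -native python recipe in oe-core, so these two patches will be applied to python-native as well. That is the right scope for an interpreter crash fix, but the commit message should mention it, and a `bitbake python-native` build should be part of the test before merging. INC_PR stays at `r1`; the SRC_URI change alters the task hash, so no explicit bump is needed.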
diff --git a/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch b/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch
new file mode 100644
index 0000000..06ad4c6
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2018-1000030-1.patch
@@ -0,0 +1,138 @@
+From 6401e5671781eb217ee1afb4603cc0d1b0367ae6 Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Fri, 10 Nov 2017 12:58:55 +0200
+Subject: [PATCH] [2.7] bpo-31530: Stop crashes when iterating over a file on
+ multiple threads. (#3672)
+
+CVE: CVE-2018-1000030
+Upstream-Status: Backport [https://github.com/python/cpython/commit/6401e5671781eb217ee1afb4603cc0d1b0367ae6]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ Lib/test/test_file2k.py                            | 32 ++++++++++++++++++++++
+ .../2017-09-20-18-28-09.bpo-31530.CdLOM7.rst       |  4 +++
+ Objects/fileobject.c                               | 19 +++++++++++--
+ 3 files changed, 52 insertions(+), 3 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
+
+diff --git a/Lib/test/test_file2k.py b/Lib/test/test_file2k.py
+index e39ef7042e..d8966e034e 100644
+--- a/Lib/test/test_file2k.py
++++ b/Lib/test/test_file2k.py
+@@ -652,6 +652,38 @@ class FileThreadingTests(unittest.TestCase):
+             self.f.writelines('')
+         self._test_close_open_io(io_func)
+ 
++    def test_iteration_torture(self):
++        # bpo-31530: Crash when concurrently iterate over a file.
++        with open(self.filename, "wb") as fp:
++            for i in xrange(2**20):
++                fp.write(b"0"*50 + b"\n")
++        with open(self.filename, "rb") as f:
++            def iterate():
++                try:
++                    for l in f:
++                        pass
++                except IOError:
++                    pass
++            self._run_workers(iterate, 10)
++
++    def test_iteration_seek(self):
++        # bpo-31530: Crash when concurrently seek and iterate over a file.
++        with open(self.filename, "wb") as fp:
++            for i in xrange(10000):
++                fp.write(b"0"*50 + b"\n")
++        with open(self.filename, "rb") as f:
++            it = iter([1] + [0]*10)  # one thread reads, others seek
++            def iterate():
++                try:
++                    if next(it):
++                        for l in f:
++                            pass
++                    else:
++                        for i in range(100):
++                            f.seek(i*100, 0)
++                except IOError:
++                    pass
++            self._run_workers(iterate, 10)
+ 
+ @unittest.skipUnless(os.name == 'posix', 'test requires a posix system.')
+ class TestFileSignalEINTR(unittest.TestCase):
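Review bot: `test_iteration_torture` writes 2**20 lines of 51 bytes, about 53 MB, into the test file before starting ten threads; on an embedded target running ptest that is a noticeable disk and time cost. Both tests also swallow `IOError` with `pass`, so they assert only "no crash", not that the new exception is raised. That is consistent with the intent (crash regression test), but worth knowing when triaging ptest timeouts or failures on small targets.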
+diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
+new file mode 100644
+index 0000000000..a6cb6c9e9b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst	
+@@ -0,0 +1,4 @@
++Fixed crashes when iterating over a file on multiple threads.
++seek() and next() methods of file objects now raise an exception during
++concurrent operation on the same file object.
++A lock can be used to prevent the error.
+diff --git a/Objects/fileobject.c b/Objects/fileobject.c
+index 7e07a5376f..2f63c374d1 100644
+--- a/Objects/fileobject.c
++++ b/Objects/fileobject.c
+@@ -430,7 +430,7 @@ close_the_file(PyFileObject *f)
+             if (f->ob_refcnt > 0) {
+                 PyErr_SetString(PyExc_IOError,
+                     "close() called during concurrent "
+-                    "operation on the same file object.");
++                    "operation on the same file object");
+             } else {
+                 /* This should not happen unless someone is
+                  * carelessly playing with the PyFileObject
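Review bot: this hunk, the next one, and the `PyObject_AsFileDescriptor` hunk at the end only drop trailing periods from error strings; they are cosmetic churn carried over from the upstream commit and not part of the bpo-31530 fix. Harmless, but they touch unrelated lines and could be dropped from the backport to keep the diff minimal.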
+@@ -438,7 +438,7 @@ close_the_file(PyFileObject *f)
+                  * pointer. */
+                 PyErr_SetString(PyExc_SystemError,
+                     "PyFileObject locking error in "
+-                    "destructor (refcnt <= 0 at close).");
++                    "destructor (refcnt <= 0 at close)");
+             }
+             return NULL;
+         }
+@@ -762,6 +762,12 @@ file_seek(PyFileObject *f, PyObject *args)
+ 
+     if (f->f_fp == NULL)
+         return err_closed();
++    if (f->unlocked_count > 0) {
++        PyErr_SetString(PyExc_IOError,
++            "seek() called during concurrent "
++            "operation on the same file object");
++        return NULL;
++    }
+     drop_readahead(f);
+     whence = 0;
+     if (!PyArg_ParseTuple(args, "O|i:seek", &offobj, &whence))
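Review bot: rejecting seek() whenever `f->unlocked_count > 0` (another thread has released the GIL inside this file object) is exactly the behaviour that the second patch's commit message calls out as breaking legitimate multi-threaded logging, and CVE-2018-1000030-2.patch reverts this hunk. As applied, the series ends without this check; the only reason to carry -1 is so that -2 applies cleanly, and the recipe commit message should say so rather than presenting -1 as part of the fix.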
+@@ -2238,6 +2244,7 @@ readahead(PyFileObject *f, Py_ssize_t bufsize)
+ {
+     Py_ssize_t chunksize;
+ 
++    assert(f->unlocked_count == 0);
+     if (f->f_buf != NULL) {
+         if( (f->f_bufend - f->f_bufptr) >= 1)
+             return 0;
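Review bot: `assert(f->unlocked_count == 0)` is compiled out in release builds (CPython defines NDEBUG unless configured with --with-pydebug), so it documents an invariant but adds no protection to the shipped interpreter. The effective guards in this patch are the `unlocked_count` checks in file_seek above and readahead_get_line_skip below.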
+@@ -2279,6 +2286,12 @@ readahead_get_line_skip(PyFileObject *f, Py_ssize_t skip, Py_ssize_t bufsize)
+     char *buf;
+     Py_ssize_t len;
+ 
++    if (f->unlocked_count > 0) {
++        PyErr_SetString(PyExc_IOError,
++            "next() called during concurrent "
++            "operation on the same file object");
++        return NULL;
++    }
+     if (f->f_buf == NULL)
+         if (readahead(f, bufsize) < 0)
+             return NULL;
+@@ -2692,7 +2705,7 @@ int PyObject_AsFileDescriptor(PyObject *o)
+     }
+     else {
+         PyErr_SetString(PyExc_TypeError,
+-                        "argument must be an int, or have a fileno() method.");
++                        "argument must be an int, or have a fileno() method");
+         return -1;
+     }
+ 
+-- 
+2.13.3
+
diff --git a/meta/recipes-devtools/python/python/CVE-2018-1000030-2.patch b/meta/recipes-devtools/python/python/CVE-2018-1000030-2.patch
new file mode 100644
index 0000000..9b7713b
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2018-1000030-2.patch
@@ -0,0 +1,306 @@
+From dbf52e02f18dac6f5f0a64f78932f3dc6efc056b Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson <benjamin@python.org>
+Date: Tue, 2 Jan 2018 09:25:41 -0800
+Subject: [PATCH] bpo-31530: fix crash when multiple threads iterate over a
+ file, round 2 (#5060)
+
+Multiple threads iterating over a file can corrupt the file's internal readahead
+buffer resulting in crashes. To fix this, cache buffer state thread-locally for
+the duration of a file_iternext call and only update the file's internal state
+after reading completes.
+
+No attempt is made to define or provide "reasonable" semantics for iterating
+over a file on multiple threads. (Non-crashing) races are still
+present. Duplicated, corrupt, and missing data will happen.
+
+This was originally fixed by 6401e5671781eb217ee1afb4603cc0d1b0367ae6, which
+raised an exception from seek() and next() when concurrent operations were
+detected. Alas, this simpler solution breaks legitimate use cases such as
+capturing the standard streams when multiple threads are logging.
+
+CVE: CVE-2018-1000030
+Upstream-Status: Backport [https://github.com/python/cpython/commit/dbf52e02f18dac6f5f0a64f78932f3dc6efc056b]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+
+---
+ Lib/test/test_file2k.py                            |  27 ++---
+ .../2017-09-20-18-28-09.bpo-31530.CdLOM7.rst       |   3 -
+ Objects/fileobject.c                               | 118 ++++++++++++---------
+ 3 files changed, 78 insertions(+), 70 deletions(-)
+
+diff --git a/Lib/test/test_file2k.py b/Lib/test/test_file2k.py
+index d8966e034e..c73e8d8dc4 100644
+--- a/Lib/test/test_file2k.py
++++ b/Lib/test/test_file2k.py
+@@ -653,18 +653,15 @@ class FileThreadingTests(unittest.TestCase):
+         self._test_close_open_io(io_func)
+ 
+     def test_iteration_torture(self):
+-        # bpo-31530: Crash when concurrently iterate over a file.
++        # bpo-31530
+         with open(self.filename, "wb") as fp:
+             for i in xrange(2**20):
+                 fp.write(b"0"*50 + b"\n")
+         with open(self.filename, "rb") as f:
+-            def iterate():
+-                try:
+-                    for l in f:
+-                        pass
+-                except IOError:
++            def it():
++                for l in f:
+                     pass
+-            self._run_workers(iterate, 10)
++            self._run_workers(it, 10)
+ 
+     def test_iteration_seek(self):
+         # bpo-31530: Crash when concurrently seek and iterate over a file.
+@@ -674,17 +671,15 @@ class FileThreadingTests(unittest.TestCase):
+         with open(self.filename, "rb") as f:
+             it = iter([1] + [0]*10)  # one thread reads, others seek
+             def iterate():
+-                try:
+-                    if next(it):
+-                        for l in f:
+-                            pass
+-                    else:
+-                        for i in range(100):
+-                            f.seek(i*100, 0)
+-                except IOError:
+-                    pass
++                if next(it):
++                    for l in f:
++                        pass
++                else:
++                    for i in xrange(100):
++                        f.seek(i*100, 0)
+             self._run_workers(iterate, 10)
+ 
++
+ @unittest.skipUnless(os.name == 'posix', 'test requires a posix system.')
+ class TestFileSignalEINTR(unittest.TestCase):
+     def _test_reading(self, data_to_write, read_and_verify_code, method_name,
+diff --git a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst
+index a6cb6c9e9b..beb09b5ae6 100644
+--- a/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst	
++++ b/Misc/NEWS.d/next/Core and Builtins/2017-09-20-18-28-09.bpo-31530.CdLOM7.rst	
+@@ -1,4 +1 @@
+ Fixed crashes when iterating over a file on multiple threads.
+-seek() and next() methods of file objects now raise an exception during
+-concurrent operation on the same file object.
+-A lock can be used to prevent the error.
+diff --git a/Objects/fileobject.c b/Objects/fileobject.c
+index 8d1c5812f0..270b28264a 100644
+--- a/Objects/fileobject.c
++++ b/Objects/fileobject.c
+@@ -609,7 +609,12 @@ err_iterbuffered(void)
+     return NULL;
+ }
+ 
+-static void drop_readahead(PyFileObject *);
++static void
++drop_file_readahead(PyFileObject *f)
++{
++    PyMem_FREE(f->f_buf);
++    f->f_buf = NULL;
++}
+ 
+ /* Methods */
+ 
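Review bot: `drop_file_readahead` calls `PyMem_FREE(f->f_buf)` without a NULL check, while the sibling `drop_readaheadbuffer` later in this patch guards with `if (rab->buf != NULL)`. PyMem_FREE(NULL) is a defined no-op, so this is correct, but writing the two helpers the same way would avoid the reader wondering whether the asymmetry is intentional.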
+@@ -632,7 +637,7 @@ file_dealloc(PyFileObject *f)
+     Py_XDECREF(f->f_mode);
+     Py_XDECREF(f->f_encoding);
+     Py_XDECREF(f->f_errors);
+-    drop_readahead(f);
++    drop_file_readahead(f);
+     Py_TYPE(f)->tp_free((PyObject *)f);
+ }
+ 
+@@ -767,13 +772,7 @@ file_seek(PyFileObject *f, PyObject *args)
+ 
+     if (f->f_fp == NULL)
+         return err_closed();
+-    if (f->unlocked_count > 0) {
+-        PyErr_SetString(PyExc_IOError,
+-            "seek() called during concurrent "
+-            "operation on the same file object");
+-        return NULL;
+-    }
+-    drop_readahead(f);
++    drop_file_readahead(f);
+     whence = 0;
+     if (!PyArg_ParseTuple(args, "O|i:seek", &offobj, &whence))
+         return NULL;
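Review bot: seek() now unconditionally frees `f->f_buf` even while another thread may be mid-iteration. That is safe only because file_iternext (later in this patch) sets `f->f_buf = NULL` right after copying the buffer pointers into its stack-local `readaheadbuffer`, so a concurrent seek frees either NULL or a buffer no thread is reading from. A short comment here pointing at that invariant would help, since the protection is non-local.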
+@@ -2242,12 +2241,16 @@ static PyGetSetDef file_getsetlist[] = {
+     {0},
+ };
+ 
++typedef struct {
++    char *buf, *bufptr, *bufend;
++} readaheadbuffer;
++
+ static void
+-drop_readahead(PyFileObject *f)
++drop_readaheadbuffer(readaheadbuffer *rab)
+ {
+-    if (f->f_buf != NULL) {
+-        PyMem_Free(f->f_buf);
+-        f->f_buf = NULL;
++    if (rab->buf != NULL) {
++        PyMem_FREE(rab->buf);
++        rab->buf = NULL;
+     }
+ }
+ 
+@@ -2255,36 +2258,34 @@ drop_readahead(PyFileObject *f)
+    (unless at EOF) and no more than bufsize.  Returns negative value on
+    error, will set MemoryError if bufsize bytes cannot be allocated. */
+ static int
+-readahead(PyFileObject *f, Py_ssize_t bufsize)
++readahead(PyFileObject *f, readaheadbuffer *rab, Py_ssize_t bufsize)
+ {
+     Py_ssize_t chunksize;
+ 
+-    assert(f->unlocked_count == 0);
+-    if (f->f_buf != NULL) {
+-        if( (f->f_bufend - f->f_bufptr) >= 1)
++    if (rab->buf != NULL) {
++        if ((rab->bufend - rab->bufptr) >= 1)
+             return 0;
+         else
+-            drop_readahead(f);
++            drop_readaheadbuffer(rab);
+     }
+-    if ((f->f_buf = (char *)PyMem_Malloc(bufsize)) == NULL) {
++    if ((rab->buf = PyMem_MALLOC(bufsize)) == NULL) {
+         PyErr_NoMemory();
+         return -1;
+     }
+     FILE_BEGIN_ALLOW_THREADS(f)
+     errno = 0;
+-    chunksize = Py_UniversalNewlineFread(
+-        f->f_buf, bufsize, f->f_fp, (PyObject *)f);
++    chunksize = Py_UniversalNewlineFread(rab->buf, bufsize, f->f_fp, (PyObject *)f);
+     FILE_END_ALLOW_THREADS(f)
+     if (chunksize == 0) {
+         if (ferror(f->f_fp)) {
+             PyErr_SetFromErrno(PyExc_IOError);
+             clearerr(f->f_fp);
+-            drop_readahead(f);
++            drop_readaheadbuffer(rab);
+             return -1;
+         }
+     }
+-    f->f_bufptr = f->f_buf;
+-    f->f_bufend = f->f_buf + chunksize;
++    rab->bufptr = rab->buf;
++    rab->bufend = rab->buf + chunksize;
+     return 0;
+ }
+ 
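Review bot: the GIL is still released around `Py_UniversalNewlineFread` (`FILE_BEGIN_ALLOW_THREADS`) while `rab` is now thread-local; the shared `f->f_fp` FILE* is what remains contended, so two threads can interleave freads and each ends up with a buffer holding a non-contiguous slice of the stream. That is the "duplicated, corrupt, and missing data" outcome the commit message documents; this fix guarantees memory safety, not line integrity. `PyMem_MALLOC` is correctly called before the GIL is released.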
+@@ -2294,51 +2295,43 @@ readahead(PyFileObject *f, Py_ssize_t bufsize)
+    logarithmic buffer growth to about 50 even when reading a 1gb line. */
+ 
+ static PyStringObject *
+-readahead_get_line_skip(PyFileObject *f, Py_ssize_t skip, Py_ssize_t bufsize)
++readahead_get_line_skip(PyFileObject *f, readaheadbuffer *rab, Py_ssize_t skip, Py_ssize_t bufsize)
+ {
+     PyStringObject* s;
+     char *bufptr;
+     char *buf;
+     Py_ssize_t len;
+ 
+-    if (f->unlocked_count > 0) {
+-        PyErr_SetString(PyExc_IOError,
+-            "next() called during concurrent "
+-            "operation on the same file object");
+-        return NULL;
+-    }
+-    if (f->f_buf == NULL)
+-        if (readahead(f, bufsize) < 0)
++    if (rab->buf == NULL)
++        if (readahead(f, rab, bufsize) < 0)
+             return NULL;
+ 
+-    len = f->f_bufend - f->f_bufptr;
++    len = rab->bufend - rab->bufptr;
+     if (len == 0)
+-        return (PyStringObject *)
+-            PyString_FromStringAndSize(NULL, skip);
+-    bufptr = (char *)memchr(f->f_bufptr, '\n', len);
++        return (PyStringObject *)PyString_FromStringAndSize(NULL, skip);
++    bufptr = (char *)memchr(rab->bufptr, '\n', len);
+     if (bufptr != NULL) {
+         bufptr++;                               /* Count the '\n' */
+-        len = bufptr - f->f_bufptr;
+-        s = (PyStringObject *)
+-            PyString_FromStringAndSize(NULL, skip + len);
++        len = bufptr - rab->bufptr;
++        s = (PyStringObject *)PyString_FromStringAndSize(NULL, skip + len);
+         if (s == NULL)
+             return NULL;
+-        memcpy(PyString_AS_STRING(s) + skip, f->f_bufptr, len);
+-        f->f_bufptr = bufptr;
+-        if (bufptr == f->f_bufend)
+-            drop_readahead(f);
++        memcpy(PyString_AS_STRING(s) + skip, rab->bufptr, len);
++        rab->bufptr = bufptr;
++        if (bufptr == rab->bufend)
++            drop_readaheadbuffer(rab);
+     } else {
+-        bufptr = f->f_bufptr;
+-        buf = f->f_buf;
+-        f->f_buf = NULL;                /* Force new readahead buffer */
++        bufptr = rab->bufptr;
++        buf = rab->buf;
++        rab->buf = NULL;                /* Force new readahead buffer */
+         assert(len <= PY_SSIZE_T_MAX - skip);
+-        s = readahead_get_line_skip(f, skip + len, bufsize + (bufsize>>2));
++        s = readahead_get_line_skip(f, rab, skip + len, bufsize + (bufsize>>2));
+         if (s == NULL) {
+-            PyMem_Free(buf);
++            PyMem_FREE(buf);
+             return NULL;
+         }
+         memcpy(PyString_AS_STRING(s) + skip, bufptr, len);
+-        PyMem_Free(buf);
++        PyMem_FREE(buf);
+     }
+     return s;
+ }
+@@ -2356,7 +2349,30 @@ file_iternext(PyFileObject *f)
+     if (!f->readable)
+         return err_mode("reading");
+ 
+-    l = readahead_get_line_skip(f, 0, READAHEAD_BUFSIZE);
++    {
++        /*
++          Multiple threads can enter this method while the GIL is released
++          during file read and wreak havoc on the file object's readahead
++          buffer. To avoid dealing with cross-thread coordination issues, we
++          cache the file buffer state locally and only set it back on the file
++          object when we're done.
++        */
++        readaheadbuffer rab = {f->f_buf, f->f_bufptr, f->f_bufend};
++        f->f_buf = NULL;
++        l = readahead_get_line_skip(f, &rab, 0, READAHEAD_BUFSIZE);
++        /*
++          Make sure the file's internal read buffer is cleared out. This will
++          only do anything if some other thread interleaved with us during
++          readahead. We want to drop any changeling buffer, so we don't leak
++          memory. We may lose data, but that's what you get for reading the same
++          file object in multiple threads.
++        */
++        drop_file_readahead(f);
++        f->f_buf = rab.buf;
++        f->f_bufptr = rab.bufptr;
++        f->f_bufend = rab.bufend;
++    }
++
+     if (l == NULL || PyString_GET_SIZE(l) == 0) {
+         Py_XDECREF(l);
+         return NULL;
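Review bot: the write-back at the end (`drop_file_readahead(f); f->f_buf = rab.buf; ...`) means the last thread to finish wins and any buffer another thread stored in the meantime is freed unread. No leak, but silent data loss, as the in-code comment admits; callers who need correct lines must serialise iteration themselves. The `l == NULL` path still restores `rab`, which is fine because `readahead`'s error path has already set `rab->buf = NULL`. The whole detach/restore sequence runs with the GIL held, so it is atomic with respect to other Python threads.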
+-- 
+2.13.3
+
-- 
2.7.4




* [SUMO][PATCH V2] perl: CVE-2018-6798
  2018-08-22 11:41 [SUMO][PATCH V2] coreutils: CVE-2017-18018 Jagadeesh Krishnanjanappa
  2018-08-22 11:41 ` [SUMO][PATCH V2] python: CVE-2018-1000030 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:41 ` Jagadeesh Krishnanjanappa
  2018-08-22 11:41 ` [SUMO][PATCH V2] procps: CVE-2018-1124 Jagadeesh Krishnanjanappa
                   ` (13 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

* CVE-2018-6798-1
 The proximal cause is several instances in regexec.c of the code
 assuming that the input was valid UTF-8, whereas the input was too short
 for what the start byte claimed it would be.

 I grepped through the core for any other similar uses, and did not find
 any.

 (cherry picked from commit fe7d8ba0a1bf567af8fa8fea128e2b9f4c553e84)

* CVE-2018-6798-2
 The first patch for 132063 prevented the buffer read overflow when
 dumping the warning but didn't fix the underlying problem.

 The next change treats the supplied buffer correctly, preventing the
 non-UTF-8 SV from being treated as UTF-8, preventing the warning.

 (cherry picked from commit 1e8b61488f195e1396aa801c685340b156104f4f)

Affects perl >= 5.22 && perl <= 5.26

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 .../perl/perl/CVE-2018-6798-1.patch                | 130 +++++++++++++++++++++
 .../perl/perl/CVE-2018-6798-2.patch                |  37 ++++++
 meta/recipes-devtools/perl/perl_5.24.1.bb          |   2 +
 3 files changed, 169 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch

diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
new file mode 100644
index 0000000..3477162
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-6798-1.patch
@@ -0,0 +1,130 @@
+From 0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Tue, 6 Feb 2018 14:50:48 -0700
+Subject: [PATCH] [perl #132063]: Heap buffer overflow
+
+The proximal cause is several instances in regexec.c of the code
+assuming that the input was valid UTF-8, whereas the input was too short
+for what the start byte claimed it would be.
+
+I grepped through the core for any other similar uses, and did not find
+any.
+
+(cherry picked from commit fe7d8ba0a1bf567af8fa8fea128e2b9f4c553e84)
+
+CVE: CVE-2018-6798
+Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/patch/0abf1e8d89aecd32dbdabda5da4d52a2d57a7cff]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ regexec.c              | 29 ++++++++++++++++-------------
+ t/lib/warnings/regexec |  7 +++++++
+ 2 files changed, 23 insertions(+), 13 deletions(-)
+
+diff --git a/regexec.c b/regexec.c
+index 5735b997fd..ea432c39d3 100644
+--- a/regexec.c
++++ b/regexec.c
+@@ -1466,7 +1466,9 @@ Perl_re_intuit_start(pTHX_
+                                            ? trie_utf8_fold                         \
+                                            :   trie_latin_utf8_fold)))
+ 
+-#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \
++/* 'uscan' is set to foldbuf, and incremented, so below the end of uscan is
++ * 'foldbuf+sizeof(foldbuf)' */
++#define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uc_end, uscan, len, uvc, charid, foldlen, foldbuf, uniflags) \
+ STMT_START {                                                                        \
+     STRLEN skiplen;                                                                 \
+     U8 flags = FOLD_FLAGS_FULL;                                                     \
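Review bot: `REXEC_TRIE_READ_CHAR` gains a `uc_end` parameter, so every invocation in regexec.c must be updated in the same patch or the build fails; the diffstat (`regexec.c | 29 ++++++++++++++++-------------`) suggests those call-site hunks follow, but they are outside the part of the patch visible here. Since this is a cherry-pick onto 5.24.1 from a later branch, confirm after do_patch that the file compiles and that the new comment above the macro stays accurate for this tree's `foldbuf` size.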
+@@ -1474,7 +1476,7 @@ STMT_START {
+     case trie_flu8:                                                                 \
+         _CHECK_AND_WARN_PROBLEMATIC_LOCALE;                                         \
+         if (utf8_target && UTF8_IS_ABOVE_LATIN1(*uc)) {                             \
+-            _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc + UTF8SKIP(uc));          \
++            _CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG(uc, uc_end - uc);                \
+         }                                                                           \
+         goto do_trie_utf8_fold;                                                     \
+     case trie_utf8_exactfa_fold:                                                    \
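Review bot: the second argument to `_CHECK_AND_OUTPUT_WIDE_LOCALE_UTF8_MSG` changes kind here: the removed line passed an end pointer (`uc + UTF8SKIP(uc)`), the added line passes a byte count (`uc_end - uc`). If the macro in 5.24.1's regexec.c still takes an end pointer, this is a pointer/integer mismatch that at best produces a compiler warning and at worst a bogus bound; check the macro's definition in the SUMO tree and pass `uc_end` itself if it expects a pointer.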
+@@ -1483,7 +1485,7 @@ STMT_START {
+     case trie_utf8_fold:                                                            \
+       do_trie_utf8_fold:                                                            \
+         if ( foldlen>0 ) {                                                          \
+-            uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \
++            uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags );     \
+             foldlen -= len;                                                         \
+             uscan += len;                                                           \
+             len=0;                                                                  \
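Review bot: bounding the decode by `foldlen` instead of `UTF8_MAXLEN` is the right fix for reads from `foldbuf`: `foldlen -= len` and `uscan += len` stay consistent only when `len` cannot exceed what is left. A short comment that `foldlen` here is the number of bytes remaining in the fold buffer, not its original length, would stop a later edit from reintroducing the fixed 13-byte bound.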
+@@ -1500,7 +1502,7 @@ STMT_START {
+         /* FALLTHROUGH */                                                           \
+     case trie_latin_utf8_fold:                                                      \
+         if ( foldlen>0 ) {                                                          \
+-            uvc = utf8n_to_uvchr( (const U8*) uscan, UTF8_MAXLEN, &len, uniflags ); \
++            uvc = utf8n_to_uvchr( (const U8*) uscan, foldlen, &len, uniflags );     \
+             foldlen -= len;                                                         \
+             uscan += len;                                                           \
+             len=0;                                                                  \
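Review bot: this is the same three-line change as in the `trie_utf8_fold` case above, and both cases carry identical bookkeeping on `uscan`/`foldlen`. Since `trie_utf8_fold` already has the `do_trie_utf8_fold` label, consider having `trie_latin_utf8_fold` jump to it for the fold-buffer path rather than keeping two copies that must be patched in lockstep.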
+@@ -1519,7 +1521,7 @@ STMT_START {
+         }                                                                           \
+         /* FALLTHROUGH */                                                           \
+     case trie_utf8:                                                                 \
+-        uvc = utf8n_to_uvchr( (const U8*) uc, UTF8_MAXLEN, &len, uniflags );        \
++        uvc = utf8n_to_uvchr( (const U8*) uc, uc_end - uc, &len, uniflags );        \
+         break;                                                                      \
+     case trie_plain:                                                                \
+         uvc = (UV)*uc;                                                              \
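Review bot: `uc_end - uc` is only a valid bound when the caller guarantees `uc < uc_end` in the `trie_utf8` case; both call sites in this patch test `uc < strend` (or `foldlen`) before invoking the macro, but that precondition lives in the callers, so state it in the macro's comment. The `trie_plain` case below reads a single byte and needs no bound, which is why it is unchanged.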
+@@ -2599,10 +2601,10 @@ S_find_byclass(pTHX_ regexp * prog, const regnode *c, char *s,
+                     }
+                     points[pointpos++ % maxlen]= uc;
+                     if (foldlen || uc < (U8*)strend) {
+-                        REXEC_TRIE_READ_CHAR(trie_type, trie,
+-                                         widecharmap, uc,
+-                                         uscan, len, uvc, charid, foldlen,
+-                                         foldbuf, uniflags);
++                        REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc,
++                                             (U8 *) strend, uscan, len, uvc,
++                                             charid, foldlen, foldbuf,
++                                             uniflags);
+                         DEBUG_TRIE_EXECUTE_r({
+                             dump_exec_pos( (char *)uc, c, strend,
+                                         real_start, s, utf8_target, 0);
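Review bot: the guard on the line above the call, `if (foldlen || uc < (U8*)strend)`, is what makes `(U8 *) strend` safe as `uc_end`: when `foldlen` is zero, `uc < strend` holds and `uc_end - uc` is at least 1. Keep the guard and the argument adjacent, or add a comment, so a later reordering cannot pass a zero or negative length into `utf8n_to_uvchr`.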
+@@ -5511,8 +5513,9 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
+ 		    if ( base && (foldlen || uc < (U8*)(reginfo->strend))) {
+ 			I32 offset;
+ 			REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc,
+-					     uscan, len, uvc, charid, foldlen,
+-					     foldbuf, uniflags);
++                                             (U8 *) reginfo->strend, uscan,
++                                             len, uvc, charid, foldlen,
++                                             foldbuf, uniflags);
+ 			charcount++;
+ 			if (foldlen>0)
+ 			    ST.longfold = TRUE;
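Review bot: same shape as the S_find_byclass call: `reginfo->strend` is valid as `uc_end` only because of the `uc < (U8*)(reginfo->strend)` test on the `if` line above. The added continuation lines are indented with spaces while the surrounding code uses tabs; match the existing tab style so the backported diff stays minimal and applies without fuzz.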
+@@ -5642,8 +5645,8 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
+ 			while (foldlen) {
+ 			    if (!--chars)
+ 				break;
+-			    uvc = utf8n_to_uvchr(uscan, UTF8_MAXLEN, &len,
+-					    uniflags);
++			    uvc = utf8n_to_uvchr(uscan, foldlen, &len,
++                                                 uniflags);
+ 			    uscan += len;
+ 			    foldlen -= len;
+ 			}
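Review bot: with `foldlen` as the decode bound the decoder is told exactly how many fold bytes remain, so `uscan += len` can no longer step past the end of the fold buffer and `foldlen -= len` cannot go below zero. The `if (!--chars) break;` exit still leaves `foldlen` nonzero when the loop stops early; that is pre-existing, but a comment that the loop may end with fold bytes unconsumed would help the next reader.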
+diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec
+index 900dd6ee7f..6635142dea 100644
+--- a/t/lib/warnings/regexec
++++ b/t/lib/warnings/regexec
+@@ -260,3 +260,10 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale);
+ "k" =~ /(?[ \N{KELVIN SIGN} ])/i;
+ ":" =~ /(?[ \: ])/;
+ EXPECT
++########
++# NAME perl #132063, read beyond buffer end
++# OPTION fatal
++"\xff" =~ /(?il)\x{100}|\x{100}/;
++EXPECT
++Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2.
++Malformed UTF-8 character (fatal) at - line 2.
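Review bot: the expected text ('too short; 1 byte available, need 13') is the 5.27 wording of the malformed-UTF-8 diagnostic, and `# OPTION fatal` makes the test fail on any mismatch; 5.24.1 may not phrase it the same way. The second patch in this series removes these three lines again, so the intermediate expectation only matters if the series is bisected, but run t/lib/warnings/regexec against the SUMO perl once rather than assuming the wording matches.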
+-- 
+2.15.1-424-g9478a660812
+
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch
new file mode 100644
index 0000000..fb9b41a
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-6798-2.patch
@@ -0,0 +1,37 @@
+From f65da1ca2eee74696d9c120e9d69af37b4fa1920 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Mon, 19 Feb 2018 15:11:42 +1100
+Subject: [PATCH] (perl #132063) we should no longer warn for this code
+
+The first patch for 132063 prevented the buffer read overflow when
+dumping the warning but didn't fix the underlying problem.
+
+The next change treats the supplied buffer correctly, preventing the
+non-UTF-8 SV from being treated as UTF-8, preventing the warning.
+
+(cherry picked from commit 1e8b61488f195e1396aa801c685340b156104f4f)
+
+CVE: CVE-2018-6798
+Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/f65da1ca2eee74696d9c120e9d69af37b4fa1920]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ t/lib/warnings/regexec | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/t/lib/warnings/regexec b/t/lib/warnings/regexec
+index 6635142dea..c370ddc3c7 100644
+--- a/t/lib/warnings/regexec
++++ b/t/lib/warnings/regexec
+@@ -262,8 +262,5 @@ setlocale(&POSIX::LC_CTYPE, $utf8_locale);
+ EXPECT
+ ########
+ # NAME perl #132063, read beyond buffer end
+-# OPTION fatal
+ "\xff" =~ /(?il)\x{100}|\x{100}/;
+ EXPECT
+-Malformed UTF-8 character: \xff (too short; 1 byte available, need 13) in pattern match (m//) at - line 2.
+-Malformed UTF-8 character (fatal) at - line 2.
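Review bot: this patch changes only the test expectation. The message says "the next change treats the supplied buffer correctly" so the warning no longer fires, but no regexec.c change accompanies it here (the diffstat lists only t/lib/warnings/regexec). Unless that code change is already in perl 5.24.1 or elsewhere in this series, the test will now expect silence from a match that still warns. Name the upstream commit that carries the regexec.c fix and confirm it is applied.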
+-- 
+2.15.1-424-g9478a660812
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index 91f310d..311df40 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -66,6 +66,8 @@ SRC_URI += " \
         file://perl-5.26.1-guard_old_libcrypt_fix.patch \
         file://CVE-2017-12883.patch \
         file://CVE-2017-12837.patch \
+        file://CVE-2018-6798-1.patch \
+        file://CVE-2018-6798-2.patch \
 "
 
 # Fix test case issues
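Review bot: the two added patches come from perl blead (the regexec.c index lines and hunk offsets are upstream's, not 5.24.1's), so they were applied with offsets or fuzz; say in the commit message that both were verified to apply to 5.24.1. Keep the pair adjacent as here, since the second patch edits the test block the first one adds.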
-- 
2.7.4

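The regexec.c hunks above replace the fixed `UTF8_MAXLEN` bound with the number of bytes actually left in the buffer. As an added illustration of that class of bug, not perl's own code, here is a small bounded UTF-8 decoder in C with a constructed one-byte input whose backing storage happens to hold a stale continuation byte. The `claimed_len` table, the decoder and the message wording are assumptions modelled on perl's extended UTF-8 and on the test added in this patch; `utf8n_to_uvchr` itself is not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UTF8_MAXLEN 13   /* longest sequence in perl's extended UTF-8 */

/* Bytes a sequence starting with byte b claims to occupy (perl's extended
 * scheme: 0xFE starts a 7-byte form, 0xFF a 13-byte form). Returns 0 for a
 * continuation byte, which can never start a sequence. Assumed table. */
static size_t claimed_len(uint8_t b)
{
    if (b < 0x80) return 1;
    if (b < 0xC0) return 0;
    if (b < 0xE0) return 2;
    if (b < 0xF0) return 3;
    if (b < 0xF8) return 4;
    if (b < 0xFC) return 5;
    if (b < 0xFE) return 6;
    if (b == 0xFE) return 7;
    return UTF8_MAXLEN;
}

/* Decode one code point from s without reading more than avail bytes.
 * Returns the bytes consumed and stores the value in *cp; on a malformed or
 * truncated sequence returns 0 and leaves the claimed length in *need. */
static size_t decode_bounded(const uint8_t *s, size_t avail,
                             uint32_t *cp, size_t *need)
{
    size_t len = avail ? claimed_len(s[0]) : 0;
    *need = len;
    if (len == 0 || len > avail)
        return 0;                        /* too short: stop at the buffer end */
    if (len == 1) { *cp = s[0]; return 1; }
    if (len > 6)
        return 0;                        /* above Unicode: not decoded here */
    uint32_t v = s[0] & (0x7Fu >> len);  /* payload bits of the start byte */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;                    /* missing continuation byte */
        v = (v << 6) | (s[i] & 0x3Fu);
    }
    *cp = v;
    return len;
}

/* Constructed input: a one-byte "string" (only g_strlen bytes are ours)
 * whose backing storage happens to hold a stale continuation byte next. */
static const uint8_t g_backing[4] = { 0xC3, 0xA9, 0x00, 0x00 };
static const size_t  g_strlen = 1;

/* Pre-fix call shape: the caller claims UTF8_MAXLEN bytes are readable. */
static size_t decode_old_bound(uint32_t *cp, size_t *need)
{
    return decode_bounded(g_backing, UTF8_MAXLEN, cp, need);
}

/* Post-fix call shape: the bound is uc_end - uc, the bytes really left. */
static size_t decode_new_bound(uint32_t *cp, size_t *need)
{
    const uint8_t *uc = g_backing, *uc_end = g_backing + g_strlen;
    return decode_bounded(uc, (size_t)(uc_end - uc), cp, need);
}

/* Render the outcome in the wording the patch's test expects. */
static int explain(char *out, size_t outsz, const uint8_t *s, size_t avail)
{
    uint32_t cp = 0;
    size_t need = 0, got = decode_bounded(s, avail, &cp, &need);
    if (got)
        return snprintf(out, outsz, "U+%04X (%zu bytes)", (unsigned)cp, got);
    return snprintf(out, outsz,
                    "Malformed UTF-8 character: \\x%02X (too short; "
                    "%zu byte%s available, need %zu)",
                    s[0], avail, avail == 1 ? "" : "s", need);
}

int main(void)
{
    char msg[96];
    uint32_t cp = 0;
    size_t need = 0, got = decode_old_bound(&cp, &need);
    printf("UTF8_MAXLEN bound: consumed %zu bytes, U+%04X (one past the string)\n",
           got, (unsigned)cp);
    explain(msg, sizeof msg, g_backing, g_strlen);
    printf("uc_end - uc bound: %s\n", msg);
    return 0;
}
```

With the old bound the decoder happily consumes the byte after the string and reports U+00E9; with the real remaining length it stops and reports "too short; 1 byte available, need 2", the same shape as the "need 13" line in the test above for a lone 0xFF start byte.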

* [SUMO][PATCH V2] procps: CVE-2018-1124
  2018-08-22 11:41 [SUMO][PATCH V2] coreutils: CVE-2017-18018 Jagadeesh Krishnanjanappa
  2018-08-22 11:41 ` [SUMO][PATCH V2] python: CVE-2018-1000030 Jagadeesh Krishnanjanappa
  2018-08-22 11:41 ` [SUMO][PATCH V2] perl: CVE-2018-6798 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:41 ` Jagadeesh Krishnanjanappa
  2018-08-22 11:41 ` [SUMO][PATCH V2] gnupg: CVE-2018-12020 Jagadeesh Krishnanjanappa
                   ` (12 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

proc/readproc.c: Fix bugs and overflows in file2strvec().

Note: this is by far the most important and complex patch of the whole
series, please review it carefully; thank you very much!

For this patch, we decided to keep the original function's design and
skeleton, to avoid regressions and behavior changes, while fixing the
various bugs and overflows. And like the "Harden file2str()" patch, this
patch does not fail when about to overflow, but truncates instead: there
is information available about this process, so return it to the caller;
also, we used INT_MAX as a limit, but a lower limit could be used.

The easy changes:

- Replace sprintf() with snprintf() (and check for truncation).

- Replace "if (n == 0 && rbuf == 0)" with "if (n <= 0 && tot <= 0)" and
  do break instead of return: it simplifies the code (only one place to
  handle errors), and also guarantees that in the while loop either n or
  tot is > 0 (or both), even if n is reset to 0 when about to overflow.

- Remove the "if (n < 0)" block in the while loop: it is (and was) dead
  code, since we enter the while loop only if n >= 0.

- Rewrite the missing-null-terminator detection: in the original
  function, if the size of the file is a multiple of 2047, a null-
  terminator is appended even if the file is already null-terminated.

- Replace "if (n <= 0 && !end_of_file)" with "if (n < 0 || tot <= 0)":
  originally, it was equivalent to "if (n < 0)", but we added "tot <= 0"
  to handle the first break of the while loop, and to guarantee that in
  the rest of the function tot is > 0.

- Double-force ("belt and suspenders") the null-termination of rbuf:
  this is (and was) essential to the correctness of the function.

- Replace the final "while" loop with a "for" loop that behaves just
  like the preceding "for" loop: in the original function, this would
  lead to unexpected results (for example, if rbuf is |\0|A|\0|, this
  would return the array {"",NULL} but should return {"","A",NULL}; and
  if rbuf is |A|\0|B| (should never happen because rbuf should be null-
  terminated), this would make room for two pointers in ret, but would
  write three pointers to ret).

The hard changes:

- Prevent the integer overflow of tot in the while loop, but unlike
  file2str(), file2strvec() cannot let tot grow until it almost reaches
  INT_MAX, because it needs more space for the pointers: this is why we
  introduced ARG_LEN, which also guarantees that we can add "align" and
  a few sizeof(char*)s to tot without overflowing.

- Prevent the integer overflow of "tot + c + align": when INT_MAX is
  (almost) reached, we write the maximal safe amount of pointers to ret
  (ARG_LEN guarantees that there is always space for *ret = rbuf and the
  NULL terminator).

Affects procps-ng < 3.3.15

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 .../procps/procps/CVE-2018-1124.patch              | 176 +++++++++++++++++++++
 meta/recipes-extended/procps/procps_3.3.12.bb      |   1 +
 2 files changed, 177 insertions(+)
 create mode 100644 meta/recipes-extended/procps/procps/CVE-2018-1124.patch

diff --git a/meta/recipes-extended/procps/procps/CVE-2018-1124.patch b/meta/recipes-extended/procps/procps/CVE-2018-1124.patch
new file mode 100644
index 0000000..bc78faf
--- /dev/null
+++ b/meta/recipes-extended/procps/procps/CVE-2018-1124.patch
@@ -0,0 +1,176 @@
+From bdd058a0e676d2f013027fcfb2b344c313112a50 Mon Sep 17 00:00:00 2001
+From: Qualys Security Advisory <qsa@qualys.com>
+Date: Thu, 1 Jan 1970 00:00:00 +0000
+Subject: [PATCH 074/126] proc/readproc.c: Fix bugs and overflows in
+ file2strvec().
+
+Note: this is by far the most important and complex patch of the whole
+series, please review it carefully; thank you very much!
+
+For this patch, we decided to keep the original function's design and
+skeleton, to avoid regressions and behavior changes, while fixing the
+various bugs and overflows. And like the "Harden file2str()" patch, this
+patch does not fail when about to overflow, but truncates instead: there
+is information available about this process, so return it to the caller;
+also, we used INT_MAX as a limit, but a lower limit could be used.
+
+The easy changes:
+
+- Replace sprintf() with snprintf() (and check for truncation).
+
+- Replace "if (n == 0 && rbuf == 0)" with "if (n <= 0 && tot <= 0)" and
+  do break instead of return: it simplifies the code (only one place to
+  handle errors), and also guarantees that in the while loop either n or
+  tot is > 0 (or both), even if n is reset to 0 when about to overflow.
+
+- Remove the "if (n < 0)" block in the while loop: it is (and was) dead
+  code, since we enter the while loop only if n >= 0.
+
+- Rewrite the missing-null-terminator detection: in the original
+  function, if the size of the file is a multiple of 2047, a null-
+  terminator is appended even if the file is already null-terminated.
+
+- Replace "if (n <= 0 && !end_of_file)" with "if (n < 0 || tot <= 0)":
+  originally, it was equivalent to "if (n < 0)", but we added "tot <= 0"
+  to handle the first break of the while loop, and to guarantee that in
+  the rest of the function tot is > 0.
+
+- Double-force ("belt and suspenders") the null-termination of rbuf:
+  this is (and was) essential to the correctness of the function.
+
+- Replace the final "while" loop with a "for" loop that behaves just
+  like the preceding "for" loop: in the original function, this would
+  lead to unexpected results (for example, if rbuf is |\0|A|\0|, this
+  would return the array {"",NULL} but should return {"","A",NULL}; and
+  if rbuf is |A|\0|B| (should never happen because rbuf should be null-
+  terminated), this would make room for two pointers in ret, but would
+  write three pointers to ret).
+
+The hard changes:
+
+- Prevent the integer overflow of tot in the while loop, but unlike
+  file2str(), file2strvec() cannot let tot grow until it almost reaches
+  INT_MAX, because it needs more space for the pointers: this is why we
+  introduced ARG_LEN, which also guarantees that we can add "align" and
+  a few sizeof(char*)s to tot without overflowing.
+
+- Prevent the integer overflow of "tot + c + align": when INT_MAX is
+  (almost) reached, we write the maximal safe amount of pointers to ret
+  (ARG_LEN guarantees that there is always space for *ret = rbuf and the
+  NULL terminator).
+[carnil: backport for 3.3.9: Add include for limits.h and use of MAX_INT]
+
+CVE: CVE-2018-1124
+Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/commit/36c350f07c75aabf747fb833f52a234ae5781b20]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ proc/readproc.c | 53 ++++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 32 insertions(+), 21 deletions(-)
+
+diff -Naurp procps-ng-3.3.12_org/proc/readproc.c procps-ng-3.3.12/proc/readproc.c
+--- procps-ng-3.3.12_org/proc/readproc.c	2016-07-09 14:49:25.825306872 -0700
++++ procps-ng-3.3.12/proc/readproc.c	2018-07-24 00:46:49.366202531 -0700
+@@ -37,6 +37,7 @@
+ #include <dirent.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#include <limits.h>
+ #ifdef WITH_SYSTEMD
+ #include <systemd/sd-login.h>
+ #endif
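Review bot: the patch carries two different headers for the same file: a `diff -Naurp procps-ng-3.3.12_org/...` pair for this hunk and a `--- a/proc/readproc.c` pair for the remaining hunks. Both strip to proc/readproc.c at -p1, so it applies, but regenerate it as a single unified diff so the diffstat, which lists readproc.c once, matches what is below. The `[carnil: ...]` note says `MAX_INT`; the code correctly uses `INT_MAX`.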
+--- a/proc/readproc.c
++++ b/proc/readproc.c
+@@ -600,11 +601,12 @@ static int file2str(const char *director
+ 
+ static char** file2strvec(const char* directory, const char* what) {
+     char buf[2048];	/* read buf bytes at a time */
+-    char *p, *rbuf = 0, *endbuf, **q, **ret;
++    char *p, *rbuf = 0, *endbuf, **q, **ret, *strp;
+     int fd, tot = 0, n, c, end_of_file = 0;
+     int align;
+ 
+-    sprintf(buf, "%s/%s", directory, what);
++    const int len = snprintf(buf, sizeof buf, "%s/%s", directory, what);
++    if(len <= 0 || (size_t)len >= sizeof buf) return NULL;
+     fd = open(buf, O_RDONLY, 0);
+     if(fd==-1) return NULL;
+ 
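Review bot: the truncation test `(size_t)len >= sizeof buf` is the right one, since snprintf returns the length it would have written and equality means the NUL was dropped. `len <= 0` can only fire on an encoding error because the "%s/%s" format always emits at least the '/'; fine as a belt-and-suspenders check, but worth a word in the comment so nobody "simplifies" it to `len < 0`.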
+@@ -612,18 +614,23 @@ static char** file2strvec(const char* di
+     while ((n = read(fd, buf, sizeof buf - 1)) >= 0) {
+ 	if (n < (int)(sizeof buf - 1))
+ 	    end_of_file = 1;
+-	if (n == 0 && rbuf == 0) {
+-	    close(fd);
+-	    return NULL;	/* process died between our open and read */
++	if (n <= 0 && tot <= 0) { /* nothing read now, nothing read before */
++	    break;		/* process died between our open and read */
+ 	}
+-	if (n < 0) {
+-	    if (rbuf)
+-		free(rbuf);
+-	    close(fd);
+-	    return NULL;	/* read error */
++	/* ARG_LEN is our guesstimated median length of a command-line argument
++	   or environment variable (the minimum is 1, the maximum is 131072) */
++	#define ARG_LEN 64
++	if (tot >= INT_MAX / (ARG_LEN + (int)sizeof(char*)) * ARG_LEN - n) {
++	    end_of_file = 1; /* integer overflow: null-terminate and break */
++	    n = 0; /* but tot > 0 */
+ 	}
+-	if (end_of_file && (n == 0 || buf[n-1]))/* last read char not null */
++	#undef ARG_LEN
++	if (end_of_file &&
++	    ((n > 0 && buf[n-1] != '\0') ||	/* last read char not null */
++	     (n <= 0 && rbuf[tot-1] != '\0')))	/* last read char not null */
+ 	    buf[n++] = '\0';			/* so append null-terminator */
++
++	if (n <= 0) break; /* unneeded (end_of_file = 1) but avoid realloc */
+ 	rbuf = xrealloc(rbuf, tot + n);		/* allocate more memory */
+ 	memcpy(rbuf + tot, buf, n);		/* copy buffer into it */
+ 	tot += n;				/* increment total byte ctr */
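Review bot: `#define ARG_LEN` followed by `#undef` inside the loop body works but is unusual; a file-level define next to `buf[2048]` reads better. The `rbuf[tot-1] != '\0'` test in the `n <= 0` branch is only safe because `n <= 0 && tot <= 0` broke out of the loop earlier, so `tot >= 1` and `rbuf` is non-NULL by the time it is evaluated; that reasoning deserves a comment. Note also that the overflow guard rewrites `n` to 0 instead of failing, so an oversized cmdline or environ is silently truncated; that is the policy stated in the message, but callers get no indication.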
+@@ -631,29 +638,34 @@ static char** file2strvec(const char* di
+ 	    break;
+     }
+     close(fd);
+-    if (n <= 0 && !end_of_file) {
++    if (n < 0 || tot <= 0) {	/* error, or nothing read */
+ 	if (rbuf) free(rbuf);
+ 	return NULL;		/* read error */
+     }
++    rbuf[tot-1] = '\0'; /* belt and suspenders (the while loop did it, too) */
+     endbuf = rbuf + tot;			/* count space for pointers */
+     align = (sizeof(char*)-1) - ((tot + sizeof(char*)-1) & (sizeof(char*)-1));
+-    for (c = 0, p = rbuf; p < endbuf; p++) {
+-	if (!*p || *p == '\n')
++    c = sizeof(char*);				/* one extra for NULL term */
++    for (p = rbuf; p < endbuf; p++) {
++	if (!*p || *p == '\n') {
++	    if (c >= INT_MAX - (tot + (int)sizeof(char*) + align)) break;
+ 	    c += sizeof(char*);
++	}
+ 	if (*p == '\n')
+ 	    *p = 0;
+     }
+-    c += sizeof(char*);				/* one extra for NULL term */
+ 
+     rbuf = xrealloc(rbuf, tot + c + align);	/* make room for ptrs AT END */
+     endbuf = rbuf + tot;			/* addr just past data buf */
+     q = ret = (char**) (endbuf+align);		/* ==> free(*ret) to dealloc */
+-    *q++ = p = rbuf;				/* point ptrs to the strings */
+-    endbuf--;					/* do not traverse final NUL */
+-    while (++p < endbuf)
+-    	if (!*p)				/* NUL char implies that */
+-	    *q++ = p+1;				/* next string -> next char */
+-
++    for (strp = p = rbuf; p < endbuf; p++) {
++	if (!*p) {				/* NUL char implies that */
++	    if (c < 2 * (int)sizeof(char*)) break;
++	    c -= sizeof(char*);
++	    *q++ = strp;			/* point ptrs to the strings */
++	    strp = p+1;				/* next string -> next char */
++	}
++    }
+     *q = 0;					/* null ptr list terminator */
+     return ret;
+ }
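Review bot: in the counting loop the `break` on the INT_MAX bound happens before `*p = 0` for a newline, so bytes past the budget keep their '\n'; harmless, because the pointer loop below stops at the same budget, but say so in a comment. The pointer loop's correctness depends on `rbuf[tot-1] == '\0'`, forced just above: without that, the last argument would never be emitted. `c < 2 * (int)sizeof(char*)` is the "keep one slot for the NULL terminator" condition; naming that constant would make the two loops easier to check against each other.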
diff --git a/meta/recipes-extended/procps/procps_3.3.12.bb b/meta/recipes-extended/procps/procps_3.3.12.bb
index ecf215f..6e15b0a 100644
--- a/meta/recipes-extended/procps/procps_3.3.12.bb
+++ b/meta/recipes-extended/procps/procps_3.3.12.bb
@@ -14,6 +14,7 @@ inherit autotools gettext pkgconfig update-alternatives
 
 SRC_URI = "http://downloads.sourceforge.net/project/procps-ng/Production/procps-ng-${PV}.tar.xz \
            file://sysctl.conf \
+           file://CVE-2018-1124.patch \
           "
 
 SRC_URI[md5sum] = "957e42e8b193490b2111252e4a2b443c"
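Review bot: the recipe is procps 3.3.12, but the patch header says "backport for 3.3.9" and the Upstream-Status URL (commit 36c350f0...) differs from the `From:` id (bdd058a0...). Point Upstream-Status at the commit the hunks were actually taken from, and drop the 3.3.9 remark if the 3.3.12 paths in the diff header are what was applied.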
-- 
2.7.4

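The |\0|A|\0| and |A|\0|B| cases in the commit message above are easy to check in isolation. The C below is an added example, not procps code: it re-implements the old final `while` loop and the patched counting and pointer loops as standalone functions over a constructed buffer, using a slot budget in place of the patch's INT_MAX byte arithmetic (an assumption that keeps the demonstration short), and reports how many strings each version yields and whether the old loop writes more pointers than it reserved. The patch additionally forces rbuf[tot-1] to NUL before the loops, so the unterminated case cannot reach them there.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pre-fix pointer loop, as the commit message describes it: the first
 * string starts at rbuf and every NUL starts the next one. Writes pointers
 * to out and returns how many it wrote, NULL included. Needs tot >= 1. */
static size_t split_old(char *rbuf, size_t tot, char **out)
{
    char **q = out;
    char *p = rbuf, *endbuf = rbuf + tot;
    *q++ = p;                       /* point ptrs to the strings */
    endbuf--;                       /* do not traverse final NUL */
    while (++p < endbuf)
        if (!*p)                    /* NUL char implies that */
            *q++ = p + 1;           /* next string -> next char */
    *q++ = NULL;
    return (size_t)(q - out);
}

/* Pre-fix room computation: one slot per NUL or '\n', one extra for NULL. */
static size_t room_old(const char *rbuf, size_t tot)
{
    size_t c = 1;
    for (size_t i = 0; i < tot; i++)
        if (!rbuf[i] || rbuf[i] == '\n')
            c++;
    return c;
}

/* Fixed counting pass: converts '\n' to NUL and returns the slot budget,
 * one per terminator plus one for NULL, capped at max_slots (standing in
 * for the patch's INT_MAX arithmetic). Like the patch, it stops before
 * converting a '\n' that lies beyond the budget. */
static size_t count_new(char *rbuf, size_t tot, size_t max_slots)
{
    size_t c = 1;
    for (size_t i = 0; i < tot; i++) {
        if (!rbuf[i] || rbuf[i] == '\n') {
            if (c >= max_slots) break;  /* truncate, do not overflow */
            c++;
        }
        if (rbuf[i] == '\n') rbuf[i] = '\0';
    }
    return c;
}

/* Fixed pointer loop: emits a pointer only once a string has ended, keeps
 * one slot for the NULL, and stops when the budget is spent. */
static size_t split_new(char *rbuf, size_t tot, char **out, size_t slots)
{
    char **q = out;
    char *strp = rbuf, *endbuf = rbuf + tot;
    for (char *p = rbuf; p < endbuf; p++) {
        if (!*p) {
            if (slots < 2) break;       /* keep the terminator's slot */
            slots--;
            *q++ = strp;
            strp = p + 1;
        }
    }
    *q++ = NULL;
    return (size_t)(q - out);
}

/* Run both versions over a constructed buffer of tot bytes. Returns the
 * string count from the fixed loops; *old_strings gets the pre-fix count
 * and *old_overflow whether the pre-fix loop wrote past room_old(). */
static size_t compare(const char *data, size_t tot,
                      size_t *old_strings, int *old_overflow)
{
    char buf_old[32], buf_new[32];
    char *out_old[32], *out_new[32];
    memcpy(buf_old, data, tot);
    memcpy(buf_new, data, tot);
    size_t wrote = split_old(buf_old, tot, out_old);
    *old_strings = wrote - 1;
    *old_overflow = wrote > room_old(buf_old, tot);
    size_t slots = count_new(buf_new, tot, sizeof out_new / sizeof *out_new);
    return split_new(buf_new, tot, out_new, slots) - 1;
}

int main(void)
{
    size_t olds, news;
    int ovf;
    news = compare("\0A\0", 3, &olds, &ovf);
    printf("|\\0|A|\\0|: old %zu string(s), new %zu string(s)\n", olds, news);
    news = compare("A\0B", 3, &olds, &ovf);
    printf("|A|\\0|B|:  old wrote %zu pointers (overflow=%d), new %zu string(s)\n",
           olds + 1, ovf, news);
    return 0;
}
```

For |\0|A|\0| the old loop yields only the empty string while the fixed loops yield "" and "A"; for |A|\0|B| the old loop writes three pointers into room reserved for two, exactly the overflow the message describes, while the fixed loops stay within their budget and simply stop emitting when it is spent.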

* [SUMO][PATCH V2] gnupg: CVE-2018-12020
  2018-08-22 11:41 [SUMO][PATCH V2] coreutils: CVE-2017-18018 Jagadeesh Krishnanjanappa
                   ` (2 preceding siblings ...)
  2018-08-22 11:41 ` [SUMO][PATCH V2] procps: CVE-2018-1124 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:41 ` Jagadeesh Krishnanjanappa
  2018-08-22 11:41 ` [SUMO][PATCH V2] qemu: CVE-2018-7550 Jagadeesh Krishnanjanappa
                   ` (11 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

gpg: Sanitize diagnostic with the original file name.

* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
--

This fixes a forgotten sanitation of user supplied data in a verbose
mode diagnostic.  The mentioned CVE is about using this to inject
status-fd lines into the stderr output.  Other harm could as well be
done.  Note that GPGME based applications are not affected because
GPGME does not fold status output into stderr.

CVE-id: CVE-2018-12020
GnuPG-bug-id: 4012

Affects gnupg < 2.2.8

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 .../gnupg/gnupg/CVE-2018-12020.patch               | 47 ++++++++++++++++++++++
 meta/recipes-support/gnupg/gnupg_2.2.4.bb          |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2018-12020.patch

diff --git a/meta/recipes-support/gnupg/gnupg/CVE-2018-12020.patch b/meta/recipes-support/gnupg/gnupg/CVE-2018-12020.patch
new file mode 100644
index 0000000..14698db
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/CVE-2018-12020.patch
@@ -0,0 +1,47 @@
+From 13f135c7a252cc46cff96e75968d92b6dc8dce1b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Fri, 8 Jun 2018 10:45:21 +0200
+Subject: [PATCH] gpg: Sanitize diagnostic with the original file name.
+
+* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
+--
+
+This fixes a forgotten sanitation of user supplied data in a verbose
+mode diagnostic.  The mention CVE is about using this to inject
+status-fd lines into the stderr output.  Other harm good as well be
+done.  Note that GPGME based applications are not affected because
+GPGME does not fold status output into stderr.
+
+CVE-id: CVE-2018-12020
+GnuPG-bug-id: 4012
+
+Upstream-Status: Backport [https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=13f135c7a252cc46cff96e75968d92b6dc8dce1b]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ g10/mainproc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
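Review bot: every other patch in this series carries a `CVE: CVE-xxxx-yyyy` line; this one has only upstream's `CVE-id: CVE-2018-12020`. OE's cve-check looks for the `CVE:` tag (the file name also matches, so the CVE will still be counted), but add the `CVE:` line for consistency with the rest of the series.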
+diff --git a/g10/mainproc.c b/g10/mainproc.c
+index d2ceec2fd..a9da08f74 100644
+--- a/g10/mainproc.c
++++ b/g10/mainproc.c
+@@ -851,7 +851,14 @@ proc_plaintext( CTX c, PACKET *pkt )
+   if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
+     log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
+   else if (opt.verbose)
+-    log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
++    {
++      /* We don't use print_utf8_buffer because that would require a
++       * string change which we don't want in 2.2.  It is also not
++       * clear whether the filename is always utf-8 encoded.  */
++      char *tmp = make_printable_string (pt->name, pt->namelen, 0);
++      log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
++      xfree (tmp);
++    }
+ 
+   free_md_filter_context (&c->mfx);
+   if (gcry_md_open (&c->mfx.md, 0, 0))
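Review bot: `%.*s` with `(int)strlen (tmp)` is redundant for a NUL-terminated string, but keeping the original format string avoids touching a translated message, as the comment explains; that is fine. The comment should also say why the escaping matters: the CVE is a newline in the packet's file name splitting the diagnostic so a forged `[GNUPG:]` status line lands on a shared stderr, and `make_printable_string` is what neutralises the newline. This hunk only touches the verbose path; the `_CONSOLE` branch above does not print the name, but confirm no other diagnostic prints `pt->name` raw.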
+-- 
+2.13.3
+
diff --git a/meta/recipes-support/gnupg/gnupg_2.2.4.bb b/meta/recipes-support/gnupg/gnupg_2.2.4.bb
index d3f1a8f..d6bfaff 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.4.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.4.bb
@@ -14,6 +14,7 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0002-use-pkgconfig-instead-of-npth-config.patch \
            file://0003-dirmngr-uses-libgpg-error.patch \
            file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \
+           file://CVE-2018-12020.patch \
           "
 SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch"
 
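Review bot: the recipe is gnupg 2.2.4 while the upstream fix landed in 2.2.8, and the index line (d2ceec2fd..a9da08f74) is upstream's; confirm the single mainproc.c hunk applied to 2.2.4 without fuzz and note that in the commit message.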
-- 
2.7.4

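To see what the sanitisation buys, here is an added C example (not gnupg's code) of the injection the commit message refers to: a literal-data-packet file name containing a newline and a forged `[GNUPG:]` status line, formatted once through an unescaped `%.*s` and once through a `make_printable_string`-style escaper. The escaper, the status-line counter standing in for a status-fd consumer, and the forged name with its made-up key id are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a byte buffer into a freshly allocated C string: newline, CR, tab
 * and backslash become two-character escapes, other control bytes \xNN.
 * Modelled on what make_printable_string() achieves; not gnupg's code. */
static char *printable(const unsigned char *s, size_t n)
{
    char *out = malloc(4 * n + 1);          /* worst case: every byte -> \xNN */
    char *w = out;
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = s[i];
        if (c == '\n')      { *w++ = '\\'; *w++ = 'n'; }
        else if (c == '\r') { *w++ = '\\'; *w++ = 'r'; }
        else if (c == '\t') { *w++ = '\\'; *w++ = 't'; }
        else if (c == '\\') { *w++ = '\\'; *w++ = '\\'; }
        else if (c < 0x20 || c == 0x7f) w += sprintf(w, "\\x%02x", c);
        else *w++ = (char)c;
    }
    *w = '\0';
    return out;
}

/* The verbose diagnostic for a literal data packet's name, formatted the
 * way the removed line (raw) or the added lines (sanitized) do. Caller
 * frees the result; NULL on allocation failure. */
static char *diagnostic(const unsigned char *name, size_t namelen, int sanitize)
{
    char *tmp = sanitize ? printable(name, namelen) : NULL;
    if (sanitize && !tmp) return NULL;
    const char *shown = sanitize ? tmp : (const char *)name;
    int shownlen = sanitize ? (int)strlen(tmp) : (int)namelen;
    char *line = malloc((size_t)shownlen + 40);
    if (line)
        sprintf(line, "gpg: original file name='%.*s'\n", shownlen, shown);
    free(tmp);
    return line;
}

/* What a status-fd consumer sharing the stream would see: the number of
 * lines that begin with the "[GNUPG:] " status prefix. */
static int status_lines(const char *text)
{
    int n = 0;
    for (const char *p = text; p && *p; ) {
        if (strncmp(p, "[GNUPG:] ", 9) == 0) n++;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return n;
}

/* Constructed attacker-controlled name: closes the quote, starts a new line
 * with a forged GOODSIG status (made-up key id and user id), then reopens a
 * plausible diagnostic so the raw output still ends in a quote. */
static const unsigned char g_evil_name[] =
    "report.txt'\n[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>\n"
    "gpg: note='";
#define G_EVIL_LEN (sizeof g_evil_name - 1)

int main(void)
{
    char *raw  = diagnostic(g_evil_name, G_EVIL_LEN, 0);
    char *safe = diagnostic(g_evil_name, G_EVIL_LEN, 1);
    if (!raw || !safe) return 1;
    printf("raw: %d forged status line(s)\n%s", status_lines(raw), raw);
    printf("sanitized: %d forged status line(s)\n%s", status_lines(safe), safe);
    free(raw);
    free(safe);
    return 0;
}
```

The raw diagnostic spans three lines and the middle one is indistinguishable from a genuine GOODSIG status line; the sanitized diagnostic is a single line in which the newline survives only as the two characters `\n`, so a consumer parsing the stream line by line never sees a status prefix at the start of a line.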

* [SUMO][PATCH V2] qemu: CVE-2018-7550
  2018-08-22 11:41 [SUMO][PATCH V2] coreutils: CVE-2017-18018 Jagadeesh Krishnanjanappa
                   ` (3 preceding siblings ...)
  2018-08-22 11:41 ` [SUMO][PATCH V2] gnupg: CVE-2018-12020 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:41 ` Jagadeesh Krishnanjanappa
  2018-08-22 11:41 ` [SUMO][PATCH V2] qemu: CVE-2018-12617 Jagadeesh Krishnanjanappa
                   ` (10 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

multiboot: bss_end_addr can be zero

The multiboot spec
(https://www.gnu.org/software/grub/manual/multiboot/),
section 3.1.3, allows for bss_end_addr to be zero.

A zero bss_end_addr signifies there is no .bss section.

Affects qemu < v2.12.0

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 .../recipes-devtools/qemu/qemu/CVE-2018-7550.patch | 62 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.11.1.bb          |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch
new file mode 100644
index 0000000..9923d12
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-7550.patch
@@ -0,0 +1,62 @@
+From 2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 Mon Sep 17 00:00:00 2001
+From: Jack Schwartz <jack.schwartz@oracle.com>
+Date: Thu, 21 Dec 2017 09:25:15 -0800
+Subject: [PATCH] multiboot: bss_end_addr can be zero
+
+The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/),
+section 3.1.3, allows for bss_end_addr to be zero.
+
+A zero bss_end_addr signifies there is no .bss section.
+
+CVE: CVE-2018-7550
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8]
+
+Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Jack Schwartz <jack.schwartz@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ hw/i386/multiboot.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
+index 46d9c68bf5..bb8d8e4629 100644
+--- a/hw/i386/multiboot.c
++++ b/hw/i386/multiboot.c
+@@ -233,12 +233,6 @@ int load_multiboot(FWCfgState *fw_cfg,
+         mh_entry_addr = ldl_p(header+i+28);
+ 
+         if (mh_load_end_addr) {
+-            if (mh_bss_end_addr < mh_load_addr) {
+-                fprintf(stderr, "invalid mh_bss_end_addr address\n");
+-                exit(1);
+-            }
+-            mb_kernel_size = mh_bss_end_addr - mh_load_addr;
+-
+             if (mh_load_end_addr < mh_load_addr) {
+                 fprintf(stderr, "invalid mh_load_end_addr address\n");
+                 exit(1);
+@@ -249,8 +243,16 @@ int load_multiboot(FWCfgState *fw_cfg,
+                 fprintf(stderr, "invalid kernel_file_size\n");
+                 exit(1);
+             }
+-            mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
+-            mb_load_size = mb_kernel_size;
++            mb_load_size = kernel_file_size - mb_kernel_text_offset;
++        }
++        if (mh_bss_end_addr) {
++            if (mh_bss_end_addr < (mh_load_addr + mb_load_size)) {
++                fprintf(stderr, "invalid mh_bss_end_addr address\n");
++                exit(1);
++            }
++            mb_kernel_size = mh_bss_end_addr - mh_load_addr;
++        } else {
++            mb_kernel_size = mb_load_size;
+         }
+ 
+         /* Valid if mh_flags sets MULTIBOOT_HEADER_HAS_VBE.
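Review bot: `mh_bss_end_addr < (mh_load_addr + mb_load_size)` forms a sum that can wrap when `mh_load_addr` is near the top of the 32-bit space, and a wrapped sum lets a bss_end below the loaded image pass; both values come from the guest-supplied header. Check `mh_bss_end_addr >= mh_load_addr` first and compare `mh_bss_end_addr - mh_load_addr` against `mb_load_size` instead. The zero case correctly sets `mb_kernel_size = mb_load_size`, matching spec section 3.1.3.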
+-- 
+2.13.3
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.11.1.bb b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
index 7de21ac..db7ead7 100644
--- a/meta/recipes-devtools/qemu/qemu_2.11.1.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
            file://0012-arm-translate-a64-treat-DISAS_UPDATE-as-variant-of-D.patch \
            file://0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch \
            file://0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch \
+           file://CVE-2018-7550.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
 
-- 
2.7.4

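The two hunks above change how the kernel image size is derived from the header's load_addr/load_end_addr/bss_end_addr triple. As an added example (not QEMU's load_multiboot()), the C below parses those fields from a constructed 32-byte header at the offsets the Multiboot spec gives, applies the patched rules (a zero bss_end_addr means no .bss, a zero load_end_addr means the size comes from the file), and writes the bss bound check as a subtraction rather than the hunk's `mh_load_addr + mb_load_size` sum so it cannot wrap; `naive_bss_accepts` keeps the sum form for comparison. The helper names, the header builder and the sample addresses are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 32-bit load and store, as QEMU's ldl_p() does on the header. */
static uint32_t ldl(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void stl(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Address fields of a Multiboot 1 header (spec section 3.1.1): they start
 * at offset 12, with entry_addr at +28 as in the hunk's ldl_p(header+i+28). */
struct mb_header {
    uint32_t header_addr, load_addr, load_end_addr, bss_end_addr, entry_addr;
};

static struct mb_header mb_parse(const uint8_t *hdr)
{
    struct mb_header h;
    h.header_addr   = ldl(hdr + 12);
    h.load_addr     = ldl(hdr + 16);
    h.load_end_addr = ldl(hdr + 20);
    h.bss_end_addr  = ldl(hdr + 24);
    h.entry_addr    = ldl(hdr + 28);
    return h;
}

/* Build a 32-byte header with the HAS_ADDR flag (bit 16) set and a valid
 * checksum (magic + flags + checksum == 0 mod 2^32); header_addr is assumed
 * equal to load_addr, i.e. the header sits at the start of the image. */
static void mb_build(uint8_t *hdr, uint32_t load, uint32_t load_end,
                     uint32_t bss_end, uint32_t entry)
{
    const uint32_t magic = 0x1BADB002u, flags = 1u << 16;
    memset(hdr, 0, 32);
    stl(hdr + 0, magic);
    stl(hdr + 4, flags);
    stl(hdr + 8, 0u - (magic + flags));
    stl(hdr + 12, load);
    stl(hdr + 16, load);
    stl(hdr + 20, load_end);
    stl(hdr + 24, bss_end);
    stl(hdr + 28, entry);
}

struct mb_sizes {
    uint32_t load_size;    /* bytes copied from the kernel file */
    uint32_t kernel_size;  /* load_size plus any .bss to be zeroed */
    const char *error;     /* NULL when the header is acceptable */
};

/* Size validation in the shape of the patched load_multiboot(): zero
 * load_end_addr means "size from the file" (the hunk's else branch), zero
 * bss_end_addr means "no .bss". The bss check never forms
 * load_addr + load_size, so it cannot wrap at 4 GiB. */
static struct mb_sizes mb_compute_sizes(const struct mb_header *h,
                                        uint32_t file_size, uint32_t text_offset)
{
    struct mb_sizes r = { 0, 0, NULL };
    if (h->load_end_addr) {
        if (h->load_end_addr < h->load_addr) {
            r.error = "invalid mh_load_end_addr address"; return r;
        }
        r.load_size = h->load_end_addr - h->load_addr;
    } else {
        if (file_size < text_offset) {
            r.error = "invalid kernel_file_size"; return r;
        }
        r.load_size = file_size - text_offset;
    }
    if (h->bss_end_addr) {
        if (h->bss_end_addr < h->load_addr ||
            h->bss_end_addr - h->load_addr < r.load_size) {
            r.error = "invalid mh_bss_end_addr address"; return r;
        }
        r.kernel_size = h->bss_end_addr - h->load_addr;
    } else {
        r.kernel_size = r.load_size;    /* no .bss section */
    }
    return r;
}

/* The sum-based comparison from the hunk, for contrast: 1 when it accepts. */
static int naive_bss_accepts(uint32_t load_addr, uint32_t load_size, uint32_t bss_end)
{
    return !(bss_end < load_addr + load_size);
}
```

Build a header with `mb_build`, parse it with `mb_parse` and feed the result to `mb_compute_sizes` together with the file size and text offset. A header with load_addr 0x100000, load_end_addr 0x110000 and bss_end_addr 0 is now accepted with kernel_size equal to load_size, which is the case this CVE is about; a header with load_addr 0xFFFF0000, no load_end_addr, a 0x20000-byte file and bss_end_addr 0x20000 makes the sum form wrap to 0x10000 and accept, while the subtraction form rejects it.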

* [SUMO][PATCH V2] qemu: CVE-2018-12617
  2018-08-22 11:41 [SUMO][PATCH V2] coreutils: CVE-2017-18018 Jagadeesh Krishnanjanappa
                   ` (4 preceding siblings ...)
  2018-08-22 11:41 ` [SUMO][PATCH V2] qemu: CVE-2018-7550 Jagadeesh Krishnanjanappa
@ 2018-08-22 11:41 ` Jagadeesh Krishnanjanappa
  2018-08-22 11:41 ` [SUMO][PATCH V2] shadow: CVE-2018-7169 Jagadeesh Krishnanjanappa
                   ` (9 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

qga: check bytes count read by guest-file-read

While reading file content via 'guest-file-read' command,
'qmp_guest_file_read' routine allocates buffer of count+1
bytes. It could overflow for large values of 'count'.
Add check to avoid it.

Affects qemu < v3.0.0

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 .../qemu/qemu/CVE-2018-12617.patch                 | 53 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.11.1.bb          |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch
new file mode 100644
index 0000000..c89f189
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-12617.patch
@@ -0,0 +1,53 @@
+From 141b197408ab398c4f474ac1a728ab316e921f2b Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 13 Jun 2018 11:46:57 +0530
+Subject: [PATCH] qga: check bytes count read by guest-file-read
+
+While reading file content via 'guest-file-read' command,
+'qmp_guest_file_read' routine allocates buffer of count+1
+bytes. It could overflow for large values of 'count'.
+Add check to avoid it.
+
+Reported-by: Fakhri Zulkifli <mohdfakhrizulkifli@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+CVE: CVE-2018-12617
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=141b197408ab398c4f474ac1a728ab316e921f2b]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ qga/commands-posix.c | 2 +-
+ qga/commands-win32.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/qga/commands-posix.c b/qga/commands-posix.c
+index 594d21ef3e..9284e71666 100644
+--- a/qga/commands-posix.c
++++ b/qga/commands-posix.c
+@@ -458,7 +458,7 @@ struct GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count,
+ 
+     if (!has_count) {
+         count = QGA_READ_COUNT_DEFAULT;
+-    } else if (count < 0) {
++    } else if (count < 0 || count >= UINT32_MAX) {
+         error_setg(errp, "value '%" PRId64 "' is invalid for argument count",
+                    count);
+         return NULL;
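Review bot: `count >= UINT32_MAX` keeps `count + 1` from wrapping a 32-bit size, but still lets a single guest-file-read request allocate close to 4 GiB inside the guest agent. The comparison bounds the type, not the resource; consider a much smaller explicit maximum (the existing `QGA_READ_COUNT_DEFAULT` is the natural reference point) and state the limit in the error text so a caller can tell why the request was refused.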
+diff --git a/qga/commands-win32.c b/qga/commands-win32.c
+index 70ee5379f6..73f31fa8c2 100644
+--- a/qga/commands-win32.c
++++ b/qga/commands-win32.c
+@@ -318,7 +318,7 @@ GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count,
+     }
+     if (!has_count) {
+         count = QGA_READ_COUNT_DEFAULT;
+-    } else if (count < 0) {
++    } else if (count < 0 || count >= UINT32_MAX) {
+         error_setg(errp, "value '%" PRId64
+                    "' is invalid for argument count", count);
+         return NULL;
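Review bot: this is the identical check to the POSIX file, and the two must stay in sync; a shared helper in the common qga code for validating `count` would prevent one platform being fixed and the other missed next time.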
+-- 
+2.13.3
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.11.1.bb b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
index db7ead7..a447dc7 100644
--- a/meta/recipes-devtools/qemu/qemu_2.11.1.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.11.1.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://wiki.qemu-project.org/download/${BP}.tar.bz2 \
            file://0013-ps2-check-PS2Queue-pointers-in-post_load-routine.patch \
            file://0001-CVE-2018-11806-QEMU-slirp-heap-buffer-overflow.patch \
            file://CVE-2018-7550.patch \
+           file://CVE-2018-12617.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+\..*)\.tar"
 
-- 
2.7.4




* [SUMO][PATCH V2] shadow: CVE-2018-7169
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

newgidmap: enforce setgroups=deny if self-mapping a group

This is necessary to match the kernel-side policy of "self-mapping in a
user namespace is fine, but you cannot drop groups" -- a policy that was
created in order to stop user namespaces from allowing trivial privilege
escalation by dropping supplementary groups that were "blacklisted" from
certain paths.

This is the simplest fix for the underlying issue, and effectively makes
it so that unless a user has a valid mapping set in /etc/subgid (which
only administrators can modify) -- and they are currently trying to use
that mapping -- then /proc/$pid/setgroups will be set to deny. This
workaround is only partial, because ideally it should be possible to set
an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
administrators to further restrict newgidmap(1).

We also don't write anything in the "allow" case because "allow" is the
default, and users may have already written "deny" even if they
technically are allowed to use setgroups. And we don't write anything if
the setgroups policy is already "deny".

Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
Fixes: CVE-2018-7169

Affects shadow <= 4.5

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 .../shadow/files/CVE-2018-7169.patch               | 186 +++++++++++++++++++++
 meta/recipes-extended/shadow/shadow.inc            |   1 +
 2 files changed, 187 insertions(+)
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2018-7169.patch

diff --git a/meta/recipes-extended/shadow/files/CVE-2018-7169.patch b/meta/recipes-extended/shadow/files/CVE-2018-7169.patch
new file mode 100644
index 0000000..36887d4
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2018-7169.patch
@@ -0,0 +1,186 @@
+From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Thu, 15 Feb 2018 23:49:40 +1100
+Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group
+
+This is necessary to match the kernel-side policy of "self-mapping in a
+user namespace is fine, but you cannot drop groups" -- a policy that was
+created in order to stop user namespaces from allowing trivial privilege
+escalation by dropping supplementary groups that were "blacklisted" from
+certain paths.
+
+This is the simplest fix for the underlying issue, and effectively makes
+it so that unless a user has a valid mapping set in /etc/subgid (which
+only administrators can modify) -- and they are currently trying to use
+that mapping -- then /proc/$pid/setgroups will be set to deny. This
+workaround is only partial, because ideally it should be possible to set
+an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow
+administrators to further restrict newgidmap(1).
+
+We also don't write anything in the "allow" case because "allow" is the
+default, and users may have already written "deny" even if they
+technically are allowed to use setgroups. And we don't write anything if
+the setgroups policy is already "deny".
+
+Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357
+Fixes: CVE-2018-7169
+
+Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/fb28c99b8a66ff2605c5cb96abc0a4d975f92de0]
+Reported-by: Craig Furman <craig.furman89@gmail.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ src/newgidmap.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 80 insertions(+), 9 deletions(-)
+
+diff --git a/src/newgidmap.c b/src/newgidmap.c
+index b1e33513..59a2e75c 100644
+--- a/src/newgidmap.c
++++ b/src/newgidmap.c
+@@ -46,32 +46,37 @@
+  */
+ const char *Prog;
+ 
+-static bool verify_range(struct passwd *pw, struct map_range *range)
++
++static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups)
+ {
+ 	/* An empty range is invalid */
+ 	if (range->count == 0)
+ 		return false;
+ 
+-	/* Test /etc/subgid */
+-	if (have_sub_gids(pw->pw_name, range->lower, range->count))
++	/* Test /etc/subgid. If the mapping is valid then we allow setgroups. */
++	if (have_sub_gids(pw->pw_name, range->lower, range->count)) {
++		*allow_setgroups = true;
+ 		return true;
++	}
+ 
+-	/* Allow a process to map it's own gid */
+-	if ((range->count == 1) && (pw->pw_gid == range->lower))
++	/* Allow a process to map its own gid. */
++	if ((range->count == 1) && (pw->pw_gid == range->lower)) {
++		/* noop -- if setgroups is enabled already we won't disable it. */
+ 		return true;
++	}
+ 
+ 	return false;
+ }
+ 
+ static void verify_ranges(struct passwd *pw, int ranges,
+-	struct map_range *mappings)
++	struct map_range *mappings, bool *allow_setgroups)
+ {
+ 	struct map_range *mapping;
+ 	int idx;
+ 
+ 	mapping = mappings;
+ 	for (idx = 0; idx < ranges; idx++, mapping++) {
+-		if (!verify_range(pw, mapping)) {
++		if (!verify_range(pw, mapping, allow_setgroups)) {
+ 			fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"),
+ 				Prog,
+ 				mapping->upper,
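Review bot: `verify_range` only ever sets `*allow_setgroups` to true and never writes false, so the result is correct only because the caller initialises the flag (main does, with `bool allow_setgroups = false;` in a later hunk); a comment on the new parameter stating that it is accumulate-only and must be pre-initialised would stop a future caller from passing an uninitialised bool. The extra blank line added before the `verify_range` signature is also stray whitespace that does not belong in a CVE fix.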
+@@ -89,6 +94,70 @@ static void usage(void)
+ 	exit(EXIT_FAILURE);
+ }
+ 
++void write_setgroups(int proc_dir_fd, bool allow_setgroups)
++{
++	int setgroups_fd;
++	char *policy, policy_buffer[4096];
++
++	/*
++	 * Default is "deny", and any "allow" will out-rank a "deny". We don't
++	 * forcefully write an "allow" here because the process we are writing
++	 * mappings for may have already set themselves to "deny" (and "allow"
++	 * is the default anyway). So allow_setgroups == true is a noop.
++	 */
++	policy = "deny\n";
++	if (allow_setgroups)
++		return;
++
++	setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC);
++	if (setgroups_fd < 0) {
++		/*
++		 * If it's an ENOENT then we are on too old a kernel for the setgroups
++		 * code to exist. Emit a warning and bail on this.
++		 */
++		if (ENOENT == errno) {
++			fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog);
++			goto out;
++		}
++		fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++	/*
++	 * Check whether the policy is already what we want. /proc/self/setgroups
++	 * is write-once, so attempting to write after it's already written to will
++	 * fail.
++	 */
++	if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) {
++		fprintf(stderr, _("%s: failed to read setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (!strncmp(policy_buffer, policy, strlen(policy)))
++		goto out;
++
++	/* Write the policy. */
++	if (lseek(setgroups_fd, 0, SEEK_SET) < 0) {
++		fprintf(stderr, _("%s: failed to seek setgroups: %s\n"),
++			Prog,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++	if (dprintf(setgroups_fd, "%s", policy) < 0) {
++		fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"),
++			Prog,
++			policy,
++			strerror(errno));
++		exit(EXIT_FAILURE);
++	}
++
++out:
++	close(setgroups_fd);
++}
++
+ /*
+  * newgidmap - Set the gid_map for the specified process
+  */
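Review bot: in the ENOENT branch of `write_setgroups` the `goto out` ends up calling `close(setgroups_fd)` on a negative descriptor; return directly from that branch instead. The `read()` result is also only tested for `< 0`: a zero-length or short read leaves `policy_buffer` partly uninitialised before `strncmp(policy_buffer, policy, strlen(policy))`, so keep the byte count, treat anything shorter than `strlen(policy)` as "not already deny", and NUL-terminate the buffer. Finally, the function is file-local and should be `static`.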
+@@ -103,6 +172,7 @@ int main(int argc, char **argv)
+ 	struct stat st;
+ 	struct passwd *pw;
+ 	int written;
++	bool allow_setgroups = false;
+ 
+ 	Prog = Basename (argv[0]);
+ 
+@@ -145,7 +215,7 @@ int main(int argc, char **argv)
+ 				(unsigned long) getuid ()));
+ 		return EXIT_FAILURE;
+ 	}
+-	
++
+ 	/* Get the effective uid and effective gid of the target process */
+ 	if (fstat(proc_dir_fd, &st) < 0) {
+ 		fprintf(stderr, _("%s: Could not stat directory for target %u\n"),
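Review bot: this hunk only strips trailing whitespace from a blank line; unrelated whitespace churn makes a CVE backport harder to review and rebase, so drop it from the fix or carry it as a separate cleanup.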
+@@ -177,8 +247,9 @@ int main(int argc, char **argv)
+ 	if (!mappings)
+ 		usage();
+ 
+-	verify_ranges(pw, ranges, mappings);
++	verify_ranges(pw, ranges, mappings, &allow_setgroups);
+ 
++	write_setgroups(proc_dir_fd, allow_setgroups);
+ 	write_mapping(proc_dir_fd, ranges, mappings, "gid_map");
+ 	sub_gid_close();
+ 
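Review bot: the ordering here is security-relevant: `write_setgroups` must run before `write_mapping(..., "gid_map")`, because, as the new function's own comment says, the setgroups file is write-once and the kernel refuses to change it after gid_map has been written; add a one-line comment between the two calls stating that dependency so a refactor cannot swap them. It is also worth deciding explicitly whether the ENOENT path (warn and continue) should still be allowed to proceed to the gid_map write, since on that path no setgroups restriction is applied at all.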
+-- 
+2.13.3
+
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 6efe4a9..9691c38 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -20,6 +20,7 @@ SRC_URI = "https://downloads.yoctoproject.org/mirror/sources/${BP}.tar.xz \
            file://0001-shadow-CVE-2017-12424 \
            file://CVE-2017-2616.patch \
            ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
+           file://CVE-2018-7169.patch \
            "
 
 SRC_URI_append_class-target = " \
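Review bot: the new `file://CVE-2018-7169.patch` entry is inserted after the `${@bb.utils.contains('PACKAGECONFIG', 'pam', ...)}` line rather than next to the other CVE patches; placing it beside `file://CVE-2017-2616.patch` keeps the unconditional patches grouped and leaves the PAM-conditional entry last, as before.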
-- 
2.7.4




* [SUMO][PATCH V2] perl: CVE-2018-6797
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

(perl #132227) restart a node if we change to uni rules within the node and encounter...
This could lead to a buffer overflow.

(cherry picked from commit a02c70e35d1313a5f4e245e8f863c810e991172d)

Affects perl >= 5.18 && perl <= 5.26

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 .../recipes-devtools/perl/perl/CVE-2018-6797.patch | 45 ++++++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.24.1.bb          |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-6797.patch

diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6797.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6797.patch
new file mode 100644
index 0000000..b56ebd3
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-6797.patch
@@ -0,0 +1,45 @@
+From abe1e6c568b96bcb382dfa4f61c56d1ab001ea51 Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Fri, 2 Feb 2018 15:14:27 -0700
+Subject: [PATCH] (perl #132227) restart a node if we change to uni rules
+ within the node and encounter a sharp S
+
+This could lead to a buffer overflow.
+
+(cherry picked from commit a02c70e35d1313a5f4e245e8f863c810e991172d)
+
+CVE: CVE-2018-6797
+Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/abe1e6c568b96bcb382dfa4f61c56d1ab001ea51]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ regcomp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/regcomp.c b/regcomp.c
+index 3b9550b10d..a7dee9a09e 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -13543,6 +13543,18 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
+                          * /u.  This includes the multi-char fold SHARP S to
+                          * 'ss' */
+                         if (UNLIKELY(ender == LATIN_SMALL_LETTER_SHARP_S)) {
++
++                            /* If the node started out having uni rules, we
++                             * wouldn't have gotten here.  So this means
++                             * something in the middle has changed it, but
++                             * didn't think it needed to reparse.  But this
++                             * sharp s now does indicate the need for
++                             * reparsing. */
++                            if (RExC_uni_semantics) {
++                                p = oldp;
++                                goto loopdone;
++                            }
++
+                             RExC_seen_unfolded_sharp_s = 1;
+                             maybe_exactfu = FALSE;
+                         }
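Review bot: the recovery relies on `p = oldp` rewinding to the start of the current character before `goto loopdone`, so the fix depends on where `oldp` is updated in the surrounding loop, which is outside this hunk; the new comment should state that `oldp` is expected to point at the start of the sharp-s character so that a later change to the loop cannot silently reintroduce the overflow. The diffstat shows only regcomp.c changing, so a regression test that switches to /u rules mid-node and then meets U+00DF would be a welcome addition to the backport.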
+-- 
+2.15.1-424-g9478a660812
+
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index 311df40..882c1cf 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -68,6 +68,7 @@ SRC_URI += " \
         file://CVE-2017-12837.patch \
         file://CVE-2018-6798-1.patch \
         file://CVE-2018-6798-2.patch \
+        file://CVE-2018-6797.patch \
 "
 
 # Fix test case issues
-- 
2.7.4




* [SUMO][PATCH V2] perl: CVE-2018-6913
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

(perl #131844) fix various space calculation issues in pp_pack.c

- for the originally reported case, if the start/cur pointer is in the
  top 75% of the address space the add (cur) + glen addition would
  overflow, resulting in the condition failing incorrectly.

- the addition of the existing space used to the space needed could
  overflow, resulting in too small an allocation and a buffer overflow.

- the scaling for UTF8 could overflow.

- the multiply to calculate the space needed for many items could
  overflow.

For the first case, do a space calculation without making new pointers.

For the other cases, detect the overflow and croak if there's an
overflow.

Originally this used Size_t_MAX as the maximum size of a memory
allocation, but for -DDEBUGGING builds realloc() throws a panic for
allocations over half the address space in size, changing the error
reported for the allocation.

For non-DEBUGGING builds the Size_t_MAX limit has the small chance
of finding a system that has 3GB of contiguous space available, and
allocating that space, which could be a denial of service in some cases.

Unfortunately changing the limit to half the address space means that
the exact case with the original issue can no longer occur, so the
test is no longer testing against the address + length issue that
caused the original problem, since the allocation is failing earlier.

One option would be to change the test so the size request by pack is
just under 2GB, but this has a higher (but still low) probability that
the system has the address space available, and will actually try to
allocate the memory, so let's not do that.

Note: changed
plan tests => 14713;
to
plan tests => 14712;
in a/t/op/pack.t
to apply this patch on perl 5.24.1.

Affects perl < 5.26.2

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 .../recipes-devtools/perl/perl/CVE-2018-6913.patch | 153 +++++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.24.1.bb          |   1 +
 2 files changed, 154 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-6913.patch

diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch b/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch
new file mode 100644
index 0000000..157af7b
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-6913.patch
@@ -0,0 +1,153 @@
+From f17fed5006177dce8ac48229c424a2da0d6ba492 Mon Sep 17 00:00:00 2001
+From: Tony Cook <tony@develop-help.com>
+Date: Tue, 8 Aug 2017 09:32:58 +1000
+Subject: [PATCH] (perl #131844) fix various space calculation issues in
+ pp_pack.c
+
+- for the originally reported case, if the start/cur pointer is in the
+  top 75% of the address space the add (cur) + glen addition would
+  overflow, resulting in the condition failing incorrectly.
+
+- the addition of the existing space used to the space needed could
+  overflow, resulting in too small an allocation and a buffer overflow.
+
+- the scaling for UTF8 could overflow.
+
+- the multiply to calculate the space needed for many items could
+  overflow.
+
+For the first case, do a space calculation without making new pointers.
+
+For the other cases, detect the overflow and croak if there's an
+overflow.
+
+Originally this used Size_t_MAX as the maximum size of a memory
+allocation, but for -DDEBUGGING builds realloc() throws a panic for
+allocations over half the address space in size, changing the error
+reported for the allocation.
+
+For non-DEBUGGING builds the Size_t_MAX limit has the small chance
+of finding a system that has 3GB of contiguous space available, and
+allocating that space, which could be a denial of servce in some cases.
+
+Unfortunately changing the limit to half the address space means that
+the exact case with the original issue can no longer occur, so the
+test is no longer testing against the address + length issue that
+caused the original problem, since the allocation is failing earlier.
+
+One option would be to change the test so the size request by pack is
+just under 2GB, but this has a higher (but still low) probability that
+the system has the address space available, and will actually try to
+allocate the memory, so let's not do that.
+
+Note: changed 
+plan tests => 14713;
+to 
+plan tests => 14712;
+in a/t/op/pack.t
+to apply this patch on perl 5.24.1.
+
+CVE: CVE-2018-6913
+Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commitdiff/f17fed5006177dce8ac48229c424a2da0d6ba492]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ pp_pack.c   | 25 +++++++++++++++++++++----
+ t/op/pack.t | 24 +++++++++++++++++++++++-
+ 2 files changed, 44 insertions(+), 5 deletions(-)
+
+diff --git a/pp_pack.c b/pp_pack.c
+index 8937d6d715..5e9cc64301 100644
+--- a/pp_pack.c
++++ b/pp_pack.c
+@@ -357,11 +357,28 @@ STMT_START {							\
+     }								\
+ } STMT_END
+ 
++#define SAFE_UTF8_EXPAND(var)	\
++STMT_START {				\
++    if ((var) > SSize_t_MAX / UTF8_EXPAND) \
++        Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
++    (var) = (var) * UTF8_EXPAND; \
++} STMT_END
++
++#define GROWING2(utf8, cat, start, cur, item_size, item_count)	\
++STMT_START {							\
++    if (SSize_t_MAX / (item_size) < (item_count))		\
++        Perl_croak(aTHX_ "%s", "Out of memory during pack()");	\
++    GROWING((utf8), (cat), (start), (cur), (item_size) * (item_count)); \
++} STMT_END
++
+ #define GROWING(utf8, cat, start, cur, in_len)	\
+ STMT_START {					\
+     STRLEN glen = (in_len);			\
+-    if (utf8) glen *= UTF8_EXPAND;		\
+-    if ((cur) + glen >= (start) + SvLEN(cat)) {	\
++    STRLEN catcur = (STRLEN)((cur) - (start));	\
++    if (utf8) SAFE_UTF8_EXPAND(glen);		\
++    if (SSize_t_MAX - glen < catcur)		\
++        Perl_croak(aTHX_ "%s", "Out of memory during pack()"); \
++    if (catcur + glen >= SvLEN(cat)) {	\
+ 	(start) = sv_exp_grow(cat, glen);	\
+ 	(cur) = (start) + SvCUR(cat);		\
+     }						\
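Review bot: `GROWING2` divides by `(item_size)` before the multiply, so a zero `item_size` turns the overflow check into a division by zero; whether the one caller's `props & PACK_SIZE_MASK` can ever be zero is not visible from this patch, so a comment stating the non-zero precondition, or an `assert((item_size) > 0)`, is cheap insurance. The rewritten `GROWING` looks right: `catcur` is computed as a length, the UTF-8 scaling goes through `SAFE_UTF8_EXPAND`, and the `SSize_t_MAX - glen < catcur` test catches the addition overflow before `catcur + glen` is compared against `SvLEN(cat)`.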
+@@ -372,7 +389,7 @@ STMT_START {					\
+ STMT_START {					\
+     const STRLEN glen = (in_len);		\
+     STRLEN gl = glen;				\
+-    if (utf8) gl *= UTF8_EXPAND;		\
++    if (utf8) SAFE_UTF8_EXPAND(gl);		\
+     if ((cur) + gl >= (start) + SvLEN(cat)) {	\
+         *cur = '\0';				\
+         SvCUR_set((cat), (cur) - (start));	\
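Review bot: this macro still compares `(cur) + gl >= (start) + SvLEN(cat)`, the same pointer-addition form that the commit message says overflows when `cur` lies in the upper part of the address space; `GROWING` above was rewritten to compare lengths (`catcur + glen >= SvLEN(cat)`), and the same rewrite should be applied here, otherwise only the UTF-8 scaling is fixed in this macro while the pointer overflow remains.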
+@@ -2126,7 +2143,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* sym
+ 	    if (props && !(props & PACK_SIZE_UNPREDICTABLE)) {
+ 		/* We can process this letter. */
+ 		STRLEN size = props & PACK_SIZE_MASK;
+-		GROWING(utf8, cat, start, cur, (STRLEN) len * size);
++		GROWING2(utf8, cat, start, cur, size, (STRLEN)len);
+ 	    }
+         }
+ 
+diff --git a/t/op/pack.t b/t/op/pack.t
+index 664aaaf1b0..cf0e286509 100644
+--- a/t/op/pack.t
++++ b/t/op/pack.t
+@@ -12,7 +12,7 @@ my $no_endianness = $] > 5.009 ? '' :
+ my $no_signedness = $] > 5.009 ? '' :
+   "Signed/unsigned pack modifiers not available on this perl";
+ 
+-plan tests => 14712;
++plan tests => 14717;
+ 
+ use strict;
+ use warnings qw(FATAL all);
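Review bot: the backport note says the `-plan tests => 14713;` line was changed to 14712 to match perl 5.24.1, but the `+plan tests => 14717;` line was kept from upstream; the patch adds four tests (the SKIP block below skips exactly 4), so the plan for 5.24.1 should be 14716, otherwise Test::More reports a plan mismatch and t/op/pack.t fails.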
+@@ -2044,3 +2044,25 @@ ok(1, "argument underflow did not crash"
+     is(pack("H40", $up_nul), $twenty_nuls,
+        "check pack H zero fills (utf8 source)");
+ }
++
++SKIP:
++{
++  # [perl #131844] pointer addition overflow
++    $Config{ptrsize} == 4
++      or skip "[perl #131844] need 32-bit build for this test", 4;
++    # prevent ASAN just crashing on the allocation failure
++    local $ENV{ASAN_OPTIONS} = $ENV{ASAN_OPTIONS};
++    $ENV{ASAN_OPTIONS} .= ",allocator_may_return_null=1";
++    fresh_perl_like('pack "f999999999"', qr/Out of memory during pack/, { stderr => 1 },
++		    "pointer addition overflow");
++
++    # integer (STRLEN) overflow from addition of glen to current length
++    fresh_perl_like('pack "c10f1073741823"', qr/Out of memory during pack/, { stderr => 1 },
++		    "integer overflow calculating allocation (addition)");
++
++    fresh_perl_like('pack "W10f536870913", 256', qr/Out of memory during pack/, { stderr => 1 },
++		    "integer overflow calculating allocation (utf8)");
++
++    fresh_perl_like('pack "c10f1073741824"', qr/Out of memory during pack/, { stderr => 1 },
++		    "integer overflow calculating allocation (multiply)");
++}
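Review bot: the SKIP block uses `$Config{ptrsize}`, but no `use Config` is visible in this hunk or in the one above, so confirm that t/op/pack.t already imports it in the 5.24.1 tree; the test also appends `",allocator_may_return_null=1"` to `$ENV{ASAN_OPTIONS}` even when the variable is unset, which yields a leading comma (harmless to ASAN but worth a short comment).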
+-- 
+2.15.1-424-g9478a660812
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index 882c1cf..bb18c6a 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -69,6 +69,7 @@ SRC_URI += " \
         file://CVE-2018-6798-1.patch \
         file://CVE-2018-6798-2.patch \
         file://CVE-2018-6797.patch \
+        file://CVE-2018-6913.patch \
 "
 
 # Fix test case issues
-- 
2.7.4




* [SUMO][PATCH V2] git: CVE-2018-11235
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

submodule-config: verify submodule names as paths

Submodule "names" come from the untrusted .gitmodules file,
but we blindly append them to $GIT_DIR/modules to create our
on-disk repo paths. This means you can do bad things by
putting "../" into the name (among other things).

Let's sanity-check these names to avoid building a path that
can be exploited. There are two main decisions:

  1. What should the allowed syntax be?

     It's tempting to reuse verify_path(), since submodule
     names typically come from in-repo paths. But there are
     two reasons not to:

       a. It's technically more strict than what we need, as
          we really care only about breaking out of the
          $GIT_DIR/modules/ hierarchy.  E.g., having a
          submodule named "foo/.git" isn't actually
          dangerous, and it's possible that somebody has
          manually given such a funny name.

       b. Since we'll eventually use this checking logic in
          fsck to prevent downstream repositories, it should
          be consistent across platforms. Because
          verify_path() relies on is_dir_sep(), it wouldn't
          block "foo\..\bar" on a non-Windows machine.

  2. Where should we enforce it? These days most of the
     .gitmodules reads go through submodule-config.c, so
     I've put it there in the reading step. That should
     cover all of the C code.

     We also construct the name for "git submodule add"
     inside the git-submodule.sh script. This is probably
     not a big deal for security since the name is coming
     from the user anyway, but it would be polite to remind
     them if the name they pick is invalid (and we need to
     expose the name-checker to the shell anyway for our
     test scripts).

     This patch issues a warning when reading .gitmodules
     and just ignores the related config entry completely.
     This will generally end up producing a sensible error,
     as it works the same as a .gitmodules file which is
     missing a submodule entry (so "submodule update" will
     barf, but "git clone --recurse-submodules" will print
     an error but not abort the clone).

     There is one minor oddity, which is that we print the
     warning once per malformed config key (since that's how
     the config subsystem gives us the entries). So in the
     new test, for example, the user would see three
     warnings. That's OK, since the intent is that this case
     should never come up outside of malicious repositories
     (and then it might even benefit the user to see the
     message multiple times).

Credit for finding this vulnerability and the proof of
concept from which the test script was adapted goes to
Etienne Stalmans.

Affects: git < 2.13.7 and git < 2.14.4 and git < 2.15.2 and git < 2.16.4 and
         git < 2.17.1

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 .../git/files/CVE-2018-11235.patch                 | 288 +++++++++++++++++++++
 meta/recipes-devtools/git/git.inc                  |   3 +-
 2 files changed, 290 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/git/files/CVE-2018-11235.patch

diff --git a/meta/recipes-devtools/git/files/CVE-2018-11235.patch b/meta/recipes-devtools/git/files/CVE-2018-11235.patch
new file mode 100644
index 0000000..c272eac
--- /dev/null
+++ b/meta/recipes-devtools/git/files/CVE-2018-11235.patch
@@ -0,0 +1,288 @@
+From 0383bbb9015898cbc79abd7b64316484d7713b44 Mon Sep 17 00:00:00 2001
+From: Jeff King <peff@peff.net>
+Date: Mon, 30 Apr 2018 03:25:25 -0400
+Subject: [PATCH] submodule-config: verify submodule names as paths
+
+Submodule "names" come from the untrusted .gitmodules file,
+but we blindly append them to $GIT_DIR/modules to create our
+on-disk repo paths. This means you can do bad things by
+putting "../" into the name (among other things).
+
+Let's sanity-check these names to avoid building a path that
+can be exploited. There are two main decisions:
+
+  1. What should the allowed syntax be?
+
+     It's tempting to reuse verify_path(), since submodule
+     names typically come from in-repo paths. But there are
+     two reasons not to:
+
+       a. It's technically more strict than what we need, as
+          we really care only about breaking out of the
+          $GIT_DIR/modules/ hierarchy.  E.g., having a
+          submodule named "foo/.git" isn't actually
+          dangerous, and it's possible that somebody has
+          manually given such a funny name.
+
+       b. Since we'll eventually use this checking logic in
+          fsck to prevent downstream repositories, it should
+          be consistent across platforms. Because
+          verify_path() relies on is_dir_sep(), it wouldn't
+          block "foo\..\bar" on a non-Windows machine.
+
+  2. Where should we enforce it? These days most of the
+     .gitmodules reads go through submodule-config.c, so
+     I've put it there in the reading step. That should
+     cover all of the C code.
+
+     We also construct the name for "git submodule add"
+     inside the git-submodule.sh script. This is probably
+     not a big deal for security since the name is coming
+     from the user anyway, but it would be polite to remind
+     them if the name they pick is invalid (and we need to
+     expose the name-checker to the shell anyway for our
+     test scripts).
+
+     This patch issues a warning when reading .gitmodules
+     and just ignores the related config entry completely.
+     This will generally end up producing a sensible error,
+     as it works the same as a .gitmodules file which is
+     missing a submodule entry (so "submodule update" will
+     barf, but "git clone --recurse-submodules" will print
+     an error but not abort the clone.
+
+     There is one minor oddity, which is that we print the
+     warning once per malformed config key (since that's how
+     the config subsystem gives us the entries). So in the
+     new test, for example, the user would see three
+     warnings. That's OK, since the intent is that this case
+     should never come up outside of malicious repositories
+     (and then it might even benefit the user to see the
+     message multiple times).
+
+Credit for finding this vulnerability and the proof of
+concept from which the test script was adapted goes to
+Etienne Stalmans.
+
+CVE: CVE-2018-11235
+Upstream-Status: Backport [https://github.com/gitster/git/commit/0383bbb9015898cbc79abd7b64316484d7713b44#diff-1772b951776d1647ca31a2256f7fe88f]
+
+Signed-off-by: Jeff King <peff@peff.net>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ builtin/submodule--helper.c | 24 ++++++++++++++
+ git-submodule.sh            |  5 +++
+ submodule-config.c          | 31 ++++++++++++++++++
+ submodule-config.h          |  7 +++++
+ t/t7415-submodule-names.sh  | 76 +++++++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 143 insertions(+)
+ create mode 100755 t/t7415-submodule-names.sh
+
+diff --git a/builtin/submodule--helper.c b/builtin/submodule--helper.c
+index cbb17a902..b4b4d29d8 100644
+--- a/builtin/submodule--helper.c
++++ b/builtin/submodule--helper.c
+@@ -1480,6 +1480,29 @@ static int is_active(int argc, const cha
+ 	return !is_submodule_active(the_repository, argv[1]);
+ }
+ 
++/*
++ * Exit non-zero if any of the submodule names given on the command line is
++ * invalid. If no names are given, filter stdin to print only valid names
++ * (which is primarily intended for testing).
++ */
++static int check_name(int argc, const char **argv, const char *prefix)
++{
++	if (argc > 1) {
++		while (*++argv) {
++			if (check_submodule_name(*argv) < 0)
++				return 1;
++		}
++	} else {
++		struct strbuf buf = STRBUF_INIT;
++		while (strbuf_getline(&buf, stdin) != EOF) {
++			if (!check_submodule_name(buf.buf))
++				printf("%s\n", buf.buf);
++		}
++		strbuf_release(&buf);
++	}
++	return 0;
++}
++
+ #define SUPPORT_SUPER_PREFIX (1<<0)
+ 
+ struct cmd_struct {
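Review bot: in the `argc > 1` branch `check_name` returns 1 at the first invalid name without saying which one, while the stdin mode silently drops bad lines; for the command-line mode, either print the offending name to stderr or document in the function comment that the caller is expected to produce the message (as the `die` in git-submodule.sh does). The unused `prefix` parameter is consistent with the other helpers in this command table.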
+@@ -1502,6 +1525,7 @@ static struct cmd_struct commands[] = {
+ 	{"push-check", push_check, 0},
+ 	{"absorb-git-dirs", absorb_git_dirs, SUPPORT_SUPER_PREFIX},
+ 	{"is-active", is_active, 0},
++	{"check-name", check_name, 0},
+ };
+ 
+ int cmd_submodule__helper(int argc, const char **argv, const char *prefix)
+diff --git a/git-submodule.sh b/git-submodule.sh
+index c0d0e9a4c..92750b9e2 100755
+--- a/git-submodule.sh
++++ b/git-submodule.sh
+@@ -229,6 +229,11 @@ Use -f if you really want to add it." >&
+ 		sm_name="$sm_path"
+ 	fi
+ 
++	if ! git submodule--helper check-name "$sm_name"
++	then
++		die "$(eval_gettext "'$sm_name' is not a valid submodule name")"
++	fi
++
+ 	# perhaps the path exists and is already a git repo, else clone it
+ 	if test -e "$sm_path"
+ 	then
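Review bot: the check sits after the `sm_name="$sm_path"` default, so both an explicit --name and the path-derived name are validated, which is the right place for it. The t7415 test in this patch only exercises the `--name ../../modules/evil` form, so a second case that relies on the path-derived default would cover this branch of the shell code too. The die message follows the existing eval_gettext convention in the file.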
+diff --git a/submodule-config.c b/submodule-config.c
+index 4f58491dd..de54351c6 100644
+--- a/submodule-config.c
++++ b/submodule-config.c
+@@ -190,6 +190,31 @@ static struct submodule *cache_lookup_na
+ 	return NULL;
+ }
+ 
++int check_submodule_name(const char *name)
++{
++	/* Disallow empty names */
++	if (!*name)
++		return -1;
++
++	/*
++	 * Look for '..' as a path component. Check both '/' and '\\' as
++	 * separators rather than is_dir_sep(), because we want the name rules
++	 * to be consistent across platforms.
++	 */
++	goto in_component; /* always start inside component */
++	while (*name) {
++		char c = *name++;
++		if (c == '/' || c == '\\') {
++in_component:
++			if (name[0] == '.' && name[1] == '.' &&
++			    (!name[2] || name[2] == '/' || name[2] == '\\'))
++				return -1;
++		}
++	}
++
++	return 0;
++}
++
+ static int name_and_item_from_var(const char *var, struct strbuf *name,
+ 				  struct strbuf *item)
+ {
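Review bot: the `goto in_component` into the body of the while loop is valid C but makes the control flow hard to audit for a function whose only job is validating untrusted .gitmodules input; the same rule can be written without the jump by checking the `..` pattern at the current position at the top of the loop and then advancing past the next separator. The rule itself looks right: a component is rejected when it is exactly `..` and is followed by end of string, `/` or `\`, matching the cross-platform intent in the comment, and the `!*name` guard covers the empty line fed through check-name. Note that leading separators and `.` components are accepted (a name such as `/foo` passes), which is consistent with the 'valid/with/paths' expectation in the test; if that is intended, a short comment saying so would help.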
+@@ -201,6 +226,12 @@ static int name_and_item_from_var(const
+ 		return 0;
+ 
+ 	strbuf_add(name, subsection, subsection_len);
++	if (check_submodule_name(name->buf) < 0) {
++		warning(_("ignoring suspicious submodule name: %s"), name->buf);
++		strbuf_release(name);
++		return 0;
++	}
++
+ 	strbuf_addstr(item, key);
+ 
+ 	return 1;
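Review bot: the `warning()` fires once per key parsed from the suspicious section, so the single `submodule.../../modules/evil` section built in the test (with `path`, `url` and `update` keys) produces three identical warnings; remembering the last rejected name and warning once would keep the output readable. Returning 0 after `strbuf_release(name)` takes the same "not a submodule key" path as the existing `return 0` above, so callers skip the entry, which is the intended fail-safe.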
+diff --git a/submodule-config.h b/submodule-config.h
+index d434ecdb4..103cc79dd 100644
+--- a/submodule-config.h
++++ b/submodule-config.h
+@@ -48,4 +48,11 @@ extern const struct submodule *submodule
+ 						    const char *key);
+ extern void submodule_free(void);
+ 
++/*
++ * Returns 0 if the name is syntactically acceptable as a submodule "name"
++ * (e.g., that may be found in the subsection of a .gitmodules file) and -1
++ * otherwise.
++ */
++int check_submodule_name(const char *name);
++
+ #endif /* SUBMODULE_CONFIG_H */
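Review bot: the header comment only says "syntactically acceptable"; stating the concrete rule (non-empty, and no `..` path component with either `/` or `\` as separator) here lets callers reason about what is rejected without reading submodule-config.c.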
+diff --git a/t/t7415-submodule-names.sh b/t/t7415-submodule-names.sh
+new file mode 100755
+index 000000000..75fa071c6
+--- /dev/null
++++ b/t/t7415-submodule-names.sh
+@@ -0,0 +1,76 @@
++#!/bin/sh
++
++test_description='check handling of .. in submodule names
++
++Exercise the name-checking function on a variety of names, and then give a
++real-world setup that confirms we catch this in practice.
++'
++. ./test-lib.sh
++
++test_expect_success 'check names' '
++	cat >expect <<-\EOF &&
++	valid
++	valid/with/paths
++	EOF
++
++	git submodule--helper check-name >actual <<-\EOF &&
++	valid
++	valid/with/paths
++
++	../foo
++	/../foo
++	..\foo
++	\..\foo
++	foo/..
++	foo/../
++	foo\..
++	foo\..\
++	foo/../bar
++	EOF
++
++	test_cmp expect actual
++'
++
++test_expect_success 'create innocent subrepo' '
++	git init innocent &&
++	git -C innocent commit --allow-empty -m foo
++'
++
++test_expect_success 'submodule add refuses invalid names' '
++	test_must_fail \
++		git submodule add --name ../../modules/evil "$PWD/innocent" evil
++'
++
++test_expect_success 'add evil submodule' '
++	git submodule add "$PWD/innocent" evil &&
++
++	mkdir modules &&
++	cp -r .git/modules/evil modules &&
++	write_script modules/evil/hooks/post-checkout <<-\EOF &&
++	echo >&2 "RUNNING POST CHECKOUT"
++	EOF
++
++	git config -f .gitmodules submodule.evil.update checkout &&
++	git config -f .gitmodules --rename-section \
++		submodule.evil submodule.../../modules/evil &&
++	git add modules &&
++	git commit -am evil
++'
++
++# This step seems like it shouldn't be necessary, since the payload is
++# contained entirely in the evil submodule. But due to the vagaries of the
++# submodule code, checking out the evil module will fail unless ".git/modules"
++# exists. Adding another submodule (with a name that sorts before "evil") is an
++# easy way to make sure this is the case in the victim clone.
++test_expect_success 'add other submodule' '
++	git submodule add "$PWD/innocent" another-module &&
++	git add another-module &&
++	git commit -am another
++'
++
++test_expect_success 'clone evil superproject' '
++	git clone --recurse-submodules . victim >output 2>&1 &&
++	! grep "RUNNING POST CHECKOUT" output
++'
++
++test_done
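Review bot: 'clone evil superproject' asserts only that the hook output is absent; adding a `test_i18ngrep "ignoring suspicious submodule name" output` would confirm the clone was protected by the new check in name_and_item_from_var() rather than by an unrelated failure, and since the clone is chained with `&&`, a failing clone already fails the test, so the positive check costs nothing. The 'check names' list covers both separator styles and both trailing and embedded `..`; a `./foo` case would document that single-dot components are intentionally accepted.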
+-- 
+2.13.3
+
diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index dd9d792..bea23ec 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -7,7 +7,8 @@ DEPENDS = "openssl curl zlib expat"
 PROVIDES_append_class-native = " git-replacement-native"
 
 SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
-           ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages"
+           ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \
+           file://CVE-2018-11235.patch"
 
 S = "${WORKDIR}/git-${PV}"
 
-- 
2.7.4




* [SUMO][PATCH V2] perl: CVE-2018-12015
@ 2018-08-22 11:41 Jagadeesh Krishnanjanappa
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

Remove existing files before overwriting them

Archive should extract only the latest same-named entry.
Extracted regular file should not be written into existing block
device (or any other one).

https://rt.cpan.org/Ticket/Display.html?id=125523

Affects perl <= 5.26.2

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 .../perl/perl/CVE-2018-12015.patch                 | 48 ++++++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.24.1.bb          |  1 +
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-12015.patch

diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-12015.patch b/meta/recipes-devtools/perl/perl/CVE-2018-12015.patch
new file mode 100644
index 0000000..a33deaf
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-12015.patch
@@ -0,0 +1,48 @@
+From ae65651eab053fc6dc4590dbb863a268215c1fc5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 8 Jun 2018 11:45:40 +0100
+Subject: [PATCH] [PATCH] Remove existing files before overwriting them
+
+Archive should extract only the latest same-named entry.
+Extracted regular file should not be writtent into existing block
+device (or any other one).
+
+https://rt.cpan.org/Ticket/Display.html?id=125523
+
+CVE: CVE-2018-12015
+Upstream-Status: Backport [https://github.com/jib/archive-tar-new/commit/ae65651eab053fc6dc4590dbb863a268215c1fc5]
+
+Signed-off-by: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ lib/Archive/Tar.pm | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/cpan/Archive-Tar/lib/Archive/Tar.pm b/cpan/Archive-Tar/lib/Archive/Tar.pm
+index 6244369..a83975f 100644
+--- a/cpan/Archive-Tar/lib/Archive/Tar.pm
++++ b/cpan/Archive-Tar/lib/Archive/Tar.pm
+@@ -845,6 +845,20 @@ sub _extract_file {
+         return;
+     }
+ 
++    ### If a file system already contains a block device with the same name as
++    ### the being extracted regular file, we would write the file's content
++    ### to the block device. So remove the existing file (block device) now.
++    ### If an archive contains multiple same-named entries, the last one
++    ### should replace the previous ones. So remove the old file now.
++    ### If the old entry is a symlink to a file outside of the CWD, the new
++    ### entry would create a file there. This is CVE-2018-12015
++    ### <https://rt.cpan.org/Ticket/Display.html?id=125523>.
++    if (-l $full || -e _) {
++	if (!unlink $full) {
++	    $self->_error( qq[Could not remove old file '$full': $!] );
++	    return;
++	}
++    }
+     if( length $entry->type && $entry->is_file ) {
+         my $fh = IO::File->new;
+         $fh->open( '>' . $full ) or (
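Review bot: unlink-then-open still leaves a window between `unlink $full` and the later `$fh->open( '>' . $full )` in which a symlink could reappear in a directory writable by another user, so this closes the reported case (stale same-named entries, block devices, symlinks left by earlier archive members) but not a concurrent one; creating the file with `sysopen` and `O_CREAT|O_EXCL|O_NOFOLLOW` would make the create atomic. Two behaviour changes deserve a line in the commit message: `unlink` fails on an existing directory, so a regular-file entry colliding with a directory now aborts with 'Could not remove old file' rather than failing later at open, and `-l $full || -e _` reuses the lstat buffer, which is what makes a dangling symlink count as existing and get removed. Style: the inner `if (!unlink $full)` block is tab-indented while the surrounding file uses spaces.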
+-- 
+2.13.3
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.1.bb b/meta/recipes-devtools/perl/perl_5.24.1.bb
index bb18c6a..5fed896 100644
--- a/meta/recipes-devtools/perl/perl_5.24.1.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.1.bb
@@ -70,6 +70,7 @@ SRC_URI += " \
         file://CVE-2018-6798-2.patch \
         file://CVE-2018-6797.patch \
         file://CVE-2018-6913.patch \
+        file://CVE-2018-12015.patch \
 "
 
 # Fix test case issues
-- 
2.7.4




* [SUMO][PATCH V2] libgcrypt: CVE-2018-0495
@ 2018-08-22 11:41 Jagadeesh Krishnanjanappa
From: Jagadeesh Krishnanjanappa @ 2018-08-22 11:41 UTC (permalink / raw)
  To: openembedded-core

ecc: Add blinding for ECDSA.

* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with
randomized nonce B.

--

CVE-id: CVE-2018-0495

Affects libgcrypt < 1.7.10 and libgcrypt < 1.8.3

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
v2:
  Corrected "From:" address

 .../libgcrypt/files/CVE-2018-0495.patch            | 76 ++++++++++++++++++++++
 meta/recipes-support/libgcrypt/libgcrypt_1.8.2.bb  |  1 +
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2018-0495.patch

diff --git a/meta/recipes-support/libgcrypt/files/CVE-2018-0495.patch b/meta/recipes-support/libgcrypt/files/CVE-2018-0495.patch
new file mode 100644
index 0000000..c16bd3a
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2018-0495.patch
@@ -0,0 +1,76 @@
+From 9010d1576e278a4274ad3f4aa15776c28f6ba965 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Wed, 13 Jun 2018 15:28:58 +0900
+Subject: [PATCH] ecc: Add blinding for ECDSA.
+
+* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Blind secret D with
+randomized nonce B.
+
+--
+
+Reported-by: Keegan Ryan <Keegan.Ryan@nccgroup.trust>
+CVE-id: CVE-2018-0495
+
+Upstream-Status: Backport [http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965]
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ cipher/ecc-ecdsa.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
+index 1484830b..140e8c09 100644
+--- a/cipher/ecc-ecdsa.c
++++ b/cipher/ecc-ecdsa.c
+@@ -50,6 +50,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+   const void *abuf;
+   unsigned int abits, qbits;
+   mpi_ec_t ctx;
++  gcry_mpi_t b;                /* Random number needed for blinding.  */
++  gcry_mpi_t bi;               /* multiplicative inverse of B.        */
+ 
+   if (DBG_CIPHER)
+     log_mpidump ("ecdsa sign hash  ", input );
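Review bot: `b` and `bi` are declared without an initializer but are released unconditionally at `leave:` in the last hunk; if any `goto leave` can be reached between this declaration and the `mpi_snew` calls in the next hunk, `mpi_free` would run on indeterminate pointers. Initializing both to NULL here makes the cleanup path safe no matter where later error exits are added, since mpi_free on a NULL pointer is a no-op.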
+@@ -61,6 +63,15 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+   if (rc)
+     return rc;
+ 
++  b  = mpi_snew (qbits);
++  bi = mpi_snew (qbits);
++  do
++    {
++      _gcry_mpi_randomize (b, qbits, GCRY_WEAK_RANDOM);
++      mpi_mod (b, b, skey->E.n);
++    }
++  while (!mpi_invm (bi, b, skey->E.n));
++
+   k = NULL;
+   dr = mpi_alloc (0);
+   sum = mpi_alloc (0);
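Review bot: the retry loop is correct but will practically never iterate more than once: for a prime group order n the only non-invertible residue is 0, so `mpi_invm` fails only when the reduced `b` is zero. A one-line comment saying so would save readers from wondering about termination. The blinding factor is drawn with GCRY_WEAK_RANDOM; a comment explaining why that quality level is adequate for a side-channel countermeasure (the value is used once, reduced mod n, and freed before the function returns) would document the choice for future maintainers.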
+@@ -115,8 +126,11 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+         }
+       while (!mpi_cmp_ui (r, 0));
+ 
+-      mpi_mulm (dr, skey->d, r, skey->E.n); /* dr = d*r mod n  */
+-      mpi_addm (sum, hash, dr, skey->E.n);  /* sum = hash + (d*r) mod n  */
++      mpi_mulm (dr, b, skey->d, skey->E.n);
++      mpi_mulm (dr, dr, r, skey->E.n);      /* dr = d*r mod n (blinded with b) */
++      mpi_mulm (sum, b, hash, skey->E.n);
++      mpi_addm (sum, sum, dr, skey->E.n);   /* sum = hash + (d*r) mod n  (blinded with b) */
++      mpi_mulm (sum, bi, sum, skey->E.n);   /* undo blinding by b^-1 */
+       mpi_invm (k_1, k, skey->E.n);         /* k_1 = k^(-1) mod n  */
+       mpi_mulm (s, k_1, sum, skey->E.n);    /* s = k^(-1)*(hash+(d*r)) mod n */
+     }
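Review bot: the comments on the replaced lines would read better if one of them stated the identity being relied on: with `dr = b*d*r` and `sum = b*hash + dr = b*(hash + d*r)`, multiplying by `bi = b^-1` gives `sum = hash + d*r mod n`, so the signature value s is unchanged and only the intermediate operands that involve the secret `d` are randomized. The `mpi_invm (k_1, k, n)` and the multiplication by `k_1` on the following lines stay unblinded; if that is the intended scope of this fix, the commit message should say so.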
+@@ -129,6 +143,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
+     }
+ 
+  leave:
++  mpi_free (b);
++  mpi_free (bi);
+   _gcry_mpi_ec_free (ctx);
+   point_free (&I);
+   mpi_free (x);
+-- 
+2.13.3
+
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.2.bb
index b36e653..9d036c8 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.2.bb
@@ -20,6 +20,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
            file://0003-tests-bench-slope.c-workaround-ICE-failure-on-mips-w.patch \
            file://0002-libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch \
            file://0004-tests-Makefile.am-fix-undefined-reference-to-pthread.patch \
+           file://CVE-2018-0495.patch \
 "
 SRC_URI[md5sum] = "cfb0b5c79eab07686b6898160a407139"
 SRC_URI[sha256sum] = "c8064cae7558144b13ef0eb87093412380efa16c4ee30ad12ecb54886a524c07"
-- 
2.7.4




* ✗ patchtest: failure for coreutils: CVE-2017-18018 (rev10)
@ 2018-08-22 12:31 Patchwork
From: Patchwork @ 2018-08-22 12:31 UTC (permalink / raw)
  To: Jagadeesh Krishnanjanappa; +Cc: openembedded-core

== Series Details ==

Series: coreutils: CVE-2017-18018 (rev10)
Revision: 10
URL   : https://patchwork.openembedded.org/series/13660/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  sumo (currently at b4738c5cf6)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* ✗ patchtest: failure for coreutils: CVE-2017-18018 (rev12)
@ 2018-08-22 12:31 Patchwork
From: Patchwork @ 2018-08-22 12:31 UTC (permalink / raw)
  To: Jagadeesh Krishnanjanappa; +Cc: openembedded-core

== Series Details ==

Series: coreutils: CVE-2017-18018 (rev12)
Revision: 12
URL   : https://patchwork.openembedded.org/series/13660/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  sumo (currently at b4738c5cf6)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* ✗ patchtest: failure for coreutils: CVE-2017-18018 (rev10)
@ 2018-08-22 12:35 Patchwork
From: Patchwork @ 2018-08-22 12:35 UTC (permalink / raw)
  To: Jagadeesh Krishnanjanappa; +Cc: openembedded-core

== Series Details ==

Series: coreutils: CVE-2017-18018 (rev10)
Revision: 10
URL   : https://patchwork.openembedded.org/series/13660/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  sumo (currently at b4738c5cf6)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* ✗ patchtest: failure for coreutils: CVE-2017-18018 (rev12)
@ 2018-08-22 12:35 Patchwork
From: Patchwork @ 2018-08-22 12:35 UTC (permalink / raw)
  To: Jagadeesh Krishnanjanappa; +Cc: openembedded-core

== Series Details ==

Series: coreutils: CVE-2017-18018 (rev12)
Revision: 12
URL   : https://patchwork.openembedded.org/series/13660/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  sumo (currently at b4738c5cf6)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




Thread overview: 17+ messages
2018-08-22 11:41 [SUMO][PATCH V2] coreutils: CVE-2017-18018 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] python: CVE-2018-1000030 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] perl: CVE-2018-6798 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] procps: CVE-2018-1124 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] gnupg: CVE-2018-12020 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] qemu: CVE-2018-7550 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] qemu: CVE-2018-12617 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] shadow: CVE-2018-7169 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] perl: CVE-2018-6797 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] perl: CVE-2018-6913 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] git: CVE-2018-11235 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] perl: CVE-2018-12015 Jagadeesh Krishnanjanappa
2018-08-22 11:41 ` [SUMO][PATCH V2] libgcrypt: CVE-2018-0495 Jagadeesh Krishnanjanappa
2018-08-22 12:31 ` ✗ patchtest: failure for coreutils: CVE-2017-18018 (rev10) Patchwork
2018-08-22 12:31 ` ✗ patchtest: failure for coreutils: CVE-2017-18018 (rev12) Patchwork
2018-08-22 12:35 ` ✗ patchtest: failure for coreutils: CVE-2017-18018 (rev10) Patchwork
2018-08-22 12:35 ` ✗ patchtest: failure for coreutils: CVE-2017-18018 (rev12) Patchwork
