* [meta-webserver][ROCKO][PATCH] apache2: CVE-2018-1333
@ 2018-08-23 11:21 Jagadeesh Krishnanjanappa
  2018-08-23 11:21 ` [meta-filesystems][ROCKO][SUMO][PATCH] fuse: CVE-2018-10906 Jagadeesh Krishnanjanappa
  2018-08-23 11:21 ` [meta-networking][ROCKO][PATCH] lftp: CVE-2018-10916 Jagadeesh Krishnanjanappa
  0 siblings, 2 replies; 3+ messages in thread
From: Jagadeesh Krishnanjanappa @ 2018-08-23 11:21 UTC (permalink / raw)
  To: openembedded-devel

* fixes a race condition where aborting streams triggers an
 unnecessary timeout.

Affects apache2 2.4.18 to 2.4.30 and apache2 2.4.33

Fixed in apache2 2.4.34

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
 .../recipes-httpd/apache2/apache2-native_2.4.27.bb |  1 +
 .../recipes-httpd/apache2/apache2_2.4.27.bb        |  1 +
 .../apache2/files/CVE-2018-1333.patch              | 44 ++++++++++++++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch

diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb
index 4e893db..dcd3976 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.27.bb
@@ -10,6 +10,7 @@ inherit autotools pkgconfig native
 
 SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
            file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
+           file://CVE-2018-1333.patch \
           "
 
 S = "${WORKDIR}/httpd-${PV}"
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb
index 1880867..2803500 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.27.bb
@@ -21,6 +21,7 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
            file://apache2-volatile.conf \
            file://apache2.service \
            file://volatiles.04_apache2 \
+           file://CVE-2018-1333.patch \
           "
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
diff --git a/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch b/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch
new file mode 100644
index 0000000..9cd207c
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/files/CVE-2018-1333.patch
@@ -0,0 +1,44 @@
+From 83a2e3866918ce6567a683eb4c660688d047ee81 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan.eissing@greenbytes.de>
+Date: Wed, 18 Apr 2018 11:55:17 +0200
+Subject: [PATCH]  * fixes a race condition where aborting streams triggers an
+ unnecessary timeout.
+
+Note: Re-factored upstream fix
+https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81,
+so that it applies to httpd v2.4.27 code. Similarly done at
+http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_bucket_beam.c?r1=1828879&r2=1828878&pathrev=1828879
+
+CVE: CVE-2018-1333
+Upstream-Status: Backport [https://github.com/icing/mod_h2/commit/83a2e3866918ce6567a683eb4c660688d047ee81]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+
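Review bot: this patch file pairs a git `From:`/`Date:`/`Subject:` header with a `diff -Naurp` body and has no `---` separator before the diff, so `git am` would fold the Note/CVE/Upstream-Status paragraphs into the commit message; do_patch/quilt apply it fine, but adding the `---` line (or regenerating with `git format-patch`) keeps it consistent with the other two patches in this series. The `Subject:` line also still carries the stray `*` bullet from the upstream message.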
+diff -Naurp httpd-2.4.27_org/modules/http2/h2_bucket_beam.c httpd-2.4.27/modules/http2/h2_bucket_beam.c
+--- httpd-2.4.27_org/modules/http2/h2_bucket_beam.c	2017-04-21 06:52:05.000000000 -0700
++++ httpd-2.4.27/modules/http2/h2_bucket_beam.c	2018-07-24 23:44:40.888330955 -0700
+@@ -512,6 +512,7 @@ static void recv_buffer_cleanup(h2_bucke
+         apr_brigade_destroy(bb);
+         if (bl) enter_yellow(beam, bl);
+         
++        apr_thread_cond_broadcast(beam->change);
+         if (beam->cons_ev_cb) { 
+             beam->cons_ev_cb(beam->cons_ctx, beam);
+         }
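Review bot: `apr_thread_cond_broadcast(beam->change)` is called unconditionally here, while the 2.4.27 code in the next hunk of this same file broadcasts on `beam->cond` and guards it with `if (beam->cond)`. Since the message says the fix was refactored for 2.4.27, confirm that the 2.4.27 `h2_bucket_beam` struct has a `change` member at all (if it only has `cond`, this does not compile) and, whichever member is correct, mirror the NULL guard used in h2_beam_abort().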
+@@ -685,12 +686,10 @@ void h2_beam_abort(h2_bucket_beam *beam)
+     h2_beam_lock bl;
+     
+     if (enter_yellow(beam, &bl) == APR_SUCCESS) {
+-        if (!beam->aborted) {
+-            beam->aborted = 1;
+-            r_purge_sent(beam);
+-            h2_blist_cleanup(&beam->send_list);
+-            report_consumption(beam, &bl);
+-        }
++        beam->aborted = 1;
++        r_purge_sent(beam);
++        h2_blist_cleanup(&beam->send_list);
++        report_consumption(beam, &bl);
+         if (beam->cond) {
+             apr_thread_cond_broadcast(beam->cond);
+         }
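Review bot: dropping the `if (!beam->aborted)` guard means a second h2_beam_abort() call re-runs r_purge_sent(), h2_blist_cleanup() and report_consumption() on an already-aborted beam. That is the upstream intent (the broadcast and consumption report must fire on every abort so the consumer does not sit in a timeout), but the message only says "fixes a race condition"; state in the commit text that abort is now deliberately repeatable and that these helpers are safe on an already-empty send_list, so a later reader does not reinstate the guard.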
-- 
2.7.4




* [meta-filesystems][ROCKO][SUMO][PATCH] fuse: CVE-2018-10906
From: Jagadeesh Krishnanjanappa @ 2018-08-23 11:21 UTC (permalink / raw)
  To: openembedded-devel

* CVE-2018-10906-1:

fusermount: don't feed "escaped commas" into mount options

The old code permits the following behavior:

$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)

However, backslashes do not have any special meaning for the kernel here.

As it happens, you can't abuse this because there is no FUSE mount option
that takes a string value that can contain backslashes; but this is very
brittle. Don't interpret "escape characters" in places where they don't
work.

* CVE-2018-10906-2:

fusermount: refuse unknown options

Blacklists are notoriously fragile; especially if the kernel wishes to add
some security-critical mount option at a later date, all existing systems
with older versions of fusermount installed will suddenly have a security
problem.
Additionally, if the kernel's option parsing became a tiny bit laxer, the
blacklist could probably be bypassed.

Whitelist known-harmless flags instead, even if it's slightly more
inconvenient.

Affects fuse < 2.9.8 and fuse < 3.2.5

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
 .../fuse/files/CVE-2018-10906-1.patch              | 52 ++++++++++++++++++++++
 .../fuse/files/CVE-2018-10906-2.patch              | 48 ++++++++++++++++++++
 .../recipes-support/fuse/fuse_2.9.7.bb             |  2 +
 3 files changed, 102 insertions(+)
 create mode 100644 meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch
 create mode 100644 meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch

diff --git a/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch
new file mode 100644
index 0000000..83bef30
--- /dev/null
+++ b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-1.patch
@@ -0,0 +1,52 @@
+From 28bdae3d113ef479c1660a581ef720cdc33bf466 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 13 Jul 2018 15:15:36 -0700
+Subject: [PATCH] fusermount: don't feed "escaped commas" into mount options
+
+The old code permits the following behavior:
+
+$ _FUSE_COMMFD=10000 priv_strace -etrace=mount -s200 fusermount -o 'foobar=\,allow_other' mount
+mount("/dev/fuse", ".", "fuse", MS_NOSUID|MS_NODEV, "foobar=\\,allow_other,fd=3,rootmode=40000,user_id=1000,group_id=1000") = -1 EINVAL (Invalid argument)
+
+However, backslashes do not have any special meaning for the kernel here.
+
+As it happens, you can't abuse this because there is no FUSE mount option
+that takes a string value that can contain backslashes; but this is very
+brittle. Don't interpret "escape characters" in places where they don't
+work.
+
+CVE: CVE-2018-10906
+Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/28bdae3d113ef479c1660a581ef720cdc33bf466]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ util/fusermount.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/util/fusermount.c b/util/fusermount.c
+index 0e1d34d..143bd4a 100644
+--- a/util/fusermount.c
++++ b/util/fusermount.c
+@@ -29,6 +29,7 @@
+ #include <sys/socket.h>
+ #include <sys/utsname.h>
+ #include <sched.h>
++#include <stdbool.h>
+ 
+ #define FUSE_COMMFD_ENV		"_FUSE_COMMFD"
+ 
+@@ -754,8 +755,10 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
+ 		unsigned len;
+ 		const char *fsname_str = "fsname=";
+ 		const char *subtype_str = "subtype=";
++		bool escape_ok = begins_with(s, fsname_str) ||
++				 begins_with(s, subtype_str);
+ 		for (len = 0; s[len]; len++) {
+-			if (s[len] == '\\' && s[len + 1])
++			if (escape_ok && s[len] == '\\' && s[len + 1])
+ 				len++;
+ 			else if (s[len] == ',')
+ 				break;
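Review bot: `escape_ok` is computed from `s` at the start of each option, so a backslash in anything other than `fsname=`/`subtype=` is now an ordinary character and the following comma ends the option, as the message describes. On its own, though, this hunk only changes where the option is cut: the copy that follows still forwards the cut-off piece (`foobar=\` in the example) to the kernel, because the unchanged `else` branch shown in the second patch copies any unrecognised option through. Say in the commit text that it is the second patch's whitelist that actually refuses it, so the two are applied together.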
+-- 
+2.13.3
+
diff --git a/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch
new file mode 100644
index 0000000..597e12b
--- /dev/null
+++ b/meta-filesystems/recipes-support/fuse/files/CVE-2018-10906-2.patch
@@ -0,0 +1,48 @@
+From 5018a0c016495155ee598b7e0167b43d5d902414 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Sat, 14 Jul 2018 03:47:50 -0700
+Subject: [PATCH] fusermount: refuse unknown options
+
+Blacklists are notoriously fragile; especially if the kernel wishes to add
+some security-critical mount option at a later date, all existing systems
+with older versions of fusermount installed will suddenly have a security
+problem.
+Additionally, if the kernel's option parsing became a tiny bit laxer, the
+blacklist could probably be bypassed.
+
+Whitelist known-harmless flags instead, even if it's slightly more
+inconvenient.
+
+CVE: CVE-2018-10906
+Upstream-Status: Backport [https://github.com/libfuse/libfuse/commit/5018a0c016495155ee598b7e0167b43d5d902414]
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ util/fusermount.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/util/fusermount.c b/util/fusermount.c
+index 4e0f51a..2792407 100644
+--- a/util/fusermount.c
++++ b/util/fusermount.c
+@@ -819,10 +819,16 @@ static int do_mount(const char *mnt, char **typep, mode_t rootmode,
+ 						flags |= flag;
+ 					else
+ 						flags  &= ~flag;
+-				} else {
++				} else if (opt_eq(s, len, "default_permissions") ||
++					   opt_eq(s, len, "allow_other") ||
++					   begins_with(s, "max_read=") ||
++					   begins_with(s, "blksize=")) {
+ 					memcpy(d, s, len);
+ 					d += len;
+ 					*d++ = ',';
++				} else {
++					fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s);
++					exit(1);
+ 				}
+ 			}
+ 		}
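Review bot: `fprintf(stderr, "%s: unknown option '%.*s'\n", progname, len, s)` passes `len` as the `%.*s` precision argument, but `len` is declared `unsigned` in this function (see the `unsigned len;` context in the first patch); `%.*s` takes an `int`, so cast it as `(int)len` to avoid a -Wformat warning and a mismatched vararg type. The allow-list itself only covers options that previously fell into the `else` copy-through branch; options handled by the preceding `flags |= flag` table are unaffected, which is worth a sentence in the message.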
+-- 
+2.13.3
+
diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb
index 202d4c3..1eb9b70 100644
--- a/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb
+++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.7.bb
@@ -15,6 +15,8 @@ SRC_URI = "https://github.com/libfuse/libfuse/releases/download/${BP}/${BP}.tar.
            file://aarch64.patch \
            file://0001-fuse-fix-the-return-value-of-help-option.patch \
            file://fuse.conf \
+           file://CVE-2018-10906-1.patch \
+           file://CVE-2018-10906-2.patch \
 "
 SRC_URI[md5sum] = "9bd4ce8184745fd3d000ca2692adacdb"
 SRC_URI[sha256sum] = "832432d1ad4f833c20e13b57cf40ce5277a9d33e483205fc63c78111b3358874"
-- 
2.7.4
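The two fusermount changes in this message, carried through as one stand-alone C program. This is an added example and not libfuse's own code: the allow-list entries and the fsname=/subtype= escape rule are those of the patches, while the function names, treating fsname=/subtype= as pass-through options, and leaving out the flag-table options (ro, nosuid and friends) are simplifications assumed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libfuse code. It models the option filter that the two
 * CVE-2018-10906 patches leave fusermount with: split the user's "-o" string
 * on commas, honour a backslash escape only inside fsname=/subtype= values,
 * and forward only an allow-list of known-harmless options. The allow-list
 * and escape rule come from the patches; the function names, pass-through of
 * fsname=/subtype=, and omission of the flag-table options are assumptions. */

static bool begins_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

static bool opt_eq(const char *s, size_t len, const char *name)
{
    return strlen(name) == len && strncmp(s, name, len) == 0;
}

/* Copies the accepted options, comma-separated, into out. Returns the number
 * of accepted options, or -1 on the first unknown option (copied into bad) or
 * when out is too small. */
int filter_mount_opts(const char *opts, char *out, size_t outlen,
                      char *bad, size_t badlen)
{
    size_t used = 0;
    int count = 0;
    const char *s = opts;

    if (outlen == 0)
        return -1;
    while (*s) {
        size_t len;
        /* Only these two options carry values in which '\' may escape ','. */
        bool escape_ok = begins_with(s, "fsname=") || begins_with(s, "subtype=");

        for (len = 0; s[len]; len++) {
            if (escape_ok && s[len] == '\\' && s[len + 1])
                len++;          /* keep the escaped character in this option */
            else if (s[len] == ',')
                break;          /* elsewhere a comma always ends the option */
        }

        if (len > 0) {
            bool known = escape_ok ||
                         opt_eq(s, len, "default_permissions") ||
                         opt_eq(s, len, "allow_other") ||
                         begins_with(s, "max_read=") ||
                         begins_with(s, "blksize=");
            if (!known) {
                /* Same decision as the second patch: refuse, never forward. */
                if (bad && badlen > 0)
                    snprintf(bad, badlen, "%.*s", (int)len, s);
                return -1;
            }
            if (used + len + 1 >= outlen)
                return -1;
            memcpy(out + used, s, len);
            used += len;
            out[used++] = ',';
            count++;
        }
        s += len;
        if (*s == ',')
            s++;
    }
    if (used > 0)
        used--;                 /* drop the trailing comma */
    out[used] = '\0';
    return count;
}

/* True when opts is accepted and filtered to exactly expected. */
bool opts_filtered_to(const char *opts, const char *expected)
{
    char out[256], bad[64] = "";
    return filter_mount_opts(opts, out, sizeof out, bad, sizeof bad) >= 0 &&
           strcmp(out, expected) == 0;
}

/* True when opts is refused and the offending option is exactly expected_bad. */
bool opts_rejected_with(const char *opts, const char *expected_bad)
{
    char out[256], bad[64] = "";
    return filter_mount_opts(opts, out, sizeof out, bad, sizeof bad) == -1 &&
           strcmp(bad, expected_bad) == 0;
}

int main(void)
{
    /* Constructed inputs; the third is the string from the commit message. */
    const char *inputs[] = {
        "allow_other,max_read=4096",
        "fsname=a\\,b,allow_other",
        "foobar=\\,allow_other",
        "allow_other,nonsense",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char out[256], bad[64] = "";
        int n = filter_mount_opts(inputs[i], out, sizeof out, bad, sizeof bad);
        if (n < 0)
            printf("%-26s -> refused, unknown option '%s'\n", inputs[i], bad);
        else
            printf("%-26s -> %d accepted: %s\n", inputs[i], n, out);
    }
    return 0;
}
```

Running it shows why the second patch is the one that closes the gap: with escapes no longer honoured outside fsname=/subtype=, the `foobar=\,allow_other` string from the commit message splits into `foobar=\` and `allow_other`, and the first piece is refused as unknown instead of being forwarded to the kernel, while a legitimate `fsname=a\,b` keeps its escaped comma.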




* [meta-networking][ROCKO][PATCH] lftp: CVE-2018-10916
From: Jagadeesh Krishnanjanappa @ 2018-08-23 11:21 UTC (permalink / raw)
  To: openembedded-devel

Affects lftp <= 4.8.3

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
 .../lftp/files/CVE-2018-10916.patch                | 82 ++++++++++++++++++++++
 .../recipes-connectivity/lftp/lftp_4.7.7.bb        |  1 +
 2 files changed, 83 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch

diff --git a/meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch b/meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch
new file mode 100644
index 0000000..213403e
--- /dev/null
+++ b/meta-networking/recipes-connectivity/lftp/files/CVE-2018-10916.patch
@@ -0,0 +1,82 @@
+From a27e07d90a4608ceaf928b1babb27d4d803e1992 Mon Sep 17 00:00:00 2001
+From: "Alexander V. Lukyanov" <lavv17f@gmail.com>
+Date: Tue, 31 Jul 2018 10:57:35 +0300
+Subject: [PATCH] mirror: prepend ./ to rm and chmod arguments to avoid URL
+ recognition (fix #452)
+
+CVE: CVE-2018-10916
+Upstream-Status: Backport from v4.8.4
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ src/MirrorJob.cc | 24 +++++++++---------------
+ 1 file changed, 9 insertions(+), 15 deletions(-)
+
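Review bot: `Upstream-Status: Backport from v4.8.4` gives no commit URL, unlike the fuse patches in this series, and the message does not say why the `./` prefix matters (a remote file name shaped like a URL would otherwise be re-parsed as one by the rm/chmod jobs). The upstream commit id is already in the `From` line, so cite it in the `Backport [url]` form pointing at the lftp repository on github.com/lavv17/lftp, and add that one-line rationale so the CVE link is checkable.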
+diff --git a/src/MirrorJob.cc b/src/MirrorJob.cc
+index cf106c40..0be45431 100644
+--- a/src/MirrorJob.cc
++++ b/src/MirrorJob.cc
+@@ -1164,24 +1164,21 @@ int   MirrorJob::Do()
+ 	    }
+ 	    continue;
+ 	 }
++	 bool use_rmdir = (file->TypeIs(file->DIRECTORY)
++			   && recursion_mode==RECURSION_NEVER);
+ 	 if(script)
+ 	 {
+-	    ArgV args("rm");
+-	    if(file->TypeIs(file->DIRECTORY))
+-	    {
+-	       if(recursion_mode==RECURSION_NEVER)
+-		  args.setarg(0,"rmdir");
+-	       else
+-		  args.Append("-r");
+-	    }
++	    ArgV args(use_rmdir?"rmdir":"rm");
++	    if(file->TypeIs(file->DIRECTORY) && !use_rmdir)
++	       args.Append("-r");
+ 	    args.Append(target_session->GetFileURL(file->name));
+ 	    xstring_ca cmd(args.CombineQuoted());
+ 	    fprintf(script,"%s\n",cmd.get());
+ 	 }
+ 	 if(!script_only)
+ 	 {
+-	    ArgV *args=new ArgV("rm");
+-	    args->Append(file->name);
++	    ArgV *args=new ArgV(use_rmdir?"rmdir":"rm");
++	    args->Append(dir_file(".",file->name));
+ 	    args->seek(1);
+ 	    rmJob *j=new rmJob(target_session->Clone(),args);
+ 	    j->cmdline.set_allocated(args->Combine());
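Review bot: in the `if(script)` branch the argument is still `target_session->GetFileURL(file->name)`, i.e. a full URL is written into the generated mirror script by design, while only the in-process rmJob gets `dir_file(".", file->name)`. A short comment in the code or the message that the script path is intentionally unchanged would keep the asymmetry from being read as a missed case. The `use_rmdir` hoisting is a clean way to drop the `setarg(0, "rmdir")` rewriting below.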
+@@ -1185,10 +1182,7 @@ int   MirrorJob::Do()
+ 	    if(file->TypeIs(file->DIRECTORY))
+ 	    {
+ 	       if(recursion_mode==RECURSION_NEVER)
+-	       {
+-		  args->setarg(0,"rmdir");
+ 		  j->Rmdir();
+-	       }
+ 	       else
+ 		  j->Recurse();
+ 	    }
+@@ -1252,7 +1246,7 @@ int   MirrorJob::Do()
+ 	 if(!script_only)
+ 	 {
+ 	    ArgV *a=new ArgV("chmod");
+-	    a->Append(file->name);
++	    a->Append(dir_file(".",file->name));
+ 	    a->seek(1);
+ 	    ChmodJob *cj=new ChmodJob(target_session->Clone(),
+ 				 file->mode&~mode_mask,a);
+@@ -1372,7 +1366,7 @@ int   MirrorJob::Do()
+ 	 if(!script_only)
+ 	 {
+ 	    ArgV *args=new ArgV("rm");
+-	    args->Append(file->name);
++	    args->Append(dir_file(".",file->name));
+ 	    args->seek(1);
+ 	    rmJob *j=new rmJob(source_session->Clone(),args);
+ 	    j->cmdline.set_allocated(args->Combine());
+-- 
+2.13.3
+
diff --git a/meta-networking/recipes-connectivity/lftp/lftp_4.7.7.bb b/meta-networking/recipes-connectivity/lftp/lftp_4.7.7.bb
index b6b65da..042b0aa 100644
--- a/meta-networking/recipes-connectivity/lftp/lftp_4.7.7.bb
+++ b/meta-networking/recipes-connectivity/lftp/lftp_4.7.7.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 SRC_URI = "http://lftp.yar.ru/ftp/lftp-${PV}.tar.bz2 \
            file://fix-gcc-6-conflicts-signbit.patch \
+           file://CVE-2018-10916.patch \
           "
 SRC_URI[md5sum] = "3701e7675baa5619c92622eb141c8301"
 SRC_URI[sha256sum] = "fe441f20a9a317cfb99a8b8e628ba0457df472b6d93964d17374d5b5ebdf9280"
-- 
2.7.4


