* [PATCH 1/4] gcc: fix CVE-2018-18484
@ 2019-04-29 6:26 Anuj Mittal
2019-04-29 6:26 ` [PATCH 2/4] gdb: fix CVE-2017-9778 Anuj Mittal
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Anuj Mittal @ 2019-04-29 6:26 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-devtools/gcc/gcc-8.3.inc | 1 +
...limit-to-libiberty-s-demangling-code.patch | 325 ++++++++++++++++++
2 files changed, 326 insertions(+)
create mode 100644 meta/recipes-devtools/gcc/gcc-8.3/0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch
diff --git a/meta/recipes-devtools/gcc/gcc-8.3.inc b/meta/recipes-devtools/gcc/gcc-8.3.inc
index 88a9df2049..fe9c7c3602 100644
--- a/meta/recipes-devtools/gcc/gcc-8.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-8.3.inc
@@ -71,6 +71,7 @@ SRC_URI = "\
file://0038-Re-introduce-spe-commandline-options.patch \
file://0039-riscv-Disable-multilib-for-OE.patch \
file://0040-powerpc-powerpc64-Add-support-for-musl-ldso.patch \
+ file://0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch \
"
SRC_URI[md5sum] = "65b210b4bfe7e060051f799e0f994896"
SRC_URI[sha256sum] = "64baadfe6cc0f4947a84cb12d7f0dfaf45bb58b7e92461639596c21e02d97d2c"
diff --git a/meta/recipes-devtools/gcc/gcc-8.3/0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch b/meta/recipes-devtools/gcc/gcc-8.3/0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch
new file mode 100644
index 0000000000..f3303b6858
--- /dev/null
+++ b/meta/recipes-devtools/gcc/gcc-8.3/0041-Add-a-recursion-limit-to-libiberty-s-demangling-code.patch
@@ -0,0 +1,325 @@
+From e1744e11b1c2b36f91a8847b61bafb8c5e7407ae Mon Sep 17 00:00:00 2001
+From: nickc <nickc@138bc75d-0d04-0410-961f-82ee72b054a4>
+Date: Fri, 7 Dec 2018 10:33:30 +0000
+Subject: [PATCH] Add a recursion limit to libiberty's demangling code. The
+ limit is enabled by default, but can be disabled via a new demangling option.
+
+include * demangle.h (DMGL_NO_RECURSE_LIMIT): Define.
+ (DEMANGLE_RECURSION_LIMIT): Define
+
+ PR 87681
+ PR 87675
+ PR 87636
+ PR 87350
+ PR 87335
+libiberty * cp-demangle.h (struct d_info): Add recursion_level field.
+ * cp-demangle.c (d_function_type): Add recursion counter.
+ If the recursion limit is reached and the check is not disabled,
+ then return with a failure result.
+ (cplus_demangle_init_info): Initialise the recursion_level field.
+ (d_demangle_callback): If the recursion limit is enabled, check
+ for a mangled string that is so long that there is not enough
+ stack space for the local arrays.
+ * cplus-dem.c (struct work): Add recursion_level field.
+ (squangle_mop_up): Set the numb and numk fields to zero.
+ (work_stuff_copy_to_from): Handle the case where a btypevec or
+ ktypevec field is NULL.
+ (demangle_nested_args): Add recursion counter. If
+ the recursion limit is not disabled and reached, return with a
+ failure result.
+
+git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@266886 138bc75d-0d04-0410-961f-82ee72b054a4
+
+CVE: CVE-2018-18484
+Upstream-Status: Backport [https://github.com/gcc-mirror/gcc/commit/03e51746ed98d9106803f6009ebd71ea670ad3b9]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ include/ChangeLog | 5 +++++
+ include/demangle.h | 11 +++++++++++
+ libiberty/ChangeLog | 23 ++++++++++++++++++++++
+ libiberty/cp-demangle.c | 51 ++++++++++++++++++++++++++++++++++++++-----------
+ libiberty/cp-demangle.h | 3 +++
+ libiberty/cplus-dem.c | 37 +++++++++++++++++++++++++++++++++--
+ 6 files changed, 117 insertions(+), 13 deletions(-)
+
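Review bot: the commit id in the From line (e1744e11b1c2…) does not match the commit that Upstream-Status points at (…/commit/03e51746ed98…), so the header does not say which tree this backport was lifted from. Either point Upstream-Status at the commit named in the From line or note the branch the cherry-pick came from, so the next person auditing CVE-2018-18484 coverage can find it.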
+diff --git a/include/ChangeLog b/include/ChangeLog
+index 02ab336..88b0648 100644
+--- a/include/ChangeLog
++++ b/include/ChangeLog
+@@ -2,6 +2,11 @@
+
+ * GCC 8.3.0 released.
+
++2018-12-07 Nick Clifton <nickc@redhat.com>
++
++ * demangle.h (DMGL_NO_RECURSE_LIMIT): Define.
++ (DEMANGLE_RECURSION_LIMIT): Define
++
+ 2018-07-26 Release Manager
+
+ * GCC 8.2.0 released.
+diff --git a/include/demangle.h b/include/demangle.h
+index b8d57cf..9bb8a19 100644
+--- a/include/demangle.h
++++ b/include/demangle.h
+@@ -68,6 +68,17 @@ extern "C" {
+ /* If none of these are set, use 'current_demangling_style' as the default. */
+ #define DMGL_STYLE_MASK (DMGL_AUTO|DMGL_GNU|DMGL_LUCID|DMGL_ARM|DMGL_HP|DMGL_EDG|DMGL_GNU_V3|DMGL_JAVA|DMGL_GNAT|DMGL_DLANG|DMGL_RUST)
+
++/* Disable a limit on the depth of recursion in mangled strings.
++ Note if this limit is disabled then stack exhaustion is possible when
++ demangling pathologically complicated strings. Bug reports about stack
++ exhaustion when the option is enabled will be rejected. */
++#define DMGL_NO_RECURSE_LIMIT (1 << 18)
++
++/* If DMGL_NO_RECURSE_LIMIT is not enabled, then this is the value used as
++ the maximum depth of recursion allowed. It should be enough for any
++ real-world mangled name. */
++#define DEMANGLE_RECURSION_LIMIT 1024
++
+ /* Enumeration of possible demangling styles.
+
+ Lucid and ARM styles are still kept logically distinct, even though
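Review bot: the comment on DMGL_NO_RECURSE_LIMIT is ambiguous about which option it means: `Bug reports about stack exhaustion when the option is enabled will be rejected` reads as if enabling the limit causes the rejection, when it is setting this flag (disabling the limit) that does. Nothing in the header records which DMGL_ bits are already taken, so a reviewer cannot confirm from this hunk that (1 << 18) is free; placing the define next to the existing flag bits, or a one-line comment naming the next free bit, would help.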
+diff --git a/libiberty/ChangeLog b/libiberty/ChangeLog
+index 1dd05da..2f77038 100644
+--- a/libiberty/ChangeLog
++++ b/libiberty/ChangeLog
+@@ -9,6 +9,29 @@
+ (simple_object_copy_lto_debug_sections): Create file in binary
+ mode.
+
++2018-12-07 Nick Clifton <nickc@redhat.com>
++
++ PR 87681
++ PR 87675
++ PR 87636
++ PR 87350
++ PR 87335
++ * cp-demangle.h (struct d_info): Add recursion_level field.
++ * cp-demangle.c (d_function_type): Add recursion counter.
++ If the recursion limit is reached and the check is not disabled,
++ then return with a failure result.
++ (cplus_demangle_init_info): Initialise the recursion_level field.
++ (d_demangle_callback): If the recursion limit is enabled, check
++ for a mangled string that is so long that there is not enough
++ stack space for the local arrays.
++ * cplus-dem.c (struct work): Add recursion_level field.
++ (squangle_mop_up): Set the numb and numk fields to zero.
++ (work_stuff_copy_to_from): Handle the case where a btypevec or
++ ktypevec field is NULL.
++ (demangle_nested_args): Add recursion counter. If
++ the recursion limit is not disabled and reached, return with a
++ failure result.
++
+ 2018-07-26 Release Manager
+
+ * GCC 8.2.0 released.
+diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
+index 3f2a097..c374e46 100644
+--- a/libiberty/cp-demangle.c
++++ b/libiberty/cp-demangle.c
+@@ -2843,21 +2843,35 @@ d_ref_qualifier (struct d_info *di, struct demangle_component *sub)
+ static struct demangle_component *
+ d_function_type (struct d_info *di)
+ {
+- struct demangle_component *ret;
++ struct demangle_component *ret = NULL;
+
+- if (! d_check_char (di, 'F'))
+- return NULL;
+- if (d_peek_char (di) == 'Y')
++ if ((di->options & DMGL_NO_RECURSE_LIMIT) == 0)
+ {
+- /* Function has C linkage. We don't print this information.
+- FIXME: We should print it in verbose mode. */
+- d_advance (di, 1);
++ if (di->recursion_level > DEMANGLE_RECURSION_LIMIT)
++ /* FIXME: There ought to be a way to report
++ that the recursion limit has been reached. */
++ return NULL;
++
++ di->recursion_level ++;
+ }
+- ret = d_bare_function_type (di, 1);
+- ret = d_ref_qualifier (di, ret);
+
+- if (! d_check_char (di, 'E'))
+- return NULL;
++ if (d_check_char (di, 'F'))
++ {
++ if (d_peek_char (di) == 'Y')
++ {
++ /* Function has C linkage. We don't print this information.
++ FIXME: We should print it in verbose mode. */
++ d_advance (di, 1);
++ }
++ ret = d_bare_function_type (di, 1);
++ ret = d_ref_qualifier (di, ret);
++
++ if (! d_check_char (di, 'E'))
++ ret = NULL;
++ }
++
++ if ((di->options & DMGL_NO_RECURSE_LIMIT) == 0)
++ di->recursion_level --;
+ return ret;
+ }
+
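Review bot: the recursion counter is only incremented in d_function_type, so this bounds nesting of function types but not the other mutually recursive parse paths in this file (types, template arguments, expressions), which also consume stack and remain unbounded except for the num_comps check added later in d_demangle_callback. The increment and decrement are balanced here only because the single early return (the limit check) happens before `di->recursion_level ++;` and the decrement sits on the one exit path; a comment saying so would stop a later early return from leaking the count.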
+@@ -6188,6 +6202,7 @@ cplus_demangle_init_info (const char *mangled, int options, size_t len,
+ di->expansion = 0;
+ di->is_expression = 0;
+ di->is_conversion = 0;
++ di->recursion_level = 0;
+ }
+
+ /* Internal implementation for the demangler. If MANGLED is a g++ v3 ABI
+@@ -6227,6 +6242,20 @@ d_demangle_callback (const char *mangled, int options,
+
+ cplus_demangle_init_info (mangled, options, strlen (mangled), &di);
+
++ /* PR 87675 - Check for a mangled string that is so long
++ that we do not have enough stack space to demangle it. */
++ if (((options & DMGL_NO_RECURSE_LIMIT) == 0)
++ /* This check is a bit arbitrary, since what we really want to do is to
++ compare the sizes of the di.comps and di.subs arrays against the
++ amount of stack space remaining. But there is no portable way to do
++ this, so instead we use the recursion limit as a guide to the maximum
++ size of the arrays. */
++ && (unsigned long) di.num_comps > DEMANGLE_RECURSION_LIMIT)
++ {
++ /* FIXME: We need a way to indicate that a stack limit has been reached. */
++ return 0;
++ }
++
+ {
+ #ifdef CP_DYNAMIC_ARRAYS
+ __extension__ struct demangle_component comps[di.num_comps];
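Review bot: the check `(unsigned long) di.num_comps > DEMANGLE_RECURSION_LIMIT` rejects mangled names by length rather than by nesting depth, since num_comps is set from the input length in cplus_demangle_init_info (called with strlen (mangled) just above), so long but shallow legitimate names will now fail to demangle unless the caller passes DMGL_NO_RECURSE_LIMIT. The placement is right (before the `comps[di.num_comps]` VLA that actually consumes the stack), but `return 0;` is indistinguishable from a malformed name for callers, as the FIXME concedes; the header comment on DMGL_NO_RECURSE_LIMIT should at least mention that the limit also caps input length.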
+diff --git a/libiberty/cp-demangle.h b/libiberty/cp-demangle.h
+index 51b8a24..d87a830 100644
+--- a/libiberty/cp-demangle.h
++++ b/libiberty/cp-demangle.h
+@@ -122,6 +122,9 @@ struct d_info
+ /* Non-zero if we are parsing the type operand of a conversion
+ operator, but not when in an expression. */
+ int is_conversion;
++ /* If DMGL_NO_RECURSE_LIMIT is not active then this is set to
++ the current recursion level. */
++ unsigned int recursion_level;
+ };
+
+ /* To avoid running past the ending '\0', don't:
+diff --git a/libiberty/cplus-dem.c b/libiberty/cplus-dem.c
+index 6d58bd8..8b9646f 100644
+--- a/libiberty/cplus-dem.c
++++ b/libiberty/cplus-dem.c
+@@ -146,6 +146,7 @@ struct work_stuff
+ int *proctypevec; /* Indices of currently processed remembered typevecs. */
+ int proctypevec_size;
+ int nproctypes;
++ unsigned int recursion_level;
+ };
+
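Review bot: the new recursion_level field in struct work_stuff is never initialised in this patch (contrast cplus_demangle_init_info, which zeroes the d_info counterpart), and the check in demangle_nested_args is only meaningful if the work_stuff starts from zero. Please confirm every path that constructs a work_stuff memsets it, or add an explicit `work->recursion_level = 0;` where the other fields are set up.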
+ #define PRINT_ANSI_QUALIFIERS (work -> options & DMGL_ANSI)
+@@ -1292,12 +1293,14 @@ squangle_mop_up (struct work_stuff *work)
+ free ((char *) work -> btypevec);
+ work->btypevec = NULL;
+ work->bsize = 0;
++ work->numb = 0;
+ }
+ if (work -> ktypevec != NULL)
+ {
+ free ((char *) work -> ktypevec);
+ work->ktypevec = NULL;
+ work->ksize = 0;
++ work->numk = 0;
+ }
+ }
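Review bot: zeroing numb and numk here is needed for correctness, not just tidiness: the vectors are freed and set to NULL, and work_stuff_copy_to_from still loops `for (i = 0; i < from->numk; i++)` over them, so a stale count would dereference a NULL ktypevec. A one-line comment saying that is what the resets prevent would make the purpose clear to the next reader.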
+
+@@ -1331,8 +1334,15 @@ work_stuff_copy_to_from (struct work_stuff *to, struct work_stuff *from)
+
+ for (i = 0; i < from->numk; i++)
+ {
+- int len = strlen (from->ktypevec[i]) + 1;
++ int len;
++
++ if (from->ktypevec[i] == NULL)
++ {
++ to->ktypevec[i] = NULL;
++ continue;
++ }
+
++ len = strlen (from->ktypevec[i]) + 1;
+ to->ktypevec[i] = XNEWVEC (char, len);
+ memcpy (to->ktypevec[i], from->ktypevec[i], len);
+ }
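Review bot: the ChangeLog wording does not match the code: it says `Handle the case where a btypevec or ktypevec field is NULL`, but this hunk handles a NULL entry inside ktypevec (`from->ktypevec[i] == NULL`), not a NULL vector. Adjust the ChangeLog text, and consider a comment on how a NULL entry arises, since strlen on it is the crash this guards against.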
+@@ -1342,8 +1352,15 @@ work_stuff_copy_to_from (struct work_stuff *to, struct work_stuff *from)
+
+ for (i = 0; i < from->numb; i++)
+ {
+- int len = strlen (from->btypevec[i]) + 1;
++ int len;
++
++ if (from->btypevec[i] == NULL)
++ {
++ to->btypevec[i] = NULL;
++ continue;
++ }
+
++ len = strlen (from->btypevec[i]) + 1;
+ to->btypevec[i] = XNEWVEC (char , len);
+ memcpy (to->btypevec[i], from->btypevec[i], len);
+ }
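Review bot: this loop is a copy of the ktypevec loop above with the field name swapped; a small static helper taking the source vector, its count and the destination would remove the duplication and keep the NULL-entry handling from drifting between the two.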
+@@ -1401,6 +1418,7 @@ delete_non_B_K_work_stuff (struct work_stuff *work)
+
+ free ((char*) work->tmpl_argvec);
+ work->tmpl_argvec = NULL;
++ work->ntmpl_args = 0;
+ }
+ if (work->previous_argument)
+ {
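Review bot: the addition of `work->ntmpl_args = 0;` to delete_non_B_K_work_stuff is not mentioned in the libiberty/ChangeLog entry above, which lists only struct work, squangle_mop_up, work_stuff_copy_to_from and demangle_nested_args. Add a line for it; the reset itself is the same stale-count fix applied to numb and numk.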
+@@ -4477,6 +4495,7 @@ remember_Btype (struct work_stuff *work, const char *start,
+ }
+
+ /* Lose all the info related to B and K type codes. */
++
+ static void
+ forget_B_and_K_types (struct work_stuff *work)
+ {
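Review bot: this hunk and the next one only add blank lines around forget_B_and_K_types and carry no functional change; in a CVE backport carried as a recipe patch they add review noise and merge-conflict surface for no benefit. Dropping the two whitespace-only hunks would keep the backport minimal.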
+@@ -4502,6 +4521,7 @@ forget_B_and_K_types (struct work_stuff *work)
+ }
+ }
+ }
++
+ /* Forget the remembered types, but not the type vector itself. */
+
+ static void
+@@ -4696,6 +4716,16 @@ demangle_nested_args (struct work_stuff *work, const char **mangled,
+ int result;
+ int saved_nrepeats;
+
++ if ((work->options & DMGL_NO_RECURSE_LIMIT) == 0)
++ {
++ if (work->recursion_level > DEMANGLE_RECURSION_LIMIT)
++ /* FIXME: There ought to be a way to report
++ that the recursion limit has been reached. */
++ return 0;
++
++ work->recursion_level ++;
++ }
++
+ /* The G++ name-mangling algorithm does not remember types on nested
+ argument lists, unless -fsquangling is used, and in that case the
+ type vector updated by remember_type is not used. So, we turn
+@@ -4722,6 +4752,9 @@ demangle_nested_args (struct work_stuff *work, const char **mangled,
+ --work->forgetting_types;
+ work->nrepeats = saved_nrepeats;
+
++ if ((work->options & DMGL_NO_RECURSE_LIMIT) == 0)
++ --work->recursion_level;
++
+ return result;
+ }
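Review bot: the decrement is placed on the final `return result;` path only; any return between the increment at the top of demangle_nested_args and this point (none is visible in the hunk, but the function body is elided) would leave recursion_level permanently elevated for the rest of the call and make later nested argument lists fail spuriously. Worth a comment, or restructuring so the counter is restored in one place.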
+
+--
+2.7.4
+
--
2.20.1
* [PATCH 2/4] gdb: fix CVE-2017-9778
2019-04-29 6:26 [PATCH 1/4] gcc: fix CVE-2018-18484 Anuj Mittal
@ 2019-04-29 6:26 ` Anuj Mittal
2019-04-29 6:26 ` [PATCH 3/4] binutils: fix CVE-2019-9074 CVE-2019-9075 CVE-2019-9076 CVE-2019-9077 Anuj Mittal
2019-04-29 6:26 ` [PATCH 4/4] openssh: fix CVE-2018-20685, CVE-2019-6109, CVE-2019-6111 Anuj Mittal
2 siblings, 0 replies; 4+ messages in thread
From: Anuj Mittal @ 2019-04-29 6:26 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
meta/recipes-devtools/gdb/gdb-8.2.1.inc | 1 +
.../gdb/gdb/CVE-2017-9778.patch | 99 +++++++++++++++++++
2 files changed, 100 insertions(+)
create mode 100644 meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
diff --git a/meta/recipes-devtools/gdb/gdb-8.2.1.inc b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
index 1fc1ec0da4..cb8d189f2a 100644
--- a/meta/recipes-devtools/gdb/gdb-8.2.1.inc
+++ b/meta/recipes-devtools/gdb/gdb-8.2.1.inc
@@ -17,6 +17,7 @@ SRC_URI = "http://ftp.gnu.org/gnu/gdb/gdb-${PV}.tar.xz \
file://0011-Fix-invalid-sigprocmask-call.patch \
file://gdbserver-ctrl-c-handling.patch \
file://0001-Fix-build-with-latest-GCC-9.0-tree.patch \
+ file://CVE-2017-9778.patch \
"
SRC_URI[md5sum] = "f8b2562e830a4098dd5b5ea9e9296c70"
SRC_URI[sha256sum] = "0a6a432907a03c5c8eaad3c3cffd50c00a40c3a5e3c4039440624bae703f2202"
diff --git a/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
new file mode 100644
index 0000000000..935f2661fe
--- /dev/null
+++ b/meta/recipes-devtools/gdb/gdb/CVE-2017-9778.patch
@@ -0,0 +1,99 @@
+From a608b79f30ab3f670095e14ba3d3b5b24a19fe68 Mon Sep 17 00:00:00 2001
+From: Sandra Loosemore <sandra@codesourcery.com>
+Date: Thu, 25 Apr 2019 07:27:02 -0700
+Subject: [PATCH] Detect invalid length field in debug frame FDE header.
+
+GDB was failing to catch cases where a corrupt ELF or core file
+contained an invalid length value in a Dwarf debug frame FDE header.
+It was checking for buffer overflow but not cases where the length was
+negative or caused pointer wrap-around.
+
+In addition to the additional validity check, this patch cleans up the
+multiple signed/unsigned conversions on the length field so that an
+unsigned representation is used consistently throughout.
+
+This patch fixes CVE-2017-9778 and PR gdb/21600.
+
+2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
+ Kang Li <kanglictf@gmail.com>
+
+ PR gdb/21600
+
+ * dwarf2-frame.c (read_initial_length): Be consistent about using
+ unsigned representation of length.
+ (decode_frame_entry_1): Likewise. Check for wraparound of
+ end pointer as well as buffer overflow.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed]
+CVE: CVE-2017-9778
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ gdb/ChangeLog | 11 +++++++++++
+ gdb/dwarf2-frame.c | 14 +++++++-------
+ 2 files changed, 18 insertions(+), 7 deletions(-)
+
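Review bot: the From line names commit a608b79f30ab… while Upstream-Status points at h=723adb650a31…; the two should agree, or the header should say which branch the backport was taken from, so the CVE-2017-9778 fix can be traced back to upstream.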
+diff --git a/gdb/ChangeLog b/gdb/ChangeLog
+index 3711dc7..0a9720b 100644
+--- a/gdb/ChangeLog
++++ b/gdb/ChangeLog
+@@ -1,3 +1,14 @@
++2019-04-25 Sandra Loosemore <sandra@codesourcery.com>
++ Kang Li <kanglictf@gmail.com>
++
++ PR gdb/21600
++
++ * dwarf2-frame.c (read_initial_length): Be consistent about using
++ unsigned representation of length.
++ (decode_frame_entry_1): Likewise. Check for wraparound of
++ end pointer as well as buffer overflow.
++
++
+ 2018-12-23 Joel Brobecker <brobecker@adacore.com>
+
+ * version.in: Set GDB version number to 8.2.1.
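Review bot: the new ChangeLog entry ends with two blank `+` lines (the two `++` lines before `2018-12-23 Joel Brobecker`), where entries are separated by a single blank line; drop one.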
+diff --git a/gdb/dwarf2-frame.c b/gdb/dwarf2-frame.c
+index 91e16cf..a7b99fd 100644
+--- a/gdb/dwarf2-frame.c
++++ b/gdb/dwarf2-frame.c
+@@ -1477,7 +1477,7 @@ static ULONGEST
+ read_initial_length (bfd *abfd, const gdb_byte *buf,
+ unsigned int *bytes_read_ptr)
+ {
+- LONGEST result;
++ ULONGEST result;
+
+ result = bfd_get_32 (abfd, buf);
+ if (result == 0xffffffff)
+@@ -1780,7 +1780,7 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ {
+ struct gdbarch *gdbarch = get_objfile_arch (unit->objfile);
+ const gdb_byte *buf, *end;
+- LONGEST length;
++ ULONGEST length;
+ unsigned int bytes_read;
+ int dwarf64_p;
+ ULONGEST cie_id;
+@@ -1791,15 +1791,15 @@ decode_frame_entry_1 (struct comp_unit *unit, const gdb_byte *start,
+ buf = start;
+ length = read_initial_length (unit->abfd, buf, &bytes_read);
+ buf += bytes_read;
+- end = buf + length;
+-
+- /* Are we still within the section? */
+- if (end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
+- return NULL;
++ end = buf + (size_t) length;
+
+ if (length == 0)
+ return end;
+
++ /* Are we still within the section? */
++ if (end <= buf || end > unit->dwarf_frame_buffer + unit->dwarf_frame_size)
++ return NULL;
++
+ /* Distinguish between 32 and 64-bit encoded frame info. */
+ dwarf64_p = (bytes_read == 12);
+
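Review bot: `end = buf + (size_t) length;` still forms an out-of-range pointer before validating it, and the wrap test `end <= buf` relies on that pointer arithmetic wrapping, which is undefined behaviour in C and something an optimising compiler may fold away. Safer is to compare the length against the bytes remaining before forming end, e.g. `if (length > (ULONGEST) (unit->dwarf_frame_buffer + unit->dwarf_frame_size - buf)) return NULL;` followed by `end = buf + length;`. That also avoids the `(size_t)` cast silently truncating a 64-bit length on 32-bit hosts, where a truncated value could pass the pointer checks while `length` itself is bogus.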
+--
+2.7.4
+
--
2.20.1
* [PATCH 3/4] binutils: fix CVE-2019-9074 CVE-2019-9075 CVE-2019-9076 CVE-2019-9077
2019-04-29 6:26 [PATCH 1/4] gcc: fix CVE-2018-18484 Anuj Mittal
2019-04-29 6:26 ` [PATCH 2/4] gdb: fix CVE-2017-9778 Anuj Mittal
@ 2019-04-29 6:26 ` Anuj Mittal
2019-04-29 6:26 ` [PATCH 4/4] openssh: fix CVE-2018-20685, CVE-2019-6109, CVE-2019-6111 Anuj Mittal
2 siblings, 0 replies; 4+ messages in thread
From: Anuj Mittal @ 2019-04-29 6:26 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../binutils/binutils-2.32.inc | 4 +
.../binutils/binutils/CVE-2019-9074.patch | 68 ++++++++++
.../binutils/binutils/CVE-2019-9075.patch | 119 ++++++++++++++++++
.../binutils/binutils/CVE-2019-9076.patch | 49 ++++++++
.../binutils/binutils/CVE-2019-9077.patch | 37 ++++++
5 files changed, 277 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 5d0c16b13e..49e6827c1f 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -44,6 +44,10 @@ SRC_URI = "\
file://0013-Detect-64-bit-MIPS-targets.patch \
file://0014-sync-with-OE-libtool-changes.patch \
file://0015-binutils-enable-x86_64-pep-for-producing-EFI-binarie.patch \
+ file://CVE-2019-9074.patch \
+ file://CVE-2019-9075.patch \
+ file://CVE-2019-9076.patch \
+ file://CVE-2019-9077.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch
new file mode 100644
index 0000000000..a11a51200e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9074.patch
@@ -0,0 +1,68 @@
+From e2ebb3906432dcca2727186ad79415f920730fb2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Tue, 19 Feb 2019 22:48:44 +1030
+Subject: [PATCH] PR24235, Read memory violation in pei-x86_64.c
+
+ PR 24235
+ * pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
+ attempting to prevent read past end of section.
+
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/179f2db0d9c397d7dd8a59907b84208b79f7f48c]
+CVE: CVE-2019-9074
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ bfd/ChangeLog | 6 ++++++
+ bfd/pei-x86_64.c | 9 ++++-----
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
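Review bot: the From line (e2ebb3906432…) and the Upstream-Status commit (179f2db0d9c3…) disagree here, and the same is true of the CVE-2019-9076 header (9f841c583880… vs 7d272a55caeb…) and the CVE-2019-9077 header (f7bbc8890de4… vs 7fc0c668f2ac…) later in this patch; only CVE-2019-9075 references the same commit in both places. Make each pair consistent or record the branch the backport came from.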
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index dd2c741..cbf30de 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,9 @@
++2019-02-19 Alan Modra <amodra@gmail.com>
++
++ PR 24235
++ * pei-x86_64.c (pex64_bfd_print_pdata_section): Correct checks
++ attempting to prevent read past end of section.
++
+ 2019-02-04 Nick Clifton <nickc@redhat.com>
+
+ * development.sh (experimental) Set to false.
+diff --git a/bfd/pei-x86_64.c b/bfd/pei-x86_64.c
+index ff1093c..7e75104 100644
+--- a/bfd/pei-x86_64.c
++++ b/bfd/pei-x86_64.c
+@@ -541,7 +541,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ /* virt_size might be zero for objects. */
+ if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0)
+ {
+- stop = (datasize / onaline) * onaline;
++ stop = datasize;
+ virt_size_is_zero = TRUE;
+ }
+ else if (datasize < stop)
+@@ -551,8 +551,8 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ _("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"),
+ pdata_section->name, (unsigned long) datasize,
+ (unsigned long) stop);
+- /* Be sure not to read passed datasize. */
+- stop = datasize / onaline;
++ /* Be sure not to read past datasize. */
++ stop = datasize;
+ }
+
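Review bot: the old `stop = datasize / onaline;` stored an entry count in a variable that is otherwise a byte offset (the first hunk's `(datasize / onaline) * onaline` shows stop is in bytes), which is the root of the overread; `stop = datasize;` fixes the units. Since stop is no longer rounded down to a multiple of onaline, please confirm the loop that walks the table terminates on `i + onaline <= stop` rather than `i < stop`, otherwise the last partial row is still read past datasize.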
+ /* Display functions table. */
+@@ -724,8 +724,7 @@ pex64_bfd_print_pdata_section (bfd *abfd, void *vfile, asection *pdata_section)
+ altent += imagebase;
+
+ if (altent >= pdata_vma
+- && (altent + PDATA_ROW_SIZE <= pdata_vma
+- + pei_section_data (abfd, pdata_section)->virt_size))
++ && altent - pdata_vma + PDATA_ROW_SIZE <= stop)
+ {
+ pex64_get_runtime_function
+ (abfd, &arf, &pdata[altent - pdata_vma]);
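Review bot: bounding the alternate entry against stop (the bytes actually read) instead of virt_size is the right fix, since virt_size is what a corrupt file controls, and the `altent >= pdata_vma` guard on the previous line keeps the subtraction from underflowing. A comment noting that stop rather than virt_size is used deliberately here would stop a later cleanup from reverting it.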
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch
new file mode 100644
index 0000000000..bcb1310f16
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9075.patch
@@ -0,0 +1,119 @@
+From 8abac8031ed369a2734b1cdb7df28a39a54b4b49 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 20 Feb 2019 08:21:24 +1030
+Subject: [PATCH] PR24236, Heap buffer overflow in
+ _bfd_archive_64_bit_slurp_armap
+
+ PR 24236
+ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
+ sentinel NUL to string buffer nearer to loop where it is used.
+ Don't go past sentinel when scanning strings, and don't write
+ NUL again.
+ * archive.c (do_slurp_coff_armap): Simplify string handling to
+ archive64.c style.
+
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/8abac8031ed369a2734b1cdb7df28a39a54b4b49]
+CVE: CVE-2019-9075
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ bfd/ChangeLog | 10 ++++++++++
+ bfd/archive.c | 17 +++++++----------
+ bfd/archive64.c | 10 +++++-----
+ 3 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/bfd/ChangeLog b/bfd/ChangeLog
+index 72c87c7..e39bb12 100644
+--- a/bfd/ChangeLog
++++ b/bfd/ChangeLog
+@@ -1,3 +1,13 @@
++2019-02-20 Alan Modra <amodra@gmail.com>
++
++ PR 24236
++ * archive64.c (_bfd_archive_64_bit_slurp_armap): Move code adding
++ sentinel NUL to string buffer nearer to loop where it is used.
++ Don't go past sentinel when scanning strings, and don't write
++ NUL again.
++ * archive.c (do_slurp_coff_armap): Simplify string handling to
++ archive64.c style.
++
+ 2019-02-19 Alan Modra <amodra@gmail.com>
+
+ PR 24235
+diff --git a/bfd/archive.c b/bfd/archive.c
+index d2d9b72..68a92a3 100644
+--- a/bfd/archive.c
++++ b/bfd/archive.c
+@@ -1012,6 +1012,7 @@ do_slurp_coff_armap (bfd *abfd)
+ int *raw_armap, *rawptr;
+ struct artdata *ardata = bfd_ardata (abfd);
+ char *stringbase;
++ char *stringend;
+ bfd_size_type stringsize;
+ bfd_size_type parsed_size;
+ carsym *carsyms;
+@@ -1071,22 +1072,18 @@ do_slurp_coff_armap (bfd *abfd)
+ }
+
+ /* OK, build the carsyms. */
+- for (i = 0; i < nsymz && stringsize > 0; i++)
++ stringend = stringbase + stringsize;
++ *stringend = 0;
++ for (i = 0; i < nsymz; i++)
+ {
+- bfd_size_type len;
+-
+ rawptr = raw_armap + i;
+ carsyms->file_offset = swap ((bfd_byte *) rawptr);
+ carsyms->name = stringbase;
+- /* PR 17512: file: 4a1d50c1. */
+- len = strnlen (stringbase, stringsize);
+- if (len < stringsize)
+- len ++;
+- stringbase += len;
+- stringsize -= len;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ carsyms++;
+ }
+- *stringbase = 0;
+
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
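Review bot: `*stringend = 0;` writes at stringbase + stringsize, one past the string data, so the allocation holding stringbase must be stringsize + 1 bytes; that allocation is not in this hunk, so please confirm it (the removed `*stringbase = 0;` could reach the same offset, which suggests it is, but a comment at the allocation site would settle it). Also keep the `PR 17512: file: 4a1d50c1.` reference that was dropped, since that testcase is what the new loop must still handle.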
+diff --git a/bfd/archive64.c b/bfd/archive64.c
+index 312bf82..42f6ed9 100644
+--- a/bfd/archive64.c
++++ b/bfd/archive64.c
+@@ -100,8 +100,6 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+ return FALSE;
+ carsyms = ardata->symdefs;
+ stringbase = ((char *) ardata->symdefs) + carsym_size;
+- stringbase[stringsize] = 0;
+- stringend = stringbase + stringsize;
+
+ raw_armap = (bfd_byte *) bfd_alloc (abfd, ptrsize);
+ if (raw_armap == NULL)
+@@ -115,15 +113,17 @@ _bfd_archive_64_bit_slurp_armap (bfd *abfd)
+ goto release_raw_armap;
+ }
+
++ stringend = stringbase + stringsize;
++ *stringend = 0;
+ for (i = 0; i < nsymz; i++)
+ {
+ carsyms->file_offset = bfd_getb64 (raw_armap + i * 8);
+ carsyms->name = stringbase;
+- if (stringbase < stringend)
+- stringbase += strlen (stringbase) + 1;
++ stringbase += strlen (stringbase);
++ if (stringbase != stringend)
++ ++stringbase;
+ ++carsyms;
+ }
+- *stringbase = '\0';
+
+ ardata->symdef_count = nsymz;
+ ardata->first_file_filepos = bfd_tell (abfd);
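Review bot: the fix is the pair `stringbase += strlen (stringbase);` / `if (stringbase != stringend) ++stringbase;`, which pins stringbase at the sentinel once the names are exhausted so surplus symbols get an empty name instead of walking past the buffer; it is only safe because `*stringend = 0;` is written immediately before the loop. Those two pieces must stay together, and the removed trailing `*stringbase = '\0';` was the out-of-bounds write, so the old `if (stringbase < stringend)` guard is no longer needed. A comment tying the sentinel to the loop would prevent someone reintroducing the guard-and-write pattern.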
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch
new file mode 100644
index 0000000000..ec8cde2503
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9076.patch
@@ -0,0 +1,49 @@
+From 9f841c583880eb6d0194455c1583a766f853e628 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Wed, 20 Feb 2019 12:06:31 +1030
+Subject: [PATCH] PR24233, Out of memory
+
+ PR 24233
+ * objdump.c (dump_bfd_private_header): Print warning if
+ bfd_print_private_bfd_data returns false.
+
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/7d272a55caebfc26ab2e15d1e9439bac978b9bb7]
+CVE: CVE-2019-9076
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ binutils/ChangeLog | 6 ++++++
+ binutils/objdump.c | 4 +++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/binutils/ChangeLog b/binutils/ChangeLog
+index f837c37..d5dd7cb 100644
+--- a/binutils/ChangeLog
++++ b/binutils/ChangeLog
+@@ -1,3 +1,9 @@
++2019-02-20 Alan Modra <amodra@gmail.com>
++
++ PR 24233
++ * objdump.c (dump_bfd_private_header): Print warning if
++ bfd_print_private_bfd_data returns false.
++
+ 2019-02-02 Nick Clifton <nickc@redhat.com>
+
+ * configure: Regenerate.
+diff --git a/binutils/objdump.c b/binutils/objdump.c
+index 8725390..7d0c6a4 100644
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3178,7 +3178,9 @@ dump_bfd_header (bfd *abfd)
+ static void
+ dump_bfd_private_header (bfd *abfd)
+ {
+- bfd_print_private_bfd_data (abfd, stdout);
++ if (!bfd_print_private_bfd_data (abfd, stdout))
++ non_fatal (_("warning: private headers incomplete: %s"),
++ bfd_errmsg (bfd_get_error ()));
+ }
+
+ static void
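Review bot: the new warning reports the bfd error but not which input it came from, which matters when objdump is run over several files; `non_fatal (_("warning: private headers incomplete: %s: %s"), bfd_get_filename (abfd), bfd_errmsg (bfd_get_error ()));` would. This hunk only surfaces the failure; if the bfd side needs a change for the PR 24233 input, it is not part of this patch (the diffstat touches only objdump.c), so the backport should say whether a companion bfd fix is expected.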
+--
+2.7.4
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch b/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch
new file mode 100644
index 0000000000..11ecb71b2e
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2019-9077.patch
@@ -0,0 +1,37 @@
+From f7bbc8890de45df6eda0ddef5dd04f835f54eecf Mon Sep 17 00:00:00 2001
+From: Nick Clifton <nickc@redhat.com>
+Date: Wed, 20 Feb 2019 17:03:47 +0000
+Subject: [PATCH] Fix a illegal memory access fault when parsing a corrupt MIPS
+ option section using readelf.
+
+ PR 24243
+ * readelf.c (process_mips_specific): Check for an options section
+ that is too small to even contain a single option.
+
+Upstream-Status: Backport [https://github.com/bminor/binutils-gdb/commit/7fc0c668f2aceb8582d74db1ad2528e2bba8a921]
+CVE: CVE-2019-9077
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ binutils/readelf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/binutils/readelf.c b/binutils/readelf.c
+index 9df3742..18ab806 100644
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -16179,6 +16179,12 @@ process_mips_specific (Filedata * filedata)
+ error (_("No MIPS_OPTIONS header found\n"));
+ return FALSE;
+ }
++ /* PR 24243 */
++ if (sect->sh_size < sizeof (* eopt))
++ {
++ error (_("The MIPS options section is too small.\n"));
++ return FALSE;
++ }
+
+ eopt = (Elf_External_Options *) get_data (NULL, filedata, options_offset, 1,
+ sect->sh_size, _("options"));
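Review bot: `sizeof (* eopt)` is used before eopt is assigned; that is legal because sizeof does not evaluate its operand, but it reads as a use-before-set, and `sizeof (Elf_External_Options)` (the type from the assignment two lines below) says the same thing more clearly. This check only guarantees room for the first option header; the size field of each option still needs validating in the loop that follows, which is outside the hunk.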
+--
+2.7.4
+
--
2.20.1
* [PATCH 4/4] openssh: fix CVE-2018-20685, CVE-2019-6109, CVE-2019-6111
2019-04-29 6:26 [PATCH 1/4] gcc: fix CVE-2018-18484 Anuj Mittal
2019-04-29 6:26 ` [PATCH 2/4] gdb: fix CVE-2017-9778 Anuj Mittal
2019-04-29 6:26 ` [PATCH 3/4] binutils: fix CVE-2019-9074 CVE-2019-9075 CVE-2019-9076 CVE-2019-9077 Anuj Mittal
@ 2019-04-29 6:26 ` Anuj Mittal
2 siblings, 0 replies; 4+ messages in thread
From: Anuj Mittal @ 2019-04-29 6:26 UTC (permalink / raw)
To: openembedded-core
Also backport a patch to fix issues introduced by the fix for CVE-2019-6109.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
...ogressmeter-force-an-update-at-the-b.patch | 121 ++++++++
.../openssh/openssh/CVE-2018-20685.patch | 40 +++
.../openssh/openssh/CVE-2019-6109.patch | 275 ++++++++++++++++++
.../openssh/openssh/CVE-2019-6111.patch | 187 ++++++++++++
.../openssh/openssh_7.9p1.bb | 4 +
5 files changed, 627 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2018-20685.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2019-6109.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2019-6111.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch b/meta/recipes-connectivity/openssh/openssh/0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch
new file mode 100644
index 0000000000..2fb57da635
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch
@@ -0,0 +1,121 @@
+From 5df934e2279e8ed1f07b990f4b2b3baf6470f7e5 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Thu, 24 Jan 2019 16:52:17 +0000
+Subject: [PATCH] upstream: Have progressmeter force an update at the beginning
+ and
+
+end of each transfer. Fixes the problem recently introduces where very quick
+transfers do not display the progressmeter at all. Spotted by naddy@
+
+OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
+Ustream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ progressmeter.c | 13 +++++--------
+ progressmeter.h | 4 ++--
+ scp.c | 2 +-
+ sftp-client.c | 2 +-
+ 4 files changed, 9 insertions(+), 12 deletions(-)
+
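Review bot: the header tag is misspelled `Ustream-Status: Backport`; OE's patch tooling looks for `Upstream-Status:`, so this patch would be reported as untagged. Fix the spelling and add the upstream reference in the usual bracketed form (the OpenBSD-Commit-ID above, or the commit named in the From line).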
+diff --git a/progressmeter.c b/progressmeter.c
+index add462d..e385c12 100644
+--- a/progressmeter.c
++++ b/progressmeter.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
++/* $OpenBSD: progressmeter.c,v 1.47 2019/01/24 16:52:17 dtucker Exp $ */
+ /*
+ * Copyright (c) 2003 Nils Nordman. All rights reserved.
+ *
+@@ -59,9 +59,6 @@ static void format_rate(char *, int, off_t);
+ static void sig_winch(int);
+ static void setscreensize(void);
+
+-/* updates the progressmeter to reflect the current state of the transfer */
+-void refresh_progress_meter(void);
+-
+ /* signal handler for updating the progress meter */
+ static void sig_alarm(int);
+
+@@ -120,7 +117,7 @@ format_size(char *buf, int size, off_t bytes)
+ }
+
+ void
+-refresh_progress_meter(void)
++refresh_progress_meter(int force_update)
+ {
+ char buf[MAX_WINSIZE + 1];
+ off_t transferred;
+@@ -131,7 +128,7 @@ refresh_progress_meter(void)
+ int hours, minutes, seconds;
+ int file_len;
+
+- if ((!alarm_fired && !win_resized) || !can_output())
++ if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+ return;
+ alarm_fired = 0;
+
+@@ -254,7 +251,7 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
+ bytes_per_second = 0;
+
+ setscreensize();
+- refresh_progress_meter();
++ refresh_progress_meter(1);
+
+ signal(SIGALRM, sig_alarm);
+ signal(SIGWINCH, sig_winch);
+@@ -271,7 +268,7 @@ stop_progress_meter(void)
+
+ /* Ensure we complete the progress */
+ if (cur_pos != end_pos)
+- refresh_progress_meter();
++ refresh_progress_meter(1);
+
+ atomicio(vwrite, STDOUT_FILENO, "\n", 1);
+ }
+diff --git a/progressmeter.h b/progressmeter.h
+index 8f66780..1703ea7 100644
+--- a/progressmeter.h
++++ b/progressmeter.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
++/* $OpenBSD: progressmeter.h,v 1.5 2019/01/24 16:52:17 dtucker Exp $ */
+ /*
+ * Copyright (c) 2002 Nils Nordman. All rights reserved.
+ *
+@@ -24,5 +24,5 @@
+ */
+
+ void start_progress_meter(const char *, off_t, off_t *);
+-void refresh_progress_meter(void);
++void refresh_progress_meter(int);
+ void stop_progress_meter(void);
+diff --git a/scp.c b/scp.c
+index 4a342a6..0587cec 100644
+--- a/scp.c
++++ b/scp.c
+@@ -585,7 +585,7 @@ scpio(void *_cnt, size_t s)
+ off_t *cnt = (off_t *)_cnt;
+
+ *cnt += s;
+- refresh_progress_meter();
++ refresh_progress_meter(0);
+ if (limit_kbps > 0)
+ bandwidth_limit(&bwlimit, s);
+ return 0;
+diff --git a/sftp-client.c b/sftp-client.c
+index 2bc698f..cf2887a 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -101,7 +101,7 @@ sftpio(void *_bwlimit, size_t amount)
+ {
+ struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
+
+- refresh_progress_meter();
++ refresh_progress_meter(0);
+ if (bwlimit != NULL)
+ bandwidth_limit(bwlimit, amount);
+ return 0;
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2018-20685.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2018-20685.patch
new file mode 100644
index 0000000000..e2fc607ff8
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2018-20685.patch
@@ -0,0 +1,40 @@
+From 6010c0303a422a9c5fa8860c061bf7105eb7f8b2 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 16 Nov 2018 03:03:10 +0000
+Subject: [PATCH] upstream: disallow empty incoming filename or ones that refer
+ to the
+
+current directory; based on report/patch from Harry Sintonen
+
+OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9
+
+CVE: CVE-2018-20685
+Ustream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ scp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/scp.c b/scp.c
+index 60682c6..4f3fdcd 100644
+--- a/scp.c
++++ b/scp.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: scp.c,v 1.197 2018/06/01 04:31:48 dtucker Exp $ */
++/* $OpenBSD: scp.c,v 1.198 2018/11/16 03:03:10 djm Exp $ */
+ /*
+ * scp - secure remote copy. This is basically patched BSD rcp which
+ * uses ssh to do the data transfer (instead of using rcmd).
+@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
+ SCREWUP("size out of range");
+ size = (off_t)ull;
+
+- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++ if (*cp == '\0' || strchr(cp, '/') != NULL ||
++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
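Review bot: this check is a literal deny-list (empty name, ".", "..", anything containing '/') applied to the name the server sent, so a malicious server can still answer with any other well-formed name; the glob restriction that narrows that is the separate CVE-2019-6111 patch in this series, whose scp.c hunk at "@@ -1112,6 +1130,9 @@" is anchored on the `run_err("error: unexpected filename: %s", cp);` context kept here, so this patch must stay ahead of it in SRC_URI. The `run_err()` followed by `exit(1)` matches the pre-existing error path, so nothing to change in the hunk itself.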
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2019-6109.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2019-6109.patch
new file mode 100644
index 0000000000..dabe4a6c97
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2019-6109.patch
@@ -0,0 +1,275 @@
+From 15d47c3bd8551521240bc459fc004c280daef817 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Wed, 23 Jan 2019 08:01:46 +0000
+Subject: [PATCH] upstream: Sanitize scp filenames via snmprintf. To do this we
+ move
+
+the progressmeter formatting outside of signal handler context and have the
+atomicio callback called for EINTR too. bz#2434 with contributions from djm
+and jjelen at redhat.com, ok djm@
+
+OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8
+CVE: CVE-2019-6109
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ atomicio.c | 20 +++++++++++++++-----
+ progressmeter.c | 53 ++++++++++++++++++++++++-----------------------------
+ progressmeter.h | 3 ++-
+ scp.c | 1 +
+ sftp-client.c | 16 +++++++++-------
+ 5 files changed, 51 insertions(+), 42 deletions(-)
+
+diff --git a/atomicio.c b/atomicio.c
+index f854a06..d91bd76 100644
+--- a/atomicio.c
++++ b/atomicio.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
++/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2006 Damien Miller. All rights reserved.
+ * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
+@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
+ res = (f) (fd, s + pos, n - pos);
+ switch (res) {
+ case -1:
+- if (errno == EINTR)
++ if (errno == EINTR) {
++ /* possible SIGALARM, update callback */
++ if (cb != NULL && cb(cb_arg, 0) == -1) {
++ errno = EINTR;
++ return pos;
++ }
+ continue;
+- if (errno == EAGAIN || errno == EWOULDBLOCK) {
++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READ_COMPARISON
+ (void)poll(&pfd, 1, -1);
+ #endif
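Review bot: the new callback invocation on EINTR passes a byte count of 0 (`cb(cb_arg, 0)`), so every callback handed to atomicio6()/atomiciov6() must now tolerate a zero-length call and whatever argument it was given; the sftp-client.c hunk later in this patch adds the `if (bwlimit != NULL)` guard in sftpio() for exactly that reason, and scpio() in scp.c (which now calls refresh_progress_meter() and then bandwidth_limit() with that count) should be checked the same way. Two nits: the comment says "SIGALARM" where the signal is SIGALRM, and the identical block is repeated verbatim in atomiciov6() below; a small static helper would keep the two EINTR paths from drifting apart.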
+@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
+ res = (f) (fd, iov, iovcnt);
+ switch (res) {
+ case -1:
+- if (errno == EINTR)
++ if (errno == EINTR) {
++ /* possible SIGALARM, update callback */
++ if (cb != NULL && cb(cb_arg, 0) == -1) {
++ errno = EINTR;
++ return pos;
++ }
+ continue;
+- if (errno == EAGAIN || errno == EWOULDBLOCK) {
++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ #ifndef BROKEN_READV_COMPARISON
+ (void)poll(&pfd, 1, -1);
+ #endif
+diff --git a/progressmeter.c b/progressmeter.c
+index fe9bf52..add462d 100644
+--- a/progressmeter.c
++++ b/progressmeter.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
++/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2003 Nils Nordman. All rights reserved.
+ *
+@@ -31,6 +31,7 @@
+
+ #include <errno.h>
+ #include <signal.h>
++#include <stdarg.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <time.h>
+@@ -39,6 +40,7 @@
+ #include "progressmeter.h"
+ #include "atomicio.h"
+ #include "misc.h"
++#include "utf8.h"
+
+ #define DEFAULT_WINSIZE 80
+ #define MAX_WINSIZE 512
+@@ -61,7 +63,7 @@ static void setscreensize(void);
+ void refresh_progress_meter(void);
+
+ /* signal handler for updating the progress meter */
+-static void update_progress_meter(int);
++static void sig_alarm(int);
+
+ static double start; /* start progress */
+ static double last_update; /* last progress update */
+@@ -74,6 +76,7 @@ static long stalled; /* how long we have been stalled */
+ static int bytes_per_second; /* current speed in bytes per second */
+ static int win_size; /* terminal window size */
+ static volatile sig_atomic_t win_resized; /* for window resizing */
++static volatile sig_atomic_t alarm_fired;
+
+ /* units for format_size */
+ static const char unit[] = " KMGT";
+@@ -126,9 +129,17 @@ refresh_progress_meter(void)
+ off_t bytes_left;
+ int cur_speed;
+ int hours, minutes, seconds;
+- int i, len;
+ int file_len;
+
++ if ((!alarm_fired && !win_resized) || !can_output())
++ return;
++ alarm_fired = 0;
++
++ if (win_resized) {
++ setscreensize();
++ win_resized = 0;
++ }
++
+ transferred = *counter - (cur_pos ? cur_pos : start_pos);
+ cur_pos = *counter;
+ now = monotime_double();
+@@ -158,16 +169,11 @@ refresh_progress_meter(void)
+
+ /* filename */
+ buf[0] = '\0';
+- file_len = win_size - 35;
++ file_len = win_size - 36;
+ if (file_len > 0) {
+- len = snprintf(buf, file_len + 1, "\r%s", file);
+- if (len < 0)
+- len = 0;
+- if (len >= file_len + 1)
+- len = file_len;
+- for (i = len; i < file_len; i++)
+- buf[i] = ' ';
+- buf[file_len] = '\0';
++ buf[0] = '\r';
++ snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s",
++ file_len * -1, file);
+ }
+
+ /* percent of transfer done */
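Review bot: the width change from `win_size - 35` to `win_size - 36` has no comment; it is needed because the '\r' now sits in buf[0] outside the width-limited field (the old snprintf counted it inside `file_len + 1`), and a one-line comment would stop a later reader from "fixing" it back. Also note that `file_len` is passed by address to snmprintf(), so after the call it no longer necessarily holds the requested field width; anything further down in refresh_progress_meter() that still reads `file_len` as the width should be checked. The substantive change is right: the old code copied the server-supplied filename into the terminal output verbatim, whereas snmprintf() (utf8.h) is OpenSSH's escaping formatter, so control characters in a server-chosen name no longer reach the terminal raw, which is the CVE-2019-6109 fix the commit message describes.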
+@@ -228,22 +234,11 @@ refresh_progress_meter(void)
+
+ /*ARGSUSED*/
+ static void
+-update_progress_meter(int ignore)
++sig_alarm(int ignore)
+ {
+- int save_errno;
+-
+- save_errno = errno;
+-
+- if (win_resized) {
+- setscreensize();
+- win_resized = 0;
+- }
+- if (can_output())
+- refresh_progress_meter();
+-
+- signal(SIGALRM, update_progress_meter);
++ signal(SIGALRM, sig_alarm);
++ alarm_fired = 1;
+ alarm(UPDATE_INTERVAL);
+- errno = save_errno;
+ }
+
+ void
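Review bot: the rewritten handler drops the `save_errno` / `errno = save_errno` bracketing while still calling signal() and alarm(), either of which may set errno on failure; since a SIGALRM can land between a failed read()/write() returning and the `errno == EINTR` test in atomicio(), keeping the two-line errno save is a cheap way to honour the POSIX guidance that handlers leave errno untouched. The rest of the reduction (set a flag, re-arm, do no formatting in signal context) is the right direction and is what makes the snmprintf() call in refresh_progress_meter() safe to use.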
+@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
+ bytes_per_second = 0;
+
+ setscreensize();
+- if (can_output())
+- refresh_progress_meter();
++ refresh_progress_meter();
+
+- signal(SIGALRM, update_progress_meter);
++ signal(SIGALRM, sig_alarm);
+ signal(SIGWINCH, sig_winch);
+ alarm(UPDATE_INTERVAL);
+ }
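Review bot: with the `(!alarm_fired && !win_resized)` early return added to refresh_progress_meter() earlier in this patch, the unconditional `refresh_progress_meter();` here runs with both flags clear on a fresh meter and prints nothing, so the meter first appears after the first SIGALRM and transfers shorter than UPDATE_INTERVAL never show it. That is the regression the separate 0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch in this series repairs by turning this call into `refresh_progress_meter(1)`; the two patches must be applied together, which the SRC_URI order does, but nothing in either patch header says so.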
+@@ -286,6 +280,7 @@ stop_progress_meter(void)
+ static void
+ sig_winch(int sig)
+ {
++ signal(SIGWINCH, sig_winch);
+ win_resized = 1;
+ }
+
+diff --git a/progressmeter.h b/progressmeter.h
+index bf179dc..8f66780 100644
+--- a/progressmeter.h
++++ b/progressmeter.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
++/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
+ /*
+ * Copyright (c) 2002 Nils Nordman. All rights reserved.
+ *
+@@ -24,4 +24,5 @@
+ */
+
+ void start_progress_meter(const char *, off_t, off_t *);
++void refresh_progress_meter(void);
+ void stop_progress_meter(void);
+diff --git a/scp.c b/scp.c
+index 4f3fdcd..4a342a6 100644
+--- a/scp.c
++++ b/scp.c
+@@ -585,6 +585,7 @@ scpio(void *_cnt, size_t s)
+ off_t *cnt = (off_t *)_cnt;
+
+ *cnt += s;
++ refresh_progress_meter();
+ if (limit_kbps > 0)
+ bandwidth_limit(&bwlimit, s);
+ return 0;
+diff --git a/sftp-client.c b/sftp-client.c
+index 4986d6d..2bc698f 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount)
+ {
+ struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
+
+- bandwidth_limit(bwlimit, amount);
++ refresh_progress_meter();
++ if (bwlimit != NULL)
++ bandwidth_limit(bwlimit, amount);
+ return 0;
+ }
+
+@@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m)
+ iov[1].iov_base = (u_char *)sshbuf_ptr(m);
+ iov[1].iov_len = sshbuf_len(m);
+
+- if (atomiciov6(writev, conn->fd_out, iov, 2,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) !=
++ if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) !=
+ sshbuf_len(m) + sizeof(mlen))
+ fatal("Couldn't send packet: %s", strerror(errno));
+
+@@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
+
+ if ((r = sshbuf_reserve(m, 4, &p)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- if (atomicio6(read, conn->fd_in, p, 4,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) {
++ if (atomicio6(read, conn->fd_in, p, 4, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) {
+ if (errno == EPIPE || errno == ECONNRESET)
+ fatal("Connection closed");
+ else
+@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial)
+
+ if ((r = sshbuf_reserve(m, msg_len, &p)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+- if (atomicio6(read, conn->fd_in, p, msg_len,
+- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in)
++ if (atomicio6(read, conn->fd_in, p, msg_len, sftpio,
++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL)
+ != msg_len) {
+ if (errno == EPIPE)
+ fatal("Connection closed");
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2019-6111.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2019-6111.patch
new file mode 100644
index 0000000000..80cf39b923
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2019-6111.patch
@@ -0,0 +1,187 @@
+From 15cc3497367d2e9729353b3df75518548e845c82 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sat, 26 Jan 2019 22:41:28 +0000
+Subject: [PATCH] upstream: check in scp client that filenames sent during
+
+remote->local directory copies satisfy the wildcard specified by the user.
+
+This checking provides some protection against a malicious server
+sending unexpected filenames, but it comes at a risk of rejecting wanted
+files due to differences between client and server wildcard expansion rules.
+
+For this reason, this also adds a new -T flag to disable the check.
+
+reported by Harry Sintonen
+fix approach suggested by markus@;
+has been in snaps for ~1wk courtesy deraadt@
+
+OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda
+
+CVE: CVE-2019-6111
+Ustream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ scp.1 | 12 +++++++++++-
+ scp.c | 37 +++++++++++++++++++++++++++++--------
+ 2 files changed, 40 insertions(+), 9 deletions(-)
+
+diff --git a/scp.1 b/scp.1
+index 0e5cc1b..397e770 100644
+--- a/scp.1
++++ b/scp.1
+@@ -18,7 +18,7 @@
+ .Nd secure copy (remote file copy program)
+ .Sh SYNOPSIS
+ .Nm scp
+-.Op Fl 346BCpqrv
++.Op Fl 346BCpqrTv
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+@@ -208,6 +208,16 @@ to use for the encrypted connection.
+ The program must understand
+ .Xr ssh 1
+ options.
++.It Fl T
++Disable strict filename checking.
++By default when copying files from a remote host to a local directory
++.Nm
++checks that the received filenames match those requested on the command-line
++to prevent the remote end from sending unexpected or unwanted files.
++Because of differences in how various operating systems and shells interpret
++filename wildcards, these checks may cause wanted files to be rejected.
++This option disables these checks at the expense of fully trusting that
++the server will not send unexpected filenames.
+ .It Fl v
+ Verbose mode.
+ Causes
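Review bot: the new -T text says the check applies "when copying files from a remote host to a local directory", but the scp.c hunk below only sets up the restriction when `!iamrecursive`, so recursive (-r) copies are never checked regardless of -T; the man page should say so, otherwise users of `scp -r` will believe they have a protection they do not. The synopsis line `.Op Fl 346BCpqrTv` is consistent with the updated getopt string.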
+diff --git a/scp.c b/scp.c
+index 0587cec..b2d331e 100644
+--- a/scp.c
++++ b/scp.c
+@@ -94,6 +94,7 @@
+ #include <dirent.h>
+ #include <errno.h>
+ #include <fcntl.h>
++#include <fnmatch.h>
+ #include <limits.h>
+ #include <locale.h>
+ #include <pwd.h>
+@@ -375,14 +376,14 @@ void verifydir(char *);
+ struct passwd *pwd;
+ uid_t userid;
+ int errs, remin, remout;
+-int pflag, iamremote, iamrecursive, targetshouldbedirectory;
++int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory;
+
+ #define CMDNEEDS 64
+ char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */
+
+ int response(void);
+ void rsource(char *, struct stat *);
+-void sink(int, char *[]);
++void sink(int, char *[], const char *);
+ void source(int, char *[]);
+ void tolocal(int, char *[]);
+ void toremote(int, char *[]);
+@@ -421,8 +422,9 @@ main(int argc, char **argv)
+ addargs(&args, "-oRemoteCommand=none");
+ addargs(&args, "-oRequestTTY=no");
+
+- fflag = tflag = 0;
+- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
++ fflag = Tflag = tflag = 0;
++ while ((ch = getopt(argc, argv,
++ "dfl:prtTvBCc:i:P:q12346S:o:F:")) != -1) {
+ switch (ch) {
+ /* User-visible flags. */
+ case '1':
+@@ -501,9 +503,13 @@ main(int argc, char **argv)
+ setmode(0, O_BINARY);
+ #endif
+ break;
++ case 'T':
++ Tflag = 1;
++ break;
+ default:
+ usage();
+ }
++ }
+ argc -= optind;
+ argv += optind;
+
+@@ -534,7 +540,7 @@ main(int argc, char **argv)
+ }
+ if (tflag) {
+ /* Receive data. */
+- sink(argc, argv);
++ sink(argc, argv, NULL);
+ exit(errs != 0);
+ }
+ if (argc < 2)
+@@ -792,7 +798,7 @@ tolocal(int argc, char **argv)
+ continue;
+ }
+ free(bp);
+- sink(1, argv + argc - 1);
++ sink(1, argv + argc - 1, src);
+ (void) close(remin);
+ remin = remout = -1;
+ }
+@@ -968,7 +974,7 @@ rsource(char *name, struct stat *statp)
+ (sizeof(type) != 4 && sizeof(type) != 8))
+
+ void
+-sink(int argc, char **argv)
++sink(int argc, char **argv, const char *src)
+ {
+ static BUF buffer;
+ struct stat stb;
+@@ -984,6 +990,7 @@ sink(int argc, char **argv)
+ unsigned long long ull;
+ int setimes, targisdir, wrerrno = 0;
+ char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
++ char *src_copy = NULL, *restrict_pattern = NULL;
+ struct timeval tv[2];
+
+ #define atime tv[0]
+@@ -1008,6 +1015,17 @@ sink(int argc, char **argv)
+ (void) atomicio(vwrite, remout, "", 1);
+ if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
+ targisdir = 1;
++ if (src != NULL && !iamrecursive && !Tflag) {
++ /*
++ * Prepare to try to restrict incoming filenames to match
++ * the requested destination file glob.
++ */
++ if ((src_copy = strdup(src)) == NULL)
++ fatal("strdup failed");
++ if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
++ *restrict_pattern++ = '\0';
++ }
++ }
+ for (first = 1;; first = 0) {
+ cp = buf;
+ if (atomicio(read, remin, cp, 1) != 1)
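Review bot: two gaps in the condition that sets up `restrict_pattern`. First, `!iamrecursive` exempts every `scp -r` transfer, so a recursive copy gets no glob check at all and relies only on the CVE-2018-20685 name filter. Second, if the remote path in `src` contains no '/', `strrchr()` returns NULL and `restrict_pattern` stays NULL, so a request such as `host:'*.txt'` gets no check either, although the user's pattern is then the whole of `src`; suggest `else restrict_pattern = src_copy;` after the `if`. Minor: `src_copy` is never freed in the visible code (sink() is also called recursively), and the comment says "destination file glob" where the pattern actually comes from the source argument.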
+@@ -1112,6 +1130,9 @@ sink(int argc, char **argv)
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
++ if (restrict_pattern != NULL &&
++ fnmatch(restrict_pattern, cp, 0) != 0)
++ SCREWUP("filename does not match request");
+ if (targisdir) {
+ static char *namebuf;
+ static size_t cursize;
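Review bot: `fnmatch(restrict_pattern, cp, 0)` runs with no flags, so a leading '.' in the received name is matched by ordinary wildcards; a request for `dir/*` therefore accepts a server-supplied `.bashrc` even though the server's shell would not have expanded `*` to dotfiles. Passing FNM_PERIOD would mirror shell semantics (an explicit pattern such as `.profile` still matches). Also, SCREWUP() aborts the whole transfer on the first mismatch rather than skipping that file, which is acceptable for a security check but is what makes the -T escape hatch in the man page necessary.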
+@@ -1149,7 +1170,7 @@ sink(int argc, char **argv)
+ goto bad;
+ }
+ vect[0] = xstrdup(np);
+- sink(1, vect);
++ sink(1, vect, src);
+ if (setimes) {
+ setimes = 0;
+ if (utimes(vect[0], tv) < 0)
+--
+2.7.4
+
diff --git a/meta/recipes-connectivity/openssh/openssh_7.9p1.bb b/meta/recipes-connectivity/openssh/openssh_7.9p1.bb
index 6260135d5b..b971b2b1e8 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.9p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.9p1.bb
@@ -24,6 +24,10 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
+ file://CVE-2018-20685.patch \
+ file://CVE-2019-6109.patch \
+ file://0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch \
+ file://CVE-2019-6111.patch \
"
SRC_URI[md5sum] = "c6af50b7a474d04726a5aa747a5dce8f"
SRC_URI[sha256sum] = "6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad"
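Review bot: the order of these four entries is load-bearing and should stay as written: the embedded index lines chain (scp.c 60682c6 -> 4f3fdcd -> 4a342a6 -> 0587cec -> b2d331e, progressmeter.c fe9bf52 -> add462d -> e385c12), and 0001-upstream-Have-progressmeter-force-an-update-at-the-b.patch repairs a regression of CVE-2019-6109.patch, so it must follow it and precede CVE-2019-6111.patch; a short comment above the block recording that would help the next person who reorders SRC_URI. Separately, three of the four patch headers (CVE-2018-20685.patch, the 0001 progressmeter patch and CVE-2019-6111.patch) carry "Ustream-Status:" instead of "Upstream-Status:"; only CVE-2019-6109.patch has the tag spelled correctly.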
--
2.20.1
Thread overview: 4+ messages
2019-04-29 6:26 [PATCH 1/4] gcc: fix CVE-2018-18484 Anuj Mittal
2019-04-29 6:26 ` [PATCH 2/4] gdb: fix CVE-2017-9778 Anuj Mittal
2019-04-29 6:26 ` [PATCH 3/4] binutils: fix CVE-2019-9074 CVE-2019-9075 CVE-2019-9076 CVE-2019-9077 Anuj Mittal
2019-04-29 6:26 ` [PATCH 4/4] openssh: fix CVE-2018-20685, CVE-2019-6109, CVE-2019-6111 Anuj Mittal