* [PATCH][dunfell 1/3] libproxy: fix CVE-2020-25219
@ 2020-10-19 12:59 Lee Chee Yang
2020-10-19 12:59 ` [PATCH][dunfell 2/3] python3: fix CVE-2020-26116 Lee Chee Yang
2020-10-19 12:59 ` [PATCH][dunfell 3/3] grub2: fix CVE-2020-10713 Lee Chee Yang
0 siblings, 2 replies; 3+ messages in thread
From: Lee Chee Yang @ 2020-10-19 12:59 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
.../libproxy/libproxy/CVE-2020-25219.patch | 61 +++++++++++++++++++
.../libproxy/libproxy_0.4.15.bb | 1 +
2 files changed, 62 insertions(+)
create mode 100644 meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
new file mode 100644
index 0000000000..3ef7f85451
--- /dev/null
+++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch
@@ -0,0 +1,61 @@
+From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@gnome.org>
+Date: Wed, 9 Sep 2020 11:12:02 -0500
+Subject: [PATCH] Rewrite url::recvline to be nonrecursive
+
+This function processes network input. It's semi-trusted, because the
+PAC ought to be trusted. But we still shouldn't allow it to control how
+far we recurse. A malicious PAC can cause us to overflow the stack by
+sending a sufficiently-long line without any '\n' character.
+
+Also, this function failed to properly handle EINTR, so let's fix that
+too, for good measure.
+
+Fixes #134
+
+Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa]
+CVE: CVE-2020-25219
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ libproxy/url.cpp | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..68d69cd 100644
+--- a/libproxy/url.cpp
++++ b/libproxy/url.cpp
+@@ -388,16 +388,24 @@ string url::to_string() const {
+ return m_orig;
+ }
+
+-static inline string recvline(int fd) {
+- // Read a character.
+- // If we don't get a character, return empty string.
+- // If we are at the end of the line, return empty string.
+- char c = '\0';
+-
+- if (recv(fd, &c, 1, 0) != 1 || c == '\n')
+- return "";
+-
+- return string(1, c) + recvline(fd);
++static string recvline(int fd) {
++ string line;
++ int ret;
++
++ // Reserve arbitrary amount of space to avoid small memory reallocations.
++ line.reserve(128);
++
++ do {
++ char c;
++ ret = recv(fd, &c, 1, 0);
++ if (ret == 1) {
++ if (c == '\n')
++ return line;
++ line += c;
++ }
++ } while (ret == 1 || (ret == -1 && errno == EINTR));
++
++ return line;
+ }
+
+ char* url::get_pac() {
diff --git a/meta/recipes-support/libproxy/libproxy_0.4.15.bb b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
index 19dddebd44..a14c358cc2 100644
--- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -10,6 +10,7 @@ DEPENDS = "glib-2.0"
SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
+ file://CVE-2020-25219.patch \
"
SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH][dunfell 2/3] python3: fix CVE-2020-26116
2020-10-19 12:59 [PATCH][dunfell 1/3] libproxy: fix CVE-2020-25219 Lee Chee Yang
@ 2020-10-19 12:59 ` Lee Chee Yang
2020-10-19 12:59 ` [PATCH][dunfell 3/3] grub2: fix CVE-2020-10713 Lee Chee Yang
1 sibling, 0 replies; 3+ messages in thread
From: Lee Chee Yang @ 2020-10-19 12:59 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
.../python/python3/CVE-2020-26116.patch | 104 ++++++++++++++++++
meta/recipes-devtools/python/python3_3.8.2.bb | 1 +
2 files changed, 105 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2020-26116.patch b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
new file mode 100644
index 0000000000..c019db2a76
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2020-26116.patch
@@ -0,0 +1,104 @@
+From 668d321476d974c4f51476b33aaca870272523bf Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Sat, 18 Jul 2020 13:39:12 -0700
+Subject: [PATCH] bpo-39603: Prevent header injection in http methods
+ (GH-18485)
+
+reject control chars in http method in http.client.putrequest to prevent http header injection
+(cherry picked from commit 8ca8a2e8fb068863c1138f07e3098478ef8be12e)
+
+Co-authored-by: AMIR <31338382+amiremohamadi@users.noreply.github.com>
+
+Upstream-Status: Backport [https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf]
+CVE: CVE-2020-26116
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ Lib/http/client.py | 15 +++++++++++++
+ Lib/test/test_httplib.py | 22 +++++++++++++++++++
+ .../2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst | 2 ++
+ 3 files changed, 39 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
+
+diff --git a/Lib/http/client.py b/Lib/http/client.py
+index 019380a720318..c2ad0471bfee5 100644
+--- a/Lib/http/client.py
++++ b/Lib/http/client.py
+@@ -147,6 +147,10 @@
+ # _is_allowed_url_pchars_re = re.compile(r"^[/!$&'()*+,;=:@%a-zA-Z0-9._~-]+$")
+ # We are more lenient for assumed real world compatibility purposes.
+
++# These characters are not allowed within HTTP method names
++# to prevent http header injection.
++_contains_disallowed_method_pchar_re = re.compile('[\x00-\x1f]')
++
+ # We always set the Content-Length header for these methods because some
+ # servers will otherwise respond with a 411
+ _METHODS_EXPECTING_BODY = {'PATCH', 'POST', 'PUT'}
+@@ -1087,6 +1091,8 @@ def putrequest(self, method, url, skip_host=False,
+ else:
+ raise CannotSendRequest(self.__state)
+
++ self._validate_method(method)
++
+ # Save the method for use later in the response phase
+ self._method = method
+
+@@ -1177,6 +1183,15 @@ def _encode_request(self, request):
+ # ASCII also helps prevent CVE-2019-9740.
+ return request.encode('ascii')
+
++ def _validate_method(self, method):
++ """Validate a method name for putrequest."""
++ # prevent http header injection
++ match = _contains_disallowed_method_pchar_re.search(method)
++ if match:
++ raise ValueError(
++ f"method can't contain control characters. {method!r} "
++ f"(found at least {match.group()!r})")
++
+ def _validate_path(self, url):
+ """Validate a url for putrequest."""
+ # Prevent CVE-2019-9740.
+diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
+index 8f0e27a1fb836..5a5fcecbc9c15 100644
+--- a/Lib/test/test_httplib.py
++++ b/Lib/test/test_httplib.py
+@@ -364,6 +364,28 @@ def test_headers_debuglevel(self):
+ self.assertEqual(lines[3], "header: Second: val2")
+
+
++class HttpMethodTests(TestCase):
++ def test_invalid_method_names(self):
++ methods = (
++ 'GET\r',
++ 'POST\n',
++ 'PUT\n\r',
++ 'POST\nValue',
++ 'POST\nHOST:abc',
++ 'GET\nrHost:abc\n',
++ 'POST\rRemainder:\r',
++ 'GET\rHOST:\n',
++ '\nPUT'
++ )
++
++ for method in methods:
++ with self.assertRaisesRegex(
++ ValueError, "method can't contain control characters"):
++ conn = client.HTTPConnection('example.com')
++ conn.sock = FakeSocket(None)
++ conn.request(method=method, url="/")
++
++
+ class TransferEncodingTest(TestCase):
+ expected_body = b"It's just a flesh wound"
+
+diff --git a/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
+new file mode 100644
+index 0000000000000..990affc3edd9d
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2020-02-12-14-17-39.bpo-39603.Gt3RSg.rst
+@@ -0,0 +1,2 @@
++Prevent http header injection by rejecting control characters in
++http.client.putrequest(...).
diff --git a/meta/recipes-devtools/python/python3_3.8.2.bb b/meta/recipes-devtools/python/python3_3.8.2.bb
index 99d9f6748f..169bc87988 100644
--- a/meta/recipes-devtools/python/python3_3.8.2.bb
+++ b/meta/recipes-devtools/python/python3_3.8.2.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
file://0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch \
file://CVE-2020-14422.patch \
+ file://CVE-2020-26116.patch \
"
SRC_URI_append_class-native = " \
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH][dunfell 3/3] grub2: fix CVE-2020-10713
2020-10-19 12:59 [PATCH][dunfell 1/3] libproxy: fix CVE-2020-25219 Lee Chee Yang
2020-10-19 12:59 ` [PATCH][dunfell 2/3] python3: fix CVE-2020-26116 Lee Chee Yang
@ 2020-10-19 12:59 ` Lee Chee Yang
1 sibling, 0 replies; 3+ messages in thread
From: Lee Chee Yang @ 2020-10-19 12:59 UTC (permalink / raw)
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
.../grub/files/CVE-2020-10713.patch | 73 +++++++++++++++++++
meta/recipes-bsp/grub/grub2.inc | 1 +
2 files changed, 74 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-10713.patch
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-10713.patch b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
new file mode 100644
index 0000000000..c507ed3ea8
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-10713.patch
@@ -0,0 +1,73 @@
+From a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 15 Apr 2020 15:45:02 -0400
+Subject: yylex: Make lexer fatal errors actually be fatal
+
+When presented with a command that can't be tokenized to anything
+smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
+expecting that will stop further processing, as such:
+
+ #define YY_DO_BEFORE_ACTION \
+ yyg->yytext_ptr = yy_bp; \
+ yyleng = (int) (yy_cp - yy_bp); \
+ yyg->yy_hold_char = *yy_cp; \
+ *yy_cp = '\0'; \
+ if ( yyleng >= YYLMAX ) \
+ YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
+ yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
+ yyg->yy_c_buf_p = yy_cp;
+
+The code flex generates expects that YY_FATAL_ERROR() will either return
+for it or do some form of longjmp(), or handle the error in some way at
+least, and so the strncpy() call isn't in an "else" clause, and thus if
+YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
+questionable limit, and predictable results ensue.
+
+Unfortunately, our implementation of YY_FATAL_ERROR() is:
+
+ #define YY_FATAL_ERROR(msg) \
+ do { \
+ grub_printf (_("fatal error: %s\n"), _(msg)); \
+ } while (0)
+
+The same pattern exists in yyless(), and similar problems exist in users
+of YY_INPUT(), several places in the main parsing loop,
+yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
+yy_scan_buffer(), etc.
+
+All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
+the things they do if it returns after calling it are wildly unsafe.
+
+Fixes: CVE-2020-10713
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=a4d3fbdff1e3ca8f87642af2ac8752c30c617a3e]
+CVE: CVE-2020-10713
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ grub-core/script/yylex.l | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
+index 7b44c37b7..b7203c823 100644
+--- a/grub-core/script/yylex.l
++++ b/grub-core/script/yylex.l
+@@ -37,11 +37,11 @@
+
+ /*
+ * As we don't have access to yyscanner, we cannot do much except to
+- * print the fatal error.
++ * print the fatal error and exit.
+ */
+ #define YY_FATAL_ERROR(msg) \
+ do { \
+- grub_printf (_("fatal error: %s\n"), _(msg)); \
++ grub_fatal (_("fatal error: %s\n"), _(msg));\
+ } while (0)
+
+ #define COPY(str, hint) \
+--
+cgit v1.2.1
+
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index e796904f5b..e3d929a824 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -18,6 +18,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://autogen.sh-exclude-pc.patch \
file://grub-module-explicitly-keeps-symbole-.module_license.patch \
file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \
+ file://CVE-2020-10713.patch \
"
SRC_URI[md5sum] = "5ce674ca6b2612d8939b9e6abed32934"
SRC_URI[sha256sum] = "f10c85ae3e204dbaec39ae22fa3c5e99f0665417e91c2cb49b7e5031658ba6ea"
--
2.17.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-10-19 13:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-19 12:59 [PATCH][dunfell 1/3] libproxy: fix CVE-2020-25219 Lee Chee Yang
2020-10-19 12:59 ` [PATCH][dunfell 2/3] python3: fix CVE-2020-26116 Lee Chee Yang
2020-10-19 12:59 ` [PATCH][dunfell 3/3] grub2: fix CVE-2020-10713 Lee Chee Yang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.