* [PATCH 0/4] Fix CVEs and qemu run-ptest script
From: kai.kang @ 2016-11-10 7:01 UTC
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
The following changes since commit 09278be8c209976da03f63b5a956d212ac171317:
conf/distro/include/maintainers: move toolchain to Khem Raj (2016-11-09 12:20:48 +0000)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib kangkai/fixes-20161110
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=kangkai/fixes-20161110
Kai Kang (4):
openssh: fix CVE-2016-8858
glibc: fix CVE-2016-6323
qemu: fix CVE-2016-7909
qemu: update run-ptest script
.../openssh/openssh/fix-CVE-2016-8858.patch | 39 ++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_7.3p1.bb | 1 +
...k-__startcontext-as-.cantunwind-bug-20435.patch | 46 ++++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.24.bb | 1 +
.../qemu/qemu/0004-fix-CVE-2016-7909.patch | 42 ++++++++++++++++++++
meta/recipes-devtools/qemu/qemu/run-ptest | 8 ++--
meta/recipes-devtools/qemu/qemu_2.7.0.bb | 1 +
7 files changed, 135 insertions(+), 3 deletions(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
create mode 100644 meta/recipes-core/glibc/glibc/0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
--
2.10.1
* [PATCH 1/4] openssh: fix CVE-2016-8858
From: kai.kang @ 2016-11-10 7:01 UTC
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix CVE-2016-8858 of openssh.
Ref:
https://bugzilla.redhat.com/show_bug.cgi?id=1384860
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
.../openssh/openssh/fix-CVE-2016-8858.patch | 39 ++++++++++++++++++++++
meta/recipes-connectivity/openssh/openssh_7.3p1.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch b/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
new file mode 100644
index 0000000..b26ee81
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
@@ -0,0 +1,39 @@
+Fix CVE-2016-8858 of openssh
+
+Backport patch from upstream and drop the change of comment which can NOT be applied.
+
+Upstream-Status: Backport [ https://anongit.mindrot.org/openssh.git/commit/?id=ec165c3 ]
+CVE: CVE-2016-8858
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
+From: "markus@openbsd.org" <markus@openbsd.org>
+Date: Mon, 10 Oct 2016 19:28:48 +0000
+Subject: [PATCH] upstream commit
+
+Unregister the KEXINIT handler after message has been
+received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
+allocation of up to 128MB -- until the connection is closed. Reported by
+shilei-c at 360.cn
+
+Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
+---
+ kex.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kex.c b/kex.c
+index 3f97f8c..6a94bc5 100644
+--- a/kex.c
++++ b/kex.c
+@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
+--
+2.10.1
+
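Review bot: the diffstat carried over from the upstream commit (`kex.c | 3 ++-`, `1 file changed, 2 insertions(+), 1 deletion(-)`) no longer matches the hunk that follows it: `@@ -481,6 +481,7 @@` adds exactly one line, the `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);` call, because the comment change was dropped as the header says. Regenerate the stat (or trim it to the single kex.c insertion) so the header documents what is actually applied. The fix itself matches its description: once the SSH2_MSG_KEXINIT handler is cleared on first receipt, a repeated KEXINIT from an unauthenticated peer can no longer re-enter kex_input_kexinit and append to kex->peer again via `sshbuf_put`.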
diff --git a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
index 039b0ff..94eb0ed 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
+ file://fix-CVE-2016-8858.patch \
"
PAM_SRC_URI = "file://sshd"
--
2.10.1
* [PATCH 2/4] glibc: fix CVE-2016-6323
From: kai.kang @ 2016-11-10 7:01 UTC
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix CVE-2016-6323 of glibc, and remove the section of
file ChangeLog which can't be applied.
Ref:
https://sourceware.org/bugzilla/show_bug.cgi?id=20435
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
...k-__startcontext-as-.cantunwind-bug-20435.patch | 46 ++++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.24.bb | 1 +
2 files changed, 47 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch
diff --git a/meta/recipes-core/glibc/glibc/0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch b/meta/recipes-core/glibc/glibc/0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch
new file mode 100644
index 0000000..95067d3
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch
@@ -0,0 +1,46 @@
+Backport patch to fix CVE-2016-6323 for glibc. And remove the section of
+ChangeLog which can't be applied.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e2ff6c]
+CVE: CVE-2016-6323
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Mon, 8 Aug 2016 09:29:18 +0200
+Subject: [PATCH] arm: mark __startcontext as .cantunwind (bug 20435)
+
+__startcontext marks the bottom of the call stack of the contexts created
+by makecontext.
+---
+ ChangeLog | 6 ++++++
+ sysdeps/unix/sysv/linux/arm/setcontext.S | 7 +++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/sysdeps/unix/sysv/linux/arm/setcontext.S b/sysdeps/unix/sysv/linux/arm/setcontext.S
+index 603e508..d1f168f 100644
+--- a/sysdeps/unix/sysv/linux/arm/setcontext.S
++++ b/sysdeps/unix/sysv/linux/arm/setcontext.S
+@@ -86,12 +86,19 @@ weak_alias(__setcontext, setcontext)
+
+ /* Called when a makecontext() context returns. Start the
+ context in R4 or fall through to exit(). */
++ /* Unwind descriptors are looked up based on PC - 2, so we have to
++ make sure to mark the instruction preceding the __startcontext
++ label as .cantunwind. */
++ .fnstart
++ .cantunwind
++ nop
+ ENTRY(__startcontext)
+ movs r0, r4
+ bne PLTJMP(__setcontext)
+
+ @ New context was 0 - exit
+ b PLTJMP(HIDDEN_JUMPTARGET(exit))
++ .fnend
+ END(__startcontext)
+
+ #ifdef PIC
+--
+2.10.1
+
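Review bot: the embedded upstream diffstat is stale in the same way as in patch 1/4: `ChangeLog | 6 ++++++` and `2 files changed, 13 insertions(+)` describe the original commit, but the ChangeLog hunk was dropped (as the first two lines of the file say), so only the 7-line setcontext.S change is applied; regenerate the stat to list setcontext.S alone. It would also help to add one sentence to the local header tying the change to CVE-2016-6323, using what the hunk's own comment already states: unwind descriptors are looked up from PC - 2, so the `nop` placed before `__startcontext` must sit inside the `.fnstart`/`.cantunwind` region, otherwise the unwinder does not stop at the bottom of a makecontext stack.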
diff --git a/meta/recipes-core/glibc/glibc_2.24.bb b/meta/recipes-core/glibc/glibc_2.24.bb
index f5a21b2..475c133 100644
--- a/meta/recipes-core/glibc/glibc_2.24.bb
+++ b/meta/recipes-core/glibc/glibc_2.24.bb
@@ -37,6 +37,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0024-eglibc-Forward-port-cross-locale-generation-support.patch \
file://0025-Define-DUMMY_LOCALE_T-if-not-defined.patch \
file://0026-build_local_scope.patch \
+ file://0027-arm-mark-__startcontext-as-.cantunwind-bug-20435.patch \
"
SRC_URI += "\
--
2.10.1
* [PATCH 3/4] qemu: fix CVE-2016-7909
From: kai.kang @ 2016-11-10 7:01 UTC
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
Backport patch to fix CVE-2016-7909 of qemu.
Ref:
https://security-tracker.debian.org/tracker/CVE-2016-7909
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
.../qemu/qemu/0004-fix-CVE-2016-7909.patch | 42 ++++++++++++++++++++++
meta/recipes-devtools/qemu/qemu_2.7.0.bb | 1 +
2 files changed, 43 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
diff --git a/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
new file mode 100644
index 0000000..e71bbf6
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0004-fix-CVE-2016-7909.patch
@@ -0,0 +1,42 @@
+Upstream-Status: Backport [http://git.qemu.org/?p=qemu.git;a=commit;h=34e29ce]
+CVE: CVE-2016-7909
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From 34e29ce754c02bb6b3bdd244fbb85033460feaff Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 30 Sep 2016 00:27:33 +0530
+Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
+
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/pcnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 198a01f..3078de8 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
+ case 47: /* POLLINT */
+ case 72:
+ case 74:
++ break;
+ case 76: /* RCVRL */
+ case 78: /* XMTRL */
++ val = (val > 0) ? val : 512;
++ break;
+ case 112:
+ if (CSR_STOP(s) || CSR_SPND(s))
+ break;
+--
+2.10.1
+
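Review bot: the added `break;` after `case 74:` changes the fall-through for CSR 47/72/74: before this hunk they fell straight through into the `case 112` check `if (CSR_STOP(s) || CSR_SPND(s)) break;`, and now they leave the switch before it; CSR76/78 likewise now break right after `val = (val > 0) ? val : 512;`. That is the upstream change, but this patch file, unlike the openssh and glibc ones in the series, has no description line above `Upstream-Status:`, so add one sentence stating that a zero RCVRL/XMTRL ring length is replaced by the 512 default (the upstream message says the valid range is 1 to 65535 and that zero causes an infinite loop in pcnet_rdra_addr() or pcnet_transmit()) and that CSR 47/72/74/76/78 no longer pass through the STOP/SPND check.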
diff --git a/meta/recipes-devtools/qemu/qemu_2.7.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
index a75bcdf..cef181d 100644
--- a/meta/recipes-devtools/qemu/qemu_2.7.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
@@ -12,6 +12,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
file://0001-virtio-zero-vq-inuse-in-virtio_reset.patch \
file://0002-fix-CVE-2016-7423.patch \
file://0003-fix-CVE-2016-7908.patch \
+ file://0004-fix-CVE-2016-7909.patch \
"
SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
--
2.10.1
* [PATCH 4/4] qemu: update run-ptest script
From: kai.kang @ 2016-11-10 7:01 UTC
To: openembedded-core
From: Kai Kang <kai.kang@windriver.com>
The Makefile in directory tests has been renamed, so update script
run-ptest to follow the change.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
meta/recipes-devtools/qemu/qemu/run-ptest | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-devtools/qemu/qemu/run-ptest b/meta/recipes-devtools/qemu/qemu/run-ptest
index f4b8e97..2206b31 100644
--- a/meta/recipes-devtools/qemu/qemu/run-ptest
+++ b/meta/recipes-devtools/qemu/qemu/run-ptest
@@ -1,8 +1,10 @@
#!/bin/sh
#
#This script is used to run qemu test suites
-ptestdir=$(pwd)
-cd tests
+#
+ptestdir=$(dirname "$(readlink -f "$0")")
export SRC_PATH=$ptestdir
-make -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g'
+
+cd $ptestdir/tests
+make -f Makefile.include -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g'
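Review bot: `cd $ptestdir/tests` is unquoted and unchecked, while `ptestdir` itself is built with a quoted `readlink -f`; if the directory is missing or the path contains a space, `make` runs in the wrong directory and, because its status is hidden behind the `| sed` pipe, the script still exits 0 with no PASS: lines and no error. Suggest `cd "$ptestdir/tests" || exit 1`. The pipe swallowing make's exit status is pre-existing, but the new blank `#` comment line could instead carry a note that results are judged from the PASS: prefix only.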
--
2.10.1