* [OE-core][dunfell 00/25] Patch review
@ 2021-09-24 14:15 Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 01/25] libgcrypt: Security fix CVE-2021-33560 Steve Sakoman
                   ` (24 more replies)
  0 siblings, 25 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back by end of
day Tuesday. Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2639

The following changes since commit 49ca1f62cc17c951b7737a4ee3c236f732bc8ebe:

  build-appliance-image: Update to dunfell head revision (2021-09-15 10:42:23 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (2):
  wic: keep rootfs_size as integer
  testimage: symlink the task log and qemu console log to tmp/log/oeqa

Armin Kuster (9):
  libgcrypt: Security fix CVE-2021-33560
  apr: Security fix for CVE-2021-35940
  libsndfile: Security fix for CVE-2021-3246
  qemu: Security fix CVE-2020-12829
  qemu: Security fix for CVE-2020-27617
  qemu: Security fix for CVE-2020-28916
  nettle: Security fix for CVE-2021-3580
  nettle: Security fix for CVE-2021-20305
  tar: ignore node-tar CVEs

Bruce Ashfield (2):
  linux-yocto/5.4: update to v5.4.143
  linux-yocto/5.4: update to v5.4.144

Jon Mason (2):
  Update mailing list address
  core-image-sato: Fix runqemu error for qemuarmv5

Kai Kang (1):
  squashfs-tools: fix CVE-2021-40153

Mike Crowe (1):
  curl: Fix CVE-2021-22946 and CVE-2021-22947, whitelist CVE-2021-22945

Ranjitsinh Rathod (1):
  rpm: Handle proper return value to avoid major issues

Richard Purdie (3):
  vim: Backport fix for CVE-2021-3770
  useradd: Ensure preinst data is expanded correctly in pkgdata
  bash: Ensure deterministic build

Ross Burton (1):
  libsoup-2.4: remove obsolete intltool dependency

Sakib Sajal (1):
  qemu: fix CVE-2021-3682

Steve Sakoman (1):
  connman: add CVE_PRODUCT

Visa Hankala (1):
  iputils: Fix regression of arp table update

 meta/classes/testimage.bbclass                |  12 +-
 meta/classes/useradd.bbclass                  |   4 +
 meta/conf/distro/include/maintainers.inc      |   2 +-
 meta/recipes-connectivity/connman/connman.inc |   2 +
 .../ldconfig-native-2.12.1/ldconfig.patch     |   2 +-
 meta/recipes-devtools/qemu/qemu.inc           |   8 +
 .../qemu/qemu/CVE-2020-12829_1.patch          | 164 ++++++++
 .../qemu/qemu/CVE-2020-12829_2.patch          | 139 +++++++
 .../qemu/qemu/CVE-2020-12829_3.patch          |  47 +++
 .../qemu/qemu/CVE-2020-12829_4.patch          | 100 +++++
 .../qemu/qemu/CVE-2020-12829_5.patch          | 266 +++++++++++++
 .../qemu/qemu/CVE-2020-27617.patch            |  49 +++
 .../qemu/qemu/CVE-2020-28916.patch            |  48 +++
 .../qemu/qemu/CVE-2021-3682.patch             |  41 ++
 ...rict-virtual-memory-usage-if-limit-s.patch |  25 +-
 .../squashfs-tools/files/CVE-2021-40153.patch | 253 +++++++++++++
 .../squashfs-tools/squashfs-tools_git.bb      |   1 +
 meta/recipes-extended/bash/bash.inc           |   5 +
 ...ng-make-update-neighbours-work-again.patch |  79 ++++
 .../iputils/iputils_s20190709.bb              |   1 +
 meta/recipes-extended/tar/tar_1.32.bb         |   1 +
 .../linux/linux-yocto-rt_5.4.bb               |   6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  |  22 +-
 .../libsndfile1/CVE-2021-3246_1.patch         |  36 ++
 .../libsndfile1/CVE-2021-3246_2.patch         |  44 +++
 .../libsndfile/libsndfile1_1.0.28.bb          |   2 +
 meta/recipes-sato/images/core-image-sato.bb   |   1 +
 .../apr/apr/CVE-2021-35940.patch              |  58 +++
 meta/recipes-support/apr/apr_1.7.0.bb         |   1 +
 .../curl/curl/CVE-2021-22946-pre1.patch       |  86 +++++
 .../curl/curl/CVE-2021-22946.patch            | 328 ++++++++++++++++
 .../curl/curl/CVE-2021-22947.patch            | 352 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   5 +-
 .../libgcrypt/files/CVE-2021-33560.patch      | 109 ++++++
 .../libgcrypt/libgcrypt_1.8.5.bb              |   1 +
 .../libsoup/libsoup-2.4_2.68.4.bb             |   2 +-
 .../nettle-3.5.1/CVE-2021-20305-1.patch       | 215 +++++++++++
 .../nettle-3.5.1/CVE-2021-20305-2.patch       |  53 +++
 .../nettle-3.5.1/CVE-2021-20305-3.patch       | 122 ++++++
 .../nettle-3.5.1/CVE-2021-20305-4.patch       |  48 +++
 .../nettle-3.5.1/CVE-2021-20305-5.patch       |  53 +++
 .../nettle/nettle-3.5.1/CVE-2021-3580_1.patch | 277 ++++++++++++++
 .../nettle/nettle-3.5.1/CVE-2021-3580_2.patch | 163 ++++++++
 meta/recipes-support/nettle/nettle_3.5.1.bb   |   7 +
 ...1e135a16091c93f6f5f7525a5c58fb7ca9f9.patch | 207 ++++++++++
 meta/recipes-support/vim/vim.inc              |   2 +
 scripts/lib/wic/partition.py                  |   2 +-
 48 files changed, 3423 insertions(+), 36 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch
 create mode 100644 meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
 create mode 100644 meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch
 create mode 100644 meta/recipes-support/apr/apr/CVE-2021-35940.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22946.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22947.patch
 create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch
 create mode 100644 meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch

-- 
2.25.1



* [OE-core][dunfell 01/25] libgcrypt: Security fix CVE-2021-33560
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 02/25] apr: Security fix for CVE-2021-35940 Steve Sakoman
                   ` (23 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Source: https://sources.debian.org/patches/libgcrypt20/1.8.4-5+deb10u1
MR: 111591
Type: Security Fix
Disposition: Backport from https://sources.debian.org/data/main/libg/libgcrypt20/1.8.4-5%2Bdeb10u1/debian/patches/31_cipher-Fix-ElGamal-encryption-for-other-implementati.patch
ChangeID: d066a9baacc0d967dd80ac54c684cde031ac686e
Description:

Affects before 1.8.8 and 1.9.x before 1.9.3

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libgcrypt/files/CVE-2021-33560.patch      | 109 ++++++++++++++++++
 .../libgcrypt/libgcrypt_1.8.5.bb              |   1 +
 2 files changed, 110 insertions(+)
 create mode 100644 meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch

diff --git a/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
new file mode 100644
index 0000000000..c0d00485e6
--- /dev/null
+++ b/meta/recipes-support/libgcrypt/files/CVE-2021-33560.patch
@@ -0,0 +1,109 @@
+From 707c3c5c511ee70ad0e39ec613471f665305fbea Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 21 May 2021 11:15:07 +0900
+Subject: [PATCH] cipher: Fix ElGamal encryption for other implementations.
+
+* cipher/elgamal.c (gen_k): Remove support of smaller K.
+(do_encrypt): Never use smaller K.
+(sign): Folllow the change of gen_k.
+
+--
+
+Cherry-pick master commit of:
+	632d80ef30e13de6926d503aa697f92b5dbfbc5e
+
+This change basically reverts encryption changes in two commits:
+
+	74386120dad6b3da62db37f7044267c8ef34689b
+	78531373a342aeb847950f404343a05e36022065
+
+Use of smaller K for ephemeral key in ElGamal encryption is only good,
+when we can guarantee that recipient's key is generated by our
+implementation (or compatible).
+
+For detail, please see:
+
+    Luca De Feo, Bertram Poettering, Alessandro Sorniotti,
+    "On the (in)security of ElGamal in OpenPGP";
+    in the proceedings of  CCS'2021.
+
+CVE-id: CVE-2021-33560
+GnuPG-bug-id: 5328
+Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-33560
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ cipher/elgamal.c | 24 ++++++------------------
+ 1 file changed, 6 insertions(+), 18 deletions(-)
+
+diff --git a/cipher/elgamal.c b/cipher/elgamal.c
+index 4eb52d62..ae7a631e 100644
+--- a/cipher/elgamal.c
++++ b/cipher/elgamal.c
+@@ -66,7 +66,7 @@ static const char *elg_names[] =
+ 
+ 
+ static int test_keys (ELG_secret_key *sk, unsigned int nbits, int nodie);
+-static gcry_mpi_t gen_k (gcry_mpi_t p, int small_k);
++static gcry_mpi_t gen_k (gcry_mpi_t p);
+ static gcry_err_code_t generate (ELG_secret_key *sk, unsigned nbits,
+                                  gcry_mpi_t **factors);
+ static int  check_secret_key (ELG_secret_key *sk);
+@@ -189,11 +189,10 @@ test_keys ( ELG_secret_key *sk, unsigned int nbits, int nodie )
+ 
+ /****************
+  * Generate a random secret exponent k from prime p, so that k is
+- * relatively prime to p-1.  With SMALL_K set, k will be selected for
+- * better encryption performance - this must never be used signing!
++ * relatively prime to p-1.
+  */
+ static gcry_mpi_t
+-gen_k( gcry_mpi_t p, int small_k )
++gen_k( gcry_mpi_t p )
+ {
+   gcry_mpi_t k = mpi_alloc_secure( 0 );
+   gcry_mpi_t temp = mpi_alloc( mpi_get_nlimbs(p) );
+@@ -202,18 +201,7 @@ gen_k( gcry_mpi_t p, int small_k )
+   unsigned int nbits, nbytes;
+   char *rndbuf = NULL;
+ 
+-  if (small_k)
+-    {
+-      /* Using a k much lesser than p is sufficient for encryption and
+-       * it greatly improves the encryption performance.  We use
+-       * Wiener's table and add a large safety margin. */
+-      nbits = wiener_map( orig_nbits ) * 3 / 2;
+-      if( nbits >= orig_nbits )
+-        BUG();
+-    }
+-  else
+-    nbits = orig_nbits;
+-
++  nbits = orig_nbits;
+ 
+   nbytes = (nbits+7)/8;
+   if( DBG_CIPHER )
+@@ -492,7 +480,7 @@ do_encrypt(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_public_key *pkey )
+    * error code.
+    */
+ 
+-  k = gen_k( pkey->p, 1 );
++  k = gen_k( pkey->p );
+   mpi_powm (a, pkey->g, k, pkey->p);
+ 
+   /* b = (y^k * input) mod p
+@@ -594,7 +582,7 @@ sign(gcry_mpi_t a, gcry_mpi_t b, gcry_mpi_t input, ELG_secret_key *skey )
+     *
+     */
+     mpi_sub_ui(p_1, p_1, 1);
+-    k = gen_k( skey->p, 0 /* no small K ! */ );
++    k = gen_k( skey->p );
+     mpi_powm( a, skey->g, k, skey->p );
+     mpi_mul(t, skey->x, a );
+     mpi_subm(t, input, t, p_1 );
+-- 
+2.30.2
+
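Review bot: in the gen_k() hunk of the embedded patch, the removed small_k branch holds the only call to wiener_map() visible in this diff; if that helper is static and has no other caller in cipher/elgamal.c it is left behind as dead code and can raise an unused-function warning, so please confirm against the 1.8.5 source the recipe builds. The patch header also records "Upstream-Status: Backport" with no reference, although the commit message names the Debian patch it was taken from and the header cites master commit 632d80ef30e13de6926d503aa697f92b5dbfbc5e; putting one of those on the Upstream-Status line would let the provenance be checked from the patch file alone. The prototype and both visible callers (do_encrypt and sign) follow the new one-argument signature. The removed comment says the smaller k "greatly improves the encryption performance", so the expected slowdown for ElGamal encryption deserves a line in the commit description, which is currently empty apart from the affected versions.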
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
index 16a58ad9b8..174b087b24 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -28,6 +28,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
            file://0002-AES-move-look-up-tables-to-.data-section-and-unshare.patch \
            file://0003-GCM-move-look-up-table-to-.data-section-and-unshare-.patch \
            file://determinism.patch \
+           file://CVE-2021-33560.patch \
 "
 SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
 SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
-- 
2.25.1



* [OE-core][dunfell 02/25] apr: Security fix for CVE-2021-35940
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 01/25] libgcrypt: Security fix CVE-2021-33560 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 03/25] libsndfile: Security fix for CVE-2021-3246 Steve Sakoman
                   ` (22 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Source:  https://dist.apache.org
MR: 112793
Type: Security Fix
Disposition: Backport from https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch
ChangeID: c8247210204ffcc7d1425e3d60f077ad3dd54ebc
Description:

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the
Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue
was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed
compared to 1.6.3 and is vulnerable to the same issue.

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../apr/apr/CVE-2021-35940.patch              | 58 +++++++++++++++++++
 meta/recipes-support/apr/apr_1.7.0.bb         |  1 +
 2 files changed, 59 insertions(+)
 create mode 100644 meta/recipes-support/apr/apr/CVE-2021-35940.patch

diff --git a/meta/recipes-support/apr/apr/CVE-2021-35940.patch b/meta/recipes-support/apr/apr/CVE-2021-35940.patch
new file mode 100644
index 0000000000..00befdacee
--- /dev/null
+++ b/meta/recipes-support/apr/apr/CVE-2021-35940.patch
@@ -0,0 +1,58 @@
+
+SECURITY: CVE-2021-35940 (cve.mitre.org)
+
+Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
+was addressed in 1.6.x in 1.6.3 and later via r1807976.
+
+The fix was merged back to 1.7.x in r1891198.
+
+Since this was a regression in 1.7.0, a new CVE name has been assigned
+to track this, CVE-2021-35940.
+
+Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
+
+https://svn.apache.org/viewvc?view=revision&revision=1891198
+
+Upstream-Status: Backport
+CVE: CVE-2021-35940
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+
+Index: time/unix/time.c
+===================================================================
+--- a/time/unix/time.c	(revision 1891197)
++++ b/time/unix/time.c	(revision 1891198)
+@@ -142,6 +142,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
+Index: time/win32/time.c
+===================================================================
+--- a/time/win32/time.c	(revision 1891197)
++++ b/time/win32/time.c	(revision 1891198)
+@@ -54,6 +54,9 @@
+     static const int dayoffset[12] =
+     {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+ 
++    if (tm->wMonth < 1 || tm->wMonth > 12)
++        return APR_EBADDATE;
++
+     /* Note; the caller is responsible for filling in detailed tm_usec,
+      * tm_gmtoff and tm_isdst data when applicable.
+      */
+@@ -228,6 +231,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
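Review bot: in the first time/win32/time.c hunk the guard accepts wMonth values 1 through 12, while dayoffset[] has 12 entries indexed 0 to 11, so the guard is only sufficient if the lookup that follows uses wMonth - 1 (or a field already converted to zero-based); the hunk context does not show the indexing expression, so please confirm it against the APR 1.7.0 source. The two tm_mon guards (xt->tm_mon < 0 || xt->tm_mon >= 12) match the array bounds directly. None of the three hunk headers carries a function name and the description only says apr_time_exp*(), so naming the guarded functions in the patch header would make it possible to check from the patch alone that every user of dayoffset[] is covered.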
diff --git a/meta/recipes-support/apr/apr_1.7.0.bb b/meta/recipes-support/apr/apr_1.7.0.bb
index 432fa3255c..92cc61a864 100644
--- a/meta/recipes-support/apr/apr_1.7.0.bb
+++ b/meta/recipes-support/apr/apr_1.7.0.bb
@@ -23,6 +23,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
            file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \
            file://libtoolize_check.patch \
            file://0001-Add-option-to-disable-timed-dependant-tests.patch \
+           file://CVE-2021-35940.patch \
            "
 
 SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7"
-- 
2.25.1



* [OE-core][dunfell 03/25] libsndfile: Security fix for CVE-2021-3246
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 01/25] libgcrypt: Security fix CVE-2021-33560 Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 02/25] apr: Security fix for CVE-2021-35940 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 04/25] qemu: Security fix CVE-2020-12829 Steve Sakoman
                   ` (21 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Source: https://github.com/libsndfile/libsndfile
MR: 112098
Type: Security Fix
Disposition: Backport from https://github.com/libsndfile/libsndfile/pull/713
ChangeID: 10d137de063b7a1e543ee96fbcf948945a452869
Description:

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsndfile1/CVE-2021-3246_1.patch         | 36 +++++++++++++++
 .../libsndfile1/CVE-2021-3246_2.patch         | 44 +++++++++++++++++++
 .../libsndfile/libsndfile1_1.0.28.bb          |  2 +
 3 files changed, 82 insertions(+)
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
 create mode 100644 meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
new file mode 100644
index 0000000000..6354f856cb
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
@@ -0,0 +1,36 @@
+From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Wed, 17 Feb 2021 23:21:48 +0000
+Subject: [PATCH 1/2] wavlike: Fix incorrect size check
+
+The SF_CART_INFO_16K struct has an additional 4 byte field to hold
+the size of 'tag_text' which the file header doesn't, so don't
+include it as part of the check when looking for the max length.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026
+
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/wavlike.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: libsndfile-1.0.28/src/wavlike.c
+===================================================================
+--- libsndfile-1.0.28.orig/src/wavlike.c
++++ libsndfile-1.0.28/src/wavlike.c
+@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
+ 		return 0 ;
+ 		} ;
+ 
+-	if (chunksize >= sizeof (SF_CART_INFO_16K))
++	/*
++	**	SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
++	**	of the chunk, so don't include it in the size check.
++	*/
++	if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
+ 	{	psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
+ 		psf_binheader_readf (psf, "j", chunksize) ;
+ 		return 0 ;
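Review bot: the new bound in wavlike_read_cart_chunk(), chunksize >= sizeof (SF_CART_INFO_16K) - 4, hard-codes the width of tag_text_size as a literal 4; deriving it from the field itself (sizeof of that member or of its declared type) would keep the check correct if the struct definition changes and would make the comment above it verifiable by the compiler. As this is a backport the change belongs upstream, but it is worth confirming that the struct in the 1.0.28 tree this recipe builds declares that field as 4 bytes, since the definition is not part of the hunk.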
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch
new file mode 100644
index 0000000000..d6b03d7d4d
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_2.patch
@@ -0,0 +1,44 @@
+From deb669ee8be55a94565f6f8a6b60890c2e7c6f32 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Thu, 18 Feb 2021 21:52:09 +0000
+Subject: [PATCH 2/2] ms_adpcm: Fix and extend size checks
+
+'blockalign' is the size of a block, and each block contains 7 samples
+per channel as part of the preamble, so check against 'samplesperblock'
+rather than 'blockalign'. Also add an additional check that the block
+is big enough to hold the samples it claims to hold.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26803
+
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/ms_adpcm.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
+index 5e8f1a31..a21cb994 100644
+--- a/src/ms_adpcm.c
++++ b/src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init	(SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ 	if (psf->file.mode == SFM_WRITE)
+ 		samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+ 
+-	if (blockalign < 7 * psf->sf.channels)
+-	{	psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
++	/* There's 7 samples per channel in the preamble of each block */
++	if (samplesperblock < 7 * psf->sf.channels)
++	{	psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++		return SFE_INTERNAL ;
++		} ;
++
++	if (2 * blockalign < samplesperblock * psf->sf.channels)
++	{	psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+ 		return SFE_INTERNAL ;
+ 		} ;
+ 
+-- 
+2.25.1
+
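Review bot: both new checks in wavlike_msadpcm_init() multiply the int parameters blockalign and samplesperblock by small constants or by psf->sf.channels (7 * psf->sf.channels, 2 * blockalign, samplesperblock * psf->sf.channels), and no upper bound on those inputs is visible in this hunk; with large values the signed products can overflow and the comparisons stop meaning what the comment says. Bounding the inputs before multiplying, or comparing in a wider type, would make the size check robust. A smaller point on the second log message: it prints samplesperblock * psf->sf.channels / 2, which truncates for an odd product, so the minimum it reports can be one less than the bound actually enforced by 2 * blockalign < samplesperblock * psf->sf.channels.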
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 044881a859..2525af8fe0 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -20,6 +20,8 @@ SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
            file://CVE-2017-12562.patch \
            file://CVE-2018-19758.patch \
            file://CVE-2019-3832.patch \
+           file://CVE-2021-3246_1.patch \
+           file://CVE-2021-3246_2.patch \
           "
 
 SRC_URI[md5sum] = "646b5f98ce89ac60cdb060fcd398247c"
-- 
2.25.1



* [OE-core][dunfell 04/25] qemu: Security fix CVE-2020-12829
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 03/25] libsndfile: Security fix for CVE-2021-3246 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 05/25] qemu: Security fix for CVE-2020-27617 Steve Sakoman
                   ` (20 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Source: qemu.org
MR: 105490
Type: Security Fix
Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4
ChangeID: 6e222b766fc67c76cdc311d02cc47801992d0e66
Description:

Affects qemu < 5.0.0

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |   5 +
 .../qemu/qemu/CVE-2020-12829_1.patch          | 164 +++++++++++
 .../qemu/qemu/CVE-2020-12829_2.patch          | 139 +++++++++
 .../qemu/qemu/CVE-2020-12829_3.patch          |  47 ++++
 .../qemu/qemu/CVE-2020-12829_4.patch          | 100 +++++++
 .../qemu/qemu/CVE-2020-12829_5.patch          | 266 ++++++++++++++++++
 6 files changed, 721 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index c8c170dda0..f5e8a9ae49 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -84,6 +84,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2021-3582.patch \
            file://CVE-2021-3607.patch \
            file://CVE-2021-3608.patch \
+           file://CVE-2020-12829_1.patch \
+           file://CVE-2020-12829_2.patch \
+           file://CVE-2020-12829_3.patch \
+           file://CVE-2020-12829_4.patch \
+           file://CVE-2020-12829_5.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
new file mode 100644
index 0000000000..6fee4f640d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_1.patch
@@ -0,0 +1,164 @@
+From e29da77e5fddf6480e3a0e80b63d703edaec751b Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH] sm501: Convert printf + abort to qemu_log_mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some places already use qemu_log_mask() to log unimplemented features
+or errors but some others have printf() then abort(). Convert these to
+qemu_log_mask() and avoid aborting to prevent guests to easily cause
+denial of service.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 305af87f59d81e92f2aaff09eb8a3603b8baa322.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 57 ++++++++++++++++++++++------------------------
+ 1 file changed, 27 insertions(+), 30 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index acc692531a..bd3ccfe311 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -727,8 +727,8 @@ static void sm501_2d_operation(SM501State *s)
+     int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+ 
+     if (addressing != 0x0) {
+-        printf("%s: only XY addressing is supported.\n", __func__);
+-        abort();
++        qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
++        return;
+     }
+ 
+     if (rop_mode == 0) {
+@@ -754,8 +754,8 @@ static void sm501_2d_operation(SM501State *s)
+ 
+     if ((s->twoD_source_base & 0x08000000) ||
+         (s->twoD_destination_base & 0x08000000)) {
+-        printf("%s: only local memory is supported.\n", __func__);
+-        abort();
++        qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
++        return;
+     }
+ 
+     switch (operation) {
+@@ -823,9 +823,9 @@ static void sm501_2d_operation(SM501State *s)
+         break;
+ 
+     default:
+-        printf("non-implemented SM501 2D operation. %d\n", operation);
+-        abort();
+-        break;
++        qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
++                      operation);
++        return;
+     }
+ 
+     if (dst_base >= get_fb_addr(s, crt) &&
+@@ -892,9 +892,8 @@ static uint64_t sm501_system_config_read(void *opaque, hwaddr addr,
+         break;
+ 
+     default:
+-        printf("sm501 system config : not implemented register read."
+-               " addr=%x\n", (int)addr);
+-        abort();
++        qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
++                      "register read. addr=%" HWADDR_PRIx "\n", addr);
+     }
+ 
+     return ret;
+@@ -948,15 +947,15 @@ static void sm501_system_config_write(void *opaque, hwaddr addr,
+         break;
+     case SM501_ENDIAN_CONTROL:
+         if (value & 0x00000001) {
+-            printf("sm501 system config : big endian mode not implemented.\n");
+-            abort();
++            qemu_log_mask(LOG_UNIMP, "sm501: system config big endian mode not"
++                          " implemented.\n");
+         }
+         break;
+ 
+     default:
+-        printf("sm501 system config : not implemented register write."
+-               " addr=%x, val=%x\n", (int)addr, (uint32_t)value);
+-        abort();
++        qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
++                      "register write. addr=%" HWADDR_PRIx
++                      ", val=%" PRIx64 "\n", addr, value);
+     }
+ }
+ 
+@@ -1207,9 +1206,8 @@ static uint64_t sm501_disp_ctrl_read(void *opaque, hwaddr addr,
+         break;
+ 
+     default:
+-        printf("sm501 disp ctrl : not implemented register read."
+-               " addr=%x\n", (int)addr);
+-        abort();
++        qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++                      "read. addr=%" HWADDR_PRIx "\n", addr);
+     }
+ 
+     return ret;
+@@ -1345,9 +1343,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr,
+         break;
+ 
+     default:
+-        printf("sm501 disp ctrl : not implemented register write."
+-               " addr=%x, val=%x\n", (int)addr, (unsigned)value);
+-        abort();
++        qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++                      "write. addr=%" HWADDR_PRIx
++                      ", val=%" PRIx64 "\n", addr, value);
+     }
+ }
+ 
+@@ -1433,9 +1431,8 @@ static uint64_t sm501_2d_engine_read(void *opaque, hwaddr addr,
+         ret = 0; /* Should return interrupt status */
+         break;
+     default:
+-        printf("sm501 disp ctrl : not implemented register read."
+-               " addr=%x\n", (int)addr);
+-        abort();
++        qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
++                      "read. addr=%" HWADDR_PRIx "\n", addr);
+     }
+ 
+     return ret;
+@@ -1520,9 +1517,9 @@ static void sm501_2d_engine_write(void *opaque, hwaddr addr,
+         /* ignored, writing 0 should clear interrupt status */
+         break;
+     default:
+-        printf("sm501 2d engine : not implemented register write."
+-               " addr=%x, val=%x\n", (int)addr, (unsigned)value);
+-        abort();
++        qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2d engine register "
++                      "write. addr=%" HWADDR_PRIx
++                      ", val=%" PRIx64 "\n", addr, value);
+     }
+ }
+ 
+@@ -1670,9 +1667,9 @@ static void sm501_update_display(void *opaque)
+         draw_line = draw_line32_funcs[dst_depth_index];
+         break;
+     default:
+-        printf("sm501 update display : invalid control register value.\n");
+-        abort();
+-        break;
++        qemu_log_mask(LOG_GUEST_ERROR, "sm501: update display"
++                      "invalid control register value.\n");
++        return;
+     }
+ 
+     /* set up to draw hardware cursor */
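Review bot: The two string literals in the new qemu_log_mask call in sm501_update_display are joined without a separator, so the message prints as "sm501: update displayinvalid control register value.". End the first literal with a separator, for example "sm501: update display: ".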
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
new file mode 100644
index 0000000000..e7258a43d3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_2.patch
@@ -0,0 +1,139 @@
+From 6f8183b5dc5b309378687830a25e85ea8fb860ea Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 2/5] sm501: Shorten long variable names in sm501_2d_operation
+
+This increases readability and cleans up some confusing naming.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: b9b67b94c46e945252a73c77dfd117132c63c4fb.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 45 ++++++++++++++++++++++-----------------------
+ 1 file changed, 22 insertions(+), 23 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index bd3ccfe311..f42d05e1e4 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -700,17 +700,16 @@ static inline void hwc_invalidate(SM501State *s, int crt)
+ static void sm501_2d_operation(SM501State *s)
+ {
+     /* obtain operation parameters */
+-    int operation = (s->twoD_control >> 16) & 0x1f;
++    int cmd = (s->twoD_control >> 16) & 0x1F;
+     int rtl = s->twoD_control & 0x8000000;
+     int src_x = (s->twoD_source >> 16) & 0x01FFF;
+     int src_y = s->twoD_source & 0xFFFF;
+     int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+     int dst_y = s->twoD_destination & 0xFFFF;
+-    int operation_width = (s->twoD_dimension >> 16) & 0x1FFF;
+-    int operation_height = s->twoD_dimension & 0xFFFF;
++    int width = (s->twoD_dimension >> 16) & 0x1FFF;
++    int height = s->twoD_dimension & 0xFFFF;
+     uint32_t color = s->twoD_foreground;
+-    int format_flags = (s->twoD_stretch >> 20) & 0x3;
+-    int addressing = (s->twoD_stretch >> 16) & 0xF;
++    int format = (s->twoD_stretch >> 20) & 0x3;
+     int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
+     /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+     int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+@@ -721,12 +720,12 @@ static void sm501_2d_operation(SM501State *s)
+     /* get frame buffer info */
+     uint8_t *src = s->local_mem + src_base;
+     uint8_t *dst = s->local_mem + dst_base;
+-    int src_width = s->twoD_pitch & 0x1FFF;
+-    int dst_width = (s->twoD_pitch >> 16) & 0x1FFF;
++    int src_pitch = s->twoD_pitch & 0x1FFF;
++    int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+     int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+     int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+ 
+-    if (addressing != 0x0) {
++    if ((s->twoD_stretch >> 16) & 0xF) {
+         qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
+         return;
+     }
+@@ -758,20 +757,20 @@ static void sm501_2d_operation(SM501State *s)
+         return;
+     }
+ 
+-    switch (operation) {
++    switch (cmd) {
+     case 0x00: /* copy area */
+ #define COPY_AREA(_bpp, _pixel_type, rtl) {                                   \
+         int y, x, index_d, index_s;                                           \
+-        for (y = 0; y < operation_height; y++) {                              \
+-            for (x = 0; x < operation_width; x++) {                           \
++        for (y = 0; y < height; y++) {                              \
++            for (x = 0; x < width; x++) {                           \
+                 _pixel_type val;                                              \
+                                                                               \
+                 if (rtl) {                                                    \
+-                    index_s = ((src_y - y) * src_width + src_x - x) * _bpp;   \
+-                    index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp;   \
++                    index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp;   \
++                    index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp;   \
+                 } else {                                                      \
+-                    index_s = ((src_y + y) * src_width + src_x + x) * _bpp;   \
+-                    index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp;   \
++                    index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp;   \
++                    index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp;   \
+                 }                                                             \
+                 if (rop_mode == 1 && rop == 5) {                              \
+                     /* Invert dest */                                         \
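Review bot: Style point on the COPY_AREA macro: the renamed loop lines (`for (y = 0; y < height; y++) {` and `for (x = 0; x < width; x++) {`) keep their old padding, so their line-continuation backslashes no longer line up with the rest of the macro. Re-pad those two lines; the same applies to the two loop lines of FILL_RECT further down in this patch.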
+@@ -783,7 +782,7 @@ static void sm501_2d_operation(SM501State *s)
+             }                                                                 \
+         }                                                                     \
+     }
+-        switch (format_flags) {
++        switch (format) {
+         case 0:
+             COPY_AREA(1, uint8_t, rtl);
+             break;
+@@ -799,15 +798,15 @@ static void sm501_2d_operation(SM501State *s)
+     case 0x01: /* fill rectangle */
+ #define FILL_RECT(_bpp, _pixel_type) {                                      \
+         int y, x;                                                           \
+-        for (y = 0; y < operation_height; y++) {                            \
+-            for (x = 0; x < operation_width; x++) {                         \
+-                int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp;   \
++        for (y = 0; y < height; y++) {                            \
++            for (x = 0; x < width; x++) {                         \
++                int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp;   \
+                 *(_pixel_type *)&dst[index] = (_pixel_type)color;           \
+             }                                                               \
+         }                                                                   \
+     }
+ 
+-        switch (format_flags) {
++        switch (format) {
+         case 0:
+             FILL_RECT(1, uint8_t);
+             break;
+@@ -824,14 +823,14 @@ static void sm501_2d_operation(SM501State *s)
+ 
+     default:
+         qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+-                      operation);
++                      cmd);
+         return;
+     }
+ 
+     if (dst_base >= get_fb_addr(s, crt) &&
+         dst_base <= get_fb_addr(s, crt) + fb_len) {
+-        int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width +
+-                           dst_x + operation_width) * (1 << format_flags));
++        int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch +
++                          dst_x + width) * (1 << format));
+         if (dst_len) {
+             memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len);
+         }
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch
new file mode 100644
index 0000000000..c647028cfe
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_3.patch
@@ -0,0 +1,47 @@
+From 2824809b7f8f03ddc6e2b7e33e78c06022424298 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 3/5] sm501: Use BIT(x) macro to shorten constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 124bf5de8d7cf503b32b377d0445029a76bfbd49.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index f42d05e1e4..97660090bb 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -701,7 +701,7 @@ static void sm501_2d_operation(SM501State *s)
+ {
+     /* obtain operation parameters */
+     int cmd = (s->twoD_control >> 16) & 0x1F;
+-    int rtl = s->twoD_control & 0x8000000;
++    int rtl = s->twoD_control & BIT(27);
+     int src_x = (s->twoD_source >> 16) & 0x01FFF;
+     int src_y = s->twoD_source & 0xFFFF;
+     int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+@@ -751,8 +751,7 @@ static void sm501_2d_operation(SM501State *s)
+         }
+     }
+ 
+-    if ((s->twoD_source_base & 0x08000000) ||
+-        (s->twoD_destination_base & 0x08000000)) {
++    if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {
+         qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
+         return;
+     }
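Review bot: The rewritten condition `s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)` drops the parentheses the old code had around each mask test. It is correct because `&` binds tighter than `||`, but mixing the two unparenthesised tends to draw compiler warnings and slows the reader down; keeping `(a & BIT(27)) || (b & BIT(27))` still fits on one line.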
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
new file mode 100644
index 0000000000..485af05e1e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_4.patch
@@ -0,0 +1,100 @@
+From 3d0b096298b5579a7fa0753ad90968b27bc65372 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 4/5] sm501: Clean up local variables in sm501_2d_operation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Make variables local to the block they are used in to make it clearer
+which operation they are needed for.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: ae59f8138afe7f6a5a4a82539d0f61496a906b06.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 dep#4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index 97660090bb..5ed57703d8 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -699,28 +699,19 @@ static inline void hwc_invalidate(SM501State *s, int crt)
+ 
+ static void sm501_2d_operation(SM501State *s)
+ {
+-    /* obtain operation parameters */
+     int cmd = (s->twoD_control >> 16) & 0x1F;
+     int rtl = s->twoD_control & BIT(27);
+-    int src_x = (s->twoD_source >> 16) & 0x01FFF;
+-    int src_y = s->twoD_source & 0xFFFF;
+-    int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+-    int dst_y = s->twoD_destination & 0xFFFF;
+-    int width = (s->twoD_dimension >> 16) & 0x1FFF;
+-    int height = s->twoD_dimension & 0xFFFF;
+-    uint32_t color = s->twoD_foreground;
+     int format = (s->twoD_stretch >> 20) & 0x3;
+     int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
+     /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+     int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+     int rop = s->twoD_control & 0xFF;
+-    uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
++    int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
++    int dst_y = s->twoD_destination & 0xFFFF;
++    int width = (s->twoD_dimension >> 16) & 0x1FFF;
++    int height = s->twoD_dimension & 0xFFFF;
+     uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
+-
+-    /* get frame buffer info */
+-    uint8_t *src = s->local_mem + src_base;
+     uint8_t *dst = s->local_mem + dst_base;
+-    int src_pitch = s->twoD_pitch & 0x1FFF;
+     int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+     int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+     int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+@@ -758,6 +749,13 @@ static void sm501_2d_operation(SM501State *s)
+ 
+     switch (cmd) {
+     case 0x00: /* copy area */
++    {
++        int src_x = (s->twoD_source >> 16) & 0x01FFF;
++        int src_y = s->twoD_source & 0xFFFF;
++        uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
++        uint8_t *src = s->local_mem + src_base;
++        int src_pitch = s->twoD_pitch & 0x1FFF;
++
+ #define COPY_AREA(_bpp, _pixel_type, rtl) {                                   \
+         int y, x, index_d, index_s;                                           \
+         for (y = 0; y < height; y++) {                              \
+@@ -793,8 +791,11 @@ static void sm501_2d_operation(SM501State *s)
+             break;
+         }
+         break;
+-
++    }
+     case 0x01: /* fill rectangle */
++    {
++        uint32_t color = s->twoD_foreground;
++
+ #define FILL_RECT(_bpp, _pixel_type) {                                      \
+         int y, x;                                                           \
+         for (y = 0; y < height; y++) {                            \
+@@ -819,7 +820,7 @@ static void sm501_2d_operation(SM501State *s)
+             break;
+         }
+         break;
+-
++    }
+     default:
+         qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
+                       cmd);
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch
new file mode 100644
index 0000000000..ab09e8b039
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-12829_5.patch
@@ -0,0 +1,266 @@
+From b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Thu, 21 May 2020 21:39:44 +0200
+Subject: [PATCH 5/5] sm501: Replace hand written implementation with pixman
+ where possible
+
+Besides being faster this should also prevent malicious guests to
+abuse 2D engine to overwrite data or cause a crash.
+
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-12829 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/display/sm501.c | 207 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 119 insertions(+), 88 deletions(-)
+
+diff --git a/hw/display/sm501.c b/hw/display/sm501.c
+index 5ed57703d8..8bf4d111f4 100644
+--- a/hw/display/sm501.c
++++ b/hw/display/sm501.c
+@@ -706,13 +706,12 @@ static void sm501_2d_operation(SM501State *s)
+     /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
+     int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
+     int rop = s->twoD_control & 0xFF;
+-    int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
+-    int dst_y = s->twoD_destination & 0xFFFF;
+-    int width = (s->twoD_dimension >> 16) & 0x1FFF;
+-    int height = s->twoD_dimension & 0xFFFF;
++    unsigned int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
++    unsigned int dst_y = s->twoD_destination & 0xFFFF;
++    unsigned int width = (s->twoD_dimension >> 16) & 0x1FFF;
++    unsigned int height = s->twoD_dimension & 0xFFFF;
+     uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
+-    uint8_t *dst = s->local_mem + dst_base;
+-    int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
++    unsigned int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
+     int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
+     int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
+ 
+@@ -721,104 +720,136 @@ static void sm501_2d_operation(SM501State *s)
+         return;
+     }
+ 
+-    if (rop_mode == 0) {
+-        if (rop != 0xcc) {
+-            /* Anything other than plain copies are not supported */
+-            qemu_log_mask(LOG_UNIMP, "sm501: rop3 mode with rop %x is not "
+-                          "supported.\n", rop);
+-        }
+-    } else {
+-        if (rop2_source_is_pattern && rop != 0x5) {
+-            /* For pattern source, we support only inverse dest */
+-            qemu_log_mask(LOG_UNIMP, "sm501: rop2 source being the pattern and "
+-                          "rop %x is not supported.\n", rop);
+-        } else {
+-            if (rop != 0x5 && rop != 0xc) {
+-                /* Anything other than plain copies or inverse dest is not
+-                 * supported */
+-                qemu_log_mask(LOG_UNIMP, "sm501: rop mode %x is not "
+-                              "supported.\n", rop);
+-            }
+-        }
+-    }
+-
+     if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {
+         qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
+         return;
+     }
+ 
++    if (!dst_pitch) {
++        qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero dest pitch.\n");
++        return;
++    }
++
++    if (!width || !height) {
++        qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero size 2D op.\n");
++        return;
++    }
++
++    if (rtl) {
++        dst_x -= width - 1;
++        dst_y -= height - 1;
++    }
++
++    if (dst_base >= get_local_mem_size(s) || dst_base +
++        (dst_x + width + (dst_y + height) * (dst_pitch + width)) *
++        (1 << format) >= get_local_mem_size(s)) {
++        qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest is outside vram.\n");
++        return;
++    }
++
+     switch (cmd) {
+-    case 0x00: /* copy area */
++    case 0: /* BitBlt */
+     {
+-        int src_x = (s->twoD_source >> 16) & 0x01FFF;
+-        int src_y = s->twoD_source & 0xFFFF;
++        unsigned int src_x = (s->twoD_source >> 16) & 0x01FFF;
++        unsigned int src_y = s->twoD_source & 0xFFFF;
+         uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
+-        uint8_t *src = s->local_mem + src_base;
+-        int src_pitch = s->twoD_pitch & 0x1FFF;
+-
+-#define COPY_AREA(_bpp, _pixel_type, rtl) {                                   \
+-        int y, x, index_d, index_s;                                           \
+-        for (y = 0; y < height; y++) {                              \
+-            for (x = 0; x < width; x++) {                           \
+-                _pixel_type val;                                              \
+-                                                                              \
+-                if (rtl) {                                                    \
+-                    index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp;   \
+-                    index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp;   \
+-                } else {                                                      \
+-                    index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp;   \
+-                    index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp;   \
+-                }                                                             \
+-                if (rop_mode == 1 && rop == 5) {                              \
+-                    /* Invert dest */                                         \
+-                    val = ~*(_pixel_type *)&dst[index_d];                     \
+-                } else {                                                      \
+-                    val = *(_pixel_type *)&src[index_s];                      \
+-                }                                                             \
+-                *(_pixel_type *)&dst[index_d] = val;                          \
+-            }                                                                 \
+-        }                                                                     \
+-    }
+-        switch (format) {
+-        case 0:
+-            COPY_AREA(1, uint8_t, rtl);
+-            break;
+-        case 1:
+-            COPY_AREA(2, uint16_t, rtl);
+-            break;
+-        case 2:
+-            COPY_AREA(4, uint32_t, rtl);
+-            break;
++        unsigned int src_pitch = s->twoD_pitch & 0x1FFF;
++
++        if (!src_pitch) {
++            qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero src pitch.\n");
++            return;
++        }
++
++        if (rtl) {
++            src_x -= width - 1;
++            src_y -= height - 1;
++        }
++
++        if (src_base >= get_local_mem_size(s) || src_base +
++            (src_x + width + (src_y + height) * (src_pitch + width)) *
++            (1 << format) >= get_local_mem_size(s)) {
++            qemu_log_mask(LOG_GUEST_ERROR,
++                          "sm501: 2D op src is outside vram.\n");
++            return;
++        }
++
++        if ((rop_mode && rop == 0x5) || (!rop_mode && rop == 0x55)) {
++            /* Invert dest, is there a way to do this with pixman? */
++            unsigned int x, y, i;
++            uint8_t *d = s->local_mem + dst_base;
++
++            for (y = 0; y < height; y++) {
++                i = (dst_x + (dst_y + y) * dst_pitch) * (1 << format);
++                for (x = 0; x < width; x++, i += (1 << format)) {
++                    switch (format) {
++                    case 0:
++                        d[i] = ~d[i];
++                        break;
++                    case 1:
++                        *(uint16_t *)&d[i] = ~*(uint16_t *)&d[i];
++                        break;
++                    case 2:
++                        *(uint32_t *)&d[i] = ~*(uint32_t *)&d[i];
++                        break;
++                    }
++                }
++            }
++        } else {
++            /* Do copy src for unimplemented ops, better than unpainted area */
++            if ((rop_mode && (rop != 0xc || rop2_source_is_pattern)) ||
++                (!rop_mode && rop != 0xcc)) {
++                qemu_log_mask(LOG_UNIMP,
++                              "sm501: rop%d op %x%s not implemented\n",
++                              (rop_mode ? 2 : 3), rop,
++                              (rop2_source_is_pattern ?
++                                  " with pattern source" : ""));
++            }
++            /* Check for overlaps, this could be made more exact */
++            uint32_t sb, se, db, de;
++            sb = src_base + src_x + src_y * (width + src_pitch);
++            se = sb + width + height * (width + src_pitch);
++            db = dst_base + dst_x + dst_y * (width + dst_pitch);
++            de = db + width + height * (width + dst_pitch);
++            if (rtl && ((db >= sb && db <= se) || (de >= sb && de <= se))) {
++                /* regions may overlap: copy via temporary */
++                int llb = width * (1 << format);
++                int tmp_stride = DIV_ROUND_UP(llb, sizeof(uint32_t));
++                uint32_t *tmp = g_malloc(tmp_stride * sizeof(uint32_t) *
++                                         height);
++                pixman_blt((uint32_t *)&s->local_mem[src_base], tmp,
++                           src_pitch * (1 << format) / sizeof(uint32_t),
++                           tmp_stride, 8 * (1 << format), 8 * (1 << format),
++                           src_x, src_y, 0, 0, width, height);
++                pixman_blt(tmp, (uint32_t *)&s->local_mem[dst_base],
++                           tmp_stride,
++                           dst_pitch * (1 << format) / sizeof(uint32_t),
++                           8 * (1 << format), 8 * (1 << format),
++                           0, 0, dst_x, dst_y, width, height);
++                g_free(tmp);
++            } else {
++                pixman_blt((uint32_t *)&s->local_mem[src_base],
++                           (uint32_t *)&s->local_mem[dst_base],
++                           src_pitch * (1 << format) / sizeof(uint32_t),
++                           dst_pitch * (1 << format) / sizeof(uint32_t),
++                           8 * (1 << format), 8 * (1 << format),
++                           src_x, src_y, dst_x, dst_y, width, height);
++            }
+         }
+         break;
+     }
+-    case 0x01: /* fill rectangle */
++    case 1: /* Rectangle Fill */
+     {
+         uint32_t color = s->twoD_foreground;
+ 
+-#define FILL_RECT(_bpp, _pixel_type) {                                      \
+-        int y, x;                                                           \
+-        for (y = 0; y < height; y++) {                            \
+-            for (x = 0; x < width; x++) {                         \
+-                int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp;   \
+-                *(_pixel_type *)&dst[index] = (_pixel_type)color;           \
+-            }                                                               \
+-        }                                                                   \
+-    }
+-
+-        switch (format) {
+-        case 0:
+-            FILL_RECT(1, uint8_t);
+-            break;
+-        case 1:
+-            color = cpu_to_le16(color);
+-            FILL_RECT(2, uint16_t);
+-            break;
+-        case 2:
++        if (format == 2) {
+             color = cpu_to_le32(color);
+-            FILL_RECT(4, uint32_t);
+-            break;
++        } else if (format == 1) {
++            color = cpu_to_le16(color);
+         }
++
++        pixman_fill((uint32_t *)&s->local_mem[dst_base],
++                    dst_pitch * (1 << format) / sizeof(uint32_t),
++                    8 * (1 << format), dst_x, dst_y, width, height, color);
+         break;
+     }
+     default:
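Review bot: The new "outside vram" checks for dest and src are computed in 32-bit unsigned arithmetic on guest-written register fields, so they can wrap and pass. With rtl set, `dst_x -= width - 1` underflows whenever dst_x is smaller than width - 1, and the following `dst_x + width` brings the sum back to a small value; separately, `(dst_y + height) * (dst_pitch + width) * (1 << format)` can exceed 32 bits with 16-bit y and height fields. Suggest rejecting the rtl case when dst_x < width - 1 or dst_y < height - 1 (and likewise for src_x and src_y) before subtracting, and evaluating the extent in uint64_t before comparing it with get_local_mem_size(s).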
+-- 
+2.25.1
+
-- 
2.25.1



* [OE-core][dunfell 05/25] qemu: Security fix for CVE-2020-27617
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (3 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 04/25] qemu: Security fix CVE-2020-12829 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 06/25] qemu: Security fix for CVE-2020-28916 Steve Sakoman
                   ` (19 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Source: qemu.org
MR: 106462
Type: Security Fix
Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=7564bf7701f00214cdc8a678a9f7df765244def1
ChangeID: b9dc1b656c07d6a0aecaf7680ed33801bd5f6352
Description:

Affects qemu < 5.2.0

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2020-27617.patch            | 49 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index f5e8a9ae49..3113d638d7 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -89,6 +89,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2020-12829_3.patch \
            file://CVE-2020-12829_4.patch \
            file://CVE-2020-12829_5.patch \
+           file://CVE-2020-27617.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch
new file mode 100644
index 0000000000..7bfc2beecb
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-27617.patch
@@ -0,0 +1,49 @@
+From 7564bf7701f00214cdc8a678a9f7df765244def1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 21 Oct 2020 11:35:50 +0530
+Subject: [PATCH] net: remove an assert call in eth_get_gso_type
+
+eth_get_gso_type() routine returns segmentation offload type based on
+L3 protocol type. It calls g_assert_not_reached if L3 protocol is
+unknown, making the following return statement unreachable. Remove the
+g_assert call, it maybe triggered by a guest user.
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upsteram-Status: Backport
+CVE: CVE-2020-27617
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ net/eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
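Review bot: The trailer in this patch header is spelled "Upsteram-Status: Backport", while the other patches in this series use "Upstream-Status". Anything that matches on the tag name will not find it here, so the spelling should be corrected before this is merged.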
+diff --git a/net/eth.c b/net/eth.c
+index 0c1d413ee2..1e0821c5f8 100644
+--- a/net/eth.c
++++ b/net/eth.c
+@@ -16,6 +16,7 @@
+  */
+ 
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "net/eth.h"
+ #include "net/checksum.h"
+ #include "net/tap.h"
+@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
+             return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
+         }
+     }
+-
+-    /* Unsupported offload */
+-    g_assert_not_reached();
++    qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
++        "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
+ 
+     return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
+ }
+-- 
+2.25.1
+
-- 
2.25.1



* [OE-core][dunfell 06/25] qemu: Security fix for CVE-2020-28916
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (4 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 05/25] qemu: Security fix for CVE-2020-27617 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 07/25] qemu: fix CVE-2021-3682 Steve Sakoman
                   ` (18 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Source: qemu.org
MR: 107262
Type: Security Fix
Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=c2cb511634012344e3d0fe49a037a33b12d8a98a
ChangeID: 3024b894ab045c1a74ab2276359d5e599ec9e822
Description:

Affects qemu < 5.0.0

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2020-28916.patch            | 48 +++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 3113d638d7..211c03e57b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -90,6 +90,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2020-12829_4.patch \
            file://CVE-2020-12829_5.patch \
            file://CVE-2020-27617.patch \
+           file://CVE-2020-28916.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
new file mode 100644
index 0000000000..756b1c1495
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-28916.patch
@@ -0,0 +1,48 @@
+From c2cb511634012344e3d0fe49a037a33b12d8a98a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 11 Nov 2020 18:36:36 +0530
+Subject: [PATCH] hw/net/e1000e: advance desc_offset in case of null descriptor
+
+While receiving packets via e1000e_write_packet_to_guest() routine,
+'desc_offset' is advanced only when RX descriptor is processed. And
+RX descriptor is not processed if it has NULL buffer address.
+This may lead to an infinite loop condition. Increament 'desc_offset'
+to process next descriptor in the ring to avoid infinite loop.
+
+Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2020-28916
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/net/e1000e_core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
+index d8b9e4b2f4..095c01ebc6 100644
+--- a/hw/net/e1000e_core.c
++++ b/hw/net/e1000e_core.c
+@@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
+                           (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
+                 }
+             }
+-            desc_offset += desc_size;
+-            if (desc_offset >= total_size) {
+-                is_last = true;
+-            }
+         } else { /* as per intel docs; skip descriptors with null buf addr */
+             trace_e1000e_rx_null_descriptor();
+         }
++        desc_offset += desc_size;
++        if (desc_offset >= total_size) {
++            is_last = true;
++        }
+ 
+         e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
+                            rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
+-- 
+2.25.1
+
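Review bot: in the e1000e_core.c change, moving `desc_offset += desc_size` below the else branch means a descriptor with a null buffer address is now counted toward total_size even though that branch writes nothing and only calls trace_e1000e_rx_null_descriptor(). The loop now terminates, but it can also finish with less than total_size written to the guest, and is_last can become true on a null descriptor that is then passed to e1000e_write_rx_descr() with core->rx_pkt. The patch header should state that this is the intended behaviour. The Upstream-Status line could also carry the upstream commit id c2cb511634012344e3d0fe49a037a33b12d8a98a in brackets, as the CVE-2021-3682 patch in this series does.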
-- 
2.25.1



* [OE-core][dunfell 07/25] qemu: fix CVE-2021-3682
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (5 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 06/25] qemu: Security fix for CVE-2020-28916 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 08/25] nettle: Security fix for CVE-2021-3580 Steve Sakoman
                   ` (17 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Sakib Sajal <sakib.sajal@windriver.com>

Source: https://git.yoctoproject.org/git/poky
MR: 112369
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-devtools/qemu?id=48960ce56265e9ec7ec352c0d0fcde6ed44569be
ChangeID: 799afc7adf3f2c915751744b618e38cccb01d854
Description:

(From OE-Core rev: e16cd155c5ef7cfe8b4d3a94485cb7b13fd95036)

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 48960ce56265e9ec7ec352c0d0fcde6ed44569be)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2021-3682.patch             | 41 +++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 211c03e57b..ef9bc3f64a 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -91,6 +91,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2020-12829_5.patch \
            file://CVE-2020-27617.patch \
            file://CVE-2020-28916.patch \
+           file://CVE-2021-3682.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch
new file mode 100644
index 0000000000..50a49233d3
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3682.patch
@@ -0,0 +1,41 @@
+From 5e796671e6b8d5de4b0b423dce1b3eba144a92c9 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 22 Jul 2021 09:27:56 +0200
+Subject: [PATCH] usbredir: fix free call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+data might point into the middle of a larger buffer, there is a separate
+free_on_destroy pointer passed into bufp_alloc() to handle that.  It is
+only used in the normal workflow though, not when dropping packets due
+to the queue being full.  Fix that.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210722072756.647673-1-kraxel@redhat.com>
+
+CVE: CVE-2021-3682
+Upstream-Status: Backport [5e796671e6b8d5de4b0b423dce1b3eba144a92c9]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ hw/usb/redirect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 4ec9326e05..1ec909a63a 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -476,7 +476,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len,
+     if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
+         if (dev->endpoint[EP2I(ep)].bufpq_size >
+                 dev->endpoint[EP2I(ep)].bufpq_target_size) {
+-            free(data);
++            free(free_on_destroy);
+             return -1;
+         }
+         dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
+-- 
+2.25.1
+
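Review bot: in bufp_alloc(), the queue-full path now releases free_on_destroy and returns -1, so the buffer is gone on the error return too, yet nothing in the hunk documents that ownership passes to bufp_alloc() on every return. A short comment above the function saying that callers must not use or free the buffer after any return, including -1, would guard against a double free being reintroduced at a call site.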
-- 
2.25.1



* [OE-core][dunfell 08/25] nettle: Security fix for CVE-2021-3580
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (6 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 07/25] qemu: fix CVE-2021-3682 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 09/25] curl: Fix CVE-2021-22946 and CVE-2021-22947, whitelist CVE-2021-22945 Steve Sakoman
                   ` (16 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Source: https://git.lysator.liu.se/nettle/nettle
MR: 112331
Type: Security Fix
Disposition: Backport from https://git.lysator.liu.se/nettle/nettle/-/commit/0ad0b5df315665250dfdaa4a1e087f4799edaefe
ChangeID: ffbbadbfa862e715ec7da4695d7db67484f8517a
Description:

Affects nettle < 3.7.3

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../nettle/nettle-3.5.1/CVE-2021-3580_1.patch | 277 ++++++++++++++++++
 .../nettle/nettle-3.5.1/CVE-2021-3580_2.patch | 163 +++++++++++
 meta/recipes-support/nettle/nettle_3.5.1.bb   |   2 +
 3 files changed, 442 insertions(+)
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch

diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
new file mode 100644
index 0000000000..ac3a638e72
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_1.patch
@@ -0,0 +1,277 @@
+From cd6059aebdd3059fbcf674dddb850b821c13b6c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:31:39 +0200
+Subject: [PATCH 1/2] Change _rsa_sec_compute_root_tr to take a fix input size.
+
+Improves consistency with _rsa_sec_compute_root, and fixes zero-input bug.
+
+(cherry picked from commit 485b5e2820a057e873b1ba812fdb39cae4adf98c)
+
+Upstream-Status: Backport
+CVE: CVE-2021-3580 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog                    | 17 +++++++++-
+ rsa-decrypt-tr.c             |  7 ++---
+ rsa-internal.h               |  4 +--
+ rsa-sec-decrypt.c            |  9 ++++--
+ rsa-sign-tr.c                | 61 +++++++++++++++++-------------------
+ testsuite/rsa-encrypt-test.c | 14 ++++++++-
+ 6 files changed, 69 insertions(+), 43 deletions(-)
+
+Index: nettle-3.5.1/rsa-decrypt-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt-tr.c
++++ nettle-3.5.1/rsa-decrypt-tr.c
+@@ -52,14 +52,13 @@ rsa_decrypt_tr(const struct rsa_public_k
+   mp_size_t key_limb_size;
+   int res;
+ 
+-  key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++  key_limb_size = mpz_size(pub->n);
+ 
+   TMP_GMP_ALLOC (m, key_limb_size);
+   TMP_GMP_ALLOC (em, key->size);
++  mpz_limbs_copy(m, gibberish, key_limb_size);
+ 
+-  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+-				  mpz_limbs_read(gibberish),
+-				  mpz_size(gibberish));
++  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+ 
+   mpn_get_base256 (em, key->size, m, key_limb_size);
+ 
+Index: nettle-3.5.1/rsa-internal.h
+===================================================================
+--- nettle-3.5.1.orig/rsa-internal.h
++++ nettle-3.5.1/rsa-internal.h
+@@ -78,11 +78,11 @@ _rsa_sec_compute_root(const struct rsa_p
+                       mp_limb_t *scratch);
+ 
+ /* Safe side-channel silent variant, using RSA blinding, and checking the
+- * result after CRT. */
++ * result after CRT. In-place calls, with x == m, is allowed. */
+ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ 			 const struct rsa_private_key *key,
+ 			 void *random_ctx, nettle_random_func *random,
+-			 mp_limb_t *x, const mp_limb_t *m, size_t mn);
++			 mp_limb_t *x, const mp_limb_t *m);
+ 
+ #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
+Index: nettle-3.5.1/rsa-sec-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sec-decrypt.c
++++ nettle-3.5.1/rsa-sec-decrypt.c
+@@ -58,9 +58,12 @@ rsa_sec_decrypt(const struct rsa_public_
+   TMP_GMP_ALLOC (m, mpz_size(pub->n));
+   TMP_GMP_ALLOC (em, key->size);
+ 
+-  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m,
+-				  mpz_limbs_read(gibberish),
+-				  mpz_size(gibberish));
++  /* We need a copy because m can be shorter than key_size,
++   * but _rsa_sec_compute_root_tr expect all inputs to be
++   * normalized to a key_size long buffer length */
++  mpz_limbs_copy(m, gibberish, mpz_size(pub->n));
++
++  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m);
+ 
+   mpn_get_base256 (em, key->size, m, mpz_size(pub->n));
+ 
+Index: nettle-3.5.1/rsa-sign-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sign-tr.c
++++ nettle-3.5.1/rsa-sign-tr.c
+@@ -131,35 +131,34 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ 			 const struct rsa_private_key *key,
+ 			 void *random_ctx, nettle_random_func *random,
+-			 mp_limb_t *x, const mp_limb_t *m, size_t mn)
++			 mp_limb_t *x, const mp_limb_t *m)
+ {
++  mp_size_t nn;
+   mpz_t mz;
+   mpz_t xz;
+   int res;
+ 
+-  mpz_init(mz);
+   mpz_init(xz);
+ 
+-  mpn_copyi(mpz_limbs_write(mz, mn), m, mn);
+-  mpz_limbs_finish(mz, mn);
++  nn = mpz_size (pub->n);
+ 
+-  res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mz);
++  res = rsa_compute_root_tr(pub, key, random_ctx, random, xz,
++			    mpz_roinit_n(mz, m, nn));
+ 
+   if (res)
+-    mpz_limbs_copy(x, xz, mpz_size(pub->n));
++    mpz_limbs_copy(x, xz, nn);
+ 
+-  mpz_clear(mz);
+   mpz_clear(xz);
+   return res;
+ }
+ #else
+ /* Blinds m, by computing c = m r^e (mod n), for a random r. Also
+-   returns the inverse (ri), for use by rsa_unblind. */
++   returns the inverse (ri), for use by rsa_unblind. Must have c != m,
++   no in-place operation.*/
+ static void
+ rsa_sec_blind (const struct rsa_public_key *pub,
+                void *random_ctx, nettle_random_func *random,
+-               mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m,
+-               mp_size_t mn)
++               mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m)
+ {
+   const mp_limb_t *ep = mpz_limbs_read (pub->e);
+   const mp_limb_t *np = mpz_limbs_read (pub->n);
+@@ -177,15 +176,15 @@ rsa_sec_blind (const struct rsa_public_k
+ 
+   /* c = m*(r^e) mod n */
+   itch = mpn_sec_powm_itch(nn, ebn, nn);
+-  i2 = mpn_sec_mul_itch(nn, mn);
++  i2 = mpn_sec_mul_itch(nn, nn);
+   itch = MAX(itch, i2);
+-  i2 = mpn_sec_div_r_itch(nn + mn, nn);
++  i2 = mpn_sec_div_r_itch(2*nn, nn);
+   itch = MAX(itch, i2);
+   i2 = mpn_sec_invert_itch(nn);
+   itch = MAX(itch, i2);
+ 
+-  TMP_GMP_ALLOC (tp, nn + mn + itch);
+-  scratch = tp + nn + mn;
++  TMP_GMP_ALLOC (tp, 2*nn  + itch);
++  scratch = tp + 2*nn;
+ 
+   /* ri = r^(-1) */
+   do
+@@ -198,9 +197,8 @@ rsa_sec_blind (const struct rsa_public_k
+   while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch));
+ 
+   mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch);
+-  /* normally mn == nn, but m can be smaller in some cases */
+-  mpn_sec_mul (tp, c, nn, m, mn, scratch);
+-  mpn_sec_div_r (tp, nn + mn, np, nn, scratch);
++  mpn_sec_mul (tp, c, nn, m, nn, scratch);
++  mpn_sec_div_r (tp, 2*nn, np, nn, scratch);
+   mpn_copyi(c, tp, nn);
+ 
+   TMP_GMP_FREE (r);
+@@ -208,7 +206,7 @@ rsa_sec_blind (const struct rsa_public_k
+   TMP_GMP_FREE (tp);
+ }
+ 
+-/* m = c ri mod n */
++/* m = c ri mod n. Allows x == c. */
+ static void
+ rsa_sec_unblind (const struct rsa_public_key *pub,
+                  mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c)
+@@ -299,7 +297,7 @@ int
+ _rsa_sec_compute_root_tr(const struct rsa_public_key *pub,
+ 			 const struct rsa_private_key *key,
+ 			 void *random_ctx, nettle_random_func *random,
+-			 mp_limb_t *x, const mp_limb_t *m, size_t mn)
++			 mp_limb_t *x, const mp_limb_t *m)
+ {
+   TMP_GMP_DECL (c, mp_limb_t);
+   TMP_GMP_DECL (ri, mp_limb_t);
+@@ -307,7 +305,7 @@ _rsa_sec_compute_root_tr(const struct rs
+   size_t key_limb_size;
+   int ret;
+ 
+-  key_limb_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
++  key_limb_size = mpz_size(pub->n);
+ 
+   /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the
+      key is invalid and rejected by rsa_private_key_prepare. However,
+@@ -321,19 +319,18 @@ _rsa_sec_compute_root_tr(const struct rs
+     }
+ 
+   assert(mpz_size(pub->n) == key_limb_size);
+-  assert(mn <= key_limb_size);
+ 
+   TMP_GMP_ALLOC (c, key_limb_size);
+   TMP_GMP_ALLOC (ri, key_limb_size);
+   TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key));
+ 
+-  rsa_sec_blind (pub, random_ctx, random, x, ri, m, mn);
++  rsa_sec_blind (pub, random_ctx, random, c, ri, m);
+ 
+-  _rsa_sec_compute_root(key, c, x, scratch);
++  _rsa_sec_compute_root(key, x, c, scratch);
+ 
+-  ret = rsa_sec_check_root(pub, c, x);
++  ret = rsa_sec_check_root(pub, x, c);
+ 
+-  rsa_sec_unblind(pub, x, ri, c);
++  rsa_sec_unblind(pub, x, ri, x);
+ 
+   cnd_mpn_zero(1 - ret, x, key_limb_size);
+ 
+@@ -357,17 +354,17 @@ rsa_compute_root_tr(const struct rsa_pub
+ 		    mpz_t x, const mpz_t m)
+ {
+   TMP_GMP_DECL (l, mp_limb_t);
++  mp_size_t nn = mpz_size(pub->n);
+   int res;
+ 
+-  mp_size_t l_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size);
+-  TMP_GMP_ALLOC (l, l_size);
++  TMP_GMP_ALLOC (l, nn);
++  mpz_limbs_copy(l, m, nn);
+ 
+-  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l,
+-				  mpz_limbs_read(m), mpz_size(m));
++  res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l);
+   if (res) {
+-    mp_limb_t *xp = mpz_limbs_write (x, l_size);
+-    mpn_copyi (xp, l, l_size);
+-    mpz_limbs_finish (x, l_size);
++    mp_limb_t *xp = mpz_limbs_write (x, nn);
++    mpn_copyi (xp, l, nn);
++    mpz_limbs_finish (x, nn);
+   }
+ 
+   TMP_GMP_FREE (l);
+Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
++++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
+@@ -19,6 +19,7 @@ test_main(void)
+   uint8_t after;
+ 
+   mpz_t gibberish;
++  mpz_t zero;
+ 
+   rsa_private_key_init(&key);
+   rsa_public_key_init(&pub);
+@@ -101,6 +102,17 @@ test_main(void)
+   ASSERT(decrypted[decrypted_length] == after);
+   ASSERT(decrypted[0] == 'A');
+ 
++  /* Test zero input. */
++  mpz_init_set_ui (zero, 0);
++  decrypted_length = msg_length;
++  ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++  ASSERT(!rsa_decrypt_tr(&pub, &key,
++			 &lfib, (nettle_random_func *) knuth_lfib_random,
++			 &decrypted_length, decrypted, zero));
++  ASSERT(!rsa_sec_decrypt(&pub, &key,
++			  &lfib, (nettle_random_func *) knuth_lfib_random,
++			  decrypted_length, decrypted, zero));
++  ASSERT(decrypted_length == msg_length);
+ 
+   /* Test invalid key. */
+   mpz_add_ui (key.q, key.q, 2);
+@@ -112,6 +124,6 @@ test_main(void)
+   rsa_private_key_clear(&key);
+   rsa_public_key_clear(&pub);
+   mpz_clear(gibberish);
++  mpz_clear(zero);
+   free(decrypted);
+ }
+-  
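Review bot: in rsa-decrypt-tr.c and rsa-sec-decrypt.c, `mpz_limbs_copy(m, gibberish, ...)` now copies into a buffer sized from mpz_size(pub->n) with nothing in this patch bounding gibberish, and the old `assert(mn <= key_limb_size)` in rsa-sign-tr.c is removed. The range check only arrives in CVE-2021-3580_2.patch, and the test added here covers only zero input. The header tag "dep#1" hints at this, but it should say outright that this patch must not be carried without _2. The diffstat also lists ChangeLog and "6 files changed" while only five files have hunks, so a line noting that the ChangeLog part was dropped in the backport would help.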
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch
new file mode 100644
index 0000000000..18e952ddf7
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-3580_2.patch
@@ -0,0 +1,163 @@
+From c80961c646b0962ab152619ac0a7c6a21850a380 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Tue, 8 Jun 2021 21:32:38 +0200
+Subject: [PATCH 2/2] Add input check to rsa_decrypt family of functions.
+
+(cherry picked from commit 0ad0b5df315665250dfdaa4a1e087f4799edaefe)
+
+Upstream-Status: Backport
+CVE: CVE-2021-3580
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog                    | 10 +++++++++-
+ rsa-decrypt-tr.c             |  4 ++++
+ rsa-decrypt.c                | 10 ++++++++++
+ rsa-sec-decrypt.c            |  4 ++++
+ rsa.h                        |  5 +++--
+ testsuite/rsa-encrypt-test.c | 38 ++++++++++++++++++++++++++++++------
+ 6 files changed, 62 insertions(+), 9 deletions(-)
+
+Index: nettle-3.5.1/rsa-decrypt-tr.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt-tr.c
++++ nettle-3.5.1/rsa-decrypt-tr.c
+@@ -52,6 +52,10 @@ rsa_decrypt_tr(const struct rsa_public_k
+   mp_size_t key_limb_size;
+   int res;
+ 
++  /* First check that input is in range. */
++  if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++    return 0;
++
+   key_limb_size = mpz_size(pub->n);
+ 
+   TMP_GMP_ALLOC (m, key_limb_size);
+Index: nettle-3.5.1/rsa-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-decrypt.c
++++ nettle-3.5.1/rsa-decrypt.c
+@@ -48,6 +48,16 @@ rsa_decrypt(const struct rsa_private_key
+   int res;
+ 
+   mpz_init(m);
++
++  /* First check that input is in range. Since we don't have the
++     public key available here, we need to reconstruct n. */
++  mpz_mul (m, key->p, key->q);
++  if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0)
++    {
++      mpz_clear (m);
++      return 0;
++    }
++
+   rsa_compute_root(key, m, gibberish);
+ 
+   res = pkcs1_decrypt (key->size, m, length, message);
+Index: nettle-3.5.1/rsa-sec-decrypt.c
+===================================================================
+--- nettle-3.5.1.orig/rsa-sec-decrypt.c
++++ nettle-3.5.1/rsa-sec-decrypt.c
+@@ -55,6 +55,10 @@ rsa_sec_decrypt(const struct rsa_public_
+   TMP_GMP_DECL (em, uint8_t);
+   int res;
+ 
++  /* First check that input is in range. */
++  if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0)
++    return 0;
++
+   TMP_GMP_ALLOC (m, mpz_size(pub->n));
+   TMP_GMP_ALLOC (em, key->size);
+ 
+Index: nettle-3.5.1/rsa.h
+===================================================================
+--- nettle-3.5.1.orig/rsa.h
++++ nettle-3.5.1/rsa.h
+@@ -428,13 +428,14 @@ rsa_sec_decrypt(const struct rsa_public_
+ 	        size_t length, uint8_t *message,
+ 	        const mpz_t gibberish);
+ 
+-/* Compute x, the e:th root of m. Calling it with x == m is allowed. */
++/* Compute x, the e:th root of m. Calling it with x == m is allowed.
++   It is required that 0 <= m < n. */
+ void
+ rsa_compute_root(const struct rsa_private_key *key,
+ 		 mpz_t x, const mpz_t m);
+ 
+ /* Safer variant, using RSA blinding, and checking the result after
+-   CRT. */
++   CRT. It is required that 0 <= m < n. */
+ int
+ rsa_compute_root_tr(const struct rsa_public_key *pub,
+ 		    const struct rsa_private_key *key,
+Index: nettle-3.5.1/testsuite/rsa-encrypt-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/rsa-encrypt-test.c
++++ nettle-3.5.1/testsuite/rsa-encrypt-test.c
+@@ -19,11 +19,12 @@ test_main(void)
+   uint8_t after;
+ 
+   mpz_t gibberish;
+-  mpz_t zero;
++  mpz_t bad_input;
+ 
+   rsa_private_key_init(&key);
+   rsa_public_key_init(&pub);
+   mpz_init(gibberish);
++  mpz_init(bad_input);
+ 
+   knuth_lfib_init(&lfib, 17);
+   
+@@ -103,15 +104,40 @@ test_main(void)
+   ASSERT(decrypted[0] == 'A');
+ 
+   /* Test zero input. */
+-  mpz_init_set_ui (zero, 0);
++  mpz_set_ui (bad_input, 0);
+   decrypted_length = msg_length;
+-  ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, zero));
++  ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
+   ASSERT(!rsa_decrypt_tr(&pub, &key,
+ 			 &lfib, (nettle_random_func *) knuth_lfib_random,
+-			 &decrypted_length, decrypted, zero));
++			 &decrypted_length, decrypted, bad_input));
+   ASSERT(!rsa_sec_decrypt(&pub, &key,
+ 			  &lfib, (nettle_random_func *) knuth_lfib_random,
+-			  decrypted_length, decrypted, zero));
++			  decrypted_length, decrypted, bad_input));
++  ASSERT(decrypted_length == msg_length);
++
++  /* Test input that is slightly larger than n */
++  mpz_add(bad_input, gibberish, pub.n);
++  decrypted_length = msg_length;
++  ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++  ASSERT(!rsa_decrypt_tr(&pub, &key,
++			 &lfib, (nettle_random_func *) knuth_lfib_random,
++			 &decrypted_length, decrypted, bad_input));
++  ASSERT(!rsa_sec_decrypt(&pub, &key,
++			  &lfib, (nettle_random_func *) knuth_lfib_random,
++			  decrypted_length, decrypted, bad_input));
++  ASSERT(decrypted_length == msg_length);
++
++  /* Test input that is considerably larger than n */
++  mpz_mul_2exp (bad_input, pub.n, 100);
++  mpz_add (bad_input, bad_input, gibberish);
++  decrypted_length = msg_length;
++  ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input));
++  ASSERT(!rsa_decrypt_tr(&pub, &key,
++			 &lfib, (nettle_random_func *) knuth_lfib_random,
++			 &decrypted_length, decrypted, bad_input));
++  ASSERT(!rsa_sec_decrypt(&pub, &key,
++			  &lfib, (nettle_random_func *) knuth_lfib_random,
++			  decrypted_length, decrypted, bad_input));
+   ASSERT(decrypted_length == msg_length);
+ 
+   /* Test invalid key. */
+@@ -124,6 +150,6 @@ test_main(void)
+   rsa_private_key_clear(&key);
+   rsa_public_key_clear(&pub);
+   mpz_clear(gibberish);
+-  mpz_clear(zero);
++  mpz_clear(bad_input);
+   free(decrypted);
+ }
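Review bot: in rsa.h, the new comment text "It is required that 0 <= m < n" is attached to rsa_compute_root() and rsa_compute_root_tr(), but the check itself is added only in rsa_decrypt(), rsa_decrypt_tr() and rsa_sec_decrypt(). Any caller that reaches the root functions by another path gets a documented requirement with no enforcement. The patch header should say which other callers were looked at, or state that only the decrypt entry points are covered by this backport.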
diff --git a/meta/recipes-support/nettle/nettle_3.5.1.bb b/meta/recipes-support/nettle/nettle_3.5.1.bb
index b2ec24b36c..9212d9deb5 100644
--- a/meta/recipes-support/nettle/nettle_3.5.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.5.1.bb
@@ -18,6 +18,8 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
            file://Add-target-to-only-build-tests-not-run-them.patch \
            file://run-ptest \
            file://check-header-files-of-openssl-only-if-enable_.patch \
+           file://CVE-2021-3580_1.patch \
+           file://CVE-2021-3580_2.patch \
            "
 
 SRC_URI_append_class-target = "\
-- 
2.25.1



* [OE-core][dunfell 09/25] curl: Fix CVE-2021-22946 and CVE-2021-22947, whitelist CVE-2021-22945
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (7 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 08/25] nettle: Security fix for CVE-2021-3580 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 10/25] nettle: Security fix for CVE-2021-20305 Steve Sakoman
                   ` (15 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Mike Crowe <mac@mcrowe.com>

curl v7.79.0 contained fixes for three CVEs:

The description of CVE-2021-22945[1] contains:
> This flaw was introduced in commit 2522903b79 but since MQTT support
> was marked 'experimental' then and not enabled in the build by default
> until curl 7.73.0 (October 14, 2020) we count that as the first flawed
> version.

which I believe means that curl v7.69.1 is not vulnerable.

curl v7.69.1 is vulnerable to both CVE-2021-22946[2] and CVE-2021-22947[3].
These patches are from Ubuntu 20.04's curl 7.68.0 package. The patches
applied without conflicts, but I used devtool to regenerate them to
avoid fuzz warnings.

[1] https://curl.se/docs/CVE-2021-22945.html
[2] https://curl.se/docs/CVE-2021-22946.html
[3] https://curl.se/docs/CVE-2021-22947.html

Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../curl/curl/CVE-2021-22946-pre1.patch       |  86 +++++
 .../curl/curl/CVE-2021-22946.patch            | 328 ++++++++++++++++
 .../curl/curl/CVE-2021-22947.patch            | 352 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.69.1.bb      |   5 +-
 4 files changed, 770 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22946.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2021-22947.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
new file mode 100644
index 0000000000..4afd755149
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946-pre1.patch
@@ -0,0 +1,86 @@
+Backport of:
+
+From 1397a7de6e312e019a3b339f855ba0a5cafa9127 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 21 Sep 2020 09:15:51 +0200
+Subject: [PATCH] ftp: separate FTPS from FTP over "HTTPS proxy"
+
+When using HTTPS proxy, SSL is used but not in the view of the FTP
+protocol handler itself so separate the connection's use of SSL from the
+FTP control connection's sue.
+
+Reported-by: Mingtao Yang
+Fixes #5523
+Closes #6006
+
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+---
+ lib/ftp.c     | 13 ++++++-------
+ lib/urldata.h |  1 +
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 3382772..677527f 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2488,7 +2488,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn)
+ {
+   CURLcode result = CURLE_OK;
+ 
+-  if(conn->ssl[FIRSTSOCKET].use) {
++  if(conn->bits.ftp_use_control_ssl) {
+     /* PBSZ = PROTECTION BUFFER SIZE.
+ 
+     The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says:
+@@ -2633,11 +2633,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+       }
+ #endif
+ 
+-      if(data->set.use_ssl &&
+-         (!conn->ssl[FIRSTSOCKET].use ||
+-          (conn->bits.proxy_ssl_connected[FIRSTSOCKET] &&
+-           !conn->proxy_ssl[FIRSTSOCKET].use))) {
+-        /* We don't have a SSL/TLS connection yet, but FTPS is
++      if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) {
++        /* We don't have a SSL/TLS control connection yet, but FTPS is
+            requested. Try a FTPS connection now */
+ 
+         ftpc->count3 = 0;
+@@ -2682,6 +2679,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+         result = Curl_ssl_connect(conn, FIRSTSOCKET);
+         if(!result) {
+           conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */
++          conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */
+           result = ftp_state_user(conn);
+         }
+       }
+@@ -3072,7 +3070,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn)
+  *
+  */
+ static CURLcode ftp_connect(struct connectdata *conn,
+-                                 bool *done) /* see description above */
++                            bool *done) /* see description above */
+ {
+   CURLcode result;
+   struct ftp_conn *ftpc = &conn->proto.ftpc;
+@@ -3093,6 +3091,7 @@ static CURLcode ftp_connect(struct connectdata *conn,
+     result = Curl_ssl_connect(conn, FIRSTSOCKET);
+     if(result)
+       return result;
++    conn->bits.ftp_use_control_ssl = TRUE;
+   }
+ 
+   Curl_pp_init(pp); /* init the generic pingpong data */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index ff2d686..d1fb4a9 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -461,6 +461,7 @@ struct ConnectBits {
+                          EPRT doesn't work we disable it for the forthcoming
+                          requests */
+   BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */
++  BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */
+ #endif
+   BIT(netrc);         /* name+password provided by netrc */
+   BIT(userpwd_in_url); /* name+password found in url */
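Review bot: the header line "Upstream-Status: backport from 7.68.0-1ubuntu2.7" names only the Ubuntu package and is lower-case where the other patches in this series write "Backport". Suggest "Upstream-Status: Backport" with the upstream commit 1397a7de6e312e019a3b339f855ba0a5cafa9127 in brackets and the Ubuntu version after it. This prerequisite also has no CVE: tag, while the nettle prerequisite in this series is tagged "CVE: CVE-2021-3580 dep#1"; using the same convention here would make it clear which fix this patch belongs to.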
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22946.patch b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
new file mode 100644
index 0000000000..98032d8b78
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22946.patch
@@ -0,0 +1,328 @@
+Backport of:
+
+From 96d71feb27e533a8b337512841a537952916262c Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Wed, 8 Sep 2021 11:56:22 +0200
+Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
+
+In imap and pop3, check if TLS is required even when capabilities
+request has failed.
+
+In ftp, ignore preauthentication (230 status of server greeting) if TLS
+is required.
+
+Bug: https://curl.se/docs/CVE-2021-22946.html
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+CVE: CVE-2021-22946
+---
+ lib/ftp.c               |  9 ++++---
+ lib/imap.c              | 24 ++++++++----------
+ lib/pop3.c              | 33 +++++++++++-------------
+ tests/data/Makefile.inc |  2 ++
+ tests/data/test984      | 56 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test985      | 54 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test986      | 53 ++++++++++++++++++++++++++++++++++++++
+ 7 files changed, 195 insertions(+), 36 deletions(-)
+ create mode 100644 tests/data/test984
+ create mode 100644 tests/data/test985
+ create mode 100644 tests/data/test986
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 677527f..91b43d8 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2606,9 +2606,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+     /* we have now received a full FTP server response */
+     switch(ftpc->state) {
+     case FTP_WAIT220:
+-      if(ftpcode == 230)
+-        /* 230 User logged in - already! */
+-        return ftp_state_user_resp(conn, ftpcode, ftpc->state);
++      if(ftpcode == 230) {
++        /* 230 User logged in - already! Take as 220 if TLS required. */
++        if(data->set.use_ssl <= CURLUSESSL_TRY ||
++           conn->bits.ftp_use_control_ssl)
++          return ftp_state_user_resp(conn, ftpcode, ftpc->state);
++      }
+       else if(ftpcode != 220) {
+         failf(data, "Got a %03d ftp-server response when 220 was expected",
+               ftpcode);
+diff --git a/lib/imap.c b/lib/imap.c
+index 66172bd..9880ce1 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
+       line += wordlen;
+     }
+   }
+-  else if(imapcode == IMAP_RESP_OK) {
+-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
+-      if(imapc->tls_supported)
+-        /* Switch to TLS connection now */
+-        result = imap_perform_starttls(conn);
+-      else if(data->set.use_ssl == CURLUSESSL_TRY)
+-        /* Fallback and carry on with authentication */
+-        result = imap_perform_authentication(conn);
+-      else {
+-        failf(data, "STARTTLS not supported.");
+-        result = CURLE_USE_SSL_FAILED;
+-      }
++  else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
++    /* PREAUTH is not compatible with STARTTLS. */
++    if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
++      /* Switch to TLS connection now */
++      result = imap_perform_starttls(conn);
+     }
+-    else
++    else if(data->set.use_ssl <= CURLUSESSL_TRY)
+       result = imap_perform_authentication(conn);
++    else {
++      failf(data, "STARTTLS not available.");
++      result = CURLE_USE_SSL_FAILED;
++    }
+   }
+   else
+     result = imap_perform_authentication(conn);
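Review bot: The new else branch reports "STARTTLS not available." for three different situations: CAPABILITY did not return OK, the server did not advertise STARTTLS, and the server sent PREAUTH. Failing all three with CURLE_USE_SSL_FAILED when TLS is required is right, but a separate failf text for the PREAUTH case would let a user tell a server without STARTTLS from one that skipped the upgrade by pre-authenticating. imapc->preauth is not set anywhere in these hunks, so please confirm it is introduced by CVE-2021-22946-pre1.patch; the recipe lists that file ahead of this one, which is the order this hunk needs.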
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 57c1373..145b2b4 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code,
+       }
+     }
+   }
+-  else if(pop3code == '+') {
+-    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
+-      /* We don't have a SSL/TLS connection yet, but SSL is requested */
+-      if(pop3c->tls_supported)
+-        /* Switch to TLS connection now */
+-        result = pop3_perform_starttls(conn);
+-      else if(data->set.use_ssl == CURLUSESSL_TRY)
+-        /* Fallback and carry on with authentication */
+-        result = pop3_perform_authentication(conn);
+-      else {
+-        failf(data, "STLS not supported.");
+-        result = CURLE_USE_SSL_FAILED;
+-      }
+-    }
+-    else
+-      result = pop3_perform_authentication(conn);
+-  }
+   else {
+     /* Clear text is supported when CAPA isn't recognised */
+-    pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
++    if(pop3code != '+')
++      pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
+ 
+-    result = pop3_perform_authentication(conn);
++    if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
++      result = pop3_perform_authentication(conn);
++    else if(pop3code == '+' && pop3c->tls_supported)
++      /* Switch to TLS connection now */
++      result = pop3_perform_starttls(conn);
++    else if(data->set.use_ssl <= CURLUSESSL_TRY)
++      /* Fallback and carry on with authentication */
++      result = pop3_perform_authentication(conn);
++    else {
++      failf(data, "STLS not supported.");
++      result = CURLE_USE_SSL_FAILED;
++    }
+   }
+ 
+   return result;
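Review bot: The comment "Clear text is supported when CAPA isn't recognised" now heads a block that also handles a successful CAPA, so it no longer describes what follows; move it onto the "if(pop3code != '+')" line. The chain below it is ordered so that authentication without STLS is reached only when TLS is off, already active, or optional (use_ssl <= CURLUSESSL_TRY); a one-line comment stating that ordering would help the next reader keep it intact.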
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index f9535a6..0fa6799 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 \
+ \
++test984 test985 test986 \
++\
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+ test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
+ test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
+diff --git a/tests/data/test984 b/tests/data/test984
+new file mode 100644
+index 0000000..e573f23
+--- /dev/null
++++ b/tests/data/test984
+@@ -0,0 +1,56 @@
++<testcase>
++<info>
++<keywords>
++IMAP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY CAPABILITY A001 BAD Not implemented
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++imap
++</server>
++ <name>
++IMAP require STARTTLS with failing capabilities
++ </name>
++ <command>
++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
++</command>
++<file name="log/upload%TESTNUMBER">
++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
++From: Fred Foobar <foobar@example.COM>
++Subject: afternoon meeting
++To: joe@example.com
++Message-Id: <B27397-0100000@example.COM>
++MIME-Version: 1.0
++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
++
++Hello Joe, do you think we can meet at 3:30 tomorrow?
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++A001 CAPABILITY
++</protocol>
++</verify>
++</testcase>
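Review bot: This test covers only the failed-CAPABILITY path under --ssl-reqd. The lib/imap.c hunk also adds the "!imapc->preauth" condition, and none of test984, test985 or test986 sends a PREAUTH greeting, so that branch is untested here; a companion case with a PREAUTH greeting and --ssl-reqd expecting error 64 would cover it. A case run with --ssl, checking that the fallback to authentication still happens, would guard the other side of the "<= CURLUSESSL_TRY" comparison.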
+diff --git a/tests/data/test985 b/tests/data/test985
+new file mode 100644
+index 0000000..d0db4aa
+--- /dev/null
++++ b/tests/data/test985
+@@ -0,0 +1,54 @@
++<testcase>
++<info>
++<keywords>
++POP3
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY CAPA -ERR Not implemented
++</servercmd>
++<data nocheck="yes">
++From: me@somewhere
++To: fake@nowhere
++
++body
++
++--
++  yours sincerely
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++pop3
++</server>
++ <name>
++POP3 require STARTTLS with failing capabilities
++ </name>
++ <command>
++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
++ </command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++CAPA
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test986 b/tests/data/test986
+new file mode 100644
+index 0000000..a709437
+--- /dev/null
++++ b/tests/data/test986
+@@ -0,0 +1,53 @@
++<testcase>
++<info>
++<keywords>
++FTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY welcome 230 Welcome
++REPLY AUTH 500 unknown command
++</servercmd>
++</reply>
++
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++ftp
++</server>
++ <name>
++FTP require STARTTLS while preauthenticated
++ </name>
++<file name="log/test%TESTNUMBER.txt">
++data
++    to
++      see
++that FTPS
++works
++  so does it?
++</file>
++ <command>
++--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++# 64 is CURLE_USE_SSL_FAILED
++<errorcode>
++64
++</errorcode>
++<protocol>
++AUTH SSL
++AUTH TLS
++</protocol>
++</verify>
++</testcase>
diff --git a/meta/recipes-support/curl/curl/CVE-2021-22947.patch b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
new file mode 100644
index 0000000000..070a328e27
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2021-22947.patch
@@ -0,0 +1,352 @@
+Backport of:
+
+From 259b4f2e1fd01fbc55e569ee0a507afeae34f77c Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <patrick@monnerat.net>
+Date: Tue, 7 Sep 2021 13:26:42 +0200
+Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
+ pipelining
+
+If a server pipelines future responses within the STARTTLS response, the
+former are preserved in the pingpong cache across TLS negotiation and
+used as responses to the encrypted commands.
+
+This fix detects pipelined STARTTLS responses and rejects them with an
+error.
+
+Bug: https://curl.se/docs/CVE-2021-22947.html
+Upstream-Status: backport from 7.68.0-1ubuntu2.7
+Signed-off-by: Mike Crowe <mac@mcrowe.com>
+CVE: CVE-2021-22947
+
+---
+ lib/ftp.c               |  3 +++
+ lib/imap.c              |  4 +++
+ lib/pop3.c              |  4 +++
+ lib/smtp.c              |  4 +++
+ tests/data/Makefile.inc |  2 ++
+ tests/data/test980      | 52 ++++++++++++++++++++++++++++++++++++
+ tests/data/test981      | 59 +++++++++++++++++++++++++++++++++++++++++
+ tests/data/test982      | 57 +++++++++++++++++++++++++++++++++++++++
+ tests/data/test983      | 52 ++++++++++++++++++++++++++++++++++++
+ 9 files changed, 237 insertions(+)
+ create mode 100644 tests/data/test980
+ create mode 100644 tests/data/test981
+ create mode 100644 tests/data/test982
+ create mode 100644 tests/data/test983
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 91b43d8..31a34e8 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2670,6 +2670,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+     case FTP_AUTH:
+       /* we have gotten the response to a previous AUTH command */
+ 
++      if(pp->cache_size)
++        return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
++
+       /* RFC2228 (page 5) says:
+        *
+        * If the server is willing to accept the named security mechanism,
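Review bot: The new check in the FTP_AUTH case returns CURLE_WEIRD_SERVER_REPLY without a failf() call, so the user gets the generic error text and nothing says that extra data followed the AUTH response. Add a short failf() before the return stating that pipelined data after the AUTH response was rejected; the imap, pop3 and smtp checks in this patch return silently in the same way.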
+diff --git a/lib/imap.c b/lib/imap.c
+index 9880ce1..0ca700f 100644
+--- a/lib/imap.c
++++ b/lib/imap.c
+@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
+ 
+   (void)instate; /* no use for this yet */
+ 
++  /* Pipelining in response is forbidden. */
++  if(data->conn->proto.imapc.pp.cache_size)
++    return CURLE_WEIRD_SERVER_REPLY;
++
+   if(imapcode != IMAP_RESP_OK) {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied");
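Review bot: The check reads the cache as data->conn->proto.imapc.pp.cache_size although conn is this function's own parameter; conn->proto.imapc.pp.cache_size tests the same field without assuming that data->conn points at this connection. The pop3 and smtp hunks use the same data->conn form, while the ftp hunk goes through a local pp; using one form in all four files would make the backport easier to audit.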
+diff --git a/lib/pop3.c b/lib/pop3.c
+index 145b2b4..8a2d52e 100644
+--- a/lib/pop3.c
++++ b/lib/pop3.c
+@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
+ 
+   (void)instate; /* no use for this yet */
+ 
++  /* Pipelining in response is forbidden. */
++  if(data->conn->proto.pop3c.pp.cache_size)
++    return CURLE_WEIRD_SERVER_REPLY;
++
+   if(pop3code != '+') {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied");
+diff --git a/lib/smtp.c b/lib/smtp.c
+index e187287..66183e2 100644
+--- a/lib/smtp.c
++++ b/lib/smtp.c
+@@ -820,6 +820,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn,
+ 
+   (void)instate; /* no use for this yet */
+ 
++  /* Pipelining in response is forbidden. */
++  if(data->conn->proto.smtpc.pp.cache_size)
++    return CURLE_WEIRD_SERVER_REPLY;
++
+   if(smtpcode != 220) {
+     if(data->set.use_ssl != CURLUSESSL_TRY) {
+       failf(data, "STARTTLS denied, code %d", smtpcode);
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 0fa6799..60e8176 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -112,6 +112,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
+ test954 test955 test956 test957 test958 test959 test960 test961 test962 \
+ test963 test964 test965 test966 test967 test968 test969 \
+ \
++test980 test981 test982 test983 \
++\
+ test984 test985 test986 \
+ \
+ test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
+diff --git a/tests/data/test980 b/tests/data/test980
+new file mode 100644
+index 0000000..97567f8
+--- /dev/null
++++ b/tests/data/test980
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++SMTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STARTTLS
++AUTH PLAIN
++REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
++REPLY AUTH 535 5.7.8 Authentication credentials invalid
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++smtp
++</server>
++ <name>
++SMTP STARTTLS pipelined server response
++ </name>
++<stdin>
++mail body
++</stdin>
++ <command>
++smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
++</command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++EHLO %TESTNUMBER
++STARTTLS
++</protocol>
++</verify>
++</testcase>
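Review bot: The server script refuses STARTTLS (454) and pipelines the later responses behind the refusal, with the client run under --ssl, so this exercises the refused-upgrade path only. The commit message describes cached responses being preserved across TLS negotiation, which is the accepted-upgrade case, yet test980 to test983 all script a refusal (454, BAD, -ERR, 500). If the test servers can script it, add a case where the upgrade is accepted with trailing pipelined data, so the path named in the description is covered as well.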
+diff --git a/tests/data/test981 b/tests/data/test981
+new file mode 100644
+index 0000000..2b98ce4
+--- /dev/null
++++ b/tests/data/test981
+@@ -0,0 +1,59 @@
++<testcase>
++<info>
++<keywords>
++IMAP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STARTTLS
++REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
++REPLY LOGIN A003 BAD Authentication credentials invalid
++</servercmd>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++imap
++</server>
++ <name>
++IMAP STARTTLS pipelined server response
++ </name>
++ <command>
++imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
++</command>
++<file name="log/upload%TESTNUMBER">
++Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
++From: Fred Foobar <foobar@example.COM>
++Subject: afternoon meeting
++To: joe@example.com
++Message-Id: <B27397-0100000@example.COM>
++MIME-Version: 1.0
++Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
++
++Hello Joe, do you think we can meet at 3:30 tomorrow?
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++A001 CAPABILITY
++A002 STARTTLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test982 b/tests/data/test982
+new file mode 100644
+index 0000000..9e07cc0
+--- /dev/null
++++ b/tests/data/test982
+@@ -0,0 +1,57 @@
++<testcase>
++<info>
++<keywords>
++POP3
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++CAPA STLS USER
++REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
++REPLY PASS -ERR Authentication credentials invalid
++</servercmd>
++<data nocheck="yes">
++From: me@somewhere
++To: fake@nowhere
++
++body
++
++--
++  yours sincerely
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++pop3
++</server>
++ <name>
++POP3 STARTTLS pipelined server response
++ </name>
++ <command>
++pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
++ </command>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++CAPA
++STLS
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test983 b/tests/data/test983
+new file mode 100644
+index 0000000..300ec45
+--- /dev/null
++++ b/tests/data/test983
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++FTP
++STARTTLS
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<servercmd>
++REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
++REPLY PASS 530 Login incorrect
++</servercmd>
++</reply>
++
++# Client-side
++<client>
++<features>
++SSL
++</features>
++<server>
++ftp
++</server>
++ <name>
++FTP STARTTLS pipelined server response
++ </name>
++<file name="log/test%TESTNUMBER.txt">
++data
++    to
++      see
++that FTPS
++works
++  so does it?
++</file>
++ <command>
++--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
++</command>
++</client>
++
++# Verify data after the test has been "shot"
++<verify>
++# 8 is CURLE_WEIRD_SERVER_REPLY
++<errorcode>
++8
++</errorcode>
++<protocol>
++AUTH SSL
++</protocol>
++</verify>
++</testcase>
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 21c673feda..d7ffb2dc50 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -22,6 +22,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
            file://CVE-2021-22898.patch \
            file://CVE-2021-22924.patch \
            file://CVE-2021-22925.patch \
+           file://CVE-2021-22946-pre1.patch \
+           file://CVE-2021-22946.patch \
+           file://CVE-2021-22947.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
@@ -29,7 +32,7 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5
 
 # Curl has used many names over the years...
 CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl"
-CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926"
+CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-22945"
 
 inherit autotools pkgconfig binconfig multilib_header
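Review bot: In CVE_CHECK_WHITELIST the added entry is "CVE-22945", which is missing the year; the subject line says CVE-2021-22945. As written the entry does not match that CVE id, so the whitelist will not suppress it. It should read "CVE-2021-22945", and a comment above the variable giving the reason the CVE does not apply to 7.69.1 would help, since nothing in this hunk records it.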
 
-- 
2.25.1



* [OE-core][dunfell 10/25] nettle: Security fix for CVE-2021-20305
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (8 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 09/25] curl: Fix CVE-2021-22946 and CVE-2021-22947, whitelist CVE-2021-22945 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 11/25] squashfs-tools: fix CVE-2021-40153 Steve Sakoman
                   ` (14 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster@mvista.com>

Source: Debian.org
MR: 110174
Type: Security Fix
Disposition: Backport from https://sources.debian.org/patches/nettle/3.4.1-1+deb10u1/
ChangeID: 47746f3e58c03a62fef572797d0ae6e0cd865092
Description:

Affects: Nettle < 3.7.2

Minor fixup for nettle_secp_224r1 to _nettle_secp_224r1 to match 3.5.1
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../nettle-3.5.1/CVE-2021-20305-1.patch       | 215 ++++++++++++++++++
 .../nettle-3.5.1/CVE-2021-20305-2.patch       |  53 +++++
 .../nettle-3.5.1/CVE-2021-20305-3.patch       | 122 ++++++++++
 .../nettle-3.5.1/CVE-2021-20305-4.patch       |  48 ++++
 .../nettle-3.5.1/CVE-2021-20305-5.patch       |  53 +++++
 meta/recipes-support/nettle/nettle_3.5.1.bb   |   5 +
 6 files changed, 496 insertions(+)
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
 create mode 100644 meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch

diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
new file mode 100644
index 0000000000..cfc0f382fa
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-1.patch
@@ -0,0 +1,215 @@
+Backport of:
+
+From a63893791280d441c713293491da97c79c0950fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Thu, 11 Mar 2021 19:37:41 +0100
+Subject: [PATCH] New functions ecc_mod_mul_canonical and
+ ecc_mod_sqr_canonical.
+
+* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+New functions.
+* ecc-internal.h: Declare and document new functions.
+* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+* ecc-j-to-a.c (ecc_j_to_a): Likewise.
+* ecc-mul-m.c (ecc_mul_m): Likewise.
+
+(cherry picked from commit 2bf497ba4d6acc6f352bca015837fad33008565c)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-1.patch
+CVE: CVE-2021-20305 dep1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog            | 11 +++++++++++
+ curve25519-eh-to-x.c |  6 +-----
+ curve448-eh-to-x.c   |  5 +----
+ ecc-eh-to-a.c        | 12 ++----------
+ ecc-internal.h       | 15 +++++++++++++++
+ ecc-j-to-a.c         | 15 +++------------
+ ecc-mod-arith.c      | 24 ++++++++++++++++++++++++
+ ecc-mul-m.c          |  6 ++----
+ 8 files changed, 59 insertions(+), 35 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index fd138d82..5cc5c188 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,14 @@
+#+2021-03-11  Niels Möller  <nisse@lysator.liu.se>
+#+
+#+	* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+#+	New functions.
+#+	* ecc-internal.h: Declare and document new functions.
+#+	* curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical.
+#+	* curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical.
+#+	* ecc-eh-to-a.c (ecc_eh_to_a): Likewise.
+#+	* ecc-j-to-a.c (ecc_j_to_a): Likewise.
+#+	* ecc-mul-m.c (ecc_mul_m): Likewise.
+#+
+# 2021-02-17  Niels Möller  <nisse@lysator.liu.se>
+# 
+# 	* Released Nettle-3.7.1.
+Index: nettle-3.5.1/curve25519-eh-to-x.c
+===================================================================
+--- nettle-3.5.1.orig/curve25519-eh-to-x.c
++++ nettle-3.5.1/curve25519-eh-to-x.c
+@@ -53,7 +53,6 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+ #define t2 (scratch + 2*ecc->p.size)
+ 
+   const struct ecc_curve *ecc = &_nettle_curve25519;
+-  mp_limb_t cy;
+ 
+   /* If u = U/W and v = V/W are the coordiantes of the point on the
+      Edwards curve we get the curve25519 x coordinate as
+@@ -69,10 +68,7 @@ curve25519_eh_to_x (mp_limb_t *xp, const
+   ecc->p.invert (&ecc->p, t1, t0, t2 + ecc->p.size);
+   
+   ecc_modp_add (ecc, t0, wp, vp);
+-  ecc_modp_mul (ecc, t2, t0, t1);
+-
+-  cy = mpn_sub_n (xp, t2, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, xp, t2, ecc->p.size);
++  ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, t2);
+ #undef vp
+ #undef wp
+ #undef t0
+Index: nettle-3.5.1/ecc-eh-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-eh-to-a.c
++++ nettle-3.5.1/ecc-eh-to-a.c
+@@ -59,9 +59,7 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+   /* Needs 2*size + scratch for the invert call. */
+   ecc->p.invert (&ecc->p, izp, zp, tp + ecc->p.size);
+ 
+-  ecc_modp_mul (ecc, tp, xp, izp);
+-  cy = mpn_sub_n (r, tp, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r, tp, ecc->p.size);
++  ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp);
+ 
+   if (op)
+     {
+@@ -81,7 +79,5 @@ ecc_eh_to_a (const struct ecc_curve *ecc
+ 	}
+       return;
+     }
+-  ecc_modp_mul (ecc, tp, yp, izp);
+-  cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
++  ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp);
+ }
+Index: nettle-3.5.1/ecc-internal.h
+===================================================================
+--- nettle-3.5.1.orig/ecc-internal.h
++++ nettle-3.5.1/ecc-internal.h
+@@ -49,6 +49,8 @@
+ #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1
+ #define ecc_mod_mul _nettle_ecc_mod_mul
+ #define ecc_mod_sqr _nettle_ecc_mod_sqr
++#define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical
++#define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical
+ #define ecc_mod_random _nettle_ecc_mod_random
+ #define ecc_mod _nettle_ecc_mod
+ #define ecc_mod_inv _nettle_ecc_mod_inv
+@@ -263,6 +265,19 @@ ecc_mod_sqr (const struct ecc_modulo *m,
+ #define ecc_modq_mul(ecc, r, a, b) \
+   ecc_mod_mul (&(ecc)->q, (r), (a), (b))
+ 
++/* These mul and sqr functions produce a canonical result, 0 <= R < M.
++   Requirements on input and output areas are similar to the above
++   functions, except that it is *not* allowed to pass rp = rp +
++   m->size.
++ */
++void
++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++		       const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp);
++
++void
++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++		       const mp_limb_t *ap, mp_limb_t *tp);
++
+ /* mod q operations. */
+ void
+ ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp,
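Review bot: The new comment says it is not allowed to pass "rp = rp + m->size", which relates rp to itself and so cannot be what is meant; name the two pointers that must not be related this way. The comment also gives no size for the new tp argument. In the ecc-mod-arith.c hunk of this patch the product is written at tp + m->size and is 2*m->size limbs long, so tp must provide 3*m->size limbs; state that here, because later patches in this series pass tp equal to rp (equal_h, ecc_ecdsa_verify).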
+Index: nettle-3.5.1/ecc-j-to-a.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-j-to-a.c
++++ nettle-3.5.1/ecc-j-to-a.c
+@@ -51,8 +51,6 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+ #define izBp (scratch + 3*ecc->p.size)
+ #define tp    scratch
+ 
+-  mp_limb_t cy;
+-
+   if (ecc->use_redc)
+     {
+       /* Set v = (r_z / B^2)^-1,
+@@ -86,17 +84,14 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+       ecc_modp_sqr (ecc, iz2p, izp);
+     }
+ 
+-  ecc_modp_mul (ecc, iz3p, iz2p, p);
+-  /* ecc_modp (and ecc_modp_mul) may return a value up to 2p - 1, so
+-     do a conditional subtraction. */
+-  cy = mpn_sub_n (r, iz3p, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r, iz3p, ecc->p.size);
++  ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p);
+ 
+   if (op)
+     {
+       /* Skip y coordinate */
+       if (op > 1)
+ 	{
++	  mp_limb_t cy;
+ 	  /* Also reduce the x coordinate mod ecc->q. It should
+ 	     already be < 2*ecc->q, so one subtraction should
+ 	     suffice. */
+@@ -106,10 +101,7 @@ ecc_j_to_a (const struct ecc_curve *ecc,
+       return;
+     }
+   ecc_modp_mul (ecc, iz3p, iz2p, izp);
+-  ecc_modp_mul (ecc, tp, iz3p, p + ecc->p.size);
+-  /* And a similar subtraction. */
+-  cy = mpn_sub_n (r + ecc->p.size, tp, ecc->p.m, ecc->p.size);
+-  cnd_copy (cy, r + ecc->p.size, tp, ecc->p.size);
++  ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, iz3p);
+ 
+ #undef izp
+ #undef up
+Index: nettle-3.5.1/ecc-mod-arith.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-mod-arith.c
++++ nettle-3.5.1/ecc-mod-arith.c
+@@ -119,6 +119,30 @@ ecc_mod_mul (const struct ecc_modulo *m,
+ }
+ 
+ void
++ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++		       const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp)
++{
++  mp_limb_t cy;
++  mpn_mul_n (tp + m->size, ap, bp, m->size);
++  m->reduce (m, tp + m->size);
++
++  cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
++  cnd_copy (cy, rp, tp + m->size, m->size);
++}
++
++void
++ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp,
++		       const mp_limb_t *ap, mp_limb_t *tp)
++{
++  mp_limb_t cy;
++  mpn_sqr (tp + m->size, ap, m->size);
++  m->reduce (m, tp + m->size);
++
++  cy = mpn_sub_n (rp, tp + m->size, m->m, m->size);
++  cnd_copy (cy, rp, tp + m->size, m->size);
++}
++
++void
+ ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp,
+ 	     const mp_limb_t *ap)
+ {
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
new file mode 100644
index 0000000000..bb56b14c8c
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-2.patch
@@ -0,0 +1,53 @@
+Backport of:
+
+From 971bed6ab4b27014eb23085e8176917e1a096fd5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 17:26:37 +0100
+Subject: [PATCH] Use ecc_mod_mul_canonical for point comparison.
+
+* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+
+(cherry picked from commit 5b7608fde3a6d2ab82bffb35db1e4e330927c906)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-2.patch
+CVE: CVE-2021-20305 dep2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog      | 4 ++++
+ eddsa-verify.c | 9 ++-------
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 5cc5c188..2a9217a6 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,3 +1,7 @@
+#+2021-03-13  Niels Möller  <nisse@lysator.liu.se>
+#+
+#+	* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+
+# 2021-03-11  Niels Möller  <nisse@lysator.liu.se>
+# 
+# 	* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/eddsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/eddsa-verify.c
++++ nettle-3.5.1/eddsa-verify.c
+@@ -53,13 +53,8 @@ equal_h (const struct ecc_modulo *p,
+ #define t0 scratch
+ #define t1 (scratch + p->size)
+ 
+-  ecc_mod_mul (p, t0, x1, z2);
+-  if (mpn_cmp (t0, p->m, p->size) >= 0)
+-    mpn_sub_n (t0, t0, p->m, p->size);
+-
+-  ecc_mod_mul (p, t1, x2, z1);
+-  if (mpn_cmp (t1, p->m, p->size) >= 0)
+-    mpn_sub_n (t1, t1, p->m, p->size);
++  ecc_mod_mul_canonical (p, t0, x1, z2, t0);
++  ecc_mod_mul_canonical (p, t1, x2, z1, t1);
+ 
+   return mpn_cmp (t0, t1, p->size) == 0;
+ 
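Review bot: Both calls pass the output buffer as scratch (t0 with t0, t1 with t1), and ecc_mod_mul_canonical as added in CVE-2021-20305-1.patch writes a product of 2*size limbs at tp + size. With t1 defined as scratch + p->size, the second call therefore writes up to scratch + 4*p->size. Please confirm that every caller of equal_h provides at least 4*p->size limbs of scratch, and record that requirement in a comment next to the t0/t1 defines.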
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
new file mode 100644
index 0000000000..15a892ecdf
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-3.patch
@@ -0,0 +1,122 @@
+Backport of:
+
+From 74ee0e82b6891e090f20723750faeb19064e31b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 15:19:19 +0100
+Subject: [PATCH] Fix bug in ecc_ecdsa_verify.
+
+* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+to compute the scalars used for ecc multiplication.
+* testsuite/ecdsa-verify-test.c (test_main): Add test case that
+triggers an assert on 64-bit platforms, without above fix.
+* testsuite/ecdsa-sign-test.c (test_main): Test case generating
+the same signature.
+
+(cherry picked from commit 2397757b3f95fcae1e2d3011bf99ca5b5438378f)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-3.patch
+CVE: CVE-2021-20305 dep3
+[Minor fixup on _nettle_secp_224r1]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog                     | 10 +++++++++-
+ ecc-ecdsa-verify.c            |  4 ++--
+ testsuite/ecdsa-sign-test.c   | 13 +++++++++++++
+ testsuite/ecdsa-verify-test.c | 20 ++++++++++++++++++++
+ 4 files changed, 44 insertions(+), 3 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 2a9217a6..63848f53 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,7 +1,15 @@
+# 2021-03-13  Niels Möller  <nisse@lysator.liu.se>
+# 
+#-	* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+#+	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+#+	to compute the scalars used for ecc multiplication.
+#+	* testsuite/ecdsa-verify-test.c (test_main): Add test case that
+#+	triggers an assert on 64-bit platforms, without above fix.
+#+	* testsuite/ecdsa-sign-test.c (test_main): Test case generating
+#+	the same signature.
+#+
+#+2021-03-13  Niels Möller  <nisse@lysator.liu.se>
+# 
+#+	* eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical.
+# 2021-03-11  Niels Möller  <nisse@lysator.liu.se>
+# 
+# 	* ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical):
+Index: nettle-3.5.1/ecc-ecdsa-verify.c
+===================================================================
+--- nettle-3.5.1.orig/ecc-ecdsa-verify.c
++++ nettle-3.5.1/ecc-ecdsa-verify.c
+@@ -112,10 +112,10 @@ ecc_ecdsa_verify (const struct ecc_curve
+ 
+   /* u1 = h / s, P1 = u1 * G */
+   ecc_hash (&ecc->q, hp, length, digest);
+-  ecc_modq_mul (ecc, u1, hp, sinv);
++  ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1);
+ 
+   /* u2 = r / s, P2 = u2 * Y */
+-  ecc_modq_mul (ecc, u2, rp, sinv);
++  ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2);
+ 
+    /* Total storage: 5*ecc->p.size + ecc->mul_itch */
+   ecc->mul (ecc, P2, u2, pp, u2 + ecc->p.size);
+Index: nettle-3.5.1/testsuite/ecdsa-sign-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-sign-test.c
++++ nettle-3.5.1/testsuite/ecdsa-sign-test.c
+@@ -58,6 +58,19 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
++  /* Producing the signature for corresponding test in
++     ecdsa-verify-test.c, with special u1 and u2. */
++  test_ecdsa (&_nettle_secp_224r1,
++	      "99b5b787484def12894ca507058b3bf5"
++	      "43d72d82fa7721d2e805e5e6",
++	      "2",
++	      SHEX("cdb887ac805a3b42e22d224c85482053"
++		   "16c755d4a736bb2032c92553"),
++	      "706a46dc76dcb76798e60e6d89474788"
++	      "d16dc18032d268fd1a704fa6", /* r */
++	      "3a41e1423b1853e8aa89747b1f987364"
++	      "44705d6d6d8371ea1f578f2e"); /* s */
++
+   /* Test cases for the smaller groups, verified with a
+      proof-of-concept implementation done for Yubico AB. */
+   test_ecdsa (&_nettle_secp_192r1,
+Index: nettle-3.5.1/testsuite/ecdsa-verify-test.c
+===================================================================
+--- nettle-3.5.1.orig/testsuite/ecdsa-verify-test.c
++++ nettle-3.5.1/testsuite/ecdsa-verify-test.c
+@@ -81,6 +81,26 @@ test_ecdsa (const struct ecc_curve *ecc,
+ void
+ test_main (void)
+ {
++  /* Corresponds to nonce k = 2 and private key z =
++     0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and
++     hash are chosen so that intermediate scalars in the verify
++     equations are u1 = 0x6b245680e700, u2 =
++     259da6542d4ba7d21ad916c3bd57f811. These values require canonical
++     reduction of the scalars. Bug caused by missing canonical
++     reduction reported by Guido Vranken. */
++  test_ecdsa (&_nettle_secp_224r1,
++	      "9e7e6cc6b1bdfa8ee039b66ad85e5490"
++	      "7be706a900a3cba1c8fdd014", /* x */
++	      "74855db3f7c1b4097ae095745fc915e3"
++	      "8a79d2a1de28f282eafb22ba", /* y */
++
++	      SHEX("cdb887ac805a3b42e22d224c85482053"
++		   "16c755d4a736bb2032c92553"),
++	      "706a46dc76dcb76798e60e6d89474788"
++	      "d16dc18032d268fd1a704fa6", /* r */
++	      "3a41e1423b1853e8aa89747b1f987364"
++	      "44705d6d6d8371ea1f578f2e"); /* s */
++
+   /* From RFC 4754 */
+   test_ecdsa (&_nettle_secp_256r1,
+ 	      "2442A5CC 0ECD015F A3CA31DC 8E2BBC70"
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
new file mode 100644
index 0000000000..54b4fa584c
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-4.patch
@@ -0,0 +1,48 @@
+Backport of:
+
+From 51f643eee00e2caa65c8a2f5857f49acdf3ef1ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 16:27:50 +0100
+Subject: [PATCH] Ensure ecdsa_sign output is canonically reduced.
+
+* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
+canonical range.
+
+(cherry picked from commit c24b36160dc5303f7541dd9da1429c4046f27398)
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-4.patch
+CVE: CVE-2021-20305 dep4
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog        | 3 +++
+ ecc-ecdsa-sign.c | 3 +--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 63848f53..fb2d7f66 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,8 @@
+# 2021-03-13  Niels Möller  <nisse@lysator.liu.se>
+# 
+#+	* ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to
+#+	canonical range.
+#+
+# 	* ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical
+# 	to compute the scalars used for ecc multiplication.
+# 	* testsuite/ecdsa-verify-test.c (test_main): Add test case that
+--- a/ecc-ecdsa-sign.c
++++ b/ecc-ecdsa-sign.c
+@@ -90,9 +90,8 @@ ecc_ecdsa_sign (const struct ecc_curve *
+ 
+   ecc_modq_mul (ecc, tp, zp, rp);
+   ecc_modq_add (ecc, hp, hp, tp);
+-  ecc_modq_mul (ecc, tp, hp, kinv);
++  ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp);
+ 
+-  mpn_copyi (sp, tp, ecc->p.size);
+ #undef P
+ #undef hp
+ #undef kinv
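
Review bot: the header of this patch file carries the tag "CVE: CVE-2021-20305 dep4"; the trailing "dep4" is not part of a CVE identifier and the sibling patch uses the plain ID, so drop it or move it to a free-text line. The Upstream-Status line also leaves its source on a separate line, and that URL points at Debian's nettle 3.4.1 patch set while the recipe is nettle 3.5.1. Putting the reference in brackets after Backport, as the squashfs-tools patch in this series does, and citing the upstream commit already quoted in the header would make the provenance easier to verify.
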
diff --git a/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
new file mode 100644
index 0000000000..468ff66266
--- /dev/null
+++ b/meta/recipes-support/nettle/nettle-3.5.1/CVE-2021-20305-5.patch
@@ -0,0 +1,53 @@
+Backport of:
+
+From ae3801a0e5cce276c270973214385c86048d5f7b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
+Date: Sat, 13 Mar 2021 16:42:21 +0100
+Subject: [PATCH] Similar fix for eddsa.
+
+* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+reduced. Two of the three call sites need that.
+
+(cherry picked from commit d9b564e4b3b3a5691afb9328c7342b3f7ca64288)
+
+
+Upstream-Status: Backport
+https://sources.debian.org/data/main/n/nettle/3.4.1-1%2Bdeb10u1/debian/patches/CVE-2021-20305-6.patch
+CVE: CVE-2021-20305 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog    |  3 +++
+ eddsa-hash.c | 10 +++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+#diff --git a/ChangeLog b/ChangeLog
+#index 5f8a22c2..ce330831 100644
+#--- a/ChangeLog
+#+++ b/ChangeLog
+#@@ -1,5 +1,8 @@
+# 2021-03-13  Niels Möller  <nisse@lysator.liu.se>
+# 
+#+	* eddsa-hash.c (_eddsa_hash): Ensure result is canonically
+#+	reduced. Two of the three call sites need that.
+#+
+# 	* ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical
+# 	to compute the scalars used for ecc multiplication.
+# 
+Index: nettle-3.5.1/eddsa-hash.c
+===================================================================
+--- nettle-3.5.1.orig/eddsa-hash.c
++++ nettle-3.5.1/eddsa-hash.c
+@@ -46,7 +46,12 @@ void
+ _eddsa_hash (const struct ecc_modulo *m,
+ 	     mp_limb_t *rp, const uint8_t *digest)
+ {
++  mp_limb_t cy;
+   size_t nbytes = 1 + m->bit_size / 8;
+   mpn_set_base256_le (rp, 2*m->size, digest, 2*nbytes);
+   m->mod (m, rp);
++  mpn_copyi (rp + m->size, rp, m->size);
++  /* Ensure canonical reduction. */
++  cy = mpn_sub_n (rp, rp + m->size, m->m, m->size);
++  cnd_copy (cy, rp, rp + m->size, m->size);
+ }
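
Review bot: this file is added as CVE-2021-20305-5.patch, but its header cites Debian's CVE-2021-20305-6.patch as the source, and the commented-out ChangeLog context refers to an ecc-gostdsa-verify.c change. Please add a line to the header saying that the numbering differs from Debian's on purpose and whether a Debian patch between -4 and -6 was left out deliberately, so the series can be compared against its source.
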
diff --git a/meta/recipes-support/nettle/nettle_3.5.1.bb b/meta/recipes-support/nettle/nettle_3.5.1.bb
index 9212d9deb5..192fd295e9 100644
--- a/meta/recipes-support/nettle/nettle_3.5.1.bb
+++ b/meta/recipes-support/nettle/nettle_3.5.1.bb
@@ -20,6 +20,11 @@ SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \
            file://check-header-files-of-openssl-only-if-enable_.patch \
            file://CVE-2021-3580_1.patch \
            file://CVE-2021-3580_2.patch \
+           file://CVE-2021-20305-1.patch \
+           file://CVE-2021-20305-2.patch \
+           file://CVE-2021-20305-3.patch \
+           file://CVE-2021-20305-4.patch \
+           file://CVE-2021-20305-5.patch \
            "
 
 SRC_URI_append_class-target = "\
-- 
2.25.1



* [OE-core][dunfell 11/25] squashfs-tools: fix CVE-2021-40153
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Kai Kang <kai.kang@windriver.com>

Source: http://git.yoctoproject.org/poky.git
MR: 113126
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=hardknott&id=cfc17a7ab5d3b0d6354a7194b8c8746c501959d9
ChangeID: cfc17a7ab5d3b0d6354a7194b8c8746c501959d9
Description:

Backport patch to fix CVE-2021-40153, and remove version update in
unsquashfs.c for compatibility.

CVE: CVE-2021-40153

Ref:
* https://security-tracker.debian.org/tracker/CVE-2021-40153

(From OE-Core rev: 09de4ef3f33540069a37e9fe6e13081984b77511)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../squashfs-tools/files/CVE-2021-40153.patch | 253 ++++++++++++++++++
 .../squashfs-tools/squashfs-tools_git.bb      |   1 +
 2 files changed, 254 insertions(+)
 create mode 100644 meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch

diff --git a/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
new file mode 100644
index 0000000000..95e2534ee4
--- /dev/null
+++ b/meta/recipes-devtools/squashfs-tools/files/CVE-2021-40153.patch
@@ -0,0 +1,253 @@
+Backport patch to fix CVE-2021-40153, and remove version update in unsquashfs.c
+for compatible.
+
+Upstream-Status: Backport [https://github.com/plougher/squashfs-tools/commit/79b5a55]
+CVE: CVE-2021-40153
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 79b5a555058eef4e1e7ff220c344d39f8cd09646 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Sat, 16 Jan 2021 20:08:55 +0000
+Subject: [PATCH] Unsquashfs: fix write outside destination directory exploit
+
+An issue on Github (https://github.com/plougher/squashfs-tools/issues/72)
+shows how some specially crafted Squashfs filesystems containing
+invalid file names (with '/' and ..) can cause Unsquashfs to write
+files outside of the destination directory.
+
+This commit fixes this exploit by checking all names for
+validity.
+
+In doing so I have also added checks for '.' and for names that
+are shorter than they should be (names in the file system should
+not have '\0' terminators).
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/Makefile        |  5 ++-
+ squashfs-tools/unsquash-1.c    |  9 +++++-
+ squashfs-tools/unsquash-1234.c | 58 ++++++++++++++++++++++++++++++++++
+ squashfs-tools/unsquash-2.c    |  9 +++++-
+ squashfs-tools/unsquash-3.c    |  9 +++++-
+ squashfs-tools/unsquash-4.c    |  9 +++++-
+ squashfs-tools/unsquashfs.h    |  5 ++-
+ 7 files changed, 98 insertions(+), 6 deletions(-)
+ create mode 100644 squashfs-tools/unsquash-1234.c
+
+diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile
+index aee4b960..20feaca2 100644
+--- a/squashfs-tools/Makefile
++++ b/squashfs-tools/Makefile
+@@ -156,7 +156,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o action.o swap.o pseudo.o compressor.o \
+ 	caches-queues-lists.o
+ 
+ UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \
+-	unsquash-4.o unsquash-123.o unsquash-34.o swap.o compressor.o unsquashfs_info.o
++	unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \
++	compressor.o unsquashfs_info.o
+ 
+ CFLAGS ?= -O2
+ CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \
+@@ -350,6 +351,8 @@ unsquash-123.o: unsquashfs.h unsquash-123.c squashfs_fs.h squashfs_compat.h
+ 
+ unsquash-34.o: unsquashfs.h unsquash-34.c
+ 
++unsquash-1234.o: unsquash-1234.c
++
+ unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h
+ 
+ unsquashfs_info.o: unsquashfs.h squashfs_fs.h
+diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
+index 34eced36..28326cb1 100644
+--- a/squashfs-tools/unsquash-1.c
++++ b/squashfs-tools/unsquash-1.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -285,6 +285,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ 			memcpy(dire->name, directory_table + bytes,
+ 				dire->size + 1);
+ 			dire->name[dire->size + 1] = '\0';
++
++			/* check name for invalid characters (i.e /, ., ..) */
++			if(check_name(dire->name, dire->size + 1) == FALSE) {
++				ERROR("File system corrupted: invalid characters in name\n");
++				goto corrupted;
++			}
++
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
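
Review bot: the new error path in squashfs_opendir reports "invalid characters in name" for every check_name failure, but check_name also rejects ".", ".." and names shorter than dire->size + 1, so the message can mislead whoever triages a rejected image. A neutral text such as "invalid file name" would cover all cases, and the comment's "i.e" should read "e.g."; the same applies to the identical hunks in unsquash-2.c, unsquash-3.c and unsquash-4.c.
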
+diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
+new file mode 100644
+index 00000000..c2d4f42b
+--- /dev/null
++++ b/squashfs-tools/unsquash-1234.c
+@@ -0,0 +1,58 @@
++/*
++ * Unsquash a squashfs filesystem.  This is a highly compressed read only
++ * filesystem.
++ *
++ * Copyright (c) 2021
++ * Phillip Lougher <phillip@squashfs.org.uk>
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2,
++ * or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++ *
++ * unsquash-1234.c
++ *
++ * Helper functions used by unsquash-1, unsquash-2, unsquash-3 and
++ * unsquash-4.
++ */
++
++#define TRUE 1
++#define FALSE 0
++/*
++ * Check name for validity, name should not
++ *  - be ".", "./", or
++ *  - be "..", "../" or
++ *  - have a "/" anywhere in the name, or
++ *  - be shorter than the expected size
++ */
++int check_name(char *name, int size)
++{
++	char *start = name;
++
++	if(name[0] == '.') {
++		if(name[1] == '.')
++			name++;
++		if(name[1] == '/' || name[1] == '\0')
++			return FALSE;
++	}
++
++	while(name[0] != '/' && name[0] != '\0')
++		name ++;
++
++	if(name[0] == '/')
++		return FALSE;
++
++	if((name - start) != size)
++		return FALSE;
++
++	return TRUE;
++}
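
Review bot: check_name takes a size argument, but its scan loop "while(name[0] != '/' && name[0] != '\0')" is bounded only by the terminator, and the leading-dot test reads name[1] before any length check. The function is therefore safe only because each caller writes dire->name[dire->size + 1] = '\0' before calling it. Either bound the scan by size or state the NUL-termination precondition in the header comment. Since name is never written through, the parameter could also be const char *.
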
+diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
+index 4b3d767e..474064e1 100644
+--- a/squashfs-tools/unsquash-2.c
++++ b/squashfs-tools/unsquash-2.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2013, 2019
++ * Copyright (c) 2009, 2010, 2013, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -386,6 +386,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ 			memcpy(dire->name, directory_table + bytes,
+ 				dire->size + 1);
+ 			dire->name[dire->size + 1] = '\0';
++
++			/* check name for invalid characters (i.e /, ., ..) */
++			if(check_name(dire->name, dire->size + 1) == FALSE) {
++				ERROR("File system corrupted: invalid characters in name\n");
++				goto corrupted;
++			}
++
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
+index 02c31fc5..65cfe4d9 100644
+--- a/squashfs-tools/unsquash-3.c
++++ b/squashfs-tools/unsquash-3.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -413,6 +413,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ 			memcpy(dire->name, directory_table + bytes,
+ 				dire->size + 1);
+ 			dire->name[dire->size + 1] = '\0';
++
++			/* check name for invalid characters (i.e /, ., ..) */
++			if(check_name(dire->name, dire->size + 1) == FALSE) {
++				ERROR("File system corrupted: invalid characters in name\n");
++				goto corrupted;
++			}
++
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
+index 8475835c..aa23a841 100644
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -349,6 +349,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ 			memcpy(dire->name, directory_table + bytes,
+ 				dire->size + 1);
+ 			dire->name[dire->size + 1] = '\0';
++
++			/* check name for invalid characters (i.e /, ., ..) */
++			if(check_name(dire->name, dire->size + 1) == FALSE) {
++				ERROR("File system corrupted: invalid characters in name\n");
++				goto corrupted;
++			}
++
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
+index 934618b2..db1da7a0 100644
+--- a/squashfs-tools/unsquashfs.h
++++ b/squashfs-tools/unsquashfs.h
+@@ -4,7 +4,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2013, 2014, 2019
++ * Copyright (c) 2009, 2010, 2013, 2014, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -261,4 +261,7 @@ extern int read_ids(int, long long, long long, unsigned int **);
+ 
+ /* unsquash-34.c */
+ extern long long *alloc_index_table(int);
++
++/* unsquash-1234.c */
++extern int check_name(char *, int);
+ #endif
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb b/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
index 2b1409d78d..083e597b03 100644
--- a/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
+++ b/meta/recipes-devtools/squashfs-tools/squashfs-tools_git.bb
@@ -11,6 +11,7 @@ PV = "4.4"
 SRCREV = "52eb4c279cd283ed9802dd1ceb686560b22ffb67"
 SRC_URI = "git://github.com/plougher/squashfs-tools.git;protocol=https \
            file://0001-squashfs-tools-fix-build-failure-against-gcc-10.patch;striplevel=2 \
+           file://CVE-2021-40153.patch;striplevel=2 \
 "
 
 S = "${WORKDIR}/git/squashfs-tools"
-- 
2.25.1



* [OE-core][dunfell 12/25] tar: ignore node-tar CVEs
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Armin Kuster <akuster808@gmail.com>

These three CVEs are specific to the Node package node-tar.

exclude: CVE-2021-37701 CVE-2021-37712 CVE-2021-37713

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f9317a02d73c1e5aea026683a037e52c996c7bb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/tar/tar_1.32.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb
index 0fe0b801c2..87eb8b4188 100644
--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -68,3 +68,4 @@ BBCLASSEXTEND = "native nativesdk"
 
 # These are both specific to the NPM package node-tar
 CVE_CHECK_WHITELIST += "CVE-2021-32803 CVE-2021-32804"
+CVE_CHECK_WHITELIST += "CVE-2021-37701 CVE-2021-37712 CVE-2021-37713"
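
Review bot: the added CVE_CHECK_WHITELIST line sits under the existing comment "These are both specific to the NPM package node-tar", which now has to cover five CVEs on two lines. Reword the comment (for example "These are all specific to ...") so the rationale stays accurate for the three new IDs.
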
-- 
2.25.1



* [OE-core][dunfell 13/25] vim: Backport fix for CVE-2021-3770
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 54d3d023ce55ba4a7160ed25a283f0918e7d8e2e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...1e135a16091c93f6f5f7525a5c58fb7ca9f9.patch | 207 ++++++++++++++++++
 meta/recipes-support/vim/vim.inc              |   2 +
 2 files changed, 209 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch

diff --git a/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch b/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch
new file mode 100644
index 0000000000..1cee759502
--- /dev/null
+++ b/meta/recipes-support/vim/files/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch
@@ -0,0 +1,207 @@
+From b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 4 Sep 2021 18:47:28 +0200
+Subject: [PATCH] patch 8.2.3402: invalid memory access when using :retab with
+ large value
+
+Problem:    Invalid memory access when using :retab with large value.
+Solution:   Check the number is positive.
+
+CVE: CVE-2021-3770
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Backport [https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9]
+---
+ src/indent.c               | 34 +++++++++++++++++++++-------------
+ src/option.c               | 12 ++++++------
+ src/optionstr.c            |  4 ++--
+ src/testdir/test_retab.vim |  3 +++
+ src/version.c              |  2 ++
+ 5 files changed, 34 insertions(+), 21 deletions(-)
+
+Index: git/src/indent.c
+===================================================================
+--- git.orig/src/indent.c
++++ git/src/indent.c
+@@ -18,18 +18,19 @@
+ /*
+  * Set the integer values corresponding to the string setting of 'vartabstop'.
+  * "array" will be set, caller must free it if needed.
++ * Return FAIL for an error.
+  */
+     int
+ tabstop_set(char_u *var, int **array)
+ {
+-    int valcount = 1;
+-    int t;
+-    char_u *cp;
++    int	    valcount = 1;
++    int	    t;
++    char_u  *cp;
+ 
+     if (var[0] == NUL || (var[0] == '0' && var[1] == NUL))
+     {
+ 	*array = NULL;
+-	return TRUE;
++	return OK;
+     }
+ 
+     for (cp = var; *cp != NUL; ++cp)
+@@ -43,8 +44,8 @@ tabstop_set(char_u *var, int **array)
+ 		if (cp != end)
+ 		    emsg(_(e_positive));
+ 		else
+-		    emsg(_(e_invarg));
+-		return FALSE;
++		    semsg(_(e_invarg2), cp);
++		return FAIL;
+ 	    }
+ 	}
+ 
+@@ -55,26 +56,33 @@ tabstop_set(char_u *var, int **array)
+ 	    ++valcount;
+ 	    continue;
+ 	}
+-	emsg(_(e_invarg));
+-	return FALSE;
++	semsg(_(e_invarg2), var);
++	return FAIL;
+     }
+ 
+     *array = ALLOC_MULT(int, valcount + 1);
+     if (*array == NULL)
+-	return FALSE;
++	return FAIL;
+     (*array)[0] = valcount;
+ 
+     t = 1;
+     for (cp = var; *cp != NUL;)
+     {
+-	(*array)[t++] = atoi((char *)cp);
+-	while (*cp  != NUL && *cp != ',')
++	int n = atoi((char *)cp);
++
++	if (n < 0 || n > 9999)
++	{
++	    semsg(_(e_invarg2), cp);
++	    return FAIL;
++	}
++	(*array)[t++] = n;
++	while (*cp != NUL && *cp != ',')
+ 	    ++cp;
+ 	if (*cp != NUL)
+ 	    ++cp;
+     }
+ 
+-    return TRUE;
++    return OK;
+ }
+ 
+ /*
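
Review bot: in the fill loop of tabstop_set, the new "return FAIL" for n < 0 || n > 9999 runs after *array = ALLOC_MULT(int, valcount + 1), so the caller is left holding an allocated, partly filled array; ex_retab in the next hunk simply returns on FAIL and would leak it. Free the array and set *array to NULL before returning. The range check also relies on what atoi() yields for input that does not fit in an int, such as the '80000000000000000000' test case, which the C standard leaves undefined; strtol with an explicit range test would be more robust.
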
+@@ -1556,7 +1564,7 @@ ex_retab(exarg_T *eap)
+ 
+ #ifdef FEAT_VARTABS
+     new_ts_str = eap->arg;
+-    if (!tabstop_set(eap->arg, &new_vts_array))
++    if (tabstop_set(eap->arg, &new_vts_array) == FAIL)
+ 	return;
+     while (vim_isdigit(*(eap->arg)) || *(eap->arg) == ',')
+ 	++(eap->arg);
+Index: git/src/option.c
+===================================================================
+--- git.orig/src/option.c
++++ git/src/option.c
+@@ -2292,9 +2292,9 @@ didset_options2(void)
+ #endif
+ #ifdef FEAT_VARTABS
+     vim_free(curbuf->b_p_vsts_array);
+-    tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
++    (void)tabstop_set(curbuf->b_p_vsts, &curbuf->b_p_vsts_array);
+     vim_free(curbuf->b_p_vts_array);
+-    tabstop_set(curbuf->b_p_vts,  &curbuf->b_p_vts_array);
++    (void)tabstop_set(curbuf->b_p_vts,  &curbuf->b_p_vts_array);
+ #endif
+ }
+ 
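
Review bot: didset_options2 frees the old array and then discards the result with "(void)tabstop_set(...)"; on the FAIL paths that return before the allocation, tabstop_set does not write *array, which leaves curbuf->b_p_vsts_array or curbuf->b_p_vts_array pointing at freed memory. Set the pointer to NULL right after vim_free(), or handle FAIL here instead of casting it away. The same question applies to the other (void) casts added in this file.
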
+@@ -5756,7 +5756,7 @@ buf_copy_options(buf_T *buf, int flags)
+ 	    buf->b_p_vsts = vim_strsave(p_vsts);
+ 	    COPY_OPT_SCTX(buf, BV_VSTS);
+ 	    if (p_vsts && p_vsts != empty_option)
+-		tabstop_set(p_vsts, &buf->b_p_vsts_array);
++		(void)tabstop_set(p_vsts, &buf->b_p_vsts_array);
+ 	    else
+ 		buf->b_p_vsts_array = 0;
+ 	    buf->b_p_vsts_nopaste = p_vsts_nopaste
+@@ -5914,7 +5914,7 @@ buf_copy_options(buf_T *buf, int flags)
+ 		buf->b_p_isk = save_p_isk;
+ #ifdef FEAT_VARTABS
+ 		if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+-		    tabstop_set(p_vts, &buf->b_p_vts_array);
++		    (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ 		else
+ 		    buf->b_p_vts_array = NULL;
+ #endif
+@@ -5929,7 +5929,7 @@ buf_copy_options(buf_T *buf, int flags)
+ 		buf->b_p_vts = vim_strsave(p_vts);
+ 		COPY_OPT_SCTX(buf, BV_VTS);
+ 		if (p_vts && p_vts != empty_option && !buf->b_p_vts_array)
+-		    tabstop_set(p_vts, &buf->b_p_vts_array);
++		    (void)tabstop_set(p_vts, &buf->b_p_vts_array);
+ 		else
+ 		    buf->b_p_vts_array = NULL;
+ #endif
+@@ -6634,7 +6634,7 @@ paste_option_changed(void)
+ 	    if (buf->b_p_vsts_array)
+ 		vim_free(buf->b_p_vsts_array);
+ 	    if (buf->b_p_vsts && buf->b_p_vsts != empty_option)
+-		tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
++		(void)tabstop_set(buf->b_p_vsts, &buf->b_p_vsts_array);
+ 	    else
+ 		buf->b_p_vsts_array = 0;
+ #endif
+Index: git/src/optionstr.c
+===================================================================
+--- git.orig/src/optionstr.c
++++ git/src/optionstr.c
+@@ -2166,7 +2166,7 @@ did_set_string_option(
+ 	    if (errmsg == NULL)
+ 	    {
+ 		int *oldarray = curbuf->b_p_vsts_array;
+-		if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)))
++		if (tabstop_set(*varp, &(curbuf->b_p_vsts_array)) == OK)
+ 		{
+ 		    if (oldarray)
+ 			vim_free(oldarray);
+@@ -2205,7 +2205,7 @@ did_set_string_option(
+ 	    {
+ 		int *oldarray = curbuf->b_p_vts_array;
+ 
+-		if (tabstop_set(*varp, &(curbuf->b_p_vts_array)))
++		if (tabstop_set(*varp, &(curbuf->b_p_vts_array)) == OK)
+ 		{
+ 		    vim_free(oldarray);
+ #ifdef FEAT_FOLDING
+Index: git/src/testdir/test_retab.vim
+===================================================================
+--- git.orig/src/testdir/test_retab.vim
++++ git/src/testdir/test_retab.vim
+@@ -74,4 +74,7 @@ endfunc
+ func Test_retab_error()
+   call assert_fails('retab -1',  'E487:')
+   call assert_fails('retab! -1', 'E487:')
++  call assert_fails('ret -1000', 'E487:')
++  call assert_fails('ret 10000', 'E475:')
++  call assert_fails('ret 80000000000000000000', 'E475:')
+ endfunc
+Index: git/src/version.c
+===================================================================
+--- git.orig/src/version.c
++++ git/src/version.c
+@@ -743,6 +743,8 @@ static char *(features[]) =
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
+ /**/
++    3402,
++/**/
+     0
+ };
+ 
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 6fe8fb90db..ecaba7107e 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -17,7 +17,9 @@ SRC_URI = "git://github.com/vim/vim.git \
            file://0001-src-Makefile-improve-reproducibility.patch \
            file://no-path-adjust.patch \
            file://racefix.patch \
+           file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
 "
+
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
-- 
2.25.1



* [OE-core][dunfell 14/25] iputils: Fix regression of arp table update
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Visa Hankala <visa@hankala.org>

Backport a fix from iputils 20210202 to make arp table updating
work again.

Fixes: 77c5792aa5e7 ("iputils: fix various arping regressions")
Signed-off-by: Visa Hankala <visa@hankala.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...ng-make-update-neighbours-work-again.patch | 79 +++++++++++++++++++
 .../iputils/iputils_s20190709.bb              |  1 +
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch

diff --git a/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch b/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch
new file mode 100644
index 0000000000..bf86115843
--- /dev/null
+++ b/meta/recipes-extended/iputils/iputils/0001-arping-make-update-neighbours-work-again.patch
@@ -0,0 +1,79 @@
+From 86ed08936d49e2c81ef49dfbd02aca1c74d0c098 Mon Sep 17 00:00:00 2001
+From: lac-0073 <61903197+lac-0073@users.noreply.github.com>
+Date: Mon, 26 Oct 2020 09:45:42 +0800
+Subject: [PATCH] arpping: make update neighbours work again
+
+The arping is using inconsistent sender_ip_addr and target_ip_addr in
+messages.  This causes the client receiving the arp message not to update
+the arp table entries.
+
+The specific performance is as follows:
+
+There is a machine 2 with IP 10.20.30.3 configured on eth0:0 that is in the
+same IP subnet as eth0.  This IP was originally used on another machine 1,
+and th IP needs to be changed back to the machine 1.  When using the arping
+command to announce what ethernet address has IP 10.20.30.3, the arp table
+on machine 3 is not updated.
+
+Machine 3 original arp table:
+
+    10.20.30.3  machine 2 eth0:0    00:00:00:00:00:02
+    10.20.30.2  machine 2 eth0      00:00:00:00:00:02
+    10.20.30.1  machine 1 eth0      00:00:00:00:00:01
+
+Create interface eth0:0 on machine 1, and use the arping command to send arp
+packets.  Expected outcome on machine 3:
+
+    10.20.30.3  machine 1 eth0:0    00:00:00:00:00:01
+    10.20.30.2  machine 2 eth0      00:00:00:00:00:02
+    10.20.30.1  machine 1 eth0      00:00:00:00:00:01
+
+Actual results on machine 3:
+
+    10.20.30.3  machine 2 eth0:0    00:00:00:00:00:02
+    10.20.30.2  machine 2 eth0      00:00:00:00:00:02
+    10.20.30.1  machine 1 eth0      00:00:00:00:00:01
+
+Fixes: https://github.com/iputils/iputils/issues/298
+Fixes: 68f12fc4a0dbef4ae4c404da24040d22c5a14339
+Signed-off-by: Aichun Li <liaichun@huawei.com>
+Upstream-Status: Backport [https://github.com/iputils/iputils/commit/86ed08936d49e2c81ef49dfbd02aca1c74d0c098]
+Signed-off-by: Visa Hankala <visa@hankala.org>
+---
+ arping.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index a002786..53fdbb4 100644
+--- a/arping.c
++++ b/arping.c
+@@ -968,7 +968,7 @@ int main(int argc, char **argv)
+ 		}
+ 		memset(&saddr, 0, sizeof(saddr));
+ 		saddr.sin_family = AF_INET;
+-		if (!ctl.unsolicited && (ctl.source || ctl.gsrc.s_addr)) {
++		if (ctl.source || ctl.gsrc.s_addr) {
+ 			saddr.sin_addr = ctl.gsrc;
+ 			if (bind(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+ 				error(2, errno, "bind");
+@@ -979,12 +979,14 @@ int main(int argc, char **argv)
+ 			saddr.sin_port = htons(1025);
+ 			saddr.sin_addr = ctl.gdst;
+ 
+-			if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
+-				error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
+-			if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
+-				error(2, errno, "connect");
+-			if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
+-				error(2, errno, "getsockname");
++			if (!ctl.unsolicited) {
++				if (setsockopt(probe_fd, SOL_SOCKET, SO_DONTROUTE, (char *)&on, sizeof(on)) == -1)
++					error(0, errno, _("WARNING: setsockopt(SO_DONTROUTE)"));
++				if (connect(probe_fd, (struct sockaddr *)&saddr, sizeof(saddr)) == -1)
++					error(2, errno, "connect");
++				if (getsockname(probe_fd, (struct sockaddr *)&saddr, &alen) == -1)
++					error(2, errno, "getsockname");
++			}
+ 			ctl.gsrc = saddr.sin_addr;
+ 		}
+ 		close(probe_fd);
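Review bot: In the second arping.c hunk, when ctl.unsolicited is set the new `if (!ctl.unsolicited)` block is skipped, so the unchanged `ctl.gsrc = saddr.sin_addr;` now copies the ctl.gdst value assigned a few lines above instead of an address returned by getsockname(). If that is the intended source address for unsolicited mode, a one-line comment at the assignment should say so, because the dependency on the earlier `saddr.sin_addr = ctl.gdst;` is easy to break in a later edit.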
diff --git a/meta/recipes-extended/iputils/iputils_s20190709.bb b/meta/recipes-extended/iputils/iputils_s20190709.bb
index d652bfcaad..b33b913817 100644
--- a/meta/recipes-extended/iputils/iputils_s20190709.bb
+++ b/meta/recipes-extended/iputils/iputils_s20190709.bb
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/iputils/iputils \
            file://0003-arping-Fix-comparison-of-different-signedness-warnin.patch \
            file://0004-arping-return-success-when-unsolicited-ARP-mode-dest.patch \
            file://0005-arping-use-additional-timerfd-to-control-when-timeou.patch \
+           file://0001-arping-make-update-neighbours-work-again.patch \
            "
 SRCREV = "13e00847176aa23683d68fce1d17ffb523510946"
 
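Review bot: The new SRC_URI entry is named 0001-arping-make-update-neighbours-work-again.patch but is listed after the 0005- entry, so its numeric prefix no longer reflects the order in which the patches apply. Renaming it to continue the sequence would make the apply order readable from the file names alone.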
-- 
2.25.1



* [OE-core][dunfell 15/25] linux-yocto/5.4: update to v5.4.143
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (13 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 14/25] iputils: Fix regression of arp table update Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 16/25] linux-yocto/5.4: update to v5.4.144 Steve Sakoman
                   ` (9 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.4 to the latest korg -stable release that comprises
the following commits:

    fd80923202c6 Linux 5.4.143
    4bf194158102 netfilter: nft_exthdr: fix endianness of tcp option cast
    e4fd994f02c5 fs: warn about impending deprecation of mandatory locks
    41c7f46c89f6 mm: memcontrol: fix occasional OOMs due to proportional memory.low reclaim
    1a3aa81444d3 mm, memcg: avoid stale protection values when cgroup is above protection
    9c1c449dcca0 ASoC: intel: atom: Fix breakage for PCM buffer address setup
    846ba58a7c06 PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI
    548b75f4905e btrfs: prevent rename2 from exchanging a subvol with a directory from different parents
    0fc6a9c2025b ipack: tpci200: fix memory leak in the tpci200_register
    280d66b31797 ipack: tpci200: fix many double free issues in tpci200_pci_probe
    cb7aa5103146 slimbus: ngd: reset dma setup during runtime pm
    abce32d0f7f4 slimbus: messaging: check for valid transaction id
    0786d315f55c slimbus: messaging: start transaction ids from 1 instead of zero
    20c2f141b1e5 tracing / histogram: Fix NULL pointer dereference on strcmp() on NULL event name
    8fbfebe188c0 ALSA: hda - fix the 'Capture Switch' value change notifications
    85e60614d1f6 mmc: dw_mmc: Fix hang on data CRC error
    4f6c9caf7b6c ovl: add splice file read write helper
    85813f1f9e86 iavf: Fix ping is lost after untrusted VF had tried to change MAC
    a498115dcd9c i40e: Fix ATR queue selection
    1b8a8fba7853 ovs: clear skb->tstamp in forwarding path
    84dbbf5482e3 net: mdio-mux: Handle -EPROBE_DEFER correctly
    453486e79ed2 net: mdio-mux: Don't ignore memory allocation errors
    6b70c67849bb net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32
    da92ce364595 virtio-net: use NETIF_F_GRO_HW instead of NETIF_F_LRO
    9aeadce8e33b virtio-net: support XDP when not more queues
    3ed7cf8386c9 vrf: Reset skb conntrack connection on VRF rcv
    447b16028956 bnxt_en: Add missing DMA memory barriers
    c9566df334d0 ptp_pch: Restore dependency on PCI
    a73b9aa14269 net: 6pack: fix slab-out-of-bounds in decode_data
    2bc75713434b bnxt: disable napi before canceling DIM
    a9fb0f155980 bnxt: don't lock the tx queue from napi poll
    1fe038030cc8 bpf: Clear zext_dst of dead insns
    73a45f75a07b vhost: Fix the calculation in vhost_overflow()
    b9a59636c4bf virtio: Protect vqs list access
    b264e37b3517 dccp: add do-while-0 stubs for dccp_pr_debug macros
    9112ebc2990a cpufreq: armada-37xx: forbid cpufreq for 1.2 GHz variant
    cb9a9d5fe636 iommu: Check if group is NULL before remove device
    911a8141efdd Bluetooth: hidp: use correct wait queue when removing ctrl_wait
    5b14c1f16e2d drm/amd/display: Fix Dynamic bpp issue with 8K30 with Navi 1X
    f92dc3a89dd8 net: usb: lan78xx: don't modify phy_device state concurrently
    be7043679967 ARM: dts: nomadik: Fix up interrupt controller node names
    69aa1a1a569f scsi: core: Fix capacity set to zero after offlinining device
    935de7ec7a4d scsi: core: Avoid printing an error if target_alloc() returns -ENXIO
    7a721a1e1885 scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach()
    9900e06ae6e6 scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry()
    e37cf26bd56d dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available
    12d1322d93a6 ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218
    11145efd295b dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe()
    9c97a0539288 dmaengine: xilinx_dma: Fix read-after-free bug when terminating transfers
    fc566b5a21f5 USB: core: Avoid WARNings for 0-length descriptor requests
    1bd505c814cc media: drivers/media/usb: fix memory leak in zr364xx_probe
    705660a6d98d media: zr364xx: fix memory leaks in probe()
    79dff2a3f41a media: zr364xx: propagate errors from zr364xx_start_readpipe()
    7305d6d4078f mtd: cfi_cmdset_0002: fix crash when erasing/writing AMD cards
    23f77ad13f81 ath9k: Postpone key cache entry deletion for TXQ frames reference it
    c6feaf806da6 ath: Modify ath_key_delete() to not need full key entry
    b7d593705eb4 ath: Export ath_hw_keysetmac()
    add283e2517a ath9k: Clear key cache explicitly on disabling hardware
    0c049ce432b3 ath: Use safer key clearing with key cache entries
    172b91bbbb49 x86/fpu: Make init_fpstate correct with optimized XSAVE
    81d152c8daf8 ext4: fix EXT4_MAX_LOGICAL_BLOCK macro

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 69958c5631..d4add9b262 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "b872fc896dcc555149f26c5dd683f7e6394852d6"
-SRCREV_meta ?= "719be4bd6c3c7575e7942dc016e3c3bb028f163d"
+SRCREV_machine ?= "f4f6c136157b70468cf54389034aeaa41bbc5538"
+SRCREV_meta ?= "70b2480497528245c948ec259c734d74ea4fa3f1"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.142"
+LINUX_VERSION ?= "5.4.143"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 0178d172f8..a2f212e2ef 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.142"
+LINUX_VERSION ?= "5.4.143"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "4addf3f9e4f68bc7c03ea19ad95f2a4836ac9873"
-SRCREV_machine ?= "964802684eb1495bd1c5f625307b6d41515a3e9a"
-SRCREV_meta ?= "719be4bd6c3c7575e7942dc016e3c3bb028f163d"
+SRCREV_machine_qemuarm ?= "83b75c59c277ba3f87759cf558f9f230c1ed3bf7"
+SRCREV_machine ?= "1f981e60c9f6162337d2a65c891f2e29d8e1c862"
+SRCREV_meta ?= "70b2480497528245c948ec259c734d74ea4fa3f1"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 7e35e082fb..93cf312954 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "9b1b66b01c88cf5035d148f37c70b8215c8fde15"
-SRCREV_machine_qemuarm64 ?= "e91700bf8d8130226679954a8137c5f3fd54b81d"
-SRCREV_machine_qemumips ?= "332bc089f06636156b9d5b2a04228c03c680c6d0"
-SRCREV_machine_qemuppc ?= "1bf103767b96923aa6ca76e9e095b04c13ce93cd"
-SRCREV_machine_qemuriscv64 ?= "108b8b822e7bbba492deafe60ee86839291c3250"
-SRCREV_machine_qemux86 ?= "108b8b822e7bbba492deafe60ee86839291c3250"
-SRCREV_machine_qemux86-64 ?= "108b8b822e7bbba492deafe60ee86839291c3250"
-SRCREV_machine_qemumips64 ?= "7b31f99f9e245d029de7fb9e3480f7b00f846b8f"
-SRCREV_machine ?= "108b8b822e7bbba492deafe60ee86839291c3250"
-SRCREV_meta ?= "719be4bd6c3c7575e7942dc016e3c3bb028f163d"
+SRCREV_machine_qemuarm ?= "a5fb40d66dcf9b95e82a06724fe8b33a03295af4"
+SRCREV_machine_qemuarm64 ?= "bffde671f5262afb5139ef58b10be043de1d368a"
+SRCREV_machine_qemumips ?= "ac8adae0a4a582e9593b527a14f3a7e407a22e6e"
+SRCREV_machine_qemuppc ?= "022718ee2b3805d465613f05813fd6313cbb988f"
+SRCREV_machine_qemuriscv64 ?= "484eb3a36ef32d910da9a38a3f67ff2b2d1f7aa2"
+SRCREV_machine_qemux86 ?= "484eb3a36ef32d910da9a38a3f67ff2b2d1f7aa2"
+SRCREV_machine_qemux86-64 ?= "484eb3a36ef32d910da9a38a3f67ff2b2d1f7aa2"
+SRCREV_machine_qemumips64 ?= "46871b96c7f3f1658f4b9875d6645ff7996e98f1"
+SRCREV_machine ?= "484eb3a36ef32d910da9a38a3f67ff2b2d1f7aa2"
+SRCREV_meta ?= "70b2480497528245c948ec259c734d74ea4fa3f1"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.142"
+LINUX_VERSION ?= "5.4.143"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.25.1



* [OE-core][dunfell 16/25] linux-yocto/5.4: update to v5.4.144
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (14 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 15/25] linux-yocto/5.4: update to v5.4.143 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 17/25] rpm: Handle proper return value to avoid major issues Steve Sakoman
                   ` (8 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Bruce Ashfield <bruce.ashfield@gmail.com>

Updating linux-yocto/5.4 to the latest korg -stable release that comprises
the following commits:

    c6bf0ed9d1a7 Linux 5.4.144
    0634c0f91995 audit: move put_tree() to avoid trim_trees refcount underflow and UAF
    cab0003311a0 net: don't unconditionally copy_from_user a struct ifreq for socket ioctls
    6752b3b0628e Revert "parisc: Add assembly implementations for memset, strlen, strcpy, strncpy and strcat"
    67871ada3a53 Revert "floppy: reintroduce O_NDELAY fix"
    d7f7eca72ecc btrfs: fix NULL pointer dereference when deleting device by invalid id
    e644da7ace0f arm64: dts: qcom: msm8994-angler: Fix gpio-reserved-ranges 85-88
    4f76285f6df8 KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs
    620681d7201a net: dsa: mt7530: fix VLAN traffic leaks again
    38adbf21f37e bpf: Fix cast to pointer from integer of different size warning
    812ee47ad76e bpf: Track contents of read-only maps as scalars
    f4418015201b vt_kdsetmode: extend console locking
    8a19e0045086 btrfs: fix race between marking inode needs to be logged and log syncing
    f3a1ac258ebc net/rds: dma_map_sg is entitled to merge entries
    ad6a2bc7588a drm/nouveau/disp: power down unused DP links during init
    689179c462d8 drm: Copy drm_wait_vblank to user before returning
    18ceb99f8483 qed: Fix null-pointer dereference in qed_rdma_create_qp()
    f1a0db49abd5 qed: qed ll2 race condition fixes
    73ba9e4ece4b vringh: Use wiov->used to check for read/write desc order
    ee52acae6fb5 virtio_pci: Support surprise removal of virtio pci device
    be9b79e84154 virtio: Improve vq->broken access to avoid any compiler optimization
    0d4ba693db48 opp: remove WARN when no valid OPPs remain
    baf56a1d8199 perf/x86/intel/uncore: Fix integer overflow on 23 bit left shift of a u32
    0ad96094ab90 usb: gadget: u_audio: fix race condition on endpoint stop
    c5c2b4ca5035 drm/i915: Fix syncmap memory leak
    2f3cefa6abf0 net: hns3: fix get wrong pfc_en when query PFC configuration
    6f0c0b35e277 net: hns3: fix duplicate node in VLAN list
    951805c23dff net: hns3: clear hardware resource when loading driver
    08162f65642c rtnetlink: Return correct error on changing device netns
    f58e42d1928c net: marvell: fix MVNETA_TX_IN_PRGRS bit number
    45454400a647 xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()'
    53b480e68c1c ip_gre: add validation for csum_start
    bb8ca7e2e67e RDMA/efa: Free IRQ vectors on error flow
    e29565b4515e e1000e: Fix the max snoop/no-snoop latency for 10M
    8a21e84334ec IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs()
    944a50f56f1b RDMA/bnxt_re: Add missing spin lock initialization
    28b189541027 scsi: core: Fix hang of freezing queue between blocking and running device
    628c582854d3 usb: dwc3: gadget: Stop EP0 transfers during pullup disable
    d9da281c8f9e usb: dwc3: gadget: Fix dwc3_calc_trbs_left()
    21880abf19ba USB: serial: option: add new VID/PID to support Fibocom FG150
    2e098e91eeec Revert "USB: serial: ch341: fix character loss at high transfer rates"
    16b281a70a10 can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters
    765437d1f078 mm, oom: make the calculation of oom badness more accurate
    1cccf5c03077 mmc: sdhci-msm: Update the software timeout value for sdhc
    aec1e470d906 ovl: fix uninitialized pointer read in ovl_lookup_real_one()
    57bd5b59f1ce once: Fix panic when module unload
    5892f910f401 netfilter: conntrack: collect all entries in one cycle
    7c95c89b6929 ARC: Fix CONFIG_STACKDEPOT
    a6b049aeefa8 net: qrtr: fix another OOB Read in qrtr_endpoint_post

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 3 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index d4add9b262..b6c84d0f1c 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
         raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
 }
 
-SRCREV_machine ?= "f4f6c136157b70468cf54389034aeaa41bbc5538"
-SRCREV_meta ?= "70b2480497528245c948ec259c734d74ea4fa3f1"
+SRCREV_machine ?= "7f67141bca949eff8953f965c26475286d1a20cf"
+SRCREV_meta ?= "e4ccb53f204f722583178a9249fbf5d745f0d56a"
 
 SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
-LINUX_VERSION ?= "5.4.143"
+LINUX_VERSION ?= "5.4.144"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index a2f212e2ef..5ee1d359b2 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
-LINUX_VERSION ?= "5.4.143"
+LINUX_VERSION ?= "5.4.144"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
 KMETA = "kernel-meta"
 KCONF_BSP_AUDIT_LEVEL = "2"
 
-SRCREV_machine_qemuarm ?= "83b75c59c277ba3f87759cf558f9f230c1ed3bf7"
-SRCREV_machine ?= "1f981e60c9f6162337d2a65c891f2e29d8e1c862"
-SRCREV_meta ?= "70b2480497528245c948ec259c734d74ea4fa3f1"
+SRCREV_machine_qemuarm ?= "08336ce8b4ebc2b21c28488c85098c6816f3d99f"
+SRCREV_machine ?= "8220749d3e8643091b118d93a857333e2c91a1eb"
+SRCREV_meta ?= "e4ccb53f204f722583178a9249fbf5d745f0d56a"
 
 PV = "${LINUX_VERSION}+git${SRCPV}"
 
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 93cf312954..ac0a72605d 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86  ?= "v5.4/standard/base"
 KBRANCH_qemux86-64 ?= "v5.4/standard/base"
 KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
 
-SRCREV_machine_qemuarm ?= "a5fb40d66dcf9b95e82a06724fe8b33a03295af4"
-SRCREV_machine_qemuarm64 ?= "bffde671f5262afb5139ef58b10be043de1d368a"
-SRCREV_machine_qemumips ?= "ac8adae0a4a582e9593b527a14f3a7e407a22e6e"
-SRCREV_machine_qemuppc ?= "022718ee2b3805d465613f05813fd6313cbb988f"
-SRCREV_machine_qemuriscv64 ?= "484eb3a36ef32d910da9a38a3f67ff2b2d1f7aa2"
-SRCREV_machine_qemux86 ?= "484eb3a36ef32d910da9a38a3f67ff2b2d1f7aa2"
-SRCREV_machine_qemux86-64 ?= "484eb3a36ef32d910da9a38a3f67ff2b2d1f7aa2"
-SRCREV_machine_qemumips64 ?= "46871b96c7f3f1658f4b9875d6645ff7996e98f1"
-SRCREV_machine ?= "484eb3a36ef32d910da9a38a3f67ff2b2d1f7aa2"
-SRCREV_meta ?= "70b2480497528245c948ec259c734d74ea4fa3f1"
+SRCREV_machine_qemuarm ?= "78a2f9d323a755a34cdc96af4bcf61ffd32a3db0"
+SRCREV_machine_qemuarm64 ?= "aa6ec6934e35c8b0948f6b7c9bdbdef45d72be35"
+SRCREV_machine_qemumips ?= "a892524441b30e5e8c491e22e36e3473fc6a0fe0"
+SRCREV_machine_qemuppc ?= "784ca7c7837811123b5bd97cde964e45fbf5179b"
+SRCREV_machine_qemuriscv64 ?= "e3134debcf01f0aa20103e22fe2ef5fc7c201120"
+SRCREV_machine_qemux86 ?= "e3134debcf01f0aa20103e22fe2ef5fc7c201120"
+SRCREV_machine_qemux86-64 ?= "e3134debcf01f0aa20103e22fe2ef5fc7c201120"
+SRCREV_machine_qemumips64 ?= "d765ea7455bf978a9a86e8e90e032336b0baf887"
+SRCREV_machine ?= "e3134debcf01f0aa20103e22fe2ef5fc7c201120"
+SRCREV_meta ?= "e4ccb53f204f722583178a9249fbf5d745f0d56a"
 
 # remap qemuarm to qemuarma15 for the 5.4 kernel
 # KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
            git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.143"
+LINUX_VERSION ?= "5.4.144"
 
 DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
 DEPENDS += "openssl-native util-linux-native"
-- 
2.25.1



* [OE-core][dunfell 17/25] rpm: Handle proper return value to avoid major issues
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (15 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 16/25] linux-yocto/5.4: update to v5.4.144 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 18/25] useradd: Ensure preinst data is expanded correctly in pkgdata Steve Sakoman
                   ` (7 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>

0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch changed
to avoid critical issues.
Handled return values of getrlimit() and lzma_cputhreads() functions
to avoid unexpected behaviours like divide by zero and potential read
of uninitialized variable 'virtual_memory'.
Upstream-Status: Pending [merge of multithreading patches to upstream]

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5aae9c2cb464350bc443a0f60fd6602942e61f46)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...rict-virtual-memory-usage-if-limit-s.patch | 25 +++++++++++--------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch b/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
index 6454785254..dc3f74fecd 100644
--- a/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
+++ b/meta/recipes-devtools/rpm/files/0001-rpm-rpmio.c-restrict-virtual-memory-usage-if-limit-s.patch
@@ -11,36 +11,39 @@ CPU thread.
 Upstream-Status: Pending [merge of multithreading patches to upstream]
 
 Signed-off-by: Peter Bergin <peter@berginkonsult.se>
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
 ---
- rpmio/rpmio.c | 34 ++++++++++++++++++++++++++++++++++
- 1 file changed, 34 insertions(+)
+ rpmio/rpmio.c | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
 
 diff --git a/rpmio/rpmio.c b/rpmio/rpmio.c
 index e051c98..b3c56b6 100644
 --- a/rpmio/rpmio.c
 +++ b/rpmio/rpmio.c
-@@ -845,6 +845,40 @@ static LZFILE *lzopen_internal(const char *mode, int fd, int xz)
+@@ -845,6 +845,42 @@ static LZFILE *lzopen_internal(const char *mode, int fd, int xz)
  		}
  #endif
  
-+		struct rlimit virtual_memory;
-+		getrlimit(RLIMIT_AS, &virtual_memory);
-+		if (virtual_memory.rlim_cur != RLIM_INFINITY) {
++		struct rlimit virtual_memory = {RLIM_INFINITY , RLIM_INFINITY};
++		int status = getrlimit(RLIMIT_AS, &virtual_memory);
++		if ((status != -1) && (virtual_memory.rlim_cur != RLIM_INFINITY)) {
 +			const uint64_t virtual_memlimit = virtual_memory.rlim_cur;
++			uint32_t threads_max = lzma_cputhreads();
 +			const uint64_t virtual_memlimit_per_cpu_thread =
-+				virtual_memlimit / lzma_cputhreads();
-+			uint64_t memory_usage_virt;
++				virtual_memlimit / ((threads_max == 0) ? 1 : threads_max);
 +			rpmlog(RPMLOG_NOTICE, "XZ: virtual memory restricted to %lu and "
 +			       "per CPU thread %lu\n", virtual_memlimit, virtual_memlimit_per_cpu_thread);
++			uint64_t memory_usage_virt;
 +			/* keep reducing the number of compression threads until memory
 +			   usage falls below the limit per CPU thread*/
 +			while ((memory_usage_virt = lzma_stream_encoder_mt_memusage(&mt_options)) >
 +			       virtual_memlimit_per_cpu_thread) {
-+				/* If number of threads goes down to zero lzma_stream_encoder will
-+				 * will return UINT64_MAX. We must check here to avoid an infinite loop.
++				/* If number of threads goes down to zero or in case of any other error
++				 * lzma_stream_encoder_mt_memusage will return UINT64_MAX. We must check
++				 * for both the cases here to avoid an infinite loop.
 +				 * If we get into situation that one thread requires more virtual memory
 +				 * than available we set one thread, print error message and try anyway. */
-+				if (--mt_options.threads == 0) {
++				if ((--mt_options.threads == 0) || (memory_usage_virt == UINT64_MAX)) {
 +					mt_options.threads = 1;
 +					rpmlog(RPMLOG_WARNING,
 +					       "XZ: Could not adjust number of threads to get below "
-- 
2.25.1



* [OE-core][dunfell 18/25] useradd: Ensure preinst data is expanded correctly in pkgdata
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (16 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 17/25] rpm: Handle proper return value to avoid major issues Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 19/25] bash: Ensure deterministic build Steve Sakoman
                   ` (6 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

The preinst data in pkgdata will not expand out the ${XXX_PARAM} variables
since they don't use a package suffix. It happens that the final expansion
used for the packages is corrected by a second trip through the datastore.

The first version is used for calculation of the task output hash and
recent improvements in hash reuse showed this data wasn't being included
in the hashes, meaning for example builds with dynamic IDs were mixing
sstate with builds using static IDs. The result was a mess.

Fix this by expanding the data in the preinst correctly to use the
package specific _PARAM values.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 375430f249e7e0b6622e566e2478b40ba7e606ab)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/useradd.bbclass | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/classes/useradd.bbclass b/meta/classes/useradd.bbclass
index e5f3ba24f9..0f0ed3446d 100644
--- a/meta/classes/useradd.bbclass
+++ b/meta/classes/useradd.bbclass
@@ -230,6 +230,10 @@ fakeroot python populate_packages_prepend () {
         preinst += 'perform_useradd () {\n%s}\n' % d.getVar('perform_useradd')
         preinst += 'perform_groupmems () {\n%s}\n' % d.getVar('perform_groupmems')
         preinst += d.getVar('useradd_preinst')
+        # Expand out the *_PARAM variables to the package specific versions
+        for rep in ["GROUPADD_PARAM", "USERADD_PARAM", "GROUPMEMS_PARAM"]:
+            val = d.getVar(rep + "_" + pkg) or ""
+            preinst = preinst.replace("${" + rep + "}", val)
         d.setVar('pkg_preinst_%s' % pkg, preinst)
 
         # RDEPENDS setup
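Review bot: The `or ""` fallback in the new loop replaces `${GROUPADD_PARAM}`, `${USERADD_PARAM}` or `${GROUPMEMS_PARAM}` with an empty string whenever the package-specific variable is unset, and the replace() only matches that exact brace form. If both are intended, the added comment should say so, and it should also mention that the expansion is needed for the task output hash, since that reason currently appears only in the commit message.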
-- 
2.25.1



* [OE-core][dunfell 19/25] bash: Ensure deterministic build
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (17 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 18/25] useradd: Ensure preinst data is expanded correctly in pkgdata Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 20/25] Update mailing list address Steve Sakoman
                   ` (5 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Bash keeps a count of the number of times make was invoked on a directory
and changes the output versioning accordingly. We want deterministic output
so disable this behaviour.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 13a039e03195a47c750d5901e96fe81cf523481f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/bash/bash.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-extended/bash/bash.inc b/meta/recipes-extended/bash/bash.inc
index c7cf8cddd3..4e6176d2e6 100644
--- a/meta/recipes-extended/bash/bash.inc
+++ b/meta/recipes-extended/bash/bash.inc
@@ -49,6 +49,11 @@ do_compile_ptest () {
 	oe_runmake buildtest
 }
 
+do_install_prepend () {
+	# Ensure determinism as this counter increases for each make call
+	rm -f ${B}/.build
+}
+
 do_install_append () {
 	# Move /usr/bin/bash to /bin/bash, if need
 	if [ "${base_bindir}" != "${bindir}" ]; then
-- 
2.25.1



* [OE-core][dunfell 20/25] Update mailing list address
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (18 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 19/25] bash: Ensure deterministic build Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 21/25] core-image-sato: Fix runqemu error for qemuarmv5 Steve Sakoman
                   ` (4 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Jon Mason <jdmason@kudzu.us>

Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 83169c33f7585da25560784f79eaad2c6f029f3c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/conf/distro/include/maintainers.inc                      | 2 +-
 meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index ef1e7fe2f4..895cf89487 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -4,7 +4,7 @@
 #
 # Please submit any patches against recipes in meta to the
 # OE-Core mail list (openembedded-core@lists.openembedded.org)
-# For recipes in meta-yocto please use the Poky list (poky@yoctoproject.org)
+# For recipes in meta-yocto please use the Poky list (poky@lists.yoctoproject.org)
 #
 # If you have problems with or questions about a particular recipe, feel
 # free to contact the maintainer directly (cc:ing the appropriate mailing list
diff --git a/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch b/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
index 52986e61c7..d1835c7a10 100644
--- a/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
+++ b/meta/recipes-core/glibc/ldconfig-native-2.12.1/ldconfig.patch
@@ -400,7 +400,7 @@ Index: ldconfig-native-2.12.1/ldconfig.c
    return 0;
  }
  
-+#define REPORT_BUGS_TO "mailing list : poky@yoctoproject.org"
++#define REPORT_BUGS_TO "mailing list : poky@lists.yoctoproject.org"
  /* Print bug-reporting information in the help message.  */
  static char *
  more_help (int key, const char *text, void *input)
-- 
2.25.1



* [OE-core][dunfell 21/25] core-image-sato: Fix runqemu error for qemuarmv5
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (19 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 20/25] Update mailing list address Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 22/25] wic: keep rootfs_size as integer Steve Sakoman
                   ` (3 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Jon Mason <jdmason@kudzu.us>

When attempting to execute runqemu on qemuarmv5, the following error is
encountered:

runqemu - ERROR - Failed to run qemu: qemu-system-arm: versatilepb: memory size must not exceed 256MB

To work around this, limit the QB_MEM size for qemuarmv5, similar to
what is being done for qemumips.

Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6450138afebffcc55ab32afadd5fb979274fff2b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-sato/images/core-image-sato.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-sato/images/core-image-sato.bb b/meta/recipes-sato/images/core-image-sato.bb
index e50b24a476..300d8e0d43 100644
--- a/meta/recipes-sato/images/core-image-sato.bb
+++ b/meta/recipes-sato/images/core-image-sato.bb
@@ -13,4 +13,5 @@ TOOLCHAIN_HOST_TASK_append = " nativesdk-intltool nativesdk-glib-2.0"
 TOOLCHAIN_HOST_TASK_remove_task-populate-sdk-ext = " nativesdk-intltool nativesdk-glib-2.0"
 
 QB_MEM = '${@bb.utils.contains("DISTRO_FEATURES", "opengl", "-m 512", "-m 256", d)}'
+QB_MEM_qemuarmv5 = "-m 256"
 QB_MEM_qemumips = "-m 256"
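Review bot: the added QB_MEM_qemuarmv5 line has no comment, so the reason for the override (the versatilepb "memory size must not exceed 256MB" error quoted in the commit message) is not visible in the recipe. The default QB_MEM above already yields "-m 256" unless opengl is in DISTRO_FEATURES, so the override only takes effect in the opengl case and could look redundant to a later reader. A one-line comment above it naming the machine limit would prevent it being dropped in a cleanup.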
-- 
2.25.1



* [OE-core][dunfell 22/25] wic: keep rootfs_size as integer
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (20 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 21/25] core-image-sato: Fix runqemu error for qemuarmv5 Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 23/25] testimage: symlink the task log and qemu console log to tmp/log/oeqa Steve Sakoman
                   ` (2 subsequent siblings)
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

The corrected line accidentally converted it to float,
which causes problems later on with python 3.10:

|   File "/home/alex/development/poky/scripts/lib/wic/partition.py", line 278, in prepare_rootfs_ext
|     os.ftruncate(sparse.fileno(), rootfs_size * 1024)
| TypeError: 'float' object cannot be interpreted as an integer

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d1d260dd2d196d10379ed9e238bcb34f39f3a3b7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/lib/wic/partition.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/lib/wic/partition.py b/scripts/lib/wic/partition.py
index 85f9847047..792bb3dcd3 100644
--- a/scripts/lib/wic/partition.py
+++ b/scripts/lib/wic/partition.py
@@ -104,7 +104,7 @@ class Partition():
                 extra_blocks = self.extra_space
 
             rootfs_size = actual_rootfs_size + extra_blocks
-            rootfs_size *= self.overhead_factor
+            rootfs_size = int(rootfs_size * self.overhead_factor)
 
             logger.debug("Added %d extra blocks to %s to get to %d total blocks",
                          extra_blocks, self.mountpoint, rootfs_size)
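Review bot: int() on the new rootfs_size line truncates toward zero, so any fractional block produced by multiplying by self.overhead_factor is dropped and the final size errs on the small side. Since this value sizes the file that must hold the rootfs, rounding up would be the safer direction, for example rootfs_size = int(math.ceil(rootfs_size * self.overhead_factor)). If truncation is intended, a short comment saying so would help. The debug message below keeps formatting with %d, which is consistent with the value now being an integer.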
-- 
2.25.1



* [OE-core][dunfell 23/25] testimage: symlink the task log and qemu console log to tmp/log/oeqa
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (21 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 22/25] wic: keep rootfs_size as integer Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 24/25] libsoup-2.4: remove obsolete intltool dependency Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 25/25] connman: add CVE_PRODUCT Steve Sakoman
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Alexander Kanavin <alex.kanavin@gmail.com>

This makes it easier for the AB scripts (particularly, collect-results)
to access and archive these items, as they can contain useful information
when ptests or other qemu tests fail (and also if they don't fail).

[YOCTO #14518]

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1965b344abcff0ba584136f929b4a14645f1585e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/testimage.bbclass | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/meta/classes/testimage.bbclass b/meta/classes/testimage.bbclass
index c709384b91..db1d54e5cb 100644
--- a/meta/classes/testimage.bbclass
+++ b/meta/classes/testimage.bbclass
@@ -193,6 +193,7 @@ def testimage_main(d):
     import json
     import signal
     import logging
+    import shutil
 
     from bb.utils import export_proxies
     from oeqa.core.utils.misc import updateTestData
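Review bot: the added "import shutil" appears unused, since the only new file operations in this patch are os.makedirs and os.symlink in the following hunk. Drop the import unless some code not shown in this diff needs it.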
@@ -397,10 +398,17 @@ def testimage_main(d):
                         get_testimage_result_id(configuration),
                         dump_streams=d.getVar('TESTREPORT_FULLLOGS'))
         results.logSummary(pn)
+
+    # Copy additional logs to tmp/log/oeqa so it's easier to find them
+    targetdir = os.path.join(get_testimage_json_result_dir(d), d.getVar("PN"))
+    os.makedirs(targetdir, exist_ok=True)
+    os.symlink(bootlog, os.path.join(targetdir, os.path.basename(bootlog)))
+    os.symlink(d.getVar("BB_LOGFILE"), os.path.join(targetdir, os.path.basename(d.getVar("BB_LOGFILE") + "." + d.getVar('DATETIME'))))
+
     if not results or not complete:
-        bb.fatal('%s - FAILED - tests were interrupted during execution' % pn, forcelog=True)
+        bb.fatal('%s - FAILED - tests were interrupted during execution, check the logs in %s' % (pn, d.getVar("LOG_DIR")), forcelog=True)
     if not results.wasSuccessful():
-        bb.fatal('%s - FAILED - check the task log and the ssh log' % pn, forcelog=True)
+        bb.fatal('%s - FAILED - also check the logs in %s' % (pn, d.getVar("LOG_DIR")), forcelog=True)
 
 def get_runtime_paths(d):
     """
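Review bot: the two os.symlink calls will raise FileExistsError if the link name already exists, and the bootlog link is named only os.path.basename(bootlog) with no DATETIME suffix, unlike the BB_LOGFILE link. A second testimage run for the same PN can therefore fail here, before the "if not results or not complete" checks, and hide the real test outcome. Consider removing a stale link first or catching the exception and logging a warning. Two smaller points: the comment says "Copy" although the code creates symlinks, and the new bb.fatal messages point at LOG_DIR while the links are created under get_testimage_json_result_dir(d)/PN, so it is worth confirming that both refer to the same place.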
-- 
2.25.1



* [OE-core][dunfell 24/25] libsoup-2.4: remove obsolete intltool dependency
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (22 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 23/25] testimage: symlink the task log and qemu console log to tmp/log/oeqa Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  2021-09-24 14:15 ` [OE-core][dunfell 25/25] connman: add CVE_PRODUCT Steve Sakoman
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

From: Ross Burton <ross@burtonini.com>

This hasn't been needed since libsoup 2.65.2.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 250a3f9a804917c8a9427d0209365d27b1b8fa4a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
index 65b32557e7..e42ac30bf2 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.68.4.bb
@@ -7,7 +7,7 @@ SECTION = "x11/gnome/libs"
 LICENSE = "LGPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
 
-DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 intltool-native libpsl"
+DEPENDS = "glib-2.0 glib-2.0-native libxml2 sqlite3 libpsl"
 
 SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"
 
-- 
2.25.1



* [OE-core][dunfell 25/25] connman: add CVE_PRODUCT
  2021-09-24 14:15 [OE-core][dunfell 00/25] Patch review Steve Sakoman
                   ` (23 preceding siblings ...)
  2021-09-24 14:15 ` [OE-core][dunfell 24/25] libsoup-2.4: remove obsolete intltool dependency Steve Sakoman
@ 2021-09-24 14:15 ` Steve Sakoman
  24 siblings, 0 replies; 26+ messages in thread
From: Steve Sakoman @ 2021-09-24 14:15 UTC (permalink / raw)
  To: openembedded-core

Upstream database uses both "connman" and "connection_manager" to report CVEs

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-connectivity/connman/connman.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index 55e5bf97c7..c495ae29ad 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
 
 inherit autotools pkgconfig systemd update-rc.d update-alternatives
 
+CVE_PRODUCT = "connman connection_manager"
+
 DEPENDS  = "dbus glib-2.0 ppp"
 
 INC_PR = "r20"
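Review bot: the new CVE_PRODUCT line in connman.inc has no comment explaining why two product names are listed, so the rationale (the upstream database reports connman CVEs under both "connman" and "connection_manager") exists only in the commit message. A one-line comment above the assignment would keep the second name from being removed later as a duplicate, which would silently stop CVEs filed under that name from matching this recipe. Also, unlike the other patches in this series, this one carries no "cherry picked from commit" line, so please confirm whether the same change is on master or is intended only for dunfell.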
-- 
2.25.1

