* [Hardknott 0/5] Patch review June 13th
@ 2021-06-13 23:32 Armin Kuster
2021-06-13 23:32 ` [Hardknott 1/5] squid: upgrade 4.14 -> 4.15 Armin Kuster
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Armin Kuster @ 2021-06-13 23:32 UTC
To: openembedded-devel
Please have comments back by Tuesday
The following changes since commit 9ee0e08ba2395b9cb93f2273bb1018adb3630407:
libgtop: fix do_compile error (2021-05-23 08:29:00 -0700)
are available in the Git repository at:
git://git.openembedded.org/meta-openembedded-contrib stable/hardknott-nut
http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/hardknott-nut
Andrej Kozemcak (1):
squid: upgrade 4.14 -> 4.15
Khem Raj (2):
mongodb: Update to 4.4.6-rc0
mongodb: Change PV to 4.4.6
Marek Vasut (1):
nss: Fix build on Centos 7
Stefan Ghinea (1):
thunar: fix CVE-2021-32563
...0001-Fix-build-on-Fedora-Rawhide-772.patch | 25 +-
.../squid/{squid_4.14.bb => squid_4.15.bb} | 2 +-
...essage-bump-libmongocrypto-to-v1.0.4.patch | 714 ------------------
.../recipes-dbs/mongodb/mongodb_git.bb | 7 +-
meta-oe/recipes-support/nss/nss_3.64.bb | 2 +
.../thunar/thunar/CVE-2021-32563-1.patch | 97 +++
.../thunar/thunar/CVE-2021-32563-2.patch | 208 +++++
.../recipes-xfce/thunar/thunar_4.16.6.bb | 4 +
8 files changed, 316 insertions(+), 743 deletions(-)
rename meta-networking/recipes-daemons/squid/{squid_4.14.bb => squid_4.15.bb} (98%)
delete mode 100644 meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch
create mode 100644 meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
create mode 100644 meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
--
2.17.1
* [Hardknott 1/5] squid: upgrade 4.14 -> 4.15
From: Armin Kuster @ 2021-06-13 23:32 UTC
To: openembedded-devel
From: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Changes are found at: http://www.squid-cache.org/Versions/v4/changesets
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 77e614754553e64c4bc554ae802dc09e56eb6209)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...0001-Fix-build-on-Fedora-Rawhide-772.patch | 25 +------------------
.../squid/{squid_4.14.bb => squid_4.15.bb} | 2 +-
2 files changed, 2 insertions(+), 25 deletions(-)
rename meta-networking/recipes-daemons/squid/{squid_4.14.bb => squid_4.15.bb} (98%)
diff --git a/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch b/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch
index 28a410c26f..ff51f53448 100644
--- a/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch
+++ b/meta-networking/recipes-daemons/squid/files/0001-Fix-build-on-Fedora-Rawhide-772.patch
@@ -11,10 +11,8 @@ Upstream-Status: Backport [https://github.com/kraj/squid/commit/1f8b5f0e1cc27634
src/Makefile.am | 4 ++++
src/ip/QosConfig.cc | 1 +
src/ipc/mem/PageStack.cc | 1 +
- src/proxyp/Parser.cc | 1 +
- src/security/ServerOptions.cc | 2 ++
src/ssl/helper.cc | 2 ++
- 6 files changed, 11 insertions(+)
+ 4 files changed, 8 insertions(+)
--- a/src/Makefile.am
+++ b/src/Makefile.am
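Review bot: The patch header touched here still reads Upstream-Status: Backport against the same kraj/squid commit, although the diffstat now lists 4 files instead of 6, so the carried patch no longer matches the commit it cites. The diffstat drops src/proxyp/Parser.cc while the sections removed further down are src/security/ServerOptions.cc and src/acl/ConnMark.cc, and the commit message only links to the upstream changeset list. Say in the patch header or the commit message why those parts were dropped, so the next person refreshing this file can tell deliberate trimming from accidental loss.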
@@ -70,17 +68,6 @@ Upstream-Status: Backport [https://github.com/kraj/squid/commit/1f8b5f0e1cc27634
/// used to mark a stack slot available for storing free page offsets
const Ipc::Mem::PageStack::Value Writable = 0;
---- a/src/security/ServerOptions.cc
-+++ b/src/security/ServerOptions.cc
-@@ -24,6 +24,8 @@
- #endif
- #endif
-
-+#include <limits>
-+
- Security::ServerOptions &
- Security::ServerOptions::operator =(const Security::ServerOptions &old) {
- if (this != &old) {
--- a/src/ssl/helper.cc
+++ b/src/ssl/helper.cc
@@ -19,6 +19,8 @@
@@ -92,14 +79,4 @@ Upstream-Status: Backport [https://github.com/kraj/squid/commit/1f8b5f0e1cc27634
Ssl::CertValidationHelper::LruCache *Ssl::CertValidationHelper::HelperCache = nullptr;
#if USE_SSL_CRTD
---- a/src/acl/ConnMark.cc
-+++ b/src/acl/ConnMark.cc
-@@ -16,6 +16,8 @@
- #include "http/Stream.h"
- #include "sbuf/Stream.h"
-+#include <limits>
-+
- bool
- Acl::ConnMark::empty() const
- {
diff --git a/meta-networking/recipes-daemons/squid/squid_4.14.bb b/meta-networking/recipes-daemons/squid/squid_4.15.bb
similarity index 98%
rename from meta-networking/recipes-daemons/squid/squid_4.14.bb
rename to meta-networking/recipes-daemons/squid/squid_4.15.bb
index 6d154c87e0..8ba10674c9 100644
--- a/meta-networking/recipes-daemons/squid/squid_4.14.bb
+++ b/meta-networking/recipes-daemons/squid/squid_4.15.bb
@@ -29,7 +29,7 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${BPN}-${PV}.tar.bz2
SRC_URI_remove_toolchain-clang = "file://0001-configure-Check-for-Wno-error-format-truncation-comp.patch"
-SRC_URI[sha256sum] = "4ad08884f065f8e1dac166aa13db6a872cde419a1717dff4c82c2c5337ee5756"
+SRC_URI[sha256sum] = "71635811e766ce8b155225a9e3c7757cfc7ff93df26b28d82e5e6fc021b9a605"
LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
file://errors/COPYRIGHT;md5=0e03cd976052c45697ad5d96e7dff8dc \
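Review bot: SRC_URI in the hunk header fetches the tarball over plain http, so the new SRC_URI[sha256sum] value is the only integrity check on the 4.15 source. Note in the commit message how the hash was obtained (for example, checked against the checksum or signature published with the upstream release), and, since this goes to a stable branch, summarise which fixes in 4.15 justify the version bump instead of only linking to the changeset list.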
--
2.17.1
* [Hardknott 2/5] nss: Fix build on Centos 7
From: Armin Kuster @ 2021-06-13 23:32 UTC
To: openembedded-devel
From: Marek Vasut <marex@denx.de>
Centos 7 has glibc 2.18 and nss-native build fails due to implicit
declaration of function putenv during build. This is because of the
Feature Test Macro Requirements for glibc (see feature_test_macros(7)):
putenv(): _XOPEN_SOURCE
|| /* Glibc since 2.19: */ _DEFAULT_SOURCE
|| /* Glibc versions <= 2.19: */ _SVID_SOURCE
and because nss coreconf/Linux.mk only defines
-D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE
So on such a system with glibc 2.18, neither macro makes putenv()
available. Add -D_XOPEN_SOURCE for the Centos 7 and glibc 2.18
native build case.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Armin Kuster <akuster808@gmail.com>
Cc: Armin Kuster <akuster@mvista.com>
Cc: Khem Raj <raj.khem@gmail.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 30148b33b5d750702d7749ac59d8d740d8cb7024)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-oe/recipes-support/nss/nss_3.64.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta-oe/recipes-support/nss/nss_3.64.bb b/meta-oe/recipes-support/nss/nss_3.64.bb
index 1863db131b..9c4c03df99 100644
--- a/meta-oe/recipes-support/nss/nss_3.64.bb
+++ b/meta-oe/recipes-support/nss/nss_3.64.bb
@@ -49,6 +49,8 @@ TUNE_CCARGS_remove = "-mcpu=cortex-a55+crc -mcpu=cortex-a55 -mcpu=cortex-a55+crc
TARGET_CC_ARCH += "${LDFLAGS}"
+CFLAGS_append_class-native = " -D_XOPEN_SOURCE "
+
do_configure_prepend_libc-musl () {
sed -i -e '/-DHAVE_SYS_CDEFS_H/d' ${S}/nss/lib/dbm/config/config.mk
}
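Review bot: CFLAGS_append_class-native adds -D_XOPEN_SOURCE to every native build of nss, not only on hosts with glibc 2.18 as the commit message describes, and the recipe gets no comment explaining it. Add a one-line comment above the assignment naming the putenv() implicit-declaration failure on CentOS 7, so the flag can be dropped once such hosts are no longer supported. The trailing space inside the quoted value is not needed for an _append and can go.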
--
2.17.1
* [Hardknott 3/5] mongodb: Update to 4.4.6-rc0
From: Armin Kuster @ 2021-06-13 23:32 UTC
To: openembedded-devel
From: Khem Raj <raj.khem@gmail.com>
Drop upstreamed patch
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 44664a2d66ea848d927164685c283f0ea8d3d12f)
[Bug fix only update:
Issues fixed:
SERVER-55298: Reproduce and Investigate BSONObjectTooLarge error
SERVER-53566: Investigate and reproduce "opCtx != nullptr && _opCtx == nullptr" invariant
SERVER-51281: mongod live locked
SERVER-46686: Explain does not respect maxTimeMS
SERVER-45836: Provide more LDAP details (like server IP) at default log level
All JIRA issues closed in 4.4.5
4.4.5 Changelog]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
...essage-bump-libmongocrypto-to-v1.0.4.patch | 714 ------------------
.../recipes-dbs/mongodb/mongodb_git.bb | 7 +-
2 files changed, 3 insertions(+), 718 deletions(-)
delete mode 100644 meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch
deleted file mode 100644
index df4cee2b42..0000000000
--- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb/0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch
+++ /dev/null
@@ -1,714 +0,0 @@
-From 44272ce47e768e090263df5cb9cb7ce17e544ad3 Mon Sep 17 00:00:00 2001
-From: Vincent Prince <vincent.prince.external@saftbatteries.com>
-Date: Tue, 15 Sep 2020 11:40:15 +0200
-Subject: [PATCH] kms-message: bump libmongocrypto to v1.0.4
-
-This fixes compilation with alpinelinux
-see https://github.com/mongodb/libmongocrypt/pull/89
-
-Upstream-Status: Pending
-
-Signed-off-by: Vincent Prince <vincent.prince.fr@gmail.com>
----
- .../kms-message/THIRD_PARTY_NOTICES | 2 +-
- src/third_party/kms-message/src/hexlify.c | 21 +----
- src/third_party/kms-message/src/hexlify.h | 2 -
- .../kms-message/src/kms_crypto_apple.c | 5 +
- .../kms-message/src/kms_crypto_libcrypto.c | 94 +++++++++++++++++++
- .../kms-message/src/kms_crypto_none.c | 4 +
- .../kms-message/src/kms_crypto_windows.c | 4 +
- .../kms-message/src/kms_decrypt_request.c | 2 +-
- .../kms-message/src/kms_encrypt_request.c | 2 +-
- src/third_party/kms-message/src/kms_kv_list.c | 11 ++-
- .../kms-message/src/kms_message/kms_message.h | 2 +
- .../src/kms_message/kms_message_defines.h | 10 ++
- src/third_party/kms-message/src/kms_port.c | 33 +++++++
- src/third_party/kms-message/src/kms_port.h | 27 +++---
- src/third_party/kms-message/src/kms_request.c | 41 +++++---
- .../kms-message/src/kms_request_str.c | 13 ++-
- .../kms-message/src/kms_request_str.h | 5 -
- .../kms-message/src/kms_response_parser.c | 26 ++++-
- .../scripts/kms_message_get_sources.sh | 2 +-
- 19 files changed, 244 insertions(+), 62 deletions(-)
- create mode 100644 src/third_party/kms-message/src/kms_crypto_libcrypto.c
- create mode 100644 src/third_party/kms-message/src/kms_port.c
-
-diff --git a/src/third_party/kms-message/THIRD_PARTY_NOTICES b/src/third_party/kms-message/THIRD_PARTY_NOTICES
-index 3fc095170c..4110c1b91e 100644
---- a/src/third_party/kms-message/THIRD_PARTY_NOTICES
-+++ b/src/third_party/kms-message/THIRD_PARTY_NOTICES
-@@ -1,4 +1,4 @@
--License notice for common-b64.c
-+License notice for kms_b64.c
- -------------------------------------------------------------------------------
-
- ISC License
-diff --git a/src/third_party/kms-message/src/hexlify.c b/src/third_party/kms-message/src/hexlify.c
-index be9ee030b9..941fc93d1b 100644
---- a/src/third_party/kms-message/src/hexlify.c
-+++ b/src/third_party/kms-message/src/hexlify.c
-@@ -24,6 +24,8 @@ char *
- hexlify (const uint8_t *buf, size_t len)
- {
- char *hex_chars = malloc (len * 2 + 1);
-+ KMS_ASSERT (hex_chars);
-+
- char *p = hex_chars;
- size_t i;
-
-@@ -35,22 +37,3 @@ hexlify (const uint8_t *buf, size_t len)
-
- return hex_chars;
- }
--
--uint8_t *
--unhexlify (const char *hex_chars, size_t *len)
--{
-- uint8_t *buf;
-- uint8_t *pos;
--
-- *len = strlen (hex_chars) / 2;
-- buf = malloc (*len);
-- pos = buf;
--
-- while (*hex_chars) {
-- KMS_ASSERT (1 == sscanf (hex_chars, "%2hhx", pos));
-- pos++;
-- hex_chars += 2;
-- }
--
-- return buf;
--}
-diff --git a/src/third_party/kms-message/src/hexlify.h b/src/third_party/kms-message/src/hexlify.h
-index e0096eb6ca..a6a504ebe8 100644
---- a/src/third_party/kms-message/src/hexlify.h
-+++ b/src/third_party/kms-message/src/hexlify.h
-@@ -19,5 +19,3 @@
-
- char *
- hexlify (const uint8_t *buf, size_t len);
--uint8_t *
--unhexlify (const char *hex_chars, size_t *len);
-diff --git a/src/third_party/kms-message/src/kms_crypto_apple.c b/src/third_party/kms-message/src/kms_crypto_apple.c
-index 61da0a6288..a26e0d65e8 100644
---- a/src/third_party/kms-message/src/kms_crypto_apple.c
-+++ b/src/third_party/kms-message/src/kms_crypto_apple.c
-@@ -16,9 +16,12 @@
-
- #include "kms_crypto.h"
-
-+#ifdef KMS_MESSAGE_ENABLE_CRYPTO_COMMON_CRYPTO
-+
- #include <CommonCrypto/CommonDigest.h>
- #include <CommonCrypto/CommonHMAC.h>
-
-+
- int
- kms_crypto_init ()
- {
-@@ -54,3 +57,5 @@ kms_sha256_hmac (void *unused_ctx,
- CCHmac (kCCHmacAlgSHA256, key_input, key_len, input, len, hash_out);
- return true;
- }
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO_COMMON_CRYPTO */
-diff --git a/src/third_party/kms-message/src/kms_crypto_libcrypto.c b/src/third_party/kms-message/src/kms_crypto_libcrypto.c
-new file mode 100644
-index 0000000000..6f25657fdd
---- /dev/null
-+++ b/src/third_party/kms-message/src/kms_crypto_libcrypto.c
-@@ -0,0 +1,94 @@
-+/*
-+ * Copyright 2018-present MongoDB, Inc.
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+#include "kms_crypto.h"
-+
-+#ifdef KMS_MESSAGE_ENABLE_CRYPTO_LIBCRYPTO
-+
-+#include <openssl/sha.h>
-+#include <openssl/evp.h>
-+#include <openssl/hmac.h>
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
-+static EVP_MD_CTX *
-+EVP_MD_CTX_new (void)
-+{
-+ return calloc (sizeof (EVP_MD_CTX), 1);
-+}
-+
-+static void
-+EVP_MD_CTX_free (EVP_MD_CTX *ctx)
-+{
-+ EVP_MD_CTX_cleanup (ctx);
-+ free (ctx);
-+}
-+#endif
-+
-+int
-+kms_crypto_init ()
-+{
-+ return 0;
-+}
-+
-+void
-+kms_crypto_cleanup ()
-+{
-+}
-+
-+bool
-+kms_sha256 (void *unused_ctx,
-+ const char *input,
-+ size_t len,
-+ unsigned char *hash_out)
-+{
-+ EVP_MD_CTX *digest_ctxp = EVP_MD_CTX_new ();
-+ bool rval = false;
-+
-+ if (1 != EVP_DigestInit_ex (digest_ctxp, EVP_sha256 (), NULL)) {
-+ goto cleanup;
-+ }
-+
-+ if (1 != EVP_DigestUpdate (digest_ctxp, input, len)) {
-+ goto cleanup;
-+ }
-+
-+ rval = (1 == EVP_DigestFinal_ex (digest_ctxp, hash_out, NULL));
-+
-+cleanup:
-+ EVP_MD_CTX_free (digest_ctxp);
-+
-+ return rval;
-+}
-+
-+bool
-+kms_sha256_hmac (void *unused_ctx,
-+ const char *key_input,
-+ size_t key_len,
-+ const char *input,
-+ size_t len,
-+ unsigned char *hash_out)
-+{
-+ return HMAC (EVP_sha256 (),
-+ key_input,
-+ key_len,
-+ (unsigned char *) input,
-+ len,
-+ hash_out,
-+ NULL) != NULL;
-+}
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO_LIBCRYPTO */
-diff --git a/src/third_party/kms-message/src/kms_crypto_none.c b/src/third_party/kms-message/src/kms_crypto_none.c
-index 9ef2147687..94da5abd88 100644
---- a/src/third_party/kms-message/src/kms_crypto_none.c
-+++ b/src/third_party/kms-message/src/kms_crypto_none.c
-@@ -16,6 +16,8 @@
-
- #include "kms_crypto.h"
-
-+#ifndef KMS_MESSAGE_ENABLE_CRYPTO
-+
- int
- kms_crypto_init ()
- {
-@@ -48,3 +50,5 @@ kms_sha256_hmac (void *unused_ctx,
- /* only gets called if hooks were mistakenly not set */
- return false;
- }
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO */
-diff --git a/src/third_party/kms-message/src/kms_crypto_windows.c b/src/third_party/kms-message/src/kms_crypto_windows.c
-index ccdc7e095d..8177b0ddc0 100644
---- a/src/third_party/kms-message/src/kms_crypto_windows.c
-+++ b/src/third_party/kms-message/src/kms_crypto_windows.c
-@@ -16,6 +16,8 @@
-
- #include "kms_crypto.h"
-
-+#ifdef KMS_MESSAGE_ENABLE_CRYPTO_CNG
-+
- // tell windows.h not to include a bunch of headers we don't need:
- #define WIN32_LEAN_AND_MEAN
-
-@@ -130,3 +132,5 @@ cleanup:
-
- return status == STATUS_SUCCESS ? 1 : 0;
- }
-+
-+#endif /* KMS_MESSAGE_ENABLE_CRYPTO_CNG */
-diff --git a/src/third_party/kms-message/src/kms_decrypt_request.c b/src/third_party/kms-message/src/kms_decrypt_request.c
-index 06faa43119..f1ca282768 100644
---- a/src/third_party/kms-message/src/kms_decrypt_request.c
-+++ b/src/third_party/kms-message/src/kms_decrypt_request.c
-@@ -48,7 +48,7 @@ kms_decrypt_request_new (const uint8_t *ciphertext_blob,
- if (!(b64 = malloc (b64_len))) {
- KMS_ERROR (request,
- "Could not allocate %d bytes for base64-encoding payload",
-- b64_len);
-+ (int) b64_len);
- goto done;
- }
-
-diff --git a/src/third_party/kms-message/src/kms_encrypt_request.c b/src/third_party/kms-message/src/kms_encrypt_request.c
-index b5f4d6436e..24b064d95f 100644
---- a/src/third_party/kms-message/src/kms_encrypt_request.c
-+++ b/src/third_party/kms-message/src/kms_encrypt_request.c
-@@ -47,7 +47,7 @@ kms_encrypt_request_new (const uint8_t *plaintext,
- if (!(b64 = malloc (b64_len))) {
- KMS_ERROR (request,
- "Could not allocate %d bytes for base64-encoding payload",
-- b64_len);
-+ (int) b64_len);
- goto done;
- }
-
-diff --git a/src/third_party/kms-message/src/kms_kv_list.c b/src/third_party/kms-message/src/kms_kv_list.c
-index 2d6845a1aa..0cff3dc2c6 100644
---- a/src/third_party/kms-message/src/kms_kv_list.c
-+++ b/src/third_party/kms-message/src/kms_kv_list.c
-@@ -17,6 +17,7 @@
-
- #include "kms_kv_list.h"
- #include "kms_message/kms_message.h"
-+#include "kms_message_private.h"
- #include "kms_request_str.h"
- #include "kms_port.h"
- #include "sort.h"
-@@ -39,9 +40,12 @@ kms_kv_list_t *
- kms_kv_list_new (void)
- {
- kms_kv_list_t *lst = malloc (sizeof (kms_kv_list_t));
-+ KMS_ASSERT (lst);
-
- lst->size = 16;
- lst->kvs = malloc (lst->size * sizeof (kms_kv_t));
-+ KMS_ASSERT (lst->kvs);
-+
- lst->len = 0;
-
- return lst;
-@@ -72,6 +76,7 @@ kms_kv_list_add (kms_kv_list_t *lst,
- if (lst->len == lst->size) {
- lst->size *= 2;
- lst->kvs = realloc (lst->kvs, lst->size * sizeof (kms_kv_t));
-+ KMS_ASSERT (lst->kvs);
- }
-
- kv_init (&lst->kvs[lst->len], key, value);
-@@ -84,7 +89,7 @@ kms_kv_list_find (const kms_kv_list_t *lst, const char *key)
- size_t i;
-
- for (i = 0; i < lst->len; i++) {
-- if (0 == strcasecmp (lst->kvs[i].key->str, key)) {
-+ if (0 == kms_strcasecmp (lst->kvs[i].key->str, key)) {
- return &lst->kvs[i];
- }
- }
-@@ -119,8 +124,12 @@ kms_kv_list_dup (const kms_kv_list_t *lst)
- }
-
- dup = malloc (sizeof (kms_kv_list_t));
-+ KMS_ASSERT (dup);
-+
- dup->size = dup->len = lst->len;
- dup->kvs = malloc (lst->len * sizeof (kms_kv_t));
-+ KMS_ASSERT (dup->kvs);
-+
-
- for (i = 0; i < lst->len; i++) {
- kv_init (&dup->kvs[i], lst->kvs[i].key, lst->kvs[i].value);
-diff --git a/src/third_party/kms-message/src/kms_message/kms_message.h b/src/third_party/kms-message/src/kms_message/kms_message.h
-index 6ea95dd04c..8048528f2e 100644
---- a/src/third_party/kms-message/src/kms_message/kms_message.h
-+++ b/src/third_party/kms-message/src/kms_message/kms_message.h
-@@ -17,6 +17,8 @@
- #ifndef KMS_MESSAGE_H
- #define KMS_MESSAGE_H
-
-+#include <sys/types.h>
-+
- #include "kms_message_defines.h"
- #include "kms_request_opt.h"
- #include "kms_request.h"
-diff --git a/src/third_party/kms-message/src/kms_message/kms_message_defines.h b/src/third_party/kms-message/src/kms_message/kms_message_defines.h
-index a4d019bd77..a539d531ef 100644
---- a/src/third_party/kms-message/src/kms_message/kms_message_defines.h
-+++ b/src/third_party/kms-message/src/kms_message/kms_message_defines.h
-@@ -53,4 +53,14 @@ kms_message_cleanup (void);
- } /* extern "C" */
- #endif
-
-+#ifdef _MSC_VER
-+#include <basetsd.h>
-+#pragma warning(disable : 4142)
-+#ifndef _SSIZE_T_DEFINED
-+#define _SSIZE_T_DEFINED
-+typedef SSIZE_T ssize_t;
-+#endif
-+#pragma warning(default : 4142)
-+#endif
-+
- #endif /* KMS_MESSAGE_DEFINES_H */
-diff --git a/src/third_party/kms-message/src/kms_port.c b/src/third_party/kms-message/src/kms_port.c
-new file mode 100644
-index 0000000000..ee9e6ed9c9
---- /dev/null
-+++ b/src/third_party/kms-message/src/kms_port.c
-@@ -0,0 +1,33 @@
-+/*
-+ * Copyright 2020-present MongoDB, Inc.
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */
-+
-+#include "kms_port.h"
-+#if defined(_WIN32)
-+#include <stdlib.h>
-+#include <string.h>
-+char * kms_strndup (const char *src, size_t len)
-+{
-+ char *dst = (char *) malloc (len + 1);
-+ if (!dst) {
-+ return 0;
-+ }
-+
-+ memcpy (dst, src, len);
-+ dst[len] = '\0';
-+
-+ return dst;
-+}
-+#endif
-\ No newline at end of file
-diff --git a/src/third_party/kms-message/src/kms_port.h b/src/third_party/kms-message/src/kms_port.h
-index c3cbbac369..2123a99dc9 100644
---- a/src/third_party/kms-message/src/kms_port.h
-+++ b/src/third_party/kms-message/src/kms_port.h
-@@ -15,21 +15,18 @@
- * limitations under the License.
- */
-
--#if defined(_WIN32)
--#define strcasecmp _stricmp
--
--inline char *
--strndup (const char *src, size_t len)
--{
-- char *dst = (char *) malloc (len + 1);
-- if (!dst) {
-- return 0;
-- }
--
-- memcpy (dst, src, len);
-- dst[len] = '\0';
-+#ifndef KMS_PORT_H
-+#define KMS_PORT_H
-
-- return dst;
--}
-+#include <stddef.h>
-
-+#if defined(_WIN32)
-+#define kms_strcasecmp _stricmp
-+char *
-+kms_strndup (const char *src, size_t len);
-+#else
-+#define kms_strndup strndup
-+#define kms_strcasecmp strcasecmp
- #endif
-+
-+#endif /* KMS_PORT_H */
-\ No newline at end of file
-diff --git a/src/third_party/kms-message/src/kms_request.c b/src/third_party/kms-message/src/kms_request.c
-index fa2d487123..ac2b07ea6b 100644
---- a/src/third_party/kms-message/src/kms_request.c
-+++ b/src/third_party/kms-message/src/kms_request.c
-@@ -61,6 +61,7 @@ kms_request_new (const char *method,
- kms_request_t *request = calloc (1, sizeof (kms_request_t));
- const char *question_mark;
-
-+ KMS_ASSERT (request);
- /* parsing may set failed to true */
- request->failed = false;
-
-@@ -92,10 +93,14 @@ kms_request_new (const char *method,
- request->header_fields = kms_kv_list_new ();
- request->auto_content_length = true;
-
-- kms_request_set_date (request, NULL);
-+ if (!kms_request_set_date (request, NULL)) {
-+ return request;
-+ }
-
- if (opt && opt->connection_close) {
-- kms_request_add_header_field (request, "Connection", "close");
-+ if (!kms_request_add_header_field (request, "Connection", "close")) {
-+ return request;
-+ }
- }
-
- if (opt && opt->crypto.sha256) {
-@@ -164,7 +169,9 @@ kms_request_set_date (kms_request_t *request, const struct tm *tm)
- kms_request_str_set_chars (request->date, buf, sizeof "YYYYmmDD" - 1);
- kms_request_str_set_chars (request->datetime, buf, sizeof AMZ_DT_FORMAT - 1);
- kms_kv_list_del (request->header_fields, "X-Amz-Date");
-- kms_request_add_header_field (request, "X-Amz-Date", buf);
-+ if (!kms_request_add_header_field (request, "X-Amz-Date", buf)) {
-+ return false;
-+ }
-
- return true;
- }
-@@ -309,7 +316,8 @@ append_canonical_headers (kms_kv_list_t *lst, kms_request_str_t *str)
- * values in headers that have multiple values." */
- for (i = 0; i < lst->len; i++) {
- kv = &lst->kvs[i];
-- if (previous_key && 0 == strcasecmp (previous_key->str, kv->key->str)) {
-+ if (previous_key &&
-+ 0 == kms_strcasecmp (previous_key->str, kv->key->str)) {
- /* duplicate header */
- kms_request_str_append_char (str, ',');
- kms_request_str_append_stripped (str, kv->value);
-@@ -339,12 +347,13 @@ append_signed_headers (kms_kv_list_t *lst, kms_request_str_t *str)
-
- for (i = 0; i < lst->len; i++) {
- kv = &lst->kvs[i];
-- if (previous_key && 0 == strcasecmp (previous_key->str, kv->key->str)) {
-+ if (previous_key &&
-+ 0 == kms_strcasecmp (previous_key->str, kv->key->str)) {
- /* duplicate header */
- continue;
- }
-
-- if (0 == strcasecmp (kv->key->str, "connection")) {
-+ if (0 == kms_strcasecmp (kv->key->str, "connection")) {
- continue;
- }
-
-@@ -412,7 +421,8 @@ finalize (kms_request_t *request)
- static int
- cmp_header_field_names (const void *a, const void *b)
- {
-- return strcasecmp (((kms_kv_t *) a)->key->str, ((kms_kv_t *) b)->key->str);
-+ return kms_strcasecmp (((kms_kv_t *) a)->key->str,
-+ ((kms_kv_t *) b)->key->str);
- }
-
- static kms_kv_list_t *
-@@ -447,6 +457,7 @@ kms_request_get_canonical (kms_request_t *request)
- kms_request_str_append_newline (canonical);
- normalized = kms_request_str_path_normalized (request->path);
- kms_request_str_append_escaped (canonical, normalized, false);
-+ kms_request_str_destroy (normalized);
- kms_request_str_append_newline (canonical);
- append_canonical_query (request, canonical);
- kms_request_str_append_newline (canonical);
-@@ -454,12 +465,14 @@ kms_request_get_canonical (kms_request_t *request)
- append_canonical_headers (lst, canonical);
- kms_request_str_append_newline (canonical);
- append_signed_headers (lst, canonical);
-- kms_request_str_append_newline (canonical);
-- kms_request_str_append_hashed (
-- &request->crypto, canonical, request->payload);
--
-- kms_request_str_destroy (normalized);
- kms_kv_list_destroy (lst);
-+ kms_request_str_append_newline (canonical);
-+ if (!kms_request_str_append_hashed (
-+ &request->crypto, canonical, request->payload)) {
-+ KMS_ERROR (request, "could not generate hash");
-+ kms_request_str_destroy (canonical);
-+ return NULL;
-+ }
-
- return kms_request_str_detach (canonical);
- }
-@@ -514,6 +527,10 @@ kms_request_get_string_to_sign (kms_request_t *request)
- kms_request_str_append_chars (sts, "/aws4_request\n", -1);
-
- creq = kms_request_str_wrap (kms_request_get_canonical (request), -1);
-+ if (!creq) {
-+ goto done;
-+ }
-+
- if (!kms_request_str_append_hashed (&request->crypto, sts, creq)) {
- goto done;
- }
-diff --git a/src/third_party/kms-message/src/kms_request_str.c b/src/third_party/kms-message/src/kms_request_str.c
-index 0f7c19c972..65207d2f4f 100644
---- a/src/third_party/kms-message/src/kms_request_str.c
-+++ b/src/third_party/kms-message/src/kms_request_str.c
-@@ -51,10 +51,13 @@ kms_request_str_t *
- kms_request_str_new (void)
- {
- kms_request_str_t *s = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (s);
-
- s->len = 0;
- s->size = 16;
- s->str = malloc (s->size);
-+ KMS_ASSERT (s->str);
-+
- s->str[0] = '\0';
-
- return s;
-@@ -64,11 +67,15 @@ kms_request_str_t *
- kms_request_str_new_from_chars (const char *chars, ssize_t len)
- {
- kms_request_str_t *s = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (s);
-+
- size_t actual_len;
-
- actual_len = len < 0 ? strlen (chars) : (size_t) len;
- s->size = actual_len + 1;
- s->str = malloc (s->size);
-+ KMS_ASSERT (s->str);
-+
- memcpy (s->str, chars, actual_len);
- s->str[actual_len] = '\0';
- s->len = actual_len;
-@@ -86,6 +93,8 @@ kms_request_str_wrap (char *chars, ssize_t len)
- }
-
- s = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (s);
-+
-
- s->str = chars;
- s->len = len < 0 ? strlen (chars) : (size_t) len;
-@@ -148,8 +157,10 @@ kms_request_str_t *
- kms_request_str_dup (kms_request_str_t *str)
- {
- kms_request_str_t *dup = malloc (sizeof (kms_request_str_t));
-+ KMS_ASSERT (dup);
-+
-
-- dup->str = strndup (str->str, str->len);
-+ dup->str = kms_strndup (str->str, str->len);
- dup->len = str->len;
- dup->size = str->len + 1;
-
-diff --git a/src/third_party/kms-message/src/kms_request_str.h b/src/third_party/kms-message/src/kms_request_str.h
-index f053a595aa..0898f59067 100644
---- a/src/third_party/kms-message/src/kms_request_str.h
-+++ b/src/third_party/kms-message/src/kms_request_str.h
-@@ -25,11 +25,6 @@
- #include <stdint.h>
- #include <string.h>
-
--#if defined(_WIN32)
--#include <basetsd.h>
--typedef SSIZE_T ssize_t;
--#endif // _WIN32
--
- typedef struct {
- char *str;
- size_t len;
-diff --git a/src/third_party/kms-message/src/kms_response_parser.c b/src/third_party/kms-message/src/kms_response_parser.c
-index 31e4868a68..6f86fac854 100644
---- a/src/third_party/kms-message/src/kms_response_parser.c
-+++ b/src/third_party/kms-message/src/kms_response_parser.c
-@@ -1,7 +1,7 @@
- #include "kms_message/kms_response_parser.h"
- #include "kms_message_private.h"
-
--#include "kms_message_private.h"
-+#include <errno.h>
- #include <limits.h>
- #include <stdio.h>
- #include <stdlib.h>
-@@ -24,6 +24,7 @@ _parser_init (kms_response_parser_t *parser)
- parser->raw_response = kms_request_str_new ();
- parser->content_length = -1;
- parser->response = calloc (1, sizeof (kms_response_t));
-+ KMS_ASSERT (parser->response);
- parser->response->headers = kms_kv_list_new ();
- parser->state = PARSING_STATUS_LINE;
- parser->start = 0;
-@@ -34,6 +35,8 @@ kms_response_parser_t *
- kms_response_parser_new (void)
- {
- kms_response_parser_t *parser = malloc (sizeof (kms_response_parser_t));
-+ KMS_ASSERT (parser);
-+
- _parser_init (parser);
- return parser;
- }
-@@ -59,11 +62,26 @@ static bool
- _parse_int (const char *str, int *result)
- {
- char *endptr = NULL;
-+ int64_t long_result;
-
-- *result = (int) strtol (str, &endptr, 10);
-- if (*endptr) {
-+ errno = 0;
-+ long_result = strtol (str, &endptr, 10);
-+ if (endptr == str) {
-+ /* No digits were parsed. Consider this an error */
-+ return false;
-+ }
-+ if (endptr != NULL && *endptr != '\0') {
-+ /* endptr points to the first invalid character. */
-+ return false;
-+ }
-+ if (errno == EINVAL || errno == ERANGE) {
-+ return false;
-+ }
-+ if (long_result > INT32_MAX || long_result < INT32_MIN) {
- return false;
- }
-+ *result = (int) long_result;
-+
- return true;
- }
-
-@@ -72,6 +90,8 @@ static bool
- _parse_int_from_view (const char *str, int start, int end, int *result)
- {
- char *num_str = malloc (end - start + 1);
-+ KMS_ASSERT (num_str);
-+
- bool ret;
-
- strncpy (num_str, str + start, end - start);
-diff --git a/src/third_party/scripts/kms_message_get_sources.sh b/src/third_party/scripts/kms_message_get_sources.sh
-index 6ad2fbb0e6..52ce21b9dd 100755
---- a/src/third_party/scripts/kms_message_get_sources.sh
-+++ b/src/third_party/scripts/kms_message_get_sources.sh
-@@ -18,7 +18,7 @@ if grep -q Microsoft /proc/version; then
- fi
-
- NAME=libmongocrypt
--REVISION=59c8c17bbdfa1cf0fdec60cfdde73a437a868221
-+REVISION=052f7fc610f0cea83a2adf3dd263a5ff04833371
-
- if grep -q Microsoft /proc/version; then
- SRC_ROOT=$(wslpath -u $(powershell.exe -Command "Get-ChildItem Env:TEMP | Get-Content | Write-Host"))
---
-2.24.0
-
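Review bot: The deleted patch was marked Upstream-Status: Pending, and the commit message says only "Drop upstreamed patch" without naming the upstream commit that absorbed it. The patch carried robustness fixes in kms-message, such as KMS_ASSERT after each malloc and the errno and INT32_MAX/INT32_MIN range checks in _parse_int, so cite the upstream change or confirm that src/third_party/kms-message at the new SRCREV contains them before the local copy is removed.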
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
index b78255a049..54178bf75a 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
@@ -11,11 +11,10 @@ DEPENDS = "openssl libpcap zlib boost curl python3 \
inherit scons dos2unix siteinfo python3native systemd useradd
-PV = "4.4.4"
-#v4.4.4
-SRCREV = "8db30a63db1a9d84bdcad0c83369623f708e0397"
+PV = "4.4.5+4.4.6-rc0"
+#v4.4.6-rc0
+SRCREV = "72e66213c2c3eab37d9358d5e78ad7f5c1d0d0d7"
SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.4 \
- file://0001-kms-message-bump-libmongocrypto-to-v1.0.4.patch \
file://0001-Tell-scons-to-use-build-settings-from-environment-va.patch \
file://0001-Use-long-long-instead-of-int64_t.patch \
file://0001-Use-__GLIBC__-to-control-use-of-gnu_get_libc_version.patch \
--
2.17.1
* [Hardknott 4/5] mongodb: Change PV to 4.4.6
2021-06-13 23:32 [Hardknott 0/5] Patch review June 13th Armin Kuster
` (2 preceding siblings ...)
2021-06-13 23:32 ` [Hardknott 3/5] mongodb: Update to 4.4.6-rc0 Armin Kuster
@ 2021-06-13 23:32 ` Armin Kuster
2021-06-13 23:32 ` [Hardknott 5/5] thunar: fix CVE-2021-32563 Armin Kuster
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2021-06-13 23:32 UTC (permalink / raw)
To: openembedded-devel
From: Khem Raj <raj.khem@gmail.com>
4.4.6 has been released from same SHA which was used for rc0
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e17fc085c025550be08353319983f9b89b11831b)
[Bug fix only updates:
Issues fixed:
SERVER-53604: Include original aws iam arn in authenticate audit logs
SERVER-52564: Deadlock between step down and MongoDOperationContextSession
WT-7442: RTS to open dhandle only when the dhandle has unstable updates
WT-7426: Set write generation number when the page image gets created
WT-7373: Improve slow random cursor operations on oplog]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../meta-python/recipes-dbs/mongodb/mongodb_git.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
index 54178bf75a..fcabf81327 100644
--- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
+++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
@@ -11,8 +11,8 @@ DEPENDS = "openssl libpcap zlib boost curl python3 \
inherit scons dos2unix siteinfo python3native systemd useradd
-PV = "4.4.5+4.4.6-rc0"
-#v4.4.6-rc0
+PV = "4.4.6"
+#v4.4.6
SRCREV = "72e66213c2c3eab37d9358d5e78ad7f5c1d0d0d7"
SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.4 \
file://0001-Tell-scons-to-use-build-settings-from-environment-va.patch \
--
2.17.1
* [Hardknott 5/5] thunar: fix CVE-2021-32563
2021-06-13 23:32 [Hardknott 0/5] Patch review June 13th Armin Kuster
` (3 preceding siblings ...)
2021-06-13 23:32 ` [Hardknott 4/5] mongodb: Change PV to 4.4.6 Armin Kuster
@ 2021-06-13 23:32 ` Armin Kuster
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2021-06-13 23:32 UTC (permalink / raw)
To: openembedded-devel
From: Stefan Ghinea <stefan.ghinea@windriver.com>
An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2.
When called with a regular file as a command-line argument, it delegates
to a different program (based on the file type) without user confirmation.
This could be used to achieve code execution.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-32563
Upstream patches:
https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b
https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit baa9453d57aa06554c823b5c7bd9c029e1858f89)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../thunar/thunar/CVE-2021-32563-1.patch | 97 ++++++++
.../thunar/thunar/CVE-2021-32563-2.patch | 208 ++++++++++++++++++
.../recipes-xfce/thunar/thunar_4.16.6.bb | 4 +
3 files changed, 309 insertions(+)
create mode 100644 meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
create mode 100644 meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
diff --git a/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
new file mode 100644
index 0000000000..f942f990bd
--- /dev/null
+++ b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-1.patch
@@ -0,0 +1,97 @@
+From 9165a61f95e43cc0b5abf9b98eee2818a0191e0b Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn <alexxcons@xfce.org>
+Date: Sat, 1 May 2021 00:40:44 +0200
+Subject: [PATCH 1/2] Dont execute files, passed via command line due to
+ security risks
+
+Instead open the containing folder and select the file.
+
+Fixes #121
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ thunar/thunar-application.c | 25 +++++++++++++++++++++++--
+ thunar/thunar-window.c | 4 +---
+ thunar/thunar-window.h | 2 ++
+ 3 files changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index df862fd..1243940 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -1512,8 +1512,29 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- /* try to open the file or directory */
+- thunar_file_launch (target_file, screen, startup_id, &error);
++ if (thunar_file_is_directory (file))
++ {
++ thunar_application_open_window (application, file, screen, startup_id, FALSE);
++ }
++ else
++ {
++ /* Note that for security reasons we do not execute files passed via command line */
++ /* Lets rather open the containing directory and select the file */
++ ThunarFile *parent = thunar_file_get_parent (file, NULL);
++
++ if (G_LIKELY (parent != NULL))
++ {
++ GList* files = NULL;
++ GtkWidget *window;
++
++ window = thunar_application_open_window (application, parent, screen, startup_id, FALSE);
++ g_object_unref (parent);
++
++ files = g_list_append (files, thunar_file_get_file (file));
++ thunar_window_select_files (THUNAR_WINDOW (window), files);
++ g_list_free (files);
++ }
++ }
+
+ /* remove the file from the list */
+ application->files_to_launch = g_list_delete_link (application->files_to_launch,
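Review bot: in the new non-directory branch the return value of `thunar_application_open_window` goes straight into `THUNAR_WINDOW (window)` and `thunar_window_select_files` with no NULL check, and when `thunar_file_get_parent` returns NULL the entry is removed from `files_to_launch` without setting `error` or telling the user anything. Suggest guarding `window` and reporting the no-parent case. The directory test also moves from `target_file` (the object the removed `thunar_file_launch` call used) to `file`; a one-line comment on why `file` is the right object here would help the next reader of this security fix.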
+diff --git a/thunar/thunar-window.c b/thunar/thunar-window.c
+index b330a87..b234fd3 100644
+--- a/thunar/thunar-window.c
++++ b/thunar/thunar-window.c
+@@ -243,8 +243,6 @@ static void thunar_window_update_go_menu (ThunarWindow
+ GtkWidget *menu);
+ static void thunar_window_update_help_menu (ThunarWindow *window,
+ GtkWidget *menu);
+-static void thunar_window_select_files (ThunarWindow *window,
+- GList *path_list);
+ static void thunar_window_binding_create (ThunarWindow *window,
+ gpointer src_object,
+ const gchar *src_prop,
+@@ -891,7 +889,7 @@ thunar_window_screen_changed (GtkWidget *widget,
+ *
+ * Visually selects the files, given by the list
+ **/
+-static void
++void
+ thunar_window_select_files (ThunarWindow *window,
+ GList *files_to_selected)
+ {
+diff --git a/thunar/thunar-window.h b/thunar/thunar-window.h
+index 9cbcc85..3c1aad2 100644
+--- a/thunar/thunar-window.h
++++ b/thunar/thunar-window.h
+@@ -126,6 +126,8 @@ void thunar_window_redirect_menu_tooltips_to_statusbar (Thu
+ GtkMenu *menu);
+ const XfceGtkActionEntry* thunar_window_get_action_entry (ThunarWindow *window,
+ ThunarWindowAction action);
++ void thunar_window_select_files (ThunarWindow *window,
++ GList *path_list);
+ G_END_DECLS;
+
+ #endif /* !__THUNAR_WINDOW_H__ */
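Review bot: the newly exported prototype names its second parameter `path_list`, while the definition in thunar-window.c calls it `files_to_selected` and the new caller passes a list built from `thunar_file_get_file (file)`. Now that the function is public, the header should use one name and say what the list elements are. The added declaration is also indented by one space, unlike the declarations around it.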
+--
+2.17.1
+
diff --git a/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
new file mode 100644
index 0000000000..a22cdc6d8d
--- /dev/null
+++ b/meta-xfce/recipes-xfce/thunar/thunar/CVE-2021-32563-2.patch
@@ -0,0 +1,208 @@
+From 3b54d9d7dbd7fd16235e2141c43a7f18718f5664 Mon Sep 17 00:00:00 2001
+From: Alexander Schwinn <alexxcons@xfce.org>
+Date: Fri, 7 May 2021 15:21:27 +0200
+Subject: [PATCH 2/2] Regression: Activating Desktop Icon does not Use Default
+ Application (Issue #575)
+
+- Introduced by 9165a61f (Dont execute files, passed via command line
+due to security risks)
+- Now via DBus files are executed, and via CLI, files are just selected
+
+Fixes #575
+
+Upstream-Status: Backport
+CVE: CVE-2021-32563
+
+Reference to upstream patch:
+[https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664]
+
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ thunar/thunar-application.c | 68 +++++++++++++++++++++---------------
+ thunar/thunar-application.h | 9 ++++-
+ thunar/thunar-dbus-service.c | 2 +-
+ 3 files changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/thunar/thunar-application.c b/thunar/thunar-application.c
+index 1243940..53d0b23 100644
+--- a/thunar/thunar-application.c
++++ b/thunar/thunar-application.c
+@@ -182,37 +182,38 @@ struct _ThunarApplicationClass
+
+ struct _ThunarApplication
+ {
+- GtkApplication __parent__;
++ GtkApplication __parent__;
+
+- ThunarSessionClient *session_client;
++ ThunarSessionClient *session_client;
+
+- ThunarPreferences *preferences;
+- GtkWidget *progress_dialog;
++ ThunarPreferences *preferences;
++ GtkWidget *progress_dialog;
+
+- ThunarThumbnailCache *thumbnail_cache;
+- ThunarThumbnailer *thumbnailer;
++ ThunarThumbnailCache *thumbnail_cache;
++ ThunarThumbnailer *thumbnailer;
+
+- ThunarDBusService *dbus_service;
++ ThunarDBusService *dbus_service;
+
+- gboolean daemon;
++ gboolean daemon;
+
+- guint accel_map_save_id;
+- GtkAccelMap *accel_map;
++ guint accel_map_save_id;
++ GtkAccelMap *accel_map;
+
+- guint show_dialogs_timer_id;
++ guint show_dialogs_timer_id;
+
+ #ifdef HAVE_GUDEV
+- GUdevClient *udev_client;
++ GUdevClient *udev_client;
+
+- GSList *volman_udis;
+- guint volman_idle_id;
+- guint volman_watch_id;
++ GSList *volman_udis;
++ guint volman_idle_id;
++ guint volman_watch_id;
+ #endif
+
+- GList *files_to_launch;
++ GList *files_to_launch;
++ ThunarApplicationProcessAction process_file_action;
+
+- guint dbus_owner_id_xfce;
+- guint dbus_owner_id_fdo;
++ guint dbus_owner_id_xfce;
++ guint dbus_owner_id_fdo;
+ };
+
+
+@@ -279,6 +280,7 @@ thunar_application_init (ThunarApplication *application)
+ * in the primary instance anyways */
+
+ application->files_to_launch = NULL;
++ application->process_file_action = THUNAR_APPLICATION_SELECT_FILES;
+ application->progress_dialog = NULL;
+ application->preferences = NULL;
+
+@@ -531,7 +533,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (filenames != NULL)
+ {
+- if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, filenames, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -539,7 +541,7 @@ thunar_application_command_line (GApplication *gapp,
+ }
+ else if (!daemon)
+ {
+- if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error))
++ if (!thunar_application_process_filenames (application, cwd, cwd_list, NULL, NULL, &error, THUNAR_APPLICATION_SELECT_FILES))
+ {
+ /* we failed to process the filenames or the bulk rename failed */
+ g_application_command_line_printerr (command_line, "Thunar: %s\n", error->message);
+@@ -1512,7 +1514,12 @@ thunar_application_process_files_finish (ThunarBrowser *browser,
+ }
+ else
+ {
+- if (thunar_file_is_directory (file))
++ if (application->process_file_action == THUNAR_APPLICATION_LAUNCH_FILES)
++ {
++ /* try to launch the file / open the directory */
++ thunar_file_launch (target_file, screen, startup_id, &error);
++ }
++ else if (thunar_file_is_directory (file))
+ {
+ thunar_application_open_window (application, file, screen, startup_id, FALSE);
+ }
+@@ -1603,18 +1610,20 @@ thunar_application_process_files (ThunarApplication *application)
+ * @startup_id : startup id to finish startup notification and properly focus the
+ * window when focus stealing is enabled or %NULL.
+ * @error : return location for errors or %NULL.
++ * @action : action to invoke on the files
+ *
+ * Tells @application to process the given @filenames and launch them appropriately.
+ *
+ * Return value: %TRUE on success, %FALSE if @error is set.
+ **/
+ gboolean
+-thunar_application_process_filenames (ThunarApplication *application,
+- const gchar *working_directory,
+- gchar **filenames,
+- GdkScreen *screen,
+- const gchar *startup_id,
+- GError **error)
++thunar_application_process_filenames (ThunarApplication *application,
++ const gchar *working_directory,
++ gchar **filenames,
++ GdkScreen *screen,
++ const gchar *startup_id,
++ GError **error,
++ ThunarApplicationProcessAction action)
+ {
+ ThunarFile *file;
+ GError *derror = NULL;
+@@ -1686,7 +1695,10 @@ thunar_application_process_filenames (ThunarApplication *application,
+
+ /* start processing files if we have any to launch */
+ if (application->files_to_launch != NULL)
+- thunar_application_process_files (application);
++ {
++ application->process_file_action = action;
++ thunar_application_process_files (application);
++ }
+
+ /* free the file list */
+ g_list_free (file_list);
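Review bot: `application->process_file_action = action` overwrites a single per-application field, while `files_to_launch` is a shared queue that `thunar_application_process_files_finish` works through one entry at a time. If a call with `THUNAR_APPLICATION_LAUNCH_FILES` can arrive while entries queued with `THUNAR_APPLICATION_SELECT_FILES` are still pending, those earlier entries would be handled with the later action and launched instead of selected. Suggest storing the action alongside each queued entry, or documenting why the two callers cannot overlap.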
+diff --git a/thunar/thunar-application.h b/thunar/thunar-application.h
+index 547cb70..8c180e8 100644
+--- a/thunar/thunar-application.h
++++ b/thunar/thunar-application.h
+@@ -31,6 +31,12 @@ G_BEGIN_DECLS;
+ typedef struct _ThunarApplicationClass ThunarApplicationClass;
+ typedef struct _ThunarApplication ThunarApplication;
+
++typedef enum
++{
++ THUNAR_APPLICATION_LAUNCH_FILES,
++ THUNAR_APPLICATION_SELECT_FILES
++} ThunarApplicationProcessAction;
++
+ #define THUNAR_TYPE_APPLICATION (thunar_application_get_type ())
+ #define THUNAR_APPLICATION(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), THUNAR_TYPE_APPLICATION, ThunarApplication))
+ #define THUNAR_APPLICATION_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), THUNAR_TYPE_APPLICATION, ThunarApplicationClass))
+@@ -74,7 +80,8 @@ gboolean thunar_application_process_filenames (ThunarAppli
+ gchar **filenames,
+ GdkScreen *screen,
+ const gchar *startup_id,
+- GError **error);
++ GError **error,
++ ThunarApplicationProcessAction action);
+
+ void thunar_application_rename_file (ThunarApplication *application,
+ ThunarFile *file,
+diff --git a/thunar/thunar-dbus-service.c b/thunar/thunar-dbus-service.c
+index 2d27642..4205a2b 100644
+--- a/thunar/thunar-dbus-service.c
++++ b/thunar/thunar-dbus-service.c
+@@ -991,7 +991,7 @@ thunar_dbus_service_launch_files (ThunarDBusFileManager *object,
+ {
+ /* let the application process the filenames */
+ application = thunar_application_get ();
+- thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error);
++ thunar_application_process_filenames (application, working_directory, filenames, screen, startup_id, &error, THUNAR_APPLICATION_LAUNCH_FILES);
+ g_object_unref (G_OBJECT (application));
+
+ /* release the screen */
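Review bot: this call site passes `THUNAR_APPLICATION_LAUNCH_FILES`, so file names received by `thunar_dbus_service_launch_files` are still opened with their default handler, and only the command-line callers use `THUNAR_APPLICATION_SELECT_FILES`. That matches the patch description, but the patch header carries `CVE: CVE-2021-32563` without saying the D-Bus entry point is intentionally left launching; a sentence to that effect in the header would keep the tag from being read as covering both paths.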
+--
+2.17.1
+
diff --git a/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb b/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
index 128043d19b..7bef08ed95 100644
--- a/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
+++ b/meta-xfce/recipes-xfce/thunar/thunar_4.16.6.bb
@@ -8,6 +8,10 @@ inherit xfce gobject-introspection features_check mime-xdg
REQUIRED_DISTRO_FEATURES = "x11"
+SRC_URI += "file://CVE-2021-32563-1.patch \
+ file://CVE-2021-32563-2.patch \
+ "
+
SRC_URI[sha256sum] = "cb531d3fe67196a43ca04979ef271ece7858bbc80c15b0ee4323c1252a1a02b7"
PACKAGECONFIG ??= ""
--
2.17.1