* [PATCH 0/8] [jethro] 8 patches for jethro
@ 2015-12-01 9:44 Robert Yang
2015-12-01 9:44 ` [PATCH 1/8] opkg: add cache filename length fixes Robert Yang
` (7 more replies)
0 siblings, 8 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw)
To: openembedded-core
Hello,
Here are 8 patches for jethro. There are still a few patches that are
requested but not included here because they have not been merged by
master by now.
All these patches have already been merged by master.
// Robert
The following changes since commit e44ed8c18e395b9c055aefee113b90708e8a8a2f:
build-appliance-image: Update to jethro head revision (2015-11-03 14:02:57 +0000)
are available in the git repository at:
git://git.openembedded.org/openembedded-core-contrib rbt/jethro-next
http://cgit.openembedded.org/cgit.cgi/openembedded-core-contrib/log/?h=rbt/HEAD
Alejandro del Castillo (1):
opkg: add cache filename length fixes
Armin Kuster (2):
libxslt: CVE-2015-7995
libxml2: fix CVE-2015-7942 and CVE-2015-8035
Mark Hatle (1):
binutils: Fix octeon3 disassembly patch
Maxin B. John (1):
libsndfile: fix CVE-2014-9756
Ross Burton (3):
libarchive: rename patch to reflect CVE
readline: rename patch to contain CVE reference
unzip: rename patch to reflect CVE fix
meta/recipes-core/libxml/libxml2.inc | 2 +
.../libxml/libxml2/CVE-2015-7942.patch | 55 +++++++++
.../libxml/libxml2/CVE-2015-8035.patch | 41 +++++++
...ne63-003.patch => readline-cve-2014-2524.patch} | 0
meta/recipes-core/readline/readline_6.3.bb | 2 +-
.../binutils/binutils/binutils-octeon3.patch | 2 +-
...ng_util-New-file-with-bin_to_hex-function.patch | 122 ++++++++++++++++++++
.../opkg/0002-md5-Add-md5_to_string-function.patch | 110 ++++++++++++++++++
...0003-sha256-Add-sha256_to_string-function.patch | 110 ++++++++++++++++++
...4-opkg_download-Use-short-cache-file-name.patch | 85 ++++++++++++++
meta/recipes-devtools/opkg/opkg_0.3.0.bb | 4 +
...option.patch => libarchive-CVE-2015-2304.patch} | 0
.../libarchive/libarchive_3.1.2.bb | 2 +-
...nzip-6.0_overflow3.diff => cve-2014-9636.patch} | 0
meta/recipes-extended/unzip/unzip_6.0.bb | 2 +-
.../files/libsndfile-fix-CVE-2014-9756.patch | 24 ++++
.../libsndfile/libsndfile1_1.0.25.bb | 1 +
.../libxslt/libxslt/CVE-2015-7995.patch | 33 ++++++
meta/recipes-support/libxslt/libxslt_1.1.28.bb | 3 +-
19 files changed, 593 insertions(+), 5 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
rename meta/recipes-core/readline/readline-6.3/{readline63-003.patch => readline-cve-2014-2524.patch} (100%)
create mode 100644 meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch
create mode 100644 meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch
create mode 100644 meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch
create mode 100644 meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch
rename meta/recipes-extended/libarchive/libarchive/{0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch => libarchive-CVE-2015-2304.patch} (100%)
rename meta/recipes-extended/unzip/unzip/{unzip-6.0_overflow3.diff => cve-2014-9636.patch} (100%)
create mode 100644 meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
--
1.7.9.5
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 1/8] opkg: add cache filename length fixes
2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
@ 2015-12-01 9:44 ` Robert Yang
2015-12-01 9:44 ` [PATCH 2/8] binutils: Fix octeon3 disassembly patch Robert Yang
` (6 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw)
To: openembedded-core
From: Alejandro del Castillo <alejandro.delcastillo@ni.com>
(From OE-Core master rev: 8e53500a7c05204fc63759f456639545a022e82b)
Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
...ng_util-New-file-with-bin_to_hex-function.patch | 122 ++++++++++++++++++++
.../opkg/0002-md5-Add-md5_to_string-function.patch | 110 ++++++++++++++++++
...0003-sha256-Add-sha256_to_string-function.patch | 110 ++++++++++++++++++
...4-opkg_download-Use-short-cache-file-name.patch | 85 ++++++++++++++
meta/recipes-devtools/opkg/opkg_0.3.0.bb | 4 +
5 files changed, 431 insertions(+)
create mode 100644 meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch
create mode 100644 meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch
create mode 100644 meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch
create mode 100644 meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch
diff --git a/meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch b/meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch
new file mode 100644
index 0000000..fb3ac46
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/0001-string_util-New-file-with-bin_to_hex-function.patch
@@ -0,0 +1,122 @@
+From 646b80024567a6245c598be3374653fa1fa09a12 Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Sat, 7 Nov 2015 10:23:49 +0000
+Subject: [PATCH 1/4] string_util: New file with bin_to_hex function
+
+This function does very simple conversion from binary data to a hex string.
+
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
+
+Upstream-Status: Accepted
+---
+ libopkg/Makefile.am | 4 ++--
+ libopkg/string_util.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ libopkg/string_util.h | 24 ++++++++++++++++++++++++
+ 3 files changed, 68 insertions(+), 2 deletions(-)
+ create mode 100644 libopkg/string_util.c
+ create mode 100644 libopkg/string_util.h
+
+diff --git a/libopkg/Makefile.am b/libopkg/Makefile.am
+index ee3fbee..3e62c24 100644
+--- a/libopkg/Makefile.am
++++ b/libopkg/Makefile.am
+@@ -13,7 +13,7 @@ opkg_headers = active_list.h cksum_list.h conffile.h conffile_list.h \
+ pkg_depends.h pkg_dest.h pkg_dest_list.h pkg_extract.h pkg_hash.h \
+ pkg_parse.h pkg_src.h pkg_src_list.h pkg_vec.h release.h \
+ release_parse.h sha256.h sprintf_alloc.h str_list.h void_list.h \
+- xregex.h xsystem.h xfuncs.h opkg_verify.h
++ xregex.h xsystem.h xfuncs.h opkg_verify.h string_util.h
+
+ opkg_sources = opkg_cmd.c opkg_configure.c opkg_download.c \
+ opkg_install.c opkg_remove.c opkg_conf.c release.c \
+@@ -23,7 +23,7 @@ opkg_sources = opkg_cmd.c opkg_configure.c opkg_download.c \
+ pkg_src.c pkg_src_list.c str_list.c void_list.c active_list.c \
+ file_util.c opkg_message.c md5.c parse_util.c cksum_list.c \
+ sprintf_alloc.c xregex.c xsystem.c xfuncs.c opkg_archive.c \
+- opkg_verify.c
++ opkg_verify.c string_util.c
+
+ if HAVE_CURL
+ opkg_sources += opkg_download_curl.c
+diff --git a/libopkg/string_util.c b/libopkg/string_util.c
+new file mode 100644
+index 0000000..822cab6
+--- /dev/null
++++ b/libopkg/string_util.c
+@@ -0,0 +1,42 @@
++/* vi: set expandtab sw=4 sts=4: */
++/* string_util.c - convenience routines for common string operations
++
++ Copyright (C) 2015 Paul Barker
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License as
++ published by the Free Software Foundation; either version 2, or (at
++ your option) any later version.
++
++ This program is distributed in the hope that it will be useful, but
++ WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ General Public License for more details.
++*/
++
++#include "config.h"
++
++#include "string_util.h"
++#include "xfuncs.h"
++
++char *bin_to_hex(const void *bin_data, size_t len)
++{
++ const unsigned char *src = (const unsigned char *)bin_data;
++ char *buf = xmalloc(2 * len + 1);
++ int i;
++
++ static const unsigned char bin2hex[16] = {
++ '0', '1', '2', '3',
++ '4', '5', '6', '7',
++ '8', '9', 'a', 'b',
++ 'c', 'd', 'e', 'f'
++ };
++
++ for (i = 0; i < len; i++) {
++ buf[i * 2] = bin2hex[src[i] >> 4];
++ buf[i * 2 + 1] = bin2hex[src[i] & 0xf];
++ }
++
++ buf[len * 2] = '\0';
++ return buf;
++}
+diff --git a/libopkg/string_util.h b/libopkg/string_util.h
+new file mode 100644
+index 0000000..a920e2a
+--- /dev/null
++++ b/libopkg/string_util.h
+@@ -0,0 +1,24 @@
++/* vi: set expandtab sw=4 sts=4: */
++/* string_util.h - convenience routines for common file operations
++
++ Copyright (C) 2015 Paul Barker
++
++ This program is free software; you can redistribute it and/or
++ modify it under the terms of the GNU General Public License as
++ published by the Free Software Foundation; either version 2, or (at
++ your option) any later version.
++
++ This program is distributed in the hope that it will be useful, but
++ WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ General Public License for more details.
++*/
++
++#ifndef STRING_UTIL_H
++#define STRING_UTIL_H
++
++#include <stddef.h>
++
++char *bin_to_hex(const void *bin_data, size_t len);
++
++#endif /* STRING_UTIL_H */
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch b/meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch
new file mode 100644
index 0000000..3b823c6
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/0002-md5-Add-md5_to_string-function.patch
@@ -0,0 +1,110 @@
+From ecad8afab377d8be95eeaafc08afa228c8e030c3 Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Sat, 7 Nov 2015 10:23:50 +0000
+Subject: [PATCH 2/4] md5: Add md5_to_string function
+
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
+
+Upstream-Status: Accepted
+---
+ libopkg/file_util.c | 28 +++-------------------------
+ libopkg/md5.c | 7 +++++++
+ libopkg/md5.h | 3 +++
+ 3 files changed, 13 insertions(+), 25 deletions(-)
+
+diff --git a/libopkg/file_util.c b/libopkg/file_util.c
+index 5eff469..cb3dbf0 100644
+--- a/libopkg/file_util.c
++++ b/libopkg/file_util.c
+@@ -349,27 +349,13 @@ int file_mkdir_hier(const char *path, long mode)
+
+ char *file_md5sum_alloc(const char *file_name)
+ {
+- static const int md5sum_bin_len = 16;
+- static const int md5sum_hex_len = 32;
+-
+- static const unsigned char bin2hex[16] = {
+- '0', '1', '2', '3',
+- '4', '5', '6', '7',
+- '8', '9', 'a', 'b',
+- 'c', 'd', 'e', 'f'
+- };
+-
+- int i, err;
++ int err;
+ FILE *file;
+- char *md5sum_hex;
+- unsigned char md5sum_bin[md5sum_bin_len];
+-
+- md5sum_hex = xcalloc(1, md5sum_hex_len + 1);
++ unsigned char md5sum_bin[16];
+
+ file = fopen(file_name, "r");
+ if (file == NULL) {
+ opkg_perror(ERROR, "Failed to open file %s", file_name);
+- free(md5sum_hex);
+ return NULL;
+ }
+
+@@ -377,20 +363,12 @@ char *file_md5sum_alloc(const char *file_name)
+ if (err) {
+ opkg_msg(ERROR, "Could't compute md5sum for %s.\n", file_name);
+ fclose(file);
+- free(md5sum_hex);
+ return NULL;
+ }
+
+ fclose(file);
+
+- for (i = 0; i < md5sum_bin_len; i++) {
+- md5sum_hex[i * 2] = bin2hex[md5sum_bin[i] >> 4];
+- md5sum_hex[i * 2 + 1] = bin2hex[md5sum_bin[i] & 0xf];
+- }
+-
+- md5sum_hex[md5sum_hex_len] = '\0';
+-
+- return md5sum_hex;
++ return md5_to_string(md5sum_bin);
+ }
+
+ #ifdef HAVE_SHA256
+diff --git a/libopkg/md5.c b/libopkg/md5.c
+index d476b8b..bc2b229 100644
+--- a/libopkg/md5.c
++++ b/libopkg/md5.c
+@@ -30,6 +30,8 @@
+ #include <string.h>
+ #include <sys/types.h>
+
++#include "string_util.h"
++
+ #if USE_UNLOCKED_IO
+ #include "unlocked-io.h"
+ #endif
+@@ -431,3 +433,8 @@ void md5_process_block(const void *buffer, size_t len, struct md5_ctx *ctx)
+ ctx->C = C;
+ ctx->D = D;
+ }
++
++char *md5_to_string(const void *md5sum_bin)
++{
++ return bin_to_hex(md5sum_bin, 16);
++}
+diff --git a/libopkg/md5.h b/libopkg/md5.h
+index 01320f5..2a7274d 100644
+--- a/libopkg/md5.h
++++ b/libopkg/md5.h
+@@ -118,6 +118,9 @@ extern int __md5_stream(FILE * stream, void *resblock) __THROW;
+ extern void *__md5_buffer(const char *buffer, size_t len,
+ void *resblock) __THROW;
+
++/* Convert a binary md5sum value to an ASCII string. */
++char *md5_to_string(const void *md5sum_bin);
++
+ #ifdef __cplusplus
+ }
+ #endif
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch b/meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch
new file mode 100644
index 0000000..16e82d7
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/0003-sha256-Add-sha256_to_string-function.patch
@@ -0,0 +1,110 @@
+From 92e8378103bba3b91f2dec4e6fda3e1755a7c0fd Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Sat, 7 Nov 2015 10:23:51 +0000
+Subject: [PATCH 3/4] sha256: Add sha256_to_string function
+
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
+
+Upstream-Status: Accepted
+---
+ libopkg/file_util.c | 28 +++-------------------------
+ libopkg/sha256.c | 7 +++++++
+ libopkg/sha256.h | 3 +++
+ 3 files changed, 13 insertions(+), 25 deletions(-)
+
+diff --git a/libopkg/file_util.c b/libopkg/file_util.c
+index cb3dbf0..864aedb 100644
+--- a/libopkg/file_util.c
++++ b/libopkg/file_util.c
+@@ -374,27 +374,13 @@ char *file_md5sum_alloc(const char *file_name)
+ #ifdef HAVE_SHA256
+ char *file_sha256sum_alloc(const char *file_name)
+ {
+- static const int sha256sum_bin_len = 32;
+- static const int sha256sum_hex_len = 64;
+-
+- static const unsigned char bin2hex[16] = {
+- '0', '1', '2', '3',
+- '4', '5', '6', '7',
+- '8', '9', 'a', 'b',
+- 'c', 'd', 'e', 'f'
+- };
+-
+- int i, err;
++ int err;
+ FILE *file;
+- char *sha256sum_hex;
+- unsigned char sha256sum_bin[sha256sum_bin_len];
+-
+- sha256sum_hex = xcalloc(1, sha256sum_hex_len + 1);
++ unsigned char sha256sum_bin[32];
+
+ file = fopen(file_name, "r");
+ if (file == NULL) {
+ opkg_perror(ERROR, "Failed to open file %s", file_name);
+- free(sha256sum_hex);
+ return NULL;
+ }
+
+@@ -402,20 +388,12 @@ char *file_sha256sum_alloc(const char *file_name)
+ if (err) {
+ opkg_msg(ERROR, "Could't compute sha256sum for %s.\n", file_name);
+ fclose(file);
+- free(sha256sum_hex);
+ return NULL;
+ }
+
+ fclose(file);
+
+- for (i = 0; i < sha256sum_bin_len; i++) {
+- sha256sum_hex[i * 2] = bin2hex[sha256sum_bin[i] >> 4];
+- sha256sum_hex[i * 2 + 1] = bin2hex[sha256sum_bin[i] & 0xf];
+- }
+-
+- sha256sum_hex[sha256sum_hex_len] = '\0';
+-
+- return sha256sum_hex;
++ return sha256_to_string(sha256sum_bin);
+ }
+
+ #endif
+diff --git a/libopkg/sha256.c b/libopkg/sha256.c
+index 0816858..bceed72 100644
+--- a/libopkg/sha256.c
++++ b/libopkg/sha256.c
+@@ -29,6 +29,8 @@
+ #include <stddef.h>
+ #include <string.h>
+
++#include "string_util.h"
++
+ #if USE_UNLOCKED_IO
+ #include "unlocked-io.h"
+ #endif
+@@ -517,3 +519,8 @@ void sha256_process_block(const void *buffer, size_t len,
+ h = ctx->state[7] += h;
+ }
+ }
++
++char *sha256_to_string(const void *sha256sum_bin)
++{
++ return bin_to_hex(sha256sum_bin, 32);
++}
+diff --git a/libopkg/sha256.h b/libopkg/sha256.h
+index 734ab54..0d1e9e5 100644
+--- a/libopkg/sha256.h
++++ b/libopkg/sha256.h
+@@ -85,6 +85,9 @@ extern int sha224_stream(FILE * stream, void *resblock);
+ extern void *sha256_buffer(const char *buffer, size_t len, void *resblock);
+ extern void *sha224_buffer(const char *buffer, size_t len, void *resblock);
+
++/* Convert a binary sha256sum value to an ASCII string. */
++char *sha256_to_string(const void *sha256sum_bin);
++
+ #ifdef __cplusplus
+ }
+ #endif
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch b/meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch
new file mode 100644
index 0000000..7ea661d
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/0004-opkg_download-Use-short-cache-file-name.patch
@@ -0,0 +1,85 @@
+From 61636f15718edc7ea17b91f22f1d97b905eaf951 Mon Sep 17 00:00:00 2001
+From: Paul Barker <paul@paulbarker.me.uk>
+Date: Sat, 7 Nov 2015 10:23:52 +0000
+Subject: [PATCH 4/4] opkg_download: Use short cache file name
+
+Source URIs can be very long. The cache directory itself may already have a very
+long path, especially if we're installing packages into an offline rootfs.
+Therefore it's not a good idea to simply tag the source URI onto the cache
+directory path to create a cache file name.
+
+To create shorter cache file names which are deterministic and very likely to be
+unique, we use the md5sum of the source URI along with the basename of the
+source URI. The basename is length limited to ensure that it the resulting
+filename length is always reasonable.
+
+Signed-off-by: Paul Barker <paul@paulbarker.me.uk>
+Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
+
+Upstream-Status: Accepted
+---
+ libopkg/opkg_download.c | 35 ++++++++++++++++++++++++++++-------
+ 1 file changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
+index e9b86a5..a37b10d 100644
+--- a/libopkg/opkg_download.c
++++ b/libopkg/opkg_download.c
+@@ -29,10 +29,18 @@
+ #include "opkg_verify.h"
+ #include "opkg_utils.h"
+
++#include "md5.h"
+ #include "sprintf_alloc.h"
+ #include "file_util.h"
+ #include "xfuncs.h"
+
++/* Limit the short file name used to generate cache file names to 90 characters
++ * so that when added to the md5sum (32 characters) and an underscore, the
++ * resulting length is below 128 characters. The maximum file name length
++ * differs between plaforms but 128 characters should be reasonable.
++ */
++#define MAX_SHORT_FILE_NAME_LENGTH 90
++
+ static int opkg_download_set_env()
+ {
+ int r;
+@@ -135,15 +143,28 @@ int opkg_download_internal(const char *src, const char *dest,
+ */
+ char *get_cache_location(const char *src)
+ {
+- char *cache_name = xstrdup(src);
+- char *cache_location, *p;
++ unsigned char md5sum_bin[16];
++ char *md5sum_hex;
++ char *cache_location;
++ char *short_file_name;
++ char *tmp = xstrdup(src);
+
+- for (p = cache_name; *p; p++)
+- if (*p == '/')
+- *p = '_';
++ md5_buffer(src, strlen(src), md5sum_bin);
++ md5sum_hex = md5_to_string(md5sum_bin);
+
+- sprintf_alloc(&cache_location, "%s/%s", opkg_config->cache_dir, cache_name);
+- free(cache_name);
++ /* Generate a short file name which will be used along with an md5sum of the
++ * full src URI in the cache file name. This short file name is limited to
++ * MAX_SHORT_FILE_NAME_LENGTH to ensure that the total cache file name
++ * length is reasonable.
++ */
++ short_file_name = basename(tmp);
++ if (strlen(short_file_name) > MAX_SHORT_FILE_NAME_LENGTH)
++ short_file_name[MAX_SHORT_FILE_NAME_LENGTH] = '\0';
++
++ sprintf_alloc(&cache_location, "%s/%s_%s", opkg_config->cache_dir,
++ md5sum_hex, short_file_name);
++ free(md5sum_hex);
++ free(tmp);
+ return cache_location;
+ }
+
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/opkg/opkg_0.3.0.bb b/meta/recipes-devtools/opkg/opkg_0.3.0.bb
index 588250e..5ad3e92 100644
--- a/meta/recipes-devtools/opkg/opkg_0.3.0.bb
+++ b/meta/recipes-devtools/opkg/opkg_0.3.0.bb
@@ -17,6 +17,10 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz
file://0001-opkg_archive-add-support-for-empty-compressed-files.patch \
file://0001-libopkg-include-stdio.h-for-getting-FILE-defined.patch \
file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \
+ file://0001-string_util-New-file-with-bin_to_hex-function.patch \
+ file://0002-md5-Add-md5_to_string-function.patch \
+ file://0003-sha256-Add-sha256_to_string-function.patch \
+ file://0004-opkg_download-Use-short-cache-file-name.patch \
"
SRC_URI[md5sum] = "3412cdc71d78b98facc84b19331ec64e"
--
1.7.9.5
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 2/8] binutils: Fix octeon3 disassembly patch
2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
2015-12-01 9:44 ` [PATCH 1/8] opkg: add cache filename length fixes Robert Yang
@ 2015-12-01 9:44 ` Robert Yang
2015-12-01 9:44 ` [PATCH 3/8] libarchive: rename patch to reflect CVE Robert Yang
` (5 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw)
To: openembedded-core
From: Mark Hatle <mark.hatle@windriver.com>
The structure has apparently changed, and there was a missing
setting. This corrects a segfault when disassembling code.
(From OE-Core master rev: 2e8f1ffe3a8d7740b0ac68eefbba3fe28f7ba6d4)
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
.../binutils/binutils/binutils-octeon3.patch | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch b/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch
index 6108c0d..4e8c69f 100644
--- a/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch
+++ b/meta/recipes-devtools/binutils/binutils/binutils-octeon3.patch
@@ -229,7 +229,7 @@ Index: git/opcodes/mips-dis.c
+ { "octeon3", 1, bfd_mach_mips_octeon3, CPU_OCTEON3,
+ ISA_MIPS64R2 | INSN_OCTEON3, ASE_VIRT | ASE_VIRT64,
+ mips_cp0_names_numeric,
-+ NULL, 0, mips_hwr_names_numeric },
++ NULL, 0, mips_cp1_names_mips3264, mips_hwr_names_numeric },
+
{ "xlr", 1, bfd_mach_mips_xlr, CPU_XLR,
ISA_MIPS64 | INSN_XLR, 0,
--
1.7.9.5
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 3/8] libarchive: rename patch to reflect CVE
2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
2015-12-01 9:44 ` [PATCH 1/8] opkg: add cache filename length fixes Robert Yang
2015-12-01 9:44 ` [PATCH 2/8] binutils: Fix octeon3 disassembly patch Robert Yang
@ 2015-12-01 9:44 ` Robert Yang
2015-12-01 9:44 ` [PATCH 4/8] readline: rename patch to contain CVE reference Robert Yang
` (4 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
This patch is a CVE fix, so rename it to help CVE detection tools identify it as
such.
(From OE-Core master rev: 3fd05ce1f709cbbd8fdeb1dbfdffbd39922eca6e)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
...option.patch => libarchive-CVE-2015-2304.patch} | 0
.../libarchive/libarchive_3.1.2.bb | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-extended/libarchive/libarchive/{0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch => libarchive-CVE-2015-2304.patch} (100%)
diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch b/meta/recipes-extended/libarchive/libarchive/libarchive-CVE-2015-2304.patch
similarity index 100%
rename from meta/recipes-extended/libarchive/libarchive/0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch
rename to meta/recipes-extended/libarchive/libarchive/libarchive-CVE-2015-2304.patch
diff --git a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
index aaa3255..716db9a 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.1.2.bb
@@ -32,7 +32,7 @@ PACKAGECONFIG[nettle] = "--with-nettle,--without-nettle,nettle,"
SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://libarchive-CVE-2013-0211.patch \
file://pkgconfig.patch \
- file://0001-Add-ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS-option.patch \
+ file://libarchive-CVE-2015-2304.patch \
file://mkdir.patch \
"
--
1.7.9.5
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 4/8] readline: rename patch to contain CVE reference
2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
` (2 preceding siblings ...)
2015-12-01 9:44 ` [PATCH 3/8] libarchive: rename patch to reflect CVE Robert Yang
@ 2015-12-01 9:44 ` Robert Yang
2015-12-01 9:44 ` [PATCH 5/8] unzip: rename patch to reflect CVE fix Robert Yang
` (3 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
To help automated scanning of CVEs, put the CVE ID in the filename.
(From OE-Core master rev: 211bce4f23230c7898cccdb73b582420f830f977)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
...ne63-003.patch => readline-cve-2014-2524.patch} | 0
meta/recipes-core/readline/readline_6.3.bb | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-core/readline/readline-6.3/{readline63-003.patch => readline-cve-2014-2524.patch} (100%)
diff --git a/meta/recipes-core/readline/readline-6.3/readline63-003.patch b/meta/recipes-core/readline/readline-6.3/readline-cve-2014-2524.patch
similarity index 100%
rename from meta/recipes-core/readline/readline-6.3/readline63-003.patch
rename to meta/recipes-core/readline/readline-6.3/readline-cve-2014-2524.patch
diff --git a/meta/recipes-core/readline/readline_6.3.bb b/meta/recipes-core/readline/readline_6.3.bb
index 6ba1c18..fc362ae 100644
--- a/meta/recipes-core/readline/readline_6.3.bb
+++ b/meta/recipes-core/readline/readline_6.3.bb
@@ -1,6 +1,6 @@
require readline.inc
-SRC_URI += "file://readline63-003.patch;striplevel=0 \
+SRC_URI += "file://readline-cve-2014-2524.patch;striplevel=0 \
file://readline-dispatch-multikey.patch"
SRC_URI[archive.md5sum] = "33c8fb279e981274f485fd91da77e94a"
--
1.7.9.5
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 5/8] unzip: rename patch to reflect CVE fix
2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
` (3 preceding siblings ...)
2015-12-01 9:44 ` [PATCH 4/8] readline: rename patch to contain CVE reference Robert Yang
@ 2015-12-01 9:44 ` Robert Yang
2015-12-01 9:44 ` [PATCH 6/8] libxslt: CVE-2015-7995 Robert Yang
` (2 subsequent siblings)
7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@intel.com>
(From OE-Core rev: e3d2974348bd830ec2fcf84ea08cbf38abbc0327)
(master rev: 78e05984b1ac48b1f25547ccd9740611cd5890a9)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
...nzip-6.0_overflow3.diff => cve-2014-9636.patch} | 0
meta/recipes-extended/unzip/unzip_6.0.bb | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-extended/unzip/unzip/{unzip-6.0_overflow3.diff => cve-2014-9636.patch} (100%)
diff --git a/meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff b/meta/recipes-extended/unzip/unzip/cve-2014-9636.patch
similarity index 100%
rename from meta/recipes-extended/unzip/unzip/unzip-6.0_overflow3.diff
rename to meta/recipes-extended/unzip/unzip/cve-2014-9636.patch
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 9e63d3a..b386323 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -10,7 +10,7 @@ SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/unzip60.tgz \
file://avoid-strip.patch \
file://define-ldflags.patch \
file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
- file://unzip-6.0_overflow3.diff \
+ file://cve-2014-9636.patch \
file://09-cve-2014-8139-crc-overflow.patch \
file://10-cve-2014-8140-test-compr-eb.patch \
file://11-cve-2014-8141-getzip64data.patch \
--
1.7.9.5
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 6/8] libxslt: CVE-2015-7995
2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
` (4 preceding siblings ...)
2015-12-01 9:44 ` [PATCH 5/8] unzip: rename patch to reflect CVE fix Robert Yang
@ 2015-12-01 9:44 ` Robert Yang
2015-12-01 9:44 ` [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 Robert Yang
2015-12-01 9:44 ` [PATCH 8/8] libsndfile: fix CVE-2014-9756 Robert Yang
7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
This is a is being give a High rating so please consider it for
all 1.1.28 versions.
A type confusion error within the libxslt "xsltStylePreCompute()"
function in preproc.c can lead to a DoS. Confirmed in version 1.1.28,
other versions may also be affected.
(From OE-Core master rev: 0f89bbab6588a1171259801fa879516740030acb)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
.../libxslt/libxslt/CVE-2015-7995.patch | 33 ++++++++++++++++++++
meta/recipes-support/libxslt/libxslt_1.1.28.bb | 3 +-
2 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
new file mode 100644
index 0000000..e4d09c2
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2015-7995.patch
@@ -0,0 +1,33 @@
+From 7ca19df892ca22d9314e95d59ce2abdeff46b617 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Thu, 29 Oct 2015 19:33:23 +0800
+Subject: Fix for type confusion in preprocessing attributes
+
+CVE-2015-7995 http://www.openwall.com/lists/oss-security/2015/10/27/10
+We need to check that the parent node is an element before dereferencing
+its namespace
+
+Upstream-Status: Backport
+
+https://git.gnome.org/browse/libxslt/commit/?id=7ca19df892ca22d9314e95d59ce2abdeff46b617
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ libxslt/preproc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: libxslt-1.1.28/libxslt/preproc.c
+===================================================================
+--- libxslt-1.1.28.orig/libxslt/preproc.c
++++ libxslt-1.1.28/libxslt/preproc.c
+@@ -2245,7 +2245,8 @@ xsltStylePreCompute(xsltStylesheetPtr st
+ } else if (IS_XSLT_NAME(inst, "attribute")) {
+ xmlNodePtr parent = inst->parent;
+
+- if ((parent == NULL) || (parent->ns == NULL) ||
++ if ((parent == NULL) ||
++ (parent->type != XML_ELEMENT_NODE) || (parent->ns == NULL) ||
+ ((parent->ns != inst->ns) &&
+ (!xmlStrEqual(parent->ns->href, inst->ns->href))) ||
+ (!xmlStrEqual(parent->name, BAD_CAST "attribute-set"))) {
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.28.bb b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
index 166bcd8..87fabec 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.28.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.28.bb
@@ -10,7 +10,8 @@ DEPENDS = "libxml2"
SRC_URI = "ftp://xmlsoft.org/libxslt//libxslt-${PV}.tar.gz \
file://pkgconfig_fix.patch \
- file://pkgconfig.patch"
+ file://pkgconfig.patch \
+ file://CVE-2015-7995.patch"
SRC_URI[md5sum] = "9667bf6f9310b957254fdcf6596600b7"
SRC_URI[sha256sum] = "5fc7151a57b89c03d7b825df5a0fae0a8d5f05674c0e7cf2937ecec4d54a028c"
--
1.7.9.5
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035
2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
` (5 preceding siblings ...)
2015-12-01 9:44 ` [PATCH 6/8] libxslt: CVE-2015-7995 Robert Yang
@ 2015-12-01 9:44 ` Robert Yang
2015-12-01 22:48 ` Andre McCurdy
2015-12-01 9:44 ` [PATCH 8/8] libsndfile: fix CVE-2014-9756 Robert Yang
7 siblings, 1 reply; 11+ messages in thread
From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled
[YOCTO #8641]
(From OE-Core master rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
meta/recipes-core/libxml/libxml2.inc | 2 +
.../libxml/libxml2/CVE-2015-7942.patch | 55 ++++++++++++++++++++
.../libxml/libxml2/CVE-2015-8035.patch | 41 +++++++++++++++
3 files changed, 98 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
index 1c3c37d..6ada401 100644
--- a/meta/recipes-core/libxml/libxml2.inc
+++ b/meta/recipes-core/libxml/libxml2.inc
@@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
file://libxml-m4-use-pkgconfig.patch \
file://configure.ac-fix-cross-compiling-warning.patch \
file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
+ file://CVE-2015-7942.patch \
+ file://CVE-2015-8035.patch \
"
BINCONFIG = "${bindir}/xml2-config"
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
new file mode 100644
index 0000000..a5930ed
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
@@ -0,0 +1,55 @@
+libxml2: CVE-2015-7942
+
+From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 23 Feb 2015 11:29:20 +0800
+Subject: Cleanup conditional section error handling
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=744980
+
+The error handling of Conditional Section also need to be
+straightened as the structure of the document can't be
+guessed on a failure there and it's better to stop parsing
+as further errors are likely to be irrelevant.
+
+Upstream-Status: Backport
+https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
+
+[YOCTO #8641]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ parser.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: libxml2-2.9.2/parser.c
+===================================================================
+--- libxml2-2.9.2.orig/parser.c
++++ libxml2-2.9.2/parser.c
+@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++ xmlStopParser(ctxt);
++ return;
+ } else {
+ if (ctxt->input->id != id) {
+ xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx
+ SKIP_BLANKS;
+ if (RAW != '[') {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
++ xmlStopParser(ctxt);
++ return;
+ } else {
+ if (ctxt->input->id != id) {
+ xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx
+
+ } else {
+ xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
++ xmlStopParser(ctxt);
++ return;
+ }
+
+ if (RAW == 0)
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
new file mode 100644
index 0000000..d175f74
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
@@ -0,0 +1,41 @@
+libxml2: CVE-2015-8035
+
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+
+Upstream-Status: Backport
+https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
+
+[YOCTO #8641]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f4..1fab546 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+ return -1;
+ }
++ if (ret == LZMA_PROG_ERROR) {
++ xz_error(state, LZMA_PROG_ERROR, "compression error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
+--
+cgit v0.11.2
+
--
1.7.9.5
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 8/8] libsndfile: fix CVE-2014-9756
2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
` (6 preceding siblings ...)
2015-12-01 9:44 ` [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 Robert Yang
@ 2015-12-01 9:44 ` Robert Yang
7 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-01 9:44 UTC (permalink / raw)
To: openembedded-core
From: "Maxin B. John" <maxin.john@intel.com>
Fix divide by zero bug (CVE-2014-9756)
(From OE-Core master rev: f47cf07ab9d00ed7eddc8e867138481f7bd2bb7d)
Signed-off-by: Maxin B. John <maxin.john@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
.../files/libsndfile-fix-CVE-2014-9756.patch | 24 ++++++++++++++++++++
.../libsndfile/libsndfile1_1.0.25.bb | 1 +
2 files changed, 25 insertions(+)
create mode 100644 meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch
diff --git a/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch b/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch
new file mode 100644
index 0000000..b54b3ba
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/files/libsndfile-fix-CVE-2014-9756.patch
@@ -0,0 +1,24 @@
+src/file_io.c : Prevent potential divide-by-zero.
+
+Closes: https://github.com/erikd/libsndfile/issues/92
+
+Upstream-Status: Backport
+
+Fixes CVE-2014-9756
+
+Signed-off-by: Erik de Castro Lopo <erikd@mega-nerd.com>
+Signed-off-by: Maxin B. John <maxin.john@intel.com>
+---
+diff -Naur libsndfile-1.0.25-orig/src/file_io.c libsndfile-1.0.25/src/file_io.c
+--- libsndfile-1.0.25-orig/src/file_io.c 2011-01-19 12:12:28.000000000 +0200
++++ libsndfile-1.0.25/src/file_io.c 2015-11-04 15:02:04.337395618 +0200
+@@ -358,6 +358,9 @@
+ { sf_count_t total = 0 ;
+ ssize_t count ;
+
++ if (bytes == 0 || items == 0)
++ return 0 ;
++
+ if (psf->virtual_io)
+ return psf->vio.write (ptr, bytes*items, psf->vio_user_data) / bytes ;
+
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb
index 3e02f4e..be875c2 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.25.bb
@@ -9,6 +9,7 @@ PR = "r2"
SRC_URI = "http://www.mega-nerd.com/libsndfile/files/libsndfile-${PV}.tar.gz \
file://0001-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch \
file://0001-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch \
+ file://libsndfile-fix-CVE-2014-9756.patch \
"
SRC_URI[md5sum] = "e2b7bb637e01022c7d20f95f9c3990a2"
--
1.7.9.5
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035
2015-12-01 9:44 ` [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 Robert Yang
@ 2015-12-01 22:48 ` Andre McCurdy
2015-12-03 2:43 ` Robert Yang
0 siblings, 1 reply; 11+ messages in thread
From: Andre McCurdy @ 2015-12-01 22:48 UTC (permalink / raw)
To: Robert Yang; +Cc: OE Core mailing list
On Tue, Dec 1, 2015 at 1:44 AM, Robert Yang <liezhi.yang@windriver.com> wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
> CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled
It looks like CVE-2015-7942 requires two separate patches, only one of
which made it to oe-core master, plus there were a lot of the other
CVE fixes committed upstream in October and November.
http://www.xmlsoft.org/news.html
https://git.gnome.org/browse/libxml2/log/?h=v2.9.3
> [YOCTO #8641]
>
> (From OE-Core master rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38)
>
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> Signed-off-by: Ross Burton <ross.burton@intel.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> ---
> meta/recipes-core/libxml/libxml2.inc | 2 +
> .../libxml/libxml2/CVE-2015-7942.patch | 55 ++++++++++++++++++++
> .../libxml/libxml2/CVE-2015-8035.patch | 41 +++++++++++++++
> 3 files changed, 98 insertions(+)
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
>
> diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
> index 1c3c37d..6ada401 100644
> --- a/meta/recipes-core/libxml/libxml2.inc
> +++ b/meta/recipes-core/libxml/libxml2.inc
> @@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
> file://libxml-m4-use-pkgconfig.patch \
> file://configure.ac-fix-cross-compiling-warning.patch \
> file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
> + file://CVE-2015-7942.patch \
> + file://CVE-2015-8035.patch \
> "
>
> BINCONFIG = "${bindir}/xml2-config"
> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
> new file mode 100644
> index 0000000..a5930ed
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
> @@ -0,0 +1,55 @@
> +libxml2: CVE-2015-7942
> +
> +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
> +From: Daniel Veillard <veillard@redhat.com>
> +Date: Mon, 23 Feb 2015 11:29:20 +0800
> +Subject: Cleanup conditional section error handling
> +
> +For https://bugzilla.gnome.org/show_bug.cgi?id=744980
> +
> +The error handling of Conditional Section also need to be
> +straightened as the structure of the document can't be
> +guessed on a failure there and it's better to stop parsing
> +as further errors are likely to be irrelevant.
> +
> +Upstream-Status: Backport
> +https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
> +
> +[YOCTO #8641]
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + parser.c | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +Index: libxml2-2.9.2/parser.c
> +===================================================================
> +--- libxml2-2.9.2.orig/parser.c
> ++++ libxml2-2.9.2/parser.c
> +@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx
> + SKIP_BLANKS;
> + if (RAW != '[') {
> + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
> ++ xmlStopParser(ctxt);
> ++ return;
> + } else {
> + if (ctxt->input->id != id) {
> + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
> +@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx
> + SKIP_BLANKS;
> + if (RAW != '[') {
> + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
> ++ xmlStopParser(ctxt);
> ++ return;
> + } else {
> + if (ctxt->input->id != id) {
> + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
> +@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx
> +
> + } else {
> + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
> ++ xmlStopParser(ctxt);
> ++ return;
> + }
> +
> + if (RAW == 0)
> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
> new file mode 100644
> index 0000000..d175f74
> --- /dev/null
> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
> @@ -0,0 +1,41 @@
> +libxml2: CVE-2015-8035
> +
> +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
> +From: Daniel Veillard <veillard@redhat.com>
> +Date: Tue, 3 Nov 2015 15:31:25 +0800
> +Subject: CVE-2015-8035 Fix XZ compression support loop
> +
> +For https://bugzilla.gnome.org/show_bug.cgi?id=757466
> +DoS when parsing specially crafted XML document if XZ support
> +is compiled in (which wasn't the case for 2.9.2 and master since
> +Nov 2013, fixed in next commit !)
> +
> +Upstream-Status: Backport
> +https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
> +
> +[YOCTO #8641]
> +
> +Signed-off-by: Armin Kuster <akuster@mvista.com>
> +
> +---
> + xzlib.c | 4 ++++
> + 1 file changed, 4 insertions(+)
> +
> +diff --git a/xzlib.c b/xzlib.c
> +index 0dcb9f4..1fab546 100644
> +--- a/xzlib.c
> ++++ b/xzlib.c
> +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
> + xz_error(state, LZMA_DATA_ERROR, "compressed data error");
> + return -1;
> + }
> ++ if (ret == LZMA_PROG_ERROR) {
> ++ xz_error(state, LZMA_PROG_ERROR, "compression error");
> ++ return -1;
> ++ }
> + } while (strm->avail_out && ret != LZMA_STREAM_END);
> +
> + /* update available output and crc check value */
> +--
> +cgit v0.11.2
> +
> --
> 1.7.9.5
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035
2015-12-01 22:48 ` Andre McCurdy
@ 2015-12-03 2:43 ` Robert Yang
0 siblings, 0 replies; 11+ messages in thread
From: Robert Yang @ 2015-12-03 2:43 UTC (permalink / raw)
To: Andre McCurdy, Armin Kuster; +Cc: OE Core mailing list
Hi Armin,
On 12/02/2015 06:48 AM, Andre McCurdy wrote:
> On Tue, Dec 1, 2015 at 1:44 AM, Robert Yang <liezhi.yang@windriver.com> wrote:
>> From: Armin Kuster <akuster@mvista.com>
>>
>> CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections()
>> CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled
>
> It looks like CVE-2015-7942 requires two separate patches, only one of
> which made it to oe-core master, plus there were a lot of the other
> CVE fixes committed upstream in October and November.
Do you have any comments on CVE-2015-7942, please ?
// Robert
>
> http://www.xmlsoft.org/news.html
> https://git.gnome.org/browse/libxml2/log/?h=v2.9.3
>
>
>> [YOCTO #8641]
>>
>> (From OE-Core master rev: 27de51f4ad21d9b896e7d48041e7cdf20c564a38)
>>
>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>> Signed-off-by: Ross Burton <ross.burton@intel.com>
>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
>> ---
>> meta/recipes-core/libxml/libxml2.inc | 2 +
>> .../libxml/libxml2/CVE-2015-7942.patch | 55 ++++++++++++++++++++
>> .../libxml/libxml2/CVE-2015-8035.patch | 41 +++++++++++++++
>> 3 files changed, 98 insertions(+)
>> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
>> create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
>>
>> diff --git a/meta/recipes-core/libxml/libxml2.inc b/meta/recipes-core/libxml/libxml2.inc
>> index 1c3c37d..6ada401 100644
>> --- a/meta/recipes-core/libxml/libxml2.inc
>> +++ b/meta/recipes-core/libxml/libxml2.inc
>> @@ -21,6 +21,8 @@ SRC_URI = "ftp://xmlsoft.org/libxml2/libxml2-${PV}.tar.gz;name=libtar \
>> file://libxml-m4-use-pkgconfig.patch \
>> file://configure.ac-fix-cross-compiling-warning.patch \
>> file://0001-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-.patch \
>> + file://CVE-2015-7942.patch \
>> + file://CVE-2015-8035.patch \
>> "
>>
>> BINCONFIG = "${bindir}/xml2-config"
>> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
>> new file mode 100644
>> index 0000000..a5930ed
>> --- /dev/null
>> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-7942.patch
>> @@ -0,0 +1,55 @@
>> +libxml2: CVE-2015-7942
>> +
>> +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001
>> +From: Daniel Veillard <veillard@redhat.com>
>> +Date: Mon, 23 Feb 2015 11:29:20 +0800
>> +Subject: Cleanup conditional section error handling
>> +
>> +For https://bugzilla.gnome.org/show_bug.cgi?id=744980
>> +
>> +The error handling of Conditional Section also need to be
>> +straightened as the structure of the document can't be
>> +guessed on a failure there and it's better to stop parsing
>> +as further errors are likely to be irrelevant.
>> +
>> +Upstream-Status: Backport
>> +https://git.gnome.org/browse/libxml2/patch/?id=9b8512337d14c8ddf662fcb98b0135f225a1c489
>> +
>> +[YOCTO #8641]
>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>> +
>> +---
>> + parser.c | 6 ++++++
>> + 1 file changed, 6 insertions(+)
>> +
>> +Index: libxml2-2.9.2/parser.c
>> +===================================================================
>> +--- libxml2-2.9.2.orig/parser.c
>> ++++ libxml2-2.9.2/parser.c
>> +@@ -6783,6 +6783,8 @@ xmlParseConditionalSections(xmlParserCtx
>> + SKIP_BLANKS;
>> + if (RAW != '[') {
>> + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
>> ++ xmlStopParser(ctxt);
>> ++ return;
>> + } else {
>> + if (ctxt->input->id != id) {
>> + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
>> +@@ -6843,6 +6845,8 @@ xmlParseConditionalSections(xmlParserCtx
>> + SKIP_BLANKS;
>> + if (RAW != '[') {
>> + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
>> ++ xmlStopParser(ctxt);
>> ++ return;
>> + } else {
>> + if (ctxt->input->id != id) {
>> + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY,
>> +@@ -6898,6 +6902,8 @@ xmlParseConditionalSections(xmlParserCtx
>> +
>> + } else {
>> + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
>> ++ xmlStopParser(ctxt);
>> ++ return;
>> + }
>> +
>> + if (RAW == 0)
>> diff --git a/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
>> new file mode 100644
>> index 0000000..d175f74
>> --- /dev/null
>> +++ b/meta/recipes-core/libxml/libxml2/CVE-2015-8035.patch
>> @@ -0,0 +1,41 @@
>> +libxml2: CVE-2015-8035
>> +
>> +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
>> +From: Daniel Veillard <veillard@redhat.com>
>> +Date: Tue, 3 Nov 2015 15:31:25 +0800
>> +Subject: CVE-2015-8035 Fix XZ compression support loop
>> +
>> +For https://bugzilla.gnome.org/show_bug.cgi?id=757466
>> +DoS when parsing specially crafted XML document if XZ support
>> +is compiled in (which wasn't the case for 2.9.2 and master since
>> +Nov 2013, fixed in next commit !)
>> +
>> +Upstream-Status: Backport
>> +https://git.gnome.org/browse/libxml2/patch/?id=f0709e3ca8f8947f2d91ed34e92e38a4c23eae63
>> +
>> +[YOCTO #8641]
>> +
>> +Signed-off-by: Armin Kuster <akuster@mvista.com>
>> +
>> +---
>> + xzlib.c | 4 ++++
>> + 1 file changed, 4 insertions(+)
>> +
>> +diff --git a/xzlib.c b/xzlib.c
>> +index 0dcb9f4..1fab546 100644
>> +--- a/xzlib.c
>> ++++ b/xzlib.c
>> +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
>> + xz_error(state, LZMA_DATA_ERROR, "compressed data error");
>> + return -1;
>> + }
>> ++ if (ret == LZMA_PROG_ERROR) {
>> ++ xz_error(state, LZMA_PROG_ERROR, "compression error");
>> ++ return -1;
>> ++ }
>> + } while (strm->avail_out && ret != LZMA_STREAM_END);
>> +
>> + /* update available output and crc check value */
>> +--
>> +cgit v0.11.2
>> +
>> --
>> 1.7.9.5
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2015-12-03 2:43 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-12-01 9:44 [PATCH 0/8] [jethro] 8 patches for jethro Robert Yang
2015-12-01 9:44 ` [PATCH 1/8] opkg: add cache filename length fixes Robert Yang
2015-12-01 9:44 ` [PATCH 2/8] binutils: Fix octeon3 disassembly patch Robert Yang
2015-12-01 9:44 ` [PATCH 3/8] libarchive: rename patch to reflect CVE Robert Yang
2015-12-01 9:44 ` [PATCH 4/8] readline: rename patch to contain CVE reference Robert Yang
2015-12-01 9:44 ` [PATCH 5/8] unzip: rename patch to reflect CVE fix Robert Yang
2015-12-01 9:44 ` [PATCH 6/8] libxslt: CVE-2015-7995 Robert Yang
2015-12-01 9:44 ` [PATCH 7/8] libxml2: fix CVE-2015-7942 and CVE-2015-8035 Robert Yang
2015-12-01 22:48 ` Andre McCurdy
2015-12-03 2:43 ` Robert Yang
2015-12-01 9:44 ` [PATCH 8/8] libsndfile: fix CVE-2014-9756 Robert Yang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.