* [PATCH 0/7][fido] Pull request
From: Armin Kuster @ 2016-02-07 21:11 UTC
To: otavio, openembedded-devel, akuster808
From: Armin Kuster <akuster@mvista.com>
Please consider these few Security and build fixes for fido-next
The following changes since commit 220b31d536cf15e68c11980e0c721a7050313db1:
ntp: upgrade 4.2.8p2 -> 4.2.8p3 (2015-10-26 21:43:09 +0100)
are available in the git repository at:
git://github.com/akuster/meta-openembedded akuster/fido-next
https://github.com//tree/akuster/fido-next
Armin Kuster (5):
squid: serveral missing security fixes
php: Security fix CVE-2015-7803
php: Security fix CVE-2015-7804
php: Security fix CVE-2016-1903
krb5: Fix warning.
Qi.Chen@windriver.com (1):
ntp: fix rpath QA issue
Wenzong Fan (1):
ntp: upgrade 4.2.8p3 -> 4.2.8p4
.../squid/files/CVE-2014-6270.patch | 61 +++++
.../squid/files/CVE-2014-7141_CVE-2014-7142.patch | 282 ++++++++++++++++++++
.../squid/files/CVE-2015-3455.patch | 53 ++++
.../squid/files/CVE-2015-5400.patch | 292 +++++++++++++++++++++
.../recipes-daemons/squid/squid_3.4.7.bb | 4 +
.../ntp/{ntp_4.2.8p3.bb => ntp_4.2.8p4.bb} | 5 +-
meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +-
.../recipes-devtools/php/php/CVE-2015-7803.patch | 82 ++++++
.../recipes-devtools/php/php/CVE-2015-7804.patch | 62 +++++
.../recipes-devtools/php/php/CVE-2016-1903.patch | 28 ++
meta-oe/recipes-devtools/php/php_5.5.21.bb | 3 +
11 files changed, 871 insertions(+), 3 deletions(-)
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2014-6270.patch
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2015-3455.patch
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2015-5400.patch
rename meta-networking/recipes-support/ntp/{ntp_4.2.8p3.bb => ntp_4.2.8p4.bb} (97%)
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2015-7804.patch
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2016-1903.patch
--
2.3.5
* [PATCH 1/7] squid: serveral missing security fixes
From: Armin Kuster @ 2016-02-07 21:11 UTC
To: otavio, openembedded-devel, akuster808
From: Armin Kuster <akuster@mvista.com>
SQUID-2015:2 - Does not affect: Squid-3.4 and older versions are not vulnerable.
CVE-2015-5400
CVE-2015-3455
CVE-2014-7142
CVE-2014-7141
CVE-2014-6270
see http://www.squid-cache.org/Advisories/
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../squid/files/CVE-2014-6270.patch | 61 +++++
.../squid/files/CVE-2014-7141_CVE-2014-7142.patch | 282 ++++++++++++++++++++
.../squid/files/CVE-2015-3455.patch | 53 ++++
.../squid/files/CVE-2015-5400.patch | 292 +++++++++++++++++++++
.../recipes-daemons/squid/squid_3.4.7.bb | 4 +
5 files changed, 692 insertions(+)
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2014-6270.patch
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2015-3455.patch
create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2015-5400.patch
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2014-6270.patch b/meta-networking/recipes-daemons/squid/files/CVE-2014-6270.patch
new file mode 100644
index 0000000..8f87634
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2014-6270.patch
@@ -0,0 +1,61 @@
+Fix: CVE-2014-3609
+
+revno: 13172
+revision-id: squid3@treenet.co.nz-20140915045834-qo85nnsinp9wu4gt
+parent: squid3@treenet.co.nz-20140827142207-n6y0r0iuv4sq6hvg
+author: Sebastian Krahmer <krahmer@suse.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Sun 2014-09-14 22:58:34 -0600
+message:
+ Fix off by one in SNMP subsystem
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20140915045834-qo85nnsinp9wu4gt
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: 72ffc18d9c25a0412efc813dc5cde1c63e8ebe46
+# timestamp: 2014-09-15 11:08:17 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20140827142207-\
+# n6y0r0iuv4sq6hvg
+#
+# Begin patch
+
+Upstream-Status: Backport
+
+http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13172.patch
+
+Signed-of-by: Armin Kuster <akuster@mvista.com>
+
+=== modified file 'src/snmp_core.cc'
+--- a/src/snmp_core.cc 2014-02-18 08:46:49 +0000
++++ b/src/snmp_core.cc 2014-09-15 04:58:34 +0000
+@@ -362,7 +362,7 @@
+ void
+ snmpHandleUdp(int sock, void *not_used)
+ {
+- LOCAL_ARRAY(char, buf, SNMP_REQUEST_SIZE);
++ static char buf[SNMP_REQUEST_SIZE];
+ Ip::Address from;
+ SnmpRequest *snmp_rq;
+ int len;
+@@ -371,16 +371,11 @@
+
+ Comm::SetSelect(sock, COMM_SELECT_READ, snmpHandleUdp, NULL, 0);
+
+- memset(buf, '\0', SNMP_REQUEST_SIZE);
++ memset(buf, '\0', sizeof(buf));
+
+- len = comm_udp_recvfrom(sock,
+- buf,
+- SNMP_REQUEST_SIZE,
+- 0,
+- from);
++ len = comm_udp_recvfrom(sock, buf, sizeof(buf)-1, 0, from);
+
+ if (len > 0) {
+- buf[len] = '\0';
+ debugs(49, 3, "snmpHandleUdp: FD " << sock << ": received " << len << " bytes from " << from << ".");
+
+ snmp_rq = (SnmpRequest *)xcalloc(1, sizeof(SnmpRequest));
+
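Review bot: The first line of the new file reads "Fix: CVE-2014-3609", but the file is named CVE-2014-6270.patch and the commit message lists CVE-2014-6270; the header should name the CVE that the off-by-one in snmpHandleUdp() actually carries. The trailer is also spelled "Signed-of-by:", which tooling that looks for Signed-off-by will not pick up. On the code itself, dropping `buf[len] = '\0'` is safe only because the memset() of the whole buffer runs before the read and the read is capped at sizeof(buf)-1, so the last byte stays zero; that dependency should be kept in mind if the memset is ever removed.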
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch b/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch
new file mode 100644
index 0000000..5d4c620
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2014-7141_CVE-2014-7142.patch
@@ -0,0 +1,282 @@
+Fix: CVE-2014-7141 CVE-2014-7142
+
+revno: 13173
+revision-id: squid3@treenet.co.nz-20140915050614-6uo8tfwrpbrd47kw
+parent: squid3@treenet.co.nz-20140915045834-qo85nnsinp9wu4gt
+author: Amos Jeffries <squid3@treenet.co.nz>, Sebastian Krahmer <krahmer@suse.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Sun 2014-09-14 23:06:14 -0600
+message:
+ Fix various ICMP handling issues in Squid pinger
+
+ * ICMP code type logging display could over-read the registered type
+ string arrays.
+
+ * Malformed ICMP packets were accepted into processing with undefined
+ and potentially nasty results.
+
+ Both sets of flaws can result in pinger segmentation fault and halting
+ the Squid functionality relying on pinger for correct operation.
+
+ Thanks to the OpenSUSE project for analysis and resolution of these.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20140915050614-6uo8tfwrpbrd47kw
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: 234c1592673c5317e1b323018226e04941cc61a8
+# timestamp: 2014-09-15 11:08:18 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20140915045834-\
+# qo85nnsinp9wu4gt
+#
+# Begin patch
+
+Upstream-Status: Backport
+
+http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13173.patch
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+=== modified file 'src/icmp/Icmp4.cc'
+--- a/src/icmp/Icmp4.cc 2013-06-03 14:05:16 +0000
++++ b/src/icmp/Icmp4.cc 2014-09-15 05:06:14 +0000
+@@ -41,26 +41,38 @@
+ #include "IcmpPinger.h"
+ #include "Debug.h"
+
+-const char *icmpPktStr[] = {
+- "Echo Reply",
+- "ICMP 1",
+- "ICMP 2",
+- "Destination Unreachable",
+- "Source Quench",
+- "Redirect",
+- "ICMP 6",
+- "ICMP 7",
+- "Echo",
+- "ICMP 9",
+- "ICMP 10",
+- "Time Exceeded",
+- "Parameter Problem",
+- "Timestamp",
+- "Timestamp Reply",
+- "Info Request",
+- "Info Reply",
+- "Out of Range Type"
+-};
++static const char *
++IcmpPacketType(uint8_t v)
++{
++ static const char *icmpPktStr[] = {
++ "Echo Reply",
++ "ICMP 1",
++ "ICMP 2",
++ "Destination Unreachable",
++ "Source Quench",
++ "Redirect",
++ "ICMP 6",
++ "ICMP 7",
++ "Echo",
++ "ICMP 9",
++ "ICMP 10",
++ "Time Exceeded",
++ "Parameter Problem",
++ "Timestamp",
++ "Timestamp Reply",
++ "Info Request",
++ "Info Reply",
++ "Out of Range Type"
++ };
++
++ if (v > 17) {
++ static char buf[50];
++ snprintf(buf, sizeof(buf), "ICMP %u (invalid)", v);
++ return buf;
++ }
++
++ return icmpPktStr[v];
++}
+
+ Icmp4::Icmp4() : Icmp()
+ {
+@@ -187,6 +199,12 @@
+ from->ai_addr,
+ &from->ai_addrlen);
+
++ if (n <= 0) {
++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMP socket.");
++ Ip::Address::FreeAddrInfo(from);
++ return;
++ }
++
+ preply.from = *from;
+
+ #if GETTIMEOFDAY_NO_TZP
+@@ -243,9 +261,15 @@
+
+ preply.psize = n - iphdrlen - (sizeof(icmpEchoData) - MAX_PKT4_SZ);
+
++ if (preply.psize < 0) {
++ debugs(42, DBG_CRITICAL, HERE << "Malformed ICMP packet.");
++ Ip::Address::FreeAddrInfo(from);
++ return;
++ }
++
+ control.SendResult(preply, (sizeof(pingerReplyData) - MAX_PKT4_SZ + preply.psize) );
+
+- Log(preply.from, icmp->icmp_type, icmpPktStr[icmp->icmp_type], preply.rtt, preply.hops);
++ Log(preply.from, icmp->icmp_type, IcmpPacketType(icmp->icmp_type), preply.rtt, preply.hops);
+ Ip::Address::FreeAddrInfo(from);
+ }
+
+
+=== modified file 'src/icmp/Icmp6.cc'
+--- a/src/icmp/Icmp6.cc 2013-06-03 14:05:16 +0000
++++ b/src/icmp/Icmp6.cc 2014-09-15 05:06:14 +0000
+@@ -50,57 +50,61 @@
+
+ // Icmp6 OP-Codes
+ // see http://www.iana.org/assignments/icmpv6-parameters
+-// NP: LowPktStr is for codes 0-127
+-static const char *icmp6LowPktStr[] = {
+- "ICMP 0", // 0
+- "Destination Unreachable", // 1 - RFC2463
+- "Packet Too Big", // 2 - RFC2463
+- "Time Exceeded", // 3 - RFC2463
+- "Parameter Problem", // 4 - RFC2463
+- "ICMP 5", // 5
+- "ICMP 6", // 6
+- "ICMP 7", // 7
+- "ICMP 8", // 8
+- "ICMP 9", // 9
+- "ICMP 10" // 10
+-};
+-
+-// NP: HighPktStr is for codes 128-255
+-static const char *icmp6HighPktStr[] = {
+- "Echo Request", // 128 - RFC2463
+- "Echo Reply", // 129 - RFC2463
+- "Multicast Listener Query", // 130 - RFC2710
+- "Multicast Listener Report", // 131 - RFC2710
+- "Multicast Listener Done", // 132 - RFC2710
+- "Router Solicitation", // 133 - RFC4861
+- "Router Advertisement", // 134 - RFC4861
+- "Neighbor Solicitation", // 135 - RFC4861
+- "Neighbor Advertisement", // 136 - RFC4861
+- "Redirect Message", // 137 - RFC4861
+- "Router Renumbering", // 138 - Crawford
+- "ICMP Node Information Query", // 139 - RFC4620
+- "ICMP Node Information Response", // 140 - RFC4620
+- "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122
+- "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122
+- "Version 2 Multicast Listener Report", // 143 - RFC3810
+- "Home Agent Address Discovery Request", // 144 - RFC3775
+- "Home Agent Address Discovery Reply", // 145 - RFC3775
+- "Mobile Prefix Solicitation", // 146 - RFC3775
+- "Mobile Prefix Advertisement", // 147 - RFC3775
+- "Certification Path Solicitation", // 148 - RFC3971
+- "Certification Path Advertisement", // 149 - RFC3971
+- "ICMP Experimental (150)", // 150 - RFC4065
+- "Multicast Router Advertisement", // 151 - RFC4286
+- "Multicast Router Solicitation", // 152 - RFC4286
+- "Multicast Router Termination", // 153 - [RFC4286]
+- "ICMP 154",
+- "ICMP 155",
+- "ICMP 156",
+- "ICMP 157",
+- "ICMP 158",
+- "ICMP 159",
+- "ICMP 160"
+-};
++static const char *
++IcmpPacketType(uint8_t v)
++{
++ // NP: LowPktStr is for codes 0-127
++ static const char *icmp6LowPktStr[] = {
++ "ICMPv6 0", // 0
++ "Destination Unreachable", // 1 - RFC2463
++ "Packet Too Big", // 2 - RFC2463
++ "Time Exceeded", // 3 - RFC2463
++ "Parameter Problem", // 4 - RFC2463
++ };
++
++ // low codes 1-4 registered
++ if (0 < v && v < 5)
++ return icmp6LowPktStr[(int)(v&0x7f)];
++
++ // NP: HighPktStr is for codes 128-255
++ static const char *icmp6HighPktStr[] = {
++ "Echo Request", // 128 - RFC2463
++ "Echo Reply", // 129 - RFC2463
++ "Multicast Listener Query", // 130 - RFC2710
++ "Multicast Listener Report", // 131 - RFC2710
++ "Multicast Listener Done", // 132 - RFC2710
++ "Router Solicitation", // 133 - RFC4861
++ "Router Advertisement", // 134 - RFC4861
++ "Neighbor Solicitation", // 135 - RFC4861
++ "Neighbor Advertisement", // 136 - RFC4861
++ "Redirect Message", // 137 - RFC4861
++ "Router Renumbering", // 138 - Crawford
++ "ICMP Node Information Query", // 139 - RFC4620
++ "ICMP Node Information Response", // 140 - RFC4620
++ "Inverse Neighbor Discovery Solicitation", // 141 - RFC3122
++ "Inverse Neighbor Discovery Advertisement", // 142 - RFC3122
++ "Version 2 Multicast Listener Report", // 143 - RFC3810
++ "Home Agent Address Discovery Request", // 144 - RFC3775
++ "Home Agent Address Discovery Reply", // 145 - RFC3775
++ "Mobile Prefix Solicitation", // 146 - RFC3775
++ "Mobile Prefix Advertisement", // 147 - RFC3775
++ "Certification Path Solicitation", // 148 - RFC3971
++ "Certification Path Advertisement", // 149 - RFC3971
++ "ICMP Experimental (150)", // 150 - RFC4065
++ "Multicast Router Advertisement", // 151 - RFC4286
++ "Multicast Router Solicitation", // 152 - RFC4286
++ "Multicast Router Termination", // 153 - [RFC4286]
++ };
++
++ // high codes 127-153 registered
++ if (127 < v && v < 154)
++ return icmp6HighPktStr[(int)(v&0x7f)];
++
++ // give all others a generic display
++ static char buf[50];
++ snprintf(buf, sizeof(buf), "ICMPv6 %u", v);
++ return buf;
++}
+
+ Icmp6::Icmp6() : Icmp()
+ {
+@@ -236,6 +240,12 @@
+ from->ai_addr,
+ &from->ai_addrlen);
+
++ if (n <= 0) {
++ debugs(42, DBG_CRITICAL, HERE << "Error when calling recvfrom() on ICMPv6 socket.");
++ Ip::Address::FreeAddrInfo(from);
++ return;
++ }
++
+ preply.from = *from;
+
+ #if GETTIMEOFDAY_NO_TZP
+@@ -291,8 +301,7 @@
+
+ default:
+ debugs(42, 8, HERE << preply.from << " said: " << icmp6header->icmp6_type << "/" << (int)icmp6header->icmp6_code << " " <<
+- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] )
+- );
++ IcmpPacketType(icmp6header->icmp6_type));
+ }
+ Ip::Address::FreeAddrInfo(from);
+ return;
+@@ -331,7 +340,7 @@
+
+ Log(preply.from,
+ icmp6header->icmp6_type,
+- ( icmp6header->icmp6_type&0x80 ? icmp6HighPktStr[(int)(icmp6header->icmp6_type&0x7f)] : icmp6LowPktStr[(int)(icmp6header->icmp6_type&0x7f)] ),
++ IcmpPacketType(icmp6header->icmp6_type),
+ preply.rtt,
+ preply.hops);
+
+
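Review bot: The length validation is not symmetric between the two files: Icmp4.cc gains both the `n <= 0` check and the `preply.psize < 0` check, while the visible Icmp6.cc hunks add only `n <= 0`. Please confirm against upstream changeset 13173 that nothing from the Icmp6.cc part was lost in the backport. Two smaller points: the `preply.psize < 0` test has an effect only if psize is a signed type, which these hunks do not show, and the comment "high codes 127-153 registered" does not match the condition `127 < v && v < 154`, which accepts 128 to 153.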
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2015-3455.patch b/meta-networking/recipes-daemons/squid/files/CVE-2015-3455.patch
new file mode 100644
index 0000000..409f9a7
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2015-3455.patch
@@ -0,0 +1,53 @@
+Fix: CVE-2015-3455
+
+------------------------------------------------------------
+revno: 13222
+revision-id: squid3@treenet.co.nz-20150501071651-songz1j26frb2ytz
+parent: squid3@treenet.co.nz-20150501071104-vd21fu43lvmqoqwa
+author: Amos Jeffries <amosjeffries@squid-cache.org>, Christos Tsantilas <chtsanti@users.sourceforge.net>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Fri 2015-05-01 00:16:51 -0700
+message:
+ Fix X509 server certificate domain matching
+
+ The X509 certificate domain fields may contain non-ASCII encodings.
+ Ensure the domain match algorithm is only passed UTF-8 ASCII-compatible
+ strings.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20150501071651-songz1j26frb2ytz
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: e38694c3e222c506740510557d2a7a122786225c
+# timestamp: 2015-05-01 07:17:25 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20150501071104-\
+# vd21fu43lvmqoqwa
+#
+# Begin patch
+
+Upstream-Status: Backport
+
+http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13222.patch
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+=== modified file 'src/ssl/support.cc'
+--- a/src/ssl/support.cc 2015-01-24 05:07:58 +0000
++++ b/src/ssl/support.cc 2015-05-01 07:16:51 +0000
+@@ -209,7 +209,13 @@
+ if (cn_data->length > (int)sizeof(cn) - 1) {
+ return 1; //if does not fit our buffer just ignore
+ }
+- memcpy(cn, cn_data->data, cn_data->length);
++ char *s = reinterpret_cast<char*>(cn_data->data);
++ char *d = cn;
++ for (int i = 0; i < cn_data->length; ++i, ++d, ++s) {
++ if (*s == '\0')
++ return 1; // always a domain mismatch. contains 0x00
++ *d = *s;
++ }
+ cn[cn_data->length] = '\0';
+ debugs(83, 4, "Verifying server domain " << server << " to certificate name/subjectAltName " << cn);
+ return matchDomainName(server, cn[0] == '*' ? cn + 1 : cn);
+
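Review bot: The loop added in src/ssl/support.cc rejects a name only when it contains a 0x00 byte, whereas the upstream message quoted in the header says the matcher must be passed only ASCII-compatible strings; bytes above 0x7f are still copied into cn and reach matchDomainName(). If that is everything changeset 13222 does, the code is fine as a backport, but the description promises more than the code checks, so the commit message should say that the fix is the rejection of embedded NUL bytes in the certificate name.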
diff --git a/meta-networking/recipes-daemons/squid/files/CVE-2015-5400.patch b/meta-networking/recipes-daemons/squid/files/CVE-2015-5400.patch
new file mode 100644
index 0000000..41af2b1
--- /dev/null
+++ b/meta-networking/recipes-daemons/squid/files/CVE-2015-5400.patch
@@ -0,0 +1,292 @@
+Fix: CVE-2015-5400
+
+------------------------------------------------------------
+revno: 13225
+revision-id: squid3@treenet.co.nz-20150709032133-qg1patn5zngt4o4h
+parent: squid3@treenet.co.nz-20150501100500-3utkhrao1yrd8ig6
+author: Alex Rousskov <rousskov@measurement-factory.com>
+committer: Amos Jeffries <squid3@treenet.co.nz>
+branch nick: 3.4
+timestamp: Wed 2015-07-08 20:21:33 -0700
+message:
+ Do not blindly forward cache peer CONNECT responses.
+
+ Squid blindly forwards cache peer CONNECT responses to clients. This
+ may break things if the peer responds with something like HTTP 403
+ (Forbidden) and keeps the connection with Squid open:
+ - The client application issues a CONNECT request.
+ - Squid forwards this request to a cache peer.
+ - Cache peer correctly responds back with a "403 Forbidden".
+ - Squid does not parse cache peer response and
+ just forwards it as if it was a Squid response to the client.
+ - The TCP connections are not closed.
+
+ At this stage, Squid is unaware that the CONNECT request has failed. All
+ subsequent requests on the user agent TCP connection are treated as
+ tunnelled traffic. Squid is forwarding these requests to the peer on the
+ TCP connection previously used for the 403-ed CONNECT request, without
+ proper processing. The additional headers which should have been applied
+ by Squid to these requests are not applied, and the requests are being
+ forwarded to the cache peer even though the Squid configuration may
+ state that these requests must go directly to the origin server.
+
+ This fixes Squid to parse cache peer responses, and if an error response
+ found, respond with "502 Bad Gateway" to the client and close the
+ connections.
+------------------------------------------------------------
+# Bazaar merge directive format 2 (Bazaar 0.90)
+# revision_id: squid3@treenet.co.nz-20150709032133-qg1patn5zngt4o4h
+# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# testament_sha1: 6cbce093f30c8a09173eb610eaa423c7c305ff23
+# timestamp: 2015-07-09 03:40:35 +0000
+# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.4
+# base_revision_id: squid3@treenet.co.nz-20150501100500-\
+# 3utkhrao1yrd8ig6
+#
+# Begin patch
+
+Upstream-Status: Backport
+http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+=== modified file 'src/tunnel.cc'
+--- a/src/tunnel.cc 2014-04-26 10:58:22 +0000
++++ b/src/tunnel.cc 2015-07-09 03:21:33 +0000
+@@ -122,6 +122,10 @@
+ (request->flags.interceptTproxy || request->flags.intercepted));
+ }
+
++ /// Sends "502 Bad Gateway" error response to the client,
++ /// if it is waiting for Squid CONNECT response, closing connections.
++ void informUserOfPeerError(const char *errMsg);
++
+ class Connection
+ {
+
+@@ -139,13 +143,14 @@
+
+ void error(int const xerrno);
+ int debugLevelForError(int const xerrno) const;
+- /// handles a non-I/O error associated with this Connection
+- void logicError(const char *errMsg);
+ void closeIfOpen();
+ void dataSent (size_t amount);
++ /// writes 'b' buffer, setting the 'writer' member to 'callback'.
++ void write(const char *b, int size, AsyncCall::Pointer &callback, FREE * free_func);
+ int len;
+ char *buf;
+ int64_t *size_ptr; /* pointer to size in an ConnStateData for logging */
++ AsyncCall::Pointer writer; ///< pending Comm::Write callback
+
+ Comm::ConnectionPointer conn; ///< The currently connected connection.
+
+@@ -195,13 +200,14 @@
+ TunnelStateData *tunnelState = (TunnelStateData *)params.data;
+ debugs(26, 3, HERE << tunnelState->server.conn);
+ tunnelState->server.conn = NULL;
++ tunnelState->server.writer = NULL;
+
+ if (tunnelState->noConnections()) {
+ delete tunnelState;
+ return;
+ }
+
+- if (!tunnelState->server.len) {
++ if (!tunnelState->client.writer) {
+ tunnelState->client.conn->close();
+ return;
+ }
+@@ -213,13 +219,14 @@
+ TunnelStateData *tunnelState = (TunnelStateData *)params.data;
+ debugs(26, 3, HERE << tunnelState->client.conn);
+ tunnelState->client.conn = NULL;
++ tunnelState->client.writer = NULL;
+
+ if (tunnelState->noConnections()) {
+ delete tunnelState;
+ return;
+ }
+
+- if (!tunnelState->client.len) {
++ if (!tunnelState->server.writer) {
+ tunnelState->server.conn->close();
+ return;
+ }
+@@ -343,6 +350,23 @@
+ handleConnectResponse(len);
+ }
+
++void
++TunnelStateData::informUserOfPeerError(const char *errMsg)
++{
++ server.len = 0;
++ if (!clientExpectsConnectResponse()) {
++ // closing the connection is the best we can do here
++ debugs(50, 3, server.conn << " closing on error: " << errMsg);
++ server.conn->close();
++ return;
++ }
++ ErrorState *err = new ErrorState(ERR_CONNECT_FAIL, Http::scBadGateway, request.getRaw());
++ err->callback = tunnelErrorComplete;
++ err->callback_data = this;
++ *status_ptr = Http::scBadGateway;
++ errorSend(http->getConn()->clientConnection, err);
++}
++
+ /* Read from client side and queue it for writing to the server */
+ void
+ TunnelStateData::ReadConnectResponseDone(const Comm::ConnectionPointer &, char *buf, size_t len, comm_err_t errcode, int xerrno, void *data)
+@@ -374,7 +398,7 @@
+ const bool parsed = rep.parse(connectRespBuf, eof, &parseErr);
+ if (!parsed) {
+ if (parseErr > 0) { // unrecoverable parsing error
+- server.logicError("malformed CONNECT response from peer");
++ informUserOfPeerError("malformed CONNECT response from peer");
+ return;
+ }
+
+@@ -383,7 +407,7 @@
+ assert(!parseErr);
+
+ if (!connectRespBuf->hasSpace()) {
+- server.logicError("huge CONNECT response from peer");
++ informUserOfPeerError("huge CONNECT response from peer");
+ return;
+ }
+
+@@ -397,7 +421,8 @@
+
+ // bail if we did not get an HTTP 200 (Connection Established) response
+ if (rep.sline.status() != Http::scOkay) {
+- server.logicError("unsupported CONNECT response status code");
++ // if we ever decide to reuse the peer connection, we must extract the error response first
++ informUserOfPeerError("unsupported CONNECT response status code");
+ return;
+ }
+
+@@ -416,13 +441,6 @@
+ }
+
+ void
+-TunnelStateData::Connection::logicError(const char *errMsg)
+-{
+- debugs(50, 3, conn << " closing on error: " << errMsg);
+- conn->close();
+-}
+-
+-void
+ TunnelStateData::Connection::error(int const xerrno)
+ {
+ /* XXX fixme xstrerror and xerrno... */
+@@ -517,7 +535,7 @@
+ debugs(26, 3, HERE << "Schedule Write");
+ AsyncCall::Pointer call = commCbCall(5,5, "TunnelBlindCopyWriteHandler",
+ CommIoCbPtrFun(completion, this));
+- Comm::Write(to.conn, from.buf, len, call, NULL);
++ to.write(from.buf, len, call, NULL);
+ }
+
+ /* Writes data from the client buffer to the server side */
+@@ -526,6 +544,7 @@
+ {
+ TunnelStateData *tunnelState = (TunnelStateData *)data;
+ assert (cbdataReferenceValid (tunnelState));
++ tunnelState->server.writer = NULL;
+
+ tunnelState->writeServerDone(buf, len, flag, xerrno);
+ }
+@@ -575,6 +594,7 @@
+ {
+ TunnelStateData *tunnelState = (TunnelStateData *)data;
+ assert (cbdataReferenceValid (tunnelState));
++ tunnelState->client.writer = NULL;
+
+ tunnelState->writeClientDone(buf, len, flag, xerrno);
+ }
+@@ -592,7 +612,14 @@
+ }
+
+ void
+-TunnelStateData::writeClientDone(char *buf, size_t len, comm_err_t flag, int xerrno)
++TunnelStateData::Connection::write(const char *b, int size, AsyncCall::Pointer &callback, FREE * free_func)
++{
++ writer = callback;
++ Comm::Write(conn, b, size, callback, free_func);
++}
++
++void
++TunnelStateData::writeClientDone(char *, size_t len, comm_err_t flag, int xerrno)
+ {
+ debugs(26, 3, HERE << client.conn << ", " << len << " bytes written, flag=" << flag);
+
+@@ -712,6 +739,7 @@
+ {
+ TunnelStateData *tunnelState = (TunnelStateData *)data;
+ debugs(26, 3, HERE << conn << ", flag=" << flag);
++ tunnelState->client.writer = NULL;
+
+ if (flag != COMM_OK) {
+ *tunnelState->status_ptr = Http::scInternalServerError;
+@@ -728,6 +756,7 @@
+ {
+ TunnelStateData *tunnelState = (TunnelStateData *)data;
+ debugs(26, 3, conn << ", flag=" << flag);
++ tunnelState->server.writer = NULL;
+ assert(tunnelState->waitingForConnectRequest());
+
+ if (flag != COMM_OK) {
+@@ -768,7 +797,7 @@
+ else {
+ AsyncCall::Pointer call = commCbCall(5,5, "tunnelConnectedWriteDone",
+ CommIoCbPtrFun(tunnelConnectedWriteDone, tunnelState));
+- Comm::Write(tunnelState->client.conn, conn_established, strlen(conn_established), call, NULL);
++ tunnelState->client.write(conn_established, strlen(conn_established), call, NULL);
+ }
+ }
+
+@@ -955,29 +984,20 @@
+ debugs(11, 2, "Tunnel Server REQUEST: " << tunnelState->server.conn << ":\n----------\n" <<
+ Raw("tunnelRelayConnectRequest", mb.content(), mb.contentSize()) << "\n----------");
+
+- if (tunnelState->clientExpectsConnectResponse()) {
+- // hack: blindly tunnel peer response (to our CONNECT request) to the client as ours.
+- AsyncCall::Pointer writeCall = commCbCall(5,5, "tunnelConnectedWriteDone",
+- CommIoCbPtrFun(tunnelConnectedWriteDone, tunnelState));
+- Comm::Write(srv, &mb, writeCall);
+- } else {
+- // we have to eat the connect response from the peer (so that the client
+- // does not see it) and only then start shoveling data to the client
+- AsyncCall::Pointer writeCall = commCbCall(5,5, "tunnelConnectReqWriteDone",
+- CommIoCbPtrFun(tunnelConnectReqWriteDone,
+- tunnelState));
+- Comm::Write(srv, &mb, writeCall);
+- tunnelState->connectReqWriting = true;
+-
+- tunnelState->connectRespBuf = new MemBuf;
+- // SQUID_TCP_SO_RCVBUF: we should not accumulate more than regular I/O buffer
+- // can hold since any CONNECT response leftovers have to fit into server.buf.
+- // 2*SQUID_TCP_SO_RCVBUF: HttpMsg::parse() zero-terminates, which uses space.
+- tunnelState->connectRespBuf->init(SQUID_TCP_SO_RCVBUF, 2*SQUID_TCP_SO_RCVBUF);
+- tunnelState->readConnectResponse();
+-
+- assert(tunnelState->waitingForConnectExchange());
+- }
++ AsyncCall::Pointer writeCall = commCbCall(5,5, "tunnelConnectReqWriteDone",
++ CommIoCbPtrFun(tunnelConnectReqWriteDone, tunnelState));
++
++ tunnelState->server.write(mb.buf, mb.size, writeCall, mb.freeFunc());
++ tunnelState->connectReqWriting = true;
++
++ tunnelState->connectRespBuf = new MemBuf;
++ // SQUID_TCP_SO_RCVBUF: we should not accumulate more than regular I/O buffer
++ // can hold since any CONNECT response leftovers have to fit into server.buf.
++ // 2*SQUID_TCP_SO_RCVBUF: HttpMsg::parse() zero-terminates, which uses space.
++ tunnelState->connectRespBuf->init(SQUID_TCP_SO_RCVBUF, 2*SQUID_TCP_SO_RCVBUF);
++ tunnelState->readConnectResponse();
++
++ assert(tunnelState->waitingForConnectExchange());
+
+ AsyncCall::Pointer timeoutCall = commCbCall(5, 4, "tunnelTimeout",
+ CommTimeoutCbPtrFun(tunnelTimeout, tunnelState));
+
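Review bot: In informUserOfPeerError(), only the branch for a client that does not expect a CONNECT response closes server.conn; the branch that sends the 502 sets up an ErrorState with tunnelErrorComplete as its callback and returns, so closing the peer connection depends on that callback, which is not part of this patch. The doc comment on the declaration says "closing connections", so please confirm that tunnelErrorComplete in the 3.4.7 tree closes both sides, since a peer connection left open after a failed CONNECT is the condition the upstream message describes. Style: this file has no blank line between "Upstream-Status: Backport" and the changeset URL, unlike the other three patch files.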
diff --git a/meta-networking/recipes-daemons/squid/squid_3.4.7.bb b/meta-networking/recipes-daemons/squid/squid_3.4.7.bb
index c5f616d..25940f7 100644
--- a/meta-networking/recipes-daemons/squid/squid_3.4.7.bb
+++ b/meta-networking/recipes-daemons/squid/squid_3.4.7.bb
@@ -20,6 +20,10 @@ SRC_URI = "http://www.squid-cache.org/Versions/v${MAJ_VER}/${MIN_VER}/${BPN}-${P
file://squid-use-serial-tests-config-needed-by-ptest.patch \
file://run-ptest \
file://volatiles.03_squid \
+ file://CVE-2014-6270.patch \
+ file://CVE-2014-7141_CVE-2014-7142.patch \
+ file://CVE-2015-3455.patch \
+ file://CVE-2015-5400.patch \
"
LIC_FILES_CHKSUM = "file://COPYING;md5=c492e2d6d32ec5c1aad0e0609a141ce9 \
--
2.3.5
* [PATCH 2/7] ntp: fix rpath QA issue
From: Armin Kuster @ 2016-02-07 21:11 UTC
To: otavio, openembedded-devel, akuster808
From: "Qi.Chen@windriver.com" <Qi.Chen@windriver.com>
When ntp could be correctly built with openssh and libcrypto, we would meet
the following QA issue.
WARNING: QA Issue: package ntp contains bad RPATH ... [rpath]
Fix this problem by adding '--disable-rpath' to EXTRA_OECONF.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb
index 2c1345a..0a7a39e 100644
--- a/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb
+++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb
@@ -35,6 +35,7 @@ EXTRA_OECONF += "--with-net-snmp-config=no \
ac_cv_header_readline_history_h=no \
--with-yielding_select=yes \
--with-locfile=redhat \
+ --without-rpath \
"
CFLAGS_append = " -DPTYS_ARE_GETPT -DPTYS_ARE_SEARCHED"
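Review bot: The commit message says the fix is adding '--disable-rpath' to EXTRA_OECONF, but the line added in this hunk is `--without-rpath`. Please make the message and the option agree, and state which spelling ntp's configure accepts, since an option that configure does not recognise would leave the RPATH QA warning unfixed.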
--
2.3.5
* [PATCH 3/7] ntp: upgrade 4.2.8p3 -> 4.2.8p4
From: Armin Kuster @ 2016-02-07 21:11 UTC
To: otavio, openembedded-devel, akuster808
From: Wenzong Fan <wenzong.fan@windriver.com>
4.2.8p4 fixed the following 13 low- and medium-severity vulnerabilities:
* Bug 2941 CVE-2015-7871
* Bug 2922 CVE-2015-7855
* Bug 2921 CVE-2015-7854
* Bug 2920 CVE-2015-7853
* Bug 2919 CVE-2015-7852
* Bug 2918 CVE-2015-7851
* Bug 2917 CVE-2015-7850
* Bug 2916 CVE-2015-7849
* Bug 2913 CVE-2015-7848
* Bug 2909 CVE-2015-7701
* Bug 2902 CVE-2015-7703
* Bug 2901 CVE-2015-7704, CVE-2015-7705
* Bug 2899 CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
And three bugs: Bug 2382, 1774, 1593
Details at:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../recipes-support/ntp/{ntp_4.2.8p3.bb => ntp_4.2.8p4.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta-networking/recipes-support/ntp/{ntp_4.2.8p3.bb => ntp_4.2.8p4.bb} (97%)
diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p4.bb
similarity index 97%
rename from meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb
rename to meta-networking/recipes-support/ntp/ntp_4.2.8p4.bb
index 0a7a39e..4fe2ed5 100644
--- a/meta-networking/recipes-support/ntp/ntp_4.2.8p3.bb
+++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p4.bb
@@ -23,8 +23,8 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
file://ntpd.list \
"
-SRC_URI[md5sum] = "b98b0cbb72f6df04608e1dd5f313808b"
-SRC_URI[sha256sum] = "818ca4f2ed6ca845b1c5ec43f5e6ad905eaa0fc0aab2d509ed6b962a37fbf38f"
+SRC_URI[md5sum] = "6af96862b09324a8ef965ca76b759c8b"
+SRC_URI[sha256sum] = "0d6961572548d2c4af96f58f763e22ac620f5afef717384ddc317a0e365cfdb9"
inherit autotools update-rc.d useradd systemd pkgconfig
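Review bot: The new SRC_URI[md5sum] and SRC_URI[sha256sum] values are the only integrity check on this tarball, because the SRC_URI shown in the hunk header fetches it over plain http, and the commit message does not say where the values came from. Please state in the commit message whether the sha256 was compared against a value published by upstream rather than computed from the downloaded file. The 97% similarity rename with only these two lines changed also means no other recipe content was revisited for the new release, which is worth confirming.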
--
2.3.5
* [PATCH 4/7] php: Security fix CVE-2015-7803
From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw)
To: otavio, openembedded-devel, akuster808
From: Armin Kuster <akuster@mvista.com>
CVE-2015-7803 php: NULL pointer dereference in phar_get_fp_offset()
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../recipes-devtools/php/php/CVE-2015-7803.patch | 82 ++++++++++++++++++++++
meta-oe/recipes-devtools/php/php_5.5.21.bb | 1 +
2 files changed, 83 insertions(+)
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch b/meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch
new file mode 100644
index 0000000..5636f25
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2015-7803.patch
@@ -0,0 +1,82 @@
+From d698f0ae51f67c9cce870b09c59df3d6ba959244 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 28 Sep 2015 15:51:59 -0700
+Subject: [PATCH] Fix bug #69720: Null pointer dereference in
+ phar_get_fp_offset()
+
+Upsteam-Status: Backport
+https://git.php.net/?p=php-src.git;a=patch;h=d698f0ae51f67c9cce870b09c59df3d6ba959244
+
+CVE: CVE-2015-7803
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ext/phar/tests/bug69720.phar | Bin 0 -> 8192 bytes
+ ext/phar/tests/bug69720.phpt | 40 ++++++++++++++++++++++++++++++++++++++++
+ ext/phar/util.c | 6 +++++-
+ 3 files changed, 45 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug69720.phar
+ create mode 100644 ext/phar/tests/bug69720.phpt
+
+Index: php-5.5.21/ext/phar/tests/bug69720.phpt
+===================================================================
+--- /dev/null
++++ php-5.5.21/ext/phar/tests/bug69720.phpt
+@@ -0,0 +1,40 @@
++--TEST--
++Phar - bug #69720 - Null pointer dereference in phar_get_fp_offset()
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--FILE--
++<?php
++try {
++ // open an existing phar
++ $p = new Phar(__DIR__."/bug69720.phar",0);
++ // Phar extends SPL's DirectoryIterator class
++ echo $p->getMetadata();
++ foreach (new RecursiveIteratorIterator($p) as $file) {
++ // $file is a PharFileInfo class, and inherits from SplFileInfo
++ $temp="";
++ $temp= $file->getFileName() . "\n";
++ $temp.=file_get_contents($file->getPathName()) . "\n"; // display contents
++ var_dump($file->getMetadata());
++ }
++}
++ catch (Exception $e) {
++ echo 'Could not open Phar: ', $e;
++}
++?>
++--EXPECTF--
++
++MY_METADATA_NULL
++
++Warning: file_get_contents(phar:///%s): failed to open stream: phar error: "test.php" is not a file in phar "%s.phar" in %s.php on line %d
++array(1) {
++ ["whatever"]=>
++ int(123)
++}
++object(DateTime)#2 (3) {
++ ["date"]=>
++ string(26) "2000-01-01 00:00:00.000000"
++ ["timezone_type"]=>
++ int(3)
++ ["timezone"]=>
++ string(3) "UTC"
++}
+Index: php-5.5.21/ext/phar/util.c
+===================================================================
+--- php-5.5.21.orig/ext/phar/util.c
++++ php-5.5.21/ext/phar/util.c
+@@ -494,7 +494,11 @@ really_get_entry:
+ (*ret)->is_tar = entry->is_tar;
+ (*ret)->fp = phar_get_efp(entry, 1 TSRMLS_CC);
+ if (entry->link) {
+- (*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);
++ phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC);
++ if(!link) {
++ return FAILURE;
++ }
++ (*ret)->zero = phar_get_fp_offset(link TSRMLS_CC);
+ } else {
+ (*ret)->zero = phar_get_fp_offset(entry TSRMLS_CC);
+ }
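Review bot: The status tag in the embedded patch header is spelled "Upsteam-Status: Backport", so anything that searches patches for "Upstream-Status" will not find it; it should read "Upstream-Status: Backport". Separately, the embedded diffstat lists ext/phar/tests/bug69720.phar as "Bin 0 -> 8192 bytes", but no binary content for it is carried here, while the added bug69720.phpt opens __DIR__."/bug69720.phar". As shipped, the regression test has no fixture to run against, so either drop the .phpt section from the backport or say in the header that the test is not usable and the util.c change is the only effective part.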
diff --git a/meta-oe/recipes-devtools/php/php_5.5.21.bb b/meta-oe/recipes-devtools/php/php_5.5.21.bb
index 4ad198a..3582b45 100644
--- a/meta-oe/recipes-devtools/php/php_5.5.21.bb
+++ b/meta-oe/recipes-devtools/php/php_5.5.21.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
file://acinclude-xml2-config.patch \
file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \
file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \
+ file://CVE-2015-7803.patch \
"
SRC_URI_append_class-target += " \
--
2.3.5
* [PATCH 5/7] php: Security fix CVE-2015-7804
From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw)
To: otavio, openembedded-devel, akuster808
From: Armin Kuster <akuster@mvista.com>
CVE-2015-7804 php: uninitialized pointer in phar_make_dirstream()
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../recipes-devtools/php/php/CVE-2015-7804.patch | 62 ++++++++++++++++++++++
meta-oe/recipes-devtools/php/php_5.5.21.bb | 1 +
2 files changed, 63 insertions(+)
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2015-7804.patch
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2015-7804.patch b/meta-oe/recipes-devtools/php/php/CVE-2015-7804.patch
new file mode 100644
index 0000000..ad211a3
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2015-7804.patch
@@ -0,0 +1,62 @@
+From e78ac461dbefb7c4a3e9fde78d50fbc56b7b0183 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 28 Sep 2015 17:12:35 -0700
+Subject: [PATCH] FIx bug #70433 - Uninitialized pointer in phar_make_dirstream
+ when zip entry filename is "/"
+
+Upstream-status: Backport
+
+https://git.php.net/?p=php-src.git;a=patch;h=e78ac461dbefb7c4a3e9fde78d50fbc56b7b0183
+
+CVE: CVE-2015-7804
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ext/phar/dirstream.c | 2 +-
+ ext/phar/tests/bug70433.phpt | 23 +++++++++++++++++++++++
+ ext/phar/tests/bug70433.zip | Bin 0 -> 264 bytes
+ 3 files changed, 24 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug70433.phpt
+ create mode 100755 ext/phar/tests/bug70433.zip
+
+Index: php-5.5.21/ext/phar/dirstream.c
+===================================================================
+--- php-5.5.21.orig/ext/phar/dirstream.c
++++ php-5.5.21/ext/phar/dirstream.c
+@@ -207,7 +207,7 @@ static php_stream *phar_make_dirstream(c
+ zend_hash_internal_pointer_reset(manifest);
+
+ while (FAILURE != zend_hash_has_more_elements(manifest)) {
+- if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) {
++ if (HASH_KEY_IS_STRING != zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) {
+ break;
+ }
+
+Index: php-5.5.21/ext/phar/tests/bug70433.phpt
+===================================================================
+--- /dev/null
++++ php-5.5.21/ext/phar/tests/bug70433.phpt
+@@ -0,0 +1,23 @@
++--TEST--
++Phar - bug #70433 - Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--FILE--
++<?php
++$phar = new PharData(__DIR__."/bug70433.zip");
++var_dump($phar);
++$meta = $phar->getMetadata();
++var_dump($meta);
++?>
++DONE
++--EXPECTF--
++object(PharData)#1 (3) {
++ ["pathName":"SplFileInfo":private]=>
++ string(0) ""
++ ["glob":"DirectoryIterator":private]=>
++ bool(false)
++ ["subPathName":"RecursiveDirectoryIterator":private]=>
++ string(0) ""
++}
++NULL
++DONE
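Review bot: The embedded diffstat lists ext/phar/tests/bug70433.zip ("Bin 0 -> 264 bytes", create mode 100755), but the patch carries no content for it, and the added bug70433.phpt constructs PharData from __DIR__."/bug70433.zip", so the test cannot run as shipped. Either drop the .phpt section or note in the header that only the dirstream.c change takes effect. The tag is also written "Upstream-status" here, while the CVE-2016-1903 patch in this series uses "Upstream-Status"; please use the one spelling so the tag can be matched consistently.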
diff --git a/meta-oe/recipes-devtools/php/php_5.5.21.bb b/meta-oe/recipes-devtools/php/php_5.5.21.bb
index 3582b45..ed286d6 100644
--- a/meta-oe/recipes-devtools/php/php_5.5.21.bb
+++ b/meta-oe/recipes-devtools/php/php_5.5.21.bb
@@ -15,6 +15,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \
file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \
file://CVE-2015-7803.patch \
+ file://CVE-2015-7804.patch \
"
SRC_URI_append_class-target += " \
--
2.3.5
* [PATCH 6/7] php: Security fix CVE-2016-1903
From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw)
To: otavio, openembedded-devel, akuster808
From: Armin Kuster <akuster@mvista.com>
CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../recipes-devtools/php/php/CVE-2016-1903.patch | 28 ++++++++++++++++++++++
meta-oe/recipes-devtools/php/php_5.5.21.bb | 1 +
2 files changed, 29 insertions(+)
create mode 100644 meta-oe/recipes-devtools/php/php/CVE-2016-1903.patch
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2016-1903.patch b/meta-oe/recipes-devtools/php/php/CVE-2016-1903.patch
new file mode 100644
index 0000000..46c9a24
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2016-1903.patch
@@ -0,0 +1,28 @@
+From aa8d3a8cc612ba87c0497275f58a2317a90fb1c4 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 12 Jan 2016 13:52:27 +0100
+Subject: [PATCH] fix the fix for bug #70976 (imagerotate)
+
+Upstream-Status: Backport
+https://github.com/php/php-src/commit/aa8d3a8cc612ba87c0497275f58a2317a90fb1c4
+
+CVE: CVE-2016-1903
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ext/gd/libgd/gd_interpolation.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+Index: php-5.5.21/ext/gd/libgd/gd_interpolation.c
+===================================================================
+--- php-5.5.21.orig/ext/gd/libgd/gd_interpolation.c
++++ php-5.5.21/ext/gd/libgd/gd_interpolation.c
+@@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(con
+ images can be done at a later point.
+ */
+ if (src->trueColor == 0) {
+- if (bgcolor >= 0) {
++ if (bgcolor < gdMaxColors) {
+ bgcolor = gdTrueColorAlpha(src->red[bgcolor], src->green[bgcolor], src->blue[bgcolor], src->alpha[bgcolor]);
+ }
+ gdImagePaletteToTrueColor(src);
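Review bot: In the gd_interpolation.c hunk the lower-bound test "bgcolor >= 0" is replaced by "bgcolor < gdMaxColors", so within the visible lines nothing rejects a negative bgcolor before it indexes src->red[bgcolor], src->green[bgcolor], src->blue[bgcolor] and src->alpha[bgcolor]. The subject is "fix the fix for bug #70976", which suggests this change relies on an earlier fix that is not part of this series, and the embedded diffstat ("gd_interpolation.c | 4 ++--", "2 files changed, 4 insertions(+), 4 deletions(-)") does not match the single one-line change actually carried. Please either include the earlier fix for bug #70976 alongside this one, or make the condition check both bounds, for example "if (bgcolor >= 0 && bgcolor < gdMaxColors)", and refresh the diffstat to match what is applied to php-5.5.21.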
diff --git a/meta-oe/recipes-devtools/php/php_5.5.21.bb b/meta-oe/recipes-devtools/php/php_5.5.21.bb
index ed286d6..6bdd1c5 100644
--- a/meta-oe/recipes-devtools/php/php_5.5.21.bb
+++ b/meta-oe/recipes-devtools/php/php_5.5.21.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \
file://CVE-2015-7803.patch \
file://CVE-2015-7804.patch \
+ file://CVE-2016-1903.patch \
"
SRC_URI_append_class-target += " \
--
2.3.5
* [PATCH 7/7] krb5: Fix warning.
From: Armin Kuster @ 2016-02-07 21:11 UTC (permalink / raw)
To: otavio, openembedded-devel, akuster808
From: Armin Kuster <akuster@mvista.com>
WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value
remove extra "/"
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
index c492496..c19fffb 100644
--- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
+++ b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
@@ -33,7 +33,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe"
SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744"
-S = "${WORKDIR}/${BP}/src/"
+S = "${WORKDIR}/${BP}/src"
PACKAGECONFIG ??= "openssl"
PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
--
2.3.5
* Re: [PATCH 7/7] krb5: Fix warning.
From: Martin Jansa @ 2016-02-09 18:08 UTC (permalink / raw)
To: openembedded-devel; +Cc: otavio
On Sun, Feb 07, 2016 at 01:11:59PM -0800, Armin Kuster wrote:
> From: Armin Kuster <akuster@mvista.com>
>
> WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value
>
> remove extra "/"
This patch isn't in master and master still has trailing /, why is this
needed for fido only?
>
> Signed-off-by: Armin Kuster <akuster@mvista.com>
> ---
> meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
> index c492496..c19fffb 100644
> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
> @@ -33,7 +33,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
> SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe"
> SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744"
>
> -S = "${WORKDIR}/${BP}/src/"
> +S = "${WORKDIR}/${BP}/src"
>
> PACKAGECONFIG ??= "openssl"
> PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
> --
> 2.3.5
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
* Re: [PATCH 7/7] krb5: Fix warning.
From: akuster808 @ 2016-02-09 20:27 UTC (permalink / raw)
To: Martin Jansa, openembedded-devel; +Cc: otavio
On 02/09/2016 10:08 AM, Martin Jansa wrote:
> On Sun, Feb 07, 2016 at 01:11:59PM -0800, Armin Kuster wrote:
>> From: Armin Kuster <akuster@mvista.com>
>>
>> WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value
>>
>> remove extra "/"
>
> This patch isn't in master and master still has trailing /, why is this
> needed for fido only?
I only saw it occur in fido.
- armin
>
>>
>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>> ---
>> meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
>> index c492496..c19fffb 100644
>> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
>> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
>> @@ -33,7 +33,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
>> SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe"
>> SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744"
>>
>> -S = "${WORKDIR}/${BP}/src/"
>> +S = "${WORKDIR}/${BP}/src"
>>
>> PACKAGECONFIG ??= "openssl"
>> PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
>> --
>> 2.3.5
>>
>> --
>> _______________________________________________
>> Openembedded-devel mailing list
>> Openembedded-devel@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
>
* Re: [PATCH 7/7] krb5: Fix warning.
From: Khem Raj @ 2016-02-09 21:41 UTC (permalink / raw)
To: openembedded-devel; +Cc: otavio
> On Feb 9, 2016, at 12:27 PM, akuster808 <akuster808@gmail.com> wrote:
>
>
>
> On 02/09/2016 10:08 AM, Martin Jansa wrote:
>> On Sun, Feb 07, 2016 at 01:11:59PM -0800, Armin Kuster wrote:
>>> From: Armin Kuster <akuster@mvista.com>
>>>
>>> WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value
>>>
>>> remove extra "/"
>>
>> This patch isn't in master and master still has trailing /, why is this
>> needed for fido only?
>
> I only saw it occur in fido.
It doesn't change any functionality if it's included in master too; moreover, it makes backports easier.
So let's apply it to master as well.
>
> - armin
>>
>>>
>>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>>> ---
>>> meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
>>> index c492496..c19fffb 100644
>>> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
>>> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
>>> @@ -33,7 +33,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
>>> SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe"
>>> SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744"
>>>
>>> -S = "${WORKDIR}/${BP}/src/"
>>> +S = "${WORKDIR}/${BP}/src"
>>>
>>> PACKAGECONFIG ??= "openssl"
>>> PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
>>> --
>>> 2.3.5
>>>
>>> --
>>> _______________________________________________
>>> Openembedded-devel mailing list
>>> Openembedded-devel@lists.openembedded.org
>>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
>>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
* Re: [PATCH 7/7] krb5: Fix warning.
From: akuster808 @ 2016-02-09 23:33 UTC (permalink / raw)
To: openembedded-devel; +Cc: otavio
On 02/09/2016 01:41 PM, Khem Raj wrote:
>
>> On Feb 9, 2016, at 12:27 PM, akuster808 <akuster808@gmail.com> wrote:
>>
>>
>>
>> On 02/09/2016 10:08 AM, Martin Jansa wrote:
>>> On Sun, Feb 07, 2016 at 01:11:59PM -0800, Armin Kuster wrote:
>>>> From: Armin Kuster <akuster@mvista.com>
>>>>
>>>> WARNING: /tmp/work/armv5e-poky-linux-gnueabi/krb5/1.12.2-r0/krb5-1.12.2/src/ ('S') doesn't exist, please set 'S' to a proper value
>>>>
>>>> remove extra "/"
>>>
>>> This patch isn't in master and master still has trailing /, why is this
>>> needed for fido only?
>>
>> I only saw it occur in fido.
>
> It doesn't change any functionality if it's included in master too; moreover, it makes backports easier.
> So let's apply it to master as well.
sending patches
- armin
>
>>
>> - armin
>>>
>>>>
>>>> Signed-off-by: Armin Kuster <akuster@mvista.com>
>>>> ---
>>>> meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
>>>> index c492496..c19fffb 100644
>>>> --- a/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
>>>> +++ b/meta-oe/recipes-connectivity/krb5/krb5_1.12.2.bb
>>>> @@ -33,7 +33,7 @@ SRC_URI = "http://web.mit.edu/kerberos/dist/${BPN}/${SHRT_VER}/${BP}-signed.tar
>>>> SRC_URI[md5sum] = "357f1312b7720a0a591e22db0f7829fe"
>>>> SRC_URI[sha256sum] = "09bd180107b5c2b3b7378c57c023fb02a103d4cac39d6f2dd600275d7a4f3744"
>>>>
>>>> -S = "${WORKDIR}/${BP}/src/"
>>>> +S = "${WORKDIR}/${BP}/src"
>>>>
>>>> PACKAGECONFIG ??= "openssl"
>>>> PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit"
>>>> --
>>>> 2.3.5
>>>>
>>>> --
>>>> _______________________________________________
>>>> Openembedded-devel mailing list
>>>> Openembedded-devel@lists.openembedded.org
>>>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
>>>
>> --
>> _______________________________________________
>> Openembedded-devel mailing list
>> Openembedded-devel@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
>
>
>