[PATCH 1/4] gnutls: Backport certificate check fix

[PATCH 1/4] gnutls: Backport certificate check fix

[Jussi Kukkonen]

Previously the OCSP certificate check wouldn't verify the serial
length and could succeed in cases it shouldn't (CVE-2016-7444).

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
 .../gnutls/gnutls/CVE-2016-7444.patch              | 35 ++++++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.5.3.bb        |  1 +
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2016-7444.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2016-7444.patch b/meta/recipes-support/gnutls/gnutls/CVE-2016-7444.patch
new file mode 100644
index 0000000..215be5a
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2016-7444.patch
@@ -0,0 +1,35 @@
+CVE: CVE-2016-7444
+Upstream-Status: Backport
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+
+Upstream commit follows:
+
+
+From 964632f37dfdfb914ebc5e49db4fa29af35b1de9 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Sat, 27 Aug 2016 17:00:22 +0200
+Subject: [PATCH] ocsp: corrected the comparison of the serial size in OCSP response
+
+Previously the OCSP certificate check wouldn't verify the serial length
+and could succeed in cases it shouldn't.
+
+Reported by Stefan Buehler.
+---
+ lib/x509/ocsp.c | 1 +
+ 1 file changed, 1 insertion(+), 0 deletions(-)
+
+diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
+index 92db9b6..8181f2e 100644
+--- a/lib/x509/ocsp.c
++++ b/lib/x509/ocsp.c
+@@ -1318,6 +1318,7 @@ gnutls_ocsp_resp_check_crt(gnutls_ocsp_resp_t resp,
+ 		gnutls_assert();
+ 		goto cleanup;
+ 	}
++	cserial.size = t;
+ 
+ 	if (rserial.size != cserial.size
+ 	    || memcmp(cserial.data, rserial.data, rserial.size) != 0) {
+--
+libgit2 0.24.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.5.3.bb b/meta/recipes-support/gnutls/gnutls_3.5.3.bb
index 8317eb4..b2dbb07 100644
--- a/meta/recipes-support/gnutls/gnutls_3.5.3.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.5.3.bb
@@ -4,6 +4,7 @@ SRC_URI += "file://correct_rpl_gettimeofday_signature.patch \
             file://0001-configure.ac-fix-sed-command.patch \
             file://use-pkg-config-to-locate-zlib.patch \
             file://0001-Use-correct-include-dir-with-minitasn.patch \
+            file://CVE-2016-7444.patch \
            "
 SRC_URI[md5sum] = "6c2c7f40ddf52933ee3ca474cb8cb63c"
 SRC_URI[sha256sum] = "92c4bc999a10a1b95299ebefaeea8333f19d8a98d957a35b5eae74881bdb1fef"
-- 
2.1.4

[PATCH 2/4] flex: Update upstream check uri

[Jussi Kukkonen]

Flex has moved to github, update UPSTREAM_CHECK_URI.

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
 meta/recipes-devtools/flex/flex_2.6.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/flex/flex_2.6.0.bb b/meta/recipes-devtools/flex/flex_2.6.0.bb
index db2cf1c..3a45752 100644
--- a/meta/recipes-devtools/flex/flex_2.6.0.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.0.bb
@@ -21,6 +21,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/flex/flex-${PV}.tar.bz2 \
 SRC_URI[md5sum] = "266270f13c48ed043d95648075084d59"
 SRC_URI[sha256sum] = "24e611ef5a4703a191012f80c1027dc9d12555183ce0ecd46f3636e587e9b8e9"
 
+# Flex has moved to github from 2.6.1 onwards
+UPSTREAM_CHECK_URI = "https://github.com/westes/flex/releases"
 UPSTREAM_CHECK_REGEX = "flex-(?P<pver>\d+(\.\d+)+)\.tar"
 
 inherit autotools gettext texinfo ptest
-- 
2.1.4

[PATCH 3/4] flex: Backport buffer overflow fix

[Jussi Kukkonen]

Fix a heap-based buffer overflow in yy_get_next_buffer()
(CVE-2016-6354).

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
 .../recipes-devtools/flex/flex/CVE-2016-6354.patch | 59 ++++++++++++++++++++++
 meta/recipes-devtools/flex/flex_2.6.0.bb           |  1 +
 2 files changed, 60 insertions(+)
 create mode 100644 meta/recipes-devtools/flex/flex/CVE-2016-6354.patch

diff --git a/meta/recipes-devtools/flex/flex/CVE-2016-6354.patch b/meta/recipes-devtools/flex/flex/CVE-2016-6354.patch
new file mode 100644
index 0000000..216ac7a
--- /dev/null
+++ b/meta/recipes-devtools/flex/flex/CVE-2016-6354.patch
@@ -0,0 +1,59 @@
+From 3939eccdff598f47e5b37b05d58bf1b44d3796e7 Mon Sep 17 00:00:00 2001
+From: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Date: Fri, 7 Oct 2016 14:15:38 +0300
+Subject: [PATCH] Prevent buffer overflow in yy_get_next_buffer
+
+This is upstream commit a5cbe929ac3255d371e698f62dc256afe7006466
+with some additional backporting to make binutils build again.
+
+Upstream-Status: Backport
+CVE: CVE-2016-6354
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+---
+ src/flex.skl | 2 +-
+ src/scan.c   | 2 +-
+ src/skel.c   | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/flex.skl b/src/flex.skl
+index ed71627..814d562 100644
+--- a/src/flex.skl
++++ b/src/flex.skl
+@@ -1718,7 +1718,7 @@ int yyFlexLexer::yy_get_next_buffer()
+ 
+ 	else
+ 		{
+-			yy_size_t num_to_read =
++			int num_to_read =
+ 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ 		while ( num_to_read <= 0 )
+diff --git a/src/scan.c b/src/scan.c
+index f1dce75..1949872 100644
+--- a/src/scan.c
++++ b/src/scan.c
+@@ -4181,7 +4181,7 @@ static int yy_get_next_buffer (void)
+ 
+ 	else
+ 		{
+-			yy_size_t num_to_read =
++			int num_to_read =
+ 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ 		while ( num_to_read <= 0 )
+diff --git a/src/skel.c b/src/skel.c
+index 26cc889..0344d18 100644
+--- a/src/skel.c
++++ b/src/skel.c
+@@ -1929,7 +1929,7 @@ const char *skel[] = {
+   "",
+   "	else",
+   "		{",
+-  "			yy_size_t num_to_read =",
++  "			int num_to_read =",
+   "			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;",
+   "",
+   "		while ( num_to_read <= 0 )",
+-- 
+2.1.4
+
diff --git a/meta/recipes-devtools/flex/flex_2.6.0.bb b/meta/recipes-devtools/flex/flex_2.6.0.bb
index 3a45752..ab35b09 100644
--- a/meta/recipes-devtools/flex/flex_2.6.0.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.0.bb
@@ -15,6 +15,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/flex/flex-${PV}.tar.bz2 \
            file://do_not_create_pdf_doc.patch \
            file://0001-tests-add-a-target-for-building-tests-without-runnin.patch \
            file://0002-avoid-c-comments-in-c-code-fails-with-gcc-6.patch \
+           file://CVE-2016-6354.patch \
            ${@bb.utils.contains('PTEST_ENABLED', '1', '', 'file://disable-tests.patch', d)} \
            "
 
-- 
2.1.4

[PATCH 4/4] depexp: Close UI with error message on NoProvider event

[Jussi Kukkonen]

Without this the UI just sits there doing nothing. Showing an
infobar in-UI would be nicer but not much more useful since currently
user couldn't do anything in-UI to fix the situation. Implementation
is based on the one in knotty.

Fixes [YOCTO #9288]

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
 bitbake/lib/bb/ui/depexp.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/bitbake/lib/bb/ui/depexp.py b/bitbake/lib/bb/ui/depexp.py
index 995703d..d879e04 100644
--- a/bitbake/lib/bb/ui/depexp.py
+++ b/bitbake/lib/bb/ui/depexp.py
@@ -301,6 +301,30 @@ def main(server, eventHandler, params):
             if isinstance(event, bb.command.CommandCompleted):
                 continue
 
+            if isinstance(event, bb.event.NoProvider):
+                if event._runtime:
+                    r = "R"
+                else:
+                    r = ""
+
+                extra = ''
+                if not event._reasons:
+                    if event._close_matches:
+                        extra = ". Close matches:\n  %s" % '\n  '.join(event._close_matches)
+
+                if event._dependees:
+                    print("Nothing %sPROVIDES '%s' (but %s %sDEPENDS on or otherwise requires it)%s" % r, event._item, ", ".join(event._dependees), r, extra)
+                else:
+                    print("Nothing %sPROVIDES '%s'%s" % (r, event._item, extra))
+                if event._reasons:
+                    for reason in event._reasons:
+                        print(reason)
+
+                _, error = server.runCommand(["stateShutdown"])
+                if error:
+                    print('Unable to cleanly shutdown: %s' % error)
+                break
+
             if isinstance(event, bb.command.CommandFailed):
                 print("Command execution failed: %s" % event.error)
                 return event.exitcode
-- 
2.1.4

[PATCH 0/4] flex & gnutls fixes

[Jussi Kukkonen]

Backported cve fixes for flex and gnutls.

Also minor improvement to error handling in depexp.

 - Jussi



The following changes since commit b9d6a7cc234f44e44e5421191924b7463e9c0a9d:

  bitbake: main: Check bitbake server-only port is a number (2016-10-09 12:33:26 +0100)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib jku/m4-fixes
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jku/m4-fixes

Jussi Kukkonen (4):
  gnutls: Backport certificate check fix
  flex: Update upstream check uri
  flex: Backport buffer overflow fix
  depexp: Close UI with error message on NoProvider event

 bitbake/lib/bb/ui/depexp.py                        | 24 +++++++++
 .../recipes-devtools/flex/flex/CVE-2016-6354.patch | 59 ++++++++++++++++++++++
 meta/recipes-devtools/flex/flex_2.6.0.bb           |  3 ++
 .../gnutls/gnutls/CVE-2016-7444.patch              | 35 +++++++++++++
 meta/recipes-support/gnutls/gnutls_3.5.3.bb        |  1 +
 5 files changed, 122 insertions(+)
 create mode 100644 meta/recipes-devtools/flex/flex/CVE-2016-6354.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2016-7444.patch

-- 
2.1.4