* [OE-core][dunfell 01/22] ruby/cgi-gem: CVE-2021-33621 HTTP response splitting in CGI
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Upstream-Status: Backport from https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ruby/ruby/CVE-2021-33621.patch | 139 ++++++++++++++++++
meta/recipes-devtools/ruby/ruby_2.7.6.bb | 1 +
2 files changed, 140 insertions(+)
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch b/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch
new file mode 100644
index 0000000000..cc2f9853db
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2021-33621.patch
@@ -0,0 +1,139 @@
+From 64c5045c0a6b84fdb938a8465a0890e5f7162708 Mon Sep 17 00:00:00 2001
+From: Yusuke Endoh <mame@ruby-lang.org>
+Date: Tue, 22 Nov 2022 10:49:27 +0900
+Subject: [PATCH] Prevent CRLF injection
+
+Throw a RuntimeError if the HTTP response header contains CR or LF to
+prevent HTTP response splitting.
+
+https://hackerone.com/reports/1204695
+
+Upstream-Status: Backport [https://github.com/ruby/cgi/commit/64c5045c0a6b84fdb938a8465a0890e5f7162708]
+CVE: CVE-2021-33621
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ lib/cgi/core.rb | 45 +++++++++++++++++++++++--------------
+ test/cgi/test_cgi_header.rb | 8 +++++++
+ 2 files changed, 36 insertions(+), 17 deletions(-)
+
+diff --git a/lib/cgi/core.rb b/lib/cgi/core.rb
+index bec76e0..62e6068 100644
+--- a/lib/cgi/core.rb
++++ b/lib/cgi/core.rb
+@@ -188,17 +188,28 @@ class CGI
+ # Using #header with the HTML5 tag maker will create a <header> element.
+ alias :header :http_header
+
++ def _no_crlf_check(str)
++ if str
++ str = str.to_s
++ raise "A HTTP status or header field must not include CR and LF" if str =~ /[\r\n]/
++ str
++ else
++ nil
++ end
++ end
++ private :_no_crlf_check
++
+ def _header_for_string(content_type) #:nodoc:
+ buf = ''.dup
+ if nph?()
+- buf << "#{$CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'} 200 OK#{EOL}"
++ buf << "#{_no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'} 200 OK#{EOL}"
+ buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
+- buf << "Server: #{$CGI_ENV['SERVER_SOFTWARE']}#{EOL}"
++ buf << "Server: #{_no_crlf_check($CGI_ENV['SERVER_SOFTWARE'])}#{EOL}"
+ buf << "Connection: close#{EOL}"
+ end
+- buf << "Content-Type: #{content_type}#{EOL}"
++ buf << "Content-Type: #{_no_crlf_check(content_type)}#{EOL}"
+ if @output_cookies
+- @output_cookies.each {|cookie| buf << "Set-Cookie: #{cookie}#{EOL}" }
++ @output_cookies.each {|cookie| buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}" }
+ end
+ return buf
+ end # _header_for_string
+@@ -213,9 +224,9 @@ class CGI
+ ## NPH
+ options.delete('nph') if defined?(MOD_RUBY)
+ if options.delete('nph') || nph?()
+- protocol = $CGI_ENV['SERVER_PROTOCOL'] || 'HTTP/1.0'
++ protocol = _no_crlf_check($CGI_ENV['SERVER_PROTOCOL']) || 'HTTP/1.0'
+ status = options.delete('status')
+- status = HTTP_STATUS[status] || status || '200 OK'
++ status = HTTP_STATUS[status] || _no_crlf_check(status) || '200 OK'
+ buf << "#{protocol} #{status}#{EOL}"
+ buf << "Date: #{CGI.rfc1123_date(Time.now)}#{EOL}"
+ options['server'] ||= $CGI_ENV['SERVER_SOFTWARE'] || ''
+@@ -223,38 +234,38 @@ class CGI
+ end
+ ## common headers
+ status = options.delete('status')
+- buf << "Status: #{HTTP_STATUS[status] || status}#{EOL}" if status
++ buf << "Status: #{HTTP_STATUS[status] || _no_crlf_check(status)}#{EOL}" if status
+ server = options.delete('server')
+- buf << "Server: #{server}#{EOL}" if server
++ buf << "Server: #{_no_crlf_check(server)}#{EOL}" if server
+ connection = options.delete('connection')
+- buf << "Connection: #{connection}#{EOL}" if connection
++ buf << "Connection: #{_no_crlf_check(connection)}#{EOL}" if connection
+ type = options.delete('type')
+- buf << "Content-Type: #{type}#{EOL}" #if type
++ buf << "Content-Type: #{_no_crlf_check(type)}#{EOL}" #if type
+ length = options.delete('length')
+- buf << "Content-Length: #{length}#{EOL}" if length
++ buf << "Content-Length: #{_no_crlf_check(length)}#{EOL}" if length
+ language = options.delete('language')
+- buf << "Content-Language: #{language}#{EOL}" if language
++ buf << "Content-Language: #{_no_crlf_check(language)}#{EOL}" if language
+ expires = options.delete('expires')
+ buf << "Expires: #{CGI.rfc1123_date(expires)}#{EOL}" if expires
+ ## cookie
+ if cookie = options.delete('cookie')
+ case cookie
+ when String, Cookie
+- buf << "Set-Cookie: #{cookie}#{EOL}"
++ buf << "Set-Cookie: #{_no_crlf_check(cookie)}#{EOL}"
+ when Array
+ arr = cookie
+- arr.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
++ arr.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+ when Hash
+ hash = cookie
+- hash.each_value {|c| buf << "Set-Cookie: #{c}#{EOL}" }
++ hash.each_value {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+ end
+ end
+ if @output_cookies
+- @output_cookies.each {|c| buf << "Set-Cookie: #{c}#{EOL}" }
++ @output_cookies.each {|c| buf << "Set-Cookie: #{_no_crlf_check(c)}#{EOL}" }
+ end
+ ## other headers
+ options.each do |key, value|
+- buf << "#{key}: #{value}#{EOL}"
++ buf << "#{_no_crlf_check(key)}: #{_no_crlf_check(value)}#{EOL}"
+ end
+ return buf
+ end # _header_for_hash
+diff --git a/test/cgi/test_cgi_header.rb b/test/cgi/test_cgi_header.rb
+index bab2d03..ec2f4de 100644
+--- a/test/cgi/test_cgi_header.rb
++++ b/test/cgi/test_cgi_header.rb
+@@ -176,6 +176,14 @@ class CGIHeaderTest < Test::Unit::TestCase
+ end
+
+
++ def test_cgi_http_header_crlf_injection
++ cgi = CGI.new
++ assert_raise(RuntimeError) { cgi.http_header("text/xhtml\r\nBOO") }
++ assert_raise(RuntimeError) { cgi.http_header("type" => "text/xhtml\r\nBOO") }
++ assert_raise(RuntimeError) { cgi.http_header("status" => "200 OK\r\nBOO") }
++ assert_raise(RuntimeError) { cgi.http_header("location" => "text/xhtml\r\nBOO") }
++ end
++
+
+ instance_methods.each do |method|
+ private method if method =~ /^test_(.*)/ && $1 != ENV['TEST']
+--
+2.25.1
+
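Review bot: The added test `test_cgi_http_header_crlf_injection` covers only the content-type string, `type`, `status` and one extra-header value, so the new `_no_crlf_check(key)` call in the "other headers" loop and every `Set-Cookie` call in `_header_for_hash` are not pinned by any assertion. Two more cases in the same shape would cover them, for example `assert_raise(RuntimeError) { cgi.http_header("x-test\r\nBOO" => "v") }` and `assert_raise(RuntimeError) { cgi.http_header("cookie" => "a=b\r\nBOO") }` (constructed values). The error text in `_no_crlf_check` also reads "must not include CR and LF" although the regexp `/[\r\n]/` rejects either character alone; "CR or LF" would match the behaviour. `_header_for_hash` begins outside the hunks shown, so anything it does before the NPH block is not reviewed here.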
diff --git a/meta/recipes-devtools/ruby/ruby_2.7.6.bb b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
index 91ffde5fa3..7e6373bd24 100644
--- a/meta/recipes-devtools/ruby/ruby_2.7.6.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
@@ -8,6 +8,7 @@ SRC_URI += " \
file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \
file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
file://CVE-2023-28756.patch \
+ file://CVE-2021-33621.patch \
"
SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042"
--
2.34.1
* [OE-core][dunfell 02/22] python3: ignore CVE-2023-36632
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This CVE shouldn't have been filed as the "exploit" is described in the
documentation as how the library behaves.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/python/python3_3.8.17.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-devtools/python/python3_3.8.17.bb b/meta/recipes-devtools/python/python3_3.8.17.bb
index 8c00d65794..00c4ff497a 100644
--- a/meta/recipes-devtools/python/python3_3.8.17.bb
+++ b/meta/recipes-devtools/python/python3_3.8.17.bb
@@ -61,6 +61,8 @@ CVE_CHECK_WHITELIST += "CVE-2020-15523 CVE-2022-26488"
# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
# The module will be removed in the future and flaws documented.
CVE_CHECK_WHITELIST += "CVE-2015-20107"
+# Not an issue, in fact expected behaviour
+CVE_CHECK_WHITELIST += "CVE-2023-36632"
PYTHON_MAJMIN = "3.8"
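Review bot: The comment added above the new `CVE_CHECK_WHITELIST` entry, `# Not an issue, in fact expected behaviour`, does not say which module or which documented behaviour the decision rests on, so a later audit cannot re-check the exemption without digging up this commit message. The neighbouring CVE-2015-20107 entry names the module and the reason; the same form would fit here, e.g. `# <module>: reported behaviour is documented upstream as expected (<documentation or upstream issue link>)`, with the placeholders filled from the upstream discussion.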
--
2.34.1
* [OE-core][dunfell 03/22] libjpeg-turbo: patch CVE-2023-2804
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Relevant links:
* linked from NVD:
* https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1492586118
* follow-up analysis:
* https://github.com/libjpeg-turbo/libjpeg-turbo/issues/668#issuecomment-1496473989
* picked commits fix all issues mentioned in this analysis
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../jpeg/files/CVE-2023-2804-1.patch | 97 +++++++++++++++++++
.../jpeg/files/CVE-2023-2804-2.patch | 75 ++++++++++++++
.../jpeg/libjpeg-turbo_2.0.4.bb | 2 +
3 files changed, 174 insertions(+)
create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
new file mode 100644
index 0000000000..6668f6e41d
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-1.patch
@@ -0,0 +1,97 @@
+From 9679473547874c472569d54fecce32b463999a9d Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Tue, 4 Apr 2023 19:06:20 -0500
+Subject: [PATCH] Decomp: Don't enable 2-pass color quant w/ RGB565
+
+The 2-pass color quantization algorithm assumes 3-sample pixels. RGB565
+is the only 3-component colorspace that doesn't have 3-sample pixels, so
+we need to treat it as a special case when determining whether to enable
+2-pass color quantization. Otherwise, attempting to initialize 2-pass
+color quantization with an RGB565 output buffer could cause
+prescan_quantize() to read from uninitialized memory and subsequently
+underflow/overflow the histogram array.
+
+djpeg is supposed to fail gracefully if both -rgb565 and -colors are
+specified, because none of its destination managers (image writers)
+support color quantization with RGB565. However, prescan_quantize() was
+called before that could occur. It is possible but very unlikely that
+these issues could have been reproduced in applications other than
+djpeg. The issues involve the use of two features (12-bit precision and
+RGB565) that are incompatible, and they also involve the use of two
+rarely-used legacy features (RGB565 and color quantization) that don't
+make much sense when combined.
+
+Fixes #668
+Fixes #671
+Fixes #680
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9679473547874c472569d54fecce32b463999a9d]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md | 6 ++++++
+ jdmaster.c | 5 +++--
+ jquant2.c | 5 +++--
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index e605abe73..de0c4d0dd 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -1,3 +1,9 @@ quality values.
++9. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
++overruns when attempting to decompress various specially-crafted malformed
++12-bit-per-component JPEG images using a 12-bit-per-component build of djpeg
++(`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
++enabled.
++
+ 2.0.4
+ =====
+
+diff --git a/jdmaster.c b/jdmaster.c
+index b20906438..8d8ef9956 100644
+--- a/jdmaster.c
++++ b/jdmaster.c
+@@ -5,7 +5,7 @@
+ * Copyright (C) 1991-1997, Thomas G. Lane.
+ * Modified 2002-2009 by Guido Vollbeding.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2009-2011, 2016, D. R. Commander.
++ * Copyright (C) 2009-2011, 2016, 2023, D. R. Commander.
+ * Copyright (C) 2013, Linaro Limited.
+ * Copyright (C) 2015, Google, Inc.
+ * For conditions of distribution and use, see the accompanying README.ijg
+@@ -492,7 +492,8 @@ master_selection(j_decompress_ptr cinfo)
+ if (cinfo->raw_data_out)
+ ERREXIT(cinfo, JERR_NOTIMPL);
+ /* 2-pass quantizer only works in 3-component color space. */
+- if (cinfo->out_color_components != 3) {
++ if (cinfo->out_color_components != 3 ||
++ cinfo->out_color_space == JCS_RGB565) {
+ cinfo->enable_1pass_quant = TRUE;
+ cinfo->enable_external_quant = FALSE;
+ cinfo->enable_2pass_quant = FALSE;
+diff --git a/jquant2.c b/jquant2.c
+index 6570613bb..c760380fb 100644
+--- a/jquant2.c
++++ b/jquant2.c
+@@ -4,7 +4,7 @@
+ * This file was part of the Independent JPEG Group's software:
+ * Copyright (C) 1991-1996, Thomas G. Lane.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2009, 2014-2015, D. R. Commander.
++ * Copyright (C) 2009, 2014-2015, 2020, 2023, D. R. Commander.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+ *
+@@ -1230,7 +1230,8 @@ jinit_2pass_quantizer(j_decompress_ptr cinfo)
+ cquantize->error_limiter = NULL;
+
+ /* Make sure jdmaster didn't give me a case I can't handle */
+- if (cinfo->out_color_components != 3)
++ if (cinfo->out_color_components != 3 ||
++ cinfo->out_color_space == JCS_RGB565)
+ ERREXIT(cinfo, JERR_NOTIMPL);
+
+ /* Allocate the histogram/inverse colormap storage */
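Review bot: The comment kept above the widened condition in `master_selection()` (jdmaster.c) still says `/* 2-pass quantizer only works in 3-component color space. */`, which no longer explains the new `cinfo->out_color_space == JCS_RGB565` term. RGB565 is a 3-component colorspace, so a reader could take the extra test for redundant and drop it; per the commit message, the quantizer assumes 3-sample pixels and RGB565 is the exception. I would extend it to `/* 2-pass quantizer only works with 3-component, 3-sample pixels; RGB565 has 3 components but is not 3-sample. */` and add the same reason to the "Make sure jdmaster didn't give me a case I can't handle" check in `jinit_2pass_quantizer()` (jquant2.c). Both functions begin and end outside the hunks shown.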
diff --git a/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
new file mode 100644
index 0000000000..bcba0b513d
--- /dev/null
+++ b/meta/recipes-graphics/jpeg/files/CVE-2023-2804-2.patch
@@ -0,0 +1,75 @@
+From 0deab87e24ab3106d5332205f829d1846fa65001 Mon Sep 17 00:00:00 2001
+From: DRC <information@libjpeg-turbo.org>
+Date: Thu, 6 Apr 2023 18:33:41 -0500
+Subject: [PATCH] jpeg_crop_scanline: Fix calc w/sclg + 2x4,4x2 samp
+
+When computing the downsampled width for a particular component,
+jpeg_crop_scanline() needs to take into account the fact that the
+libjpeg code uses a combination of IDCT scaling and upsampling to
+implement 4x2 and 2x4 upsampling with certain decompression scaling
+factors. Failing to account for that led to incomplete upsampling of
+4x2- or 2x4-subsampled components, which caused the color converter to
+read from uninitialized memory. With 12-bit data precision, this caused
+a buffer overrun or underrun and subsequent segfault if the
+uninitialized memory contained a value that was outside of the valid
+sample range (because the color converter uses the value as an array
+index.)
+
+Fixes #669
+
+CVE: CVE-2023-2804
+Upstream-Status: Backport [https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0deab87e24ab3106d5332205f829d1846fa65001]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ ChangeLog.md | 8 ++++++++
+ jdapistd.c | 10 ++++++----
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/ChangeLog.md b/ChangeLog.md
+index de0c4d0dd..159bd1610 100644
+--- a/ChangeLog.md
++++ b/ChangeLog.md
+@@ -4,6 +4,14 @@ overruns when attempting to decompress various specially-crafted malformed
+ (`-DWITH_12BIT=1`) with both color quantization and RGB565 color conversion
+ enabled.
+
++10. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
++downsampled width for components with 4x2 or 2x4 subsampling factors if
++decompression scaling was enabled. This caused the components to be upsampled
++incompletely, which caused the color converter to read from uninitialized
++memory. With 12-bit data precision, this caused a buffer overrun or underrun
++and subsequent segfault if the sample value read from unitialized memory was
++outside of the valid sample range.
++
+ 2.0.4
+ =====
+
+diff --git a/jdapistd.c b/jdapistd.c
+index 628626254..eb577928c 100644
+--- a/jdapistd.c
++++ b/jdapistd.c
+@@ -4,7 +4,7 @@
+ * This file was part of the Independent JPEG Group's software:
+ * Copyright (C) 1994-1996, Thomas G. Lane.
+ * libjpeg-turbo Modifications:
+- * Copyright (C) 2010, 2015-2018, 2020, D. R. Commander.
++ * Copyright (C) 2010, 2015-2018, 2020, 2023, D. R. Commander.
+ * Copyright (C) 2015, Google, Inc.
+ * For conditions of distribution and use, see the accompanying README.ijg
+ * file.
+@@ -225,9 +225,11 @@ jpeg_crop_scanline(j_decompress_ptr cinfo, JDIMENSION *xoffset,
+ /* Set downsampled_width to the new output width. */
+ orig_downsampled_width = compptr->downsampled_width;
+ compptr->downsampled_width =
+- (JDIMENSION)jdiv_round_up((long)(cinfo->output_width *
+- compptr->h_samp_factor),
+- (long)cinfo->max_h_samp_factor);
++ (JDIMENSION)jdiv_round_up((long)cinfo->output_width *
++ (long)(compptr->h_samp_factor *
++ compptr->_DCT_scaled_size),
++ (long)(cinfo->max_h_samp_factor *
++ cinfo->_min_DCT_scaled_size));
+ if (compptr->downsampled_width < 2 && orig_downsampled_width >= 2)
+ reinit_upsampler = TRUE;
+
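Review bot: The rewritten `jdiv_round_up()` call in `jpeg_crop_scanline()` is still introduced only by `/* Set downsampled_width to the new output width. */`, so the reason `_DCT_scaled_size` and `_min_DCT_scaled_size` now appear in the ratio lives in the commit message alone. A short comment such as `/* Include the IDCT scaling factors: 4x2 and 2x4 upsampling is partly done by IDCT scaling, so h_samp_factor alone gives the wrong width. */` would keep a later cleanup from simplifying the expression back to the form that left components incompletely upsampled. The function body continues outside the hunk.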
diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
index 630b20300f..fda425c219 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_2.0.4.bb
@@ -16,6 +16,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}-${PV}.tar.gz \
file://CVE-2021-46822.patch \
file://CVE-2020-35538-1.patch \
file://CVE-2020-35538-2.patch \
+ file://CVE-2023-2804-1.patch \
+ file://CVE-2023-2804-2.patch \
"
SRC_URI[md5sum] = "d01d9e0c28c27bc0de9f4e2e8ff49855"
--
2.34.1
* [OE-core][dunfell 04/22] go: fix CVE-2023-29406 net/http: insufficient sanitization of Host header
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.14.inc | 1 +
.../go/go-1.14/CVE-2023-29406.patch | 212 ++++++++++++++++++
2 files changed, 213 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 33b53b1a34..b2cf805d2d 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -68,6 +68,7 @@ SRC_URI += "\
file://CVE-2023-29402.patch \
file://CVE-2023-29404.patch \
file://CVE-2023-29400.patch \
+ file://CVE-2023-29406.patch \
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch
new file mode 100644
index 0000000000..080def4682
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29406.patch
@@ -0,0 +1,212 @@
+From 5fa6923b1ea891400153d04ddf1545e23b40041b Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 28 Jun 2023 13:20:08 -0700
+Subject: [PATCH] [release-branch.go1.19] net/http: validate Host header before
+ sending
+
+Verify that the Host header we send is valid.
+Avoids surprising behavior such as a Host of "go.dev\r\nX-Evil:oops"
+adding an X-Evil header to HTTP/1 requests.
+
+Add a test, skip the test for HTTP/2. HTTP/2 is not vulnerable to
+header injection in the way HTTP/1 is, but x/net/http2 doesn't validate
+the header and will go into a retry loop when the server rejects it.
+CL 506995 adds the necessary validation to x/net/http2.
+
+Updates #60374
+Fixes #61075
+For CVE-2023-29406
+
+Change-Id: I05cb6866a9bead043101954dfded199258c6dd04
+Reviewed-on: https://go-review.googlesource.com/c/go/+/506996
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+(cherry picked from commit 499458f7ca04087958987a33c2703c3ef03e27e2)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/507358
+Run-TryBot: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/5fa6923b1ea891400153d04ddf1545e23b40041b]
+CVE: CVE-2023-29406
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/net/http/http_test.go | 29 ---------------------
+ src/net/http/request.go | 47 ++++++++--------------------------
+ src/net/http/request_test.go | 11 ++------
+ src/net/http/transport_test.go | 18 +++++++++++++
+ 4 files changed, 31 insertions(+), 74 deletions(-)
+
+diff --git a/src/net/http/http_test.go b/src/net/http/http_test.go
+index f4ea52d..ea38cb4 100644
+--- a/src/net/http/http_test.go
++++ b/src/net/http/http_test.go
+@@ -49,35 +49,6 @@ func TestForeachHeaderElement(t *testing.T) {
+ }
+ }
+
+-func TestCleanHost(t *testing.T) {
+- tests := []struct {
+- in, want string
+- }{
+- {"www.google.com", "www.google.com"},
+- {"www.google.com foo", "www.google.com"},
+- {"www.google.com/foo", "www.google.com"},
+- {" first character is a space", ""},
+- {"[1::6]:8080", "[1::6]:8080"},
+-
+- // Punycode:
+- {"гофер.рф/foo", "xn--c1ae0ajs.xn--p1ai"},
+- {"bücher.de", "xn--bcher-kva.de"},
+- {"bücher.de:8080", "xn--bcher-kva.de:8080"},
+- // Verify we convert to lowercase before punycode:
+- {"BÜCHER.de", "xn--bcher-kva.de"},
+- {"BÜCHER.de:8080", "xn--bcher-kva.de:8080"},
+- // Verify we normalize to NFC before punycode:
+- {"gophér.nfc", "xn--gophr-esa.nfc"}, // NFC input; no work needed
+- {"goph\u0065\u0301r.nfd", "xn--gophr-esa.nfd"}, // NFD input
+- }
+- for _, tt := range tests {
+- got := cleanHost(tt.in)
+- if tt.want != got {
+- t.Errorf("cleanHost(%q) = %q, want %q", tt.in, got, tt.want)
+- }
+- }
+-}
+-
+ // Test that cmd/go doesn't link in the HTTP server.
+ //
+ // This catches accidental dependencies between the HTTP transport and
+diff --git a/src/net/http/request.go b/src/net/http/request.go
+index cb2edd2..2706300 100644
+--- a/src/net/http/request.go
++++ b/src/net/http/request.go
+@@ -18,7 +18,6 @@ import (
+ "io/ioutil"
+ "mime"
+ "mime/multipart"
+- "net"
+ "net/http/httptrace"
+ "net/textproto"
+ "net/url"
+@@ -26,7 +25,8 @@ import (
+ "strconv"
+ "strings"
+ "sync"
+-
++
++ "golang.org/x/net/http/httpguts"
+ "golang.org/x/net/idna"
+ )
+
+@@ -557,12 +557,19 @@ func (r *Request) write(w io.Writer, usingProxy bool, extraHeaders Header, waitF
+ // is not given, use the host from the request URL.
+ //
+ // Clean the host, in case it arrives with unexpected stuff in it.
+- host := cleanHost(r.Host)
++ host := r.Host
+ if host == "" {
+ if r.URL == nil {
+ return errMissingHost
+ }
+- host = cleanHost(r.URL.Host)
++ host = r.URL.Host
++ }
++ host, err = httpguts.PunycodeHostPort(host)
++ if err != nil {
++ return err
++ }
++ if !httpguts.ValidHostHeader(host) {
++ return errors.New("http: invalid Host header")
+ }
+
+ // According to RFC 6874, an HTTP client, proxy, or other
+@@ -717,38 +724,6 @@ func idnaASCII(v string) (string, error) {
+ return idna.Lookup.ToASCII(v)
+ }
+
+-// cleanHost cleans up the host sent in request's Host header.
+-//
+-// It both strips anything after '/' or ' ', and puts the value
+-// into Punycode form, if necessary.
+-//
+-// Ideally we'd clean the Host header according to the spec:
+-// https://tools.ietf.org/html/rfc7230#section-5.4 (Host = uri-host [ ":" port ]")
+-// https://tools.ietf.org/html/rfc7230#section-2.7 (uri-host -> rfc3986's host)
+-// https://tools.ietf.org/html/rfc3986#section-3.2.2 (definition of host)
+-// But practically, what we are trying to avoid is the situation in
+-// issue 11206, where a malformed Host header used in the proxy context
+-// would create a bad request. So it is enough to just truncate at the
+-// first offending character.
+-func cleanHost(in string) string {
+- if i := strings.IndexAny(in, " /"); i != -1 {
+- in = in[:i]
+- }
+- host, port, err := net.SplitHostPort(in)
+- if err != nil { // input was just a host
+- a, err := idnaASCII(in)
+- if err != nil {
+- return in // garbage in, garbage out
+- }
+- return a
+- }
+- a, err := idnaASCII(host)
+- if err != nil {
+- return in // garbage in, garbage out
+- }
+- return net.JoinHostPort(a, port)
+-}
+-
+ // removeZone removes IPv6 zone identifier from host.
+ // E.g., "[fe80::1%en0]:8080" to "[fe80::1]:8080"
+ func removeZone(host string) string {
+diff --git a/src/net/http/request_test.go b/src/net/http/request_test.go
+index 461d66e..0d417ff 100644
+--- a/src/net/http/request_test.go
++++ b/src/net/http/request_test.go
+@@ -676,15 +676,8 @@ func TestRequestBadHost(t *testing.T) {
+ }
+ req.Host = "foo.com with spaces"
+ req.URL.Host = "foo.com with spaces"
+- req.Write(logWrites{t, &got})
+- want := []string{
+- "GET /after HTTP/1.1\r\n",
+- "Host: foo.com\r\n",
+- "User-Agent: " + DefaultUserAgent + "\r\n",
+- "\r\n",
+- }
+- if !reflect.DeepEqual(got, want) {
+- t.Errorf("Writes = %q\n Want = %q", got, want)
++ if err := req.Write(logWrites{t, &got}); err == nil {
++ t.Errorf("Writing request with invalid Host: succeded, want error")
+ }
+ }
+
+diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
+index fa0c370..0afb6b9 100644
+--- a/src/net/http/transport_test.go
++++ b/src/net/http/transport_test.go
+@@ -6249,3 +6249,21 @@ func TestIssue32441(t *testing.T) {
+ t.Error(err)
+ }
+ }
++
++func TestRequestSanitization(t *testing.T) {
++ setParallel(t)
++ defer afterTest(t)
++
++ ts := newClientServerTest(t, h1Mode, HandlerFunc(func(rw ResponseWriter, req *Request) {
++ if h, ok := req.Header["X-Evil"]; ok {
++ t.Errorf("request has X-Evil header: %q", h)
++ }
++ })).ts
++ defer ts.Close()
++ req, _ := NewRequest("GET", ts.URL, nil)
++ req.Host = "go.dev\r\nX-Evil:evil"
++ resp, _ := ts.Client().Do(req)
++ if resp != nil {
++ resp.Body.Close()
++ }
++}
+--
+2.25.1
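Review bot: In `(*Request).write` (request.go) the comment kept above the new code still reads `// Clean the host, in case it arrives with unexpected stuff in it.`, but the host is no longer cleaned: a value that fails `httpguts.ValidHostHeader` now returns `http: invalid Host header` instead of being truncated at the first space or slash. That is a behaviour change for callers on a stable branch, as the rewritten `TestRequestBadHost` shows, and the comment should say so, e.g. `// Validate the host; an invalid Host header is rejected, not truncated.`. `TestRequestSanitization` also discards the error from `ts.Client().Do(req)`, so it only checks that the server never sees `X-Evil`; asserting a non-nil error there would presumably pin the client-side rejection as well. `write` begins and ends outside the hunk.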
--
2.34.1
* [OE-core][dunfell 05/22] libarchive: ignore CVE-2023-30571
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This issue was reported and discussed under [1], which is linked in the NVD CVE report.
It was already documented that some parts of libarchive are thread safe and some are not.
[2] was now merged to document that the reported function is also not thread safe.
So this CVE *now* reports a thread race condition for a non-thread-safe function.
And as such the CVE report is now invalid.
The issue is still not closed for 2 reasons:
* better document what is and what is not thread safe
* request to the public whether someone could make these functions thread safe
This should however not invalidate the above statement about ignoring this CVE.
[1] https://github.com/libarchive/libarchive/issues/1876
[2] https://github.com/libarchive/libarchive/pull/1875
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/libarchive/libarchive_3.4.2.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
index 582787d3f3..728eedc401 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.4.2.bb
@@ -46,6 +46,9 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
SRC_URI[md5sum] = "d953ed6b47694dadf0e6042f8f9ff451"
SRC_URI[sha256sum] = "b60d58d12632ecf1e8fad7316dc82c6b9738a35625746b47ecdcaf4aed176176"
+# upstream-wontfix: upstream has documented that reported function is not thread-safe
+CVE_CHECK_WHITELIST += "CVE-2023-30571"
+
inherit autotools update-alternatives pkgconfig
CPPFLAGS += "-I${WORKDIR}/extra-includes"
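Review bot: The new comment `# upstream-wontfix: upstream has documented that reported function is not thread-safe` gives the reason but not the reference, while the commit message notes that the upstream issue is still open and may yet lead to the functions being made thread safe. Adding the link to the comment, e.g. `# see https://github.com/libarchive/libarchive/issues/1876`, would let whoever next upgrades libarchive re-check whether the exemption still holds.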
--
2.34.1
* [OE-core][dunfell 06/22] libpcre2: patch CVE-2022-41409
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Backport commit mentioned in NVD DB links.
https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libpcre/libpcre2/CVE-2022-41409.patch | 74 +++++++++++++++++++
.../recipes-support/libpcre/libpcre2_10.34.bb | 1 +
2 files changed, 75 insertions(+)
create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch
new file mode 100644
index 0000000000..882277ae73
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch
@@ -0,0 +1,74 @@
+From 94e1c001761373b7d9450768aa15d04c25547a35 Mon Sep 17 00:00:00 2001
+From: Philip Hazel <Philip.Hazel@gmail.com>
+Date: Tue, 16 Aug 2022 17:00:45 +0100
+Subject: [PATCH] Diagnose negative repeat value in pcre2test subject line
+
+CVE: CVE-2022-41409
+Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+
+---
+ ChangeLog | 3 +++
+ src/pcre2test.c | 4 ++--
+ testdata/testinput2 | 3 +++
+ testdata/testoutput2 | 4 ++++
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index eab50eb7..276eb57a 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -7,6 +7,9 @@ fully read in caseless matching.
+ 24. Fixed an issue affecting recursions in JIT caused by duplicated data
+ transfers.
+
++20. A negative repeat value in a pcre2test subject line was not being
++diagnosed, leading to infinite looping.
++
+
+ Version 10.34 21-November-2019
+ ------------------------------
+diff --git a/src/pcre2test.c b/src/pcre2test.c
+index 08f86096..f6f5d66c 100644
+--- a/src/pcre2test.c
++++ b/src/pcre2test.c
+@@ -6700,9 +6700,9 @@ while ((c = *p++) != 0)
+ }
+
+ i = (int32_t)li;
+- if (i-- == 0)
++ if (i-- <= 0)
+ {
+- fprintf(outfile, "** Zero repeat not allowed\n");
++ fprintf(outfile, "** Zero or negative repeat not allowed\n");
+ return PR_OK;
+ }
+
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 655e519..14e00ed 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -5772,4 +5772,7 @@ a)"xI
+ /(a)?a/I
+ manm
+
++--
++ \[X]{-10}
++
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index c733c12..958f246 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -17435,6 +17435,10 @@ Subject length lower bound = 1
+ manm
+ 0: a
+
++--
++ \[X]{-10}
++** Zero or negative repeat not allowed
++
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
diff --git a/meta/recipes-support/libpcre/libpcre2_10.34.bb b/meta/recipes-support/libpcre/libpcre2_10.34.bb
index 254badf6f6..3e1b001c32 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.34.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.34.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/pcre2-${PV}.tar.bz2
file://pcre-cross.patch \
file://CVE-2022-1586.patch \
file://CVE-2022-1587.patch \
+ file://CVE-2022-41409.patch \
"
SRC_URI[md5sum] = "d280b62ded13f9ccf2fac16ee5286366"
--
2.34.1
* [OE-core][dunfell 07/22] tiff: fix multiple CVEs
2023-08-13 21:18 [OE-core][dunfell 00/22] Patch review Steve Sakoman
` (5 preceding siblings ...)
2023-08-13 21:18 ` [OE-core][dunfell 06/22] libpcre2: patch CVE-2022-41409 Steve Sakoman
@ 2023-08-13 21:18 ` Steve Sakoman
2023-08-13 21:18 ` [OE-core][dunfell 08/22] " Steve Sakoman
` (14 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Backport fixes for:
* CVE-2023-25433 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44
* CVE-2023-25434 & CVE-2023-25435 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38
* CVE-2023-26965 & CVE-2023-26966 - Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libtiff/files/CVE-2023-25433.patch | 173 ++++++++++++++++++
.../files/CVE-2023-25434-CVE-2023-25435.patch | 94 ++++++++++
.../libtiff/files/CVE-2023-26965.patch | 90 +++++++++
.../libtiff/files/CVE-2023-26966.patch | 35 ++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 4 +
5 files changed, 396 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch
new file mode 100644
index 0000000000..7d6d40f25a
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25433.patch
@@ -0,0 +1,173 @@
+From 9c22495e5eeeae9e00a1596720c969656bb8d678 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 3 Feb 2023 15:31:31 +0100
+Subject: [PATCH] tiffcrop correctly update buffersize after rotateImage()
+ fix#520 rotateImage() set up a new buffer and calculates its size
+ individually. Therefore, seg_buffs[] size needs to be updated accordingly.
+ Before this fix, the seg_buffs buffer size was calculated with a different
+ formula than within rotateImage().
+
+Closes #520.
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 && https://gitlab.com/libtiff/libtiff/-/commit/688012dca2c39033aa2dc7bcea9796787cfd1b44]
+CVE: CVE-2023-25433
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 69 +++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 56 insertions(+), 13 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 742615a..aab0ec6 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
+ uint32, uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+- unsigned char **, int);
++ unsigned char **, size_t *);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+ unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -6384,7 +6384,7 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
+ * but switch xres, yres there. */
+ uint32_t width = image->width;
+ uint32_t length = image->length;
+- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, TRUE))
++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
+ {
+ TIFFError ("correct_orientation", "Unable to rotate image");
+ return (-1);
+@@ -7607,8 +7607,12 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
++ /* rotateImage() set up a new buffer and calculates its size
++ * individually. Therefore, seg_buffs size needs to be updated
++ * accordingly. */
++ size_t rot_buf_size = 0;
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, &crop_buff, FALSE))
++ &crop->combined_length, &crop_buff, &rot_buf_size))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7713,8 +7717,13 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+- if (rotateImage(crop->rotation, image, &crop->regionlist[i].width,
+- &crop->regionlist[i].length, &crop_buff, FALSE))
++ /* Furthermore, rotateImage() set up a new buffer and calculates
++ * its size individually. Therefore, seg_buffs size needs to be
++ * updated accordingly. */
++ size_t rot_buf_size = 0;
++ if (rotateImage(
++ crop->rotation, image, &crop->regionlist[i].width,
++ &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7725,8 +7734,7 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ crop->combined_width = total_width;
+ crop->combined_length = total_length;
+ seg_buffs[i].buffer = crop_buff;
+- seg_buffs[i].size = (((crop->regionlist[i].width * image->bps + 7 ) / 8)
+- * image->spp) * crop->regionlist[i].length;
++ seg_buffs[i].size = rot_buf_size;
+ }
+ }
+ }
+@@ -7735,7 +7743,6 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+
+ /* Copy the crop section of the data from the current image into a buffer
+ * and adjust the IFD values to reflect the new size. If no cropping is
+- * required, use the origial read buffer as the crop buffer.
+ *
+ * There is quite a bit of redundancy between this routine and the more
+ * specialized processCropSelections, but this provides
+@@ -7846,7 +7853,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, crop_buff_ptr, TRUE))
++ &crop->combined_length, crop_buff_ptr, NULL))
+ {
+ TIFFError("createCroppedImage",
+ "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8515,7 +8522,8 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+ uint32 bytes_per_pixel, bytes_per_sample;
+ uint32 row, rowsize, src_offset, dst_offset;
+ uint32 i, col, width, length;
+- uint32 colsize, buffsize, col_offset, pix_offset;
++ uint32 colsize, col_offset, pix_offset;
++ tmsize_t buffsize;
+ unsigned char *ibuff;
+ unsigned char *src;
+ unsigned char *dst;
+@@ -8528,12 +8536,41 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+ spp = image->spp;
+ bps = image->bps;
+
++ if ((spp != 0 && bps != 0 &&
++ width > (uint32_t)((UINT32_MAX - 7) / spp / bps)) ||
++ (spp != 0 && bps != 0 &&
++ length > (uint32_t)((UINT32_MAX - 7) / spp / bps)))
++ {
++ TIFFError("rotateImage", "Integer overflow detected.");
++ return (-1);
++ }
++
+ rowsize = ((bps * spp * width) + 7) / 8;
+ colsize = ((bps * spp * length) + 7) / 8;
+ if ((colsize * width) > (rowsize * length))
+- buffsize = (colsize + 1) * width;
++{
++ if (((tmsize_t)colsize + 1) != 0 &&
++ (tmsize_t)width > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
++ ((tmsize_t)colsize + 1)))
++ {
++ TIFFError("rotateImage",
++ "Integer overflow when calculating buffer size.");
++ return (-1);
++ }
++ buffsize = ((tmsize_t)colsize + 1) * width;
++ }
+ else
+- buffsize = (rowsize + 1) * length;
++ {
++ if (((tmsize_t)rowsize + 1) != 0 &&
++ (tmsize_t)length > ((TIFF_TMSIZE_T_MAX - NUM_BUFF_OVERSIZE_BYTES) /
++ ((tmsize_t)rowsize + 1)))
++ {
++ TIFFError("rotateImage",
++ "Integer overflow when calculating buffer size.");
++ return (-1);
++ }
++ buffsize = (rowsize + 1) * length;
++ }
+
+ bytes_per_sample = (bps + 7) / 8;
+ bytes_per_pixel = ((bps * spp) + 7) / 8;
+@@ -8556,11 +8593,17 @@ rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+ /* Add 3 padding bytes for extractContigSamplesShifted32bits */
+ if (!(rbuff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES)))
+ {
+- TIFFError("rotateImage", "Unable to allocate rotation buffer of %1u bytes", buffsize + NUM_BUFF_OVERSIZE_BYTES);
++ TIFFError("rotateImage",
++ "Unable to allocate rotation buffer of %" TIFF_SSIZE_FORMAT
++ " bytes ",
++ buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ return (-1);
+ }
+ _TIFFmemset(rbuff, '\0', buffsize + NUM_BUFF_OVERSIZE_BYTES);
+
++ if (rot_buf_size != NULL)
++ *rot_buf_size = buffsize;
++
+ ibuff = *ibuff_ptr;
+ switch (rotation)
+ {
+--
+2.25.1
+
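Review bot: In the embedded rotateImage() hunk the else branch still computes `buffsize = (rowsize + 1) * length;` in 32-bit arithmetic, because `rowsize` and `length` are both `uint32`; the overflow check just above it is done in `tmsize_t`, so a product that passes the check can still wrap before it is stored and leave the rotation buffer undersized. The if branch already widens first, and the else branch should match it: `buffsize = ((tmsize_t)rowsize + 1) * length;`. The selector `(colsize * width) > (rowsize * length)` is likewise evaluated in `uint32`. The new code also reads `rot_buf_size`, which this patch adds to the prototype but not to the definition; the parameter only appears in CVE-2023-25434-CVE-2023-25435.patch, so the two files have to be applied together and in this order.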
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
new file mode 100644
index 0000000000..6a6596f092
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-25434-CVE-2023-25435.patch
@@ -0,0 +1,94 @@
+From 69818e2f2d246e6631ac2a2da692c3706b849c38 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Sun, 29 Jan 2023 11:09:26 +0100
+Subject: [PATCH] tiffcrop: Amend rotateImage() not to toggle the input (main)
+ image width and length parameters when only cropped image sections are
+ rotated. Remove buffptr from region structure because never used.
+
+Closes #492 #493 #494 #495 #499 #518 #519
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38]
+CVE: CVE-2023-25434 & CVE-2023-25435
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index aab0ec6..ce84414 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -531,7 +531,7 @@ static int rotateContigSamples24bits(uint16, uint16, uint16, uint32,
+ static int rotateContigSamples32bits(uint16, uint16, uint16, uint32,
+ uint32, uint32, uint8 *, uint8 *);
+ static int rotateImage(uint16, struct image_data *, uint32 *, uint32 *,
+- unsigned char **, size_t *);
++ unsigned char **, size_t *, int);
+ static int mirrorImage(uint16, uint16, uint16, uint32, uint32,
+ unsigned char *);
+ static int invertImage(uint16, uint16, uint16, uint32, uint32,
+@@ -6382,10 +6382,11 @@ static int correct_orientation(struct image_data *image, unsigned char **work_b
+ /* Dummy variable in order not to switch two times the
+ * image->width,->length within rotateImage(),
+ * but switch xres, yres there. */
+- uint32_t width = image->width;
+- uint32_t length = image->length;
+- if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL))
+- {
++ uint32_t width = image->width;
++ uint32_t length = image->length;
++ if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,
++ TRUE))
++ {
+ TIFFError ("correct_orientation", "Unable to rotate image");
+ return (-1);
+ }
+@@ -7612,7 +7613,8 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ * accordingly. */
+ size_t rot_buf_size = 0;
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, &crop_buff, &rot_buf_size))
++ &crop->combined_length, &crop_buff, &rot_buf_size,
++ FALSE))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate composite regions by %d degrees", crop->rotation);
+@@ -7721,9 +7723,10 @@ processCropSelections(struct image_data *image, struct crop_mask *crop,
+ * its size individually. Therefore, seg_buffs size needs to be
+ * updated accordingly. */
+ size_t rot_buf_size = 0;
+- if (rotateImage(
+- crop->rotation, image, &crop->regionlist[i].width,
+- &crop->regionlist[i].length, &crop_buff, &rot_buf_size))
++ if (rotateImage(crop->rotation, image,
++ &crop->regionlist[i].width,
++ &crop->regionlist[i].length, &crop_buff,
++ &rot_buf_size, FALSE))
+ {
+ TIFFError("processCropSelections",
+ "Failed to rotate crop region by %d degrees", crop->rotation);
+@@ -7853,7 +7856,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ if (crop->crop_mode & CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */
+ {
+ if (rotateImage(crop->rotation, image, &crop->combined_width,
+- &crop->combined_length, crop_buff_ptr, NULL))
++ &crop->combined_length, crop_buff_ptr, NULL, TRUE))
+ {
+ TIFFError("createCroppedImage",
+ "Failed to rotate image or cropped selection by %d degrees", crop->rotation);
+@@ -8515,8 +8518,10 @@ rotateContigSamples32bits(uint16 rotation, uint16 spp, uint16 bps, uint32 width,
+
+ /* Rotate an image by a multiple of 90 degrees clockwise */
+ static int
+-rotateImage(uint16 rotation, struct image_data *image, uint32 *img_width,
+- uint32 *img_length, unsigned char **ibuff_ptr, int rot_image_params)
++rotateImage(uint16 rotation, struct image_data *image,
++ uint32 *img_width, uint32 *img_length,
++ unsigned char **ibuff_ptr, size_t *rot_buf_size,
++ int rot_image_params)
+ {
+ int shift_width;
+ uint32 bytes_per_pixel, bytes_per_sample;
+--
+2.25.1
+
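Review bot: The header of this patch tags CVE-2023-25434 and CVE-2023-25435, but the visible hunks only re-thread the `rot_image_params` argument through the prototype, the four call sites and the definition, and add the `size_t *rot_buf_size` parameter that CVE-2023-25433.patch already dereferences. The subject line also mentions removing `buffptr` from the region structure, which is not part of this file. If the body of rotateImage() already honours `rot_image_params` from an earlier backport (the removed definition line suggests the parameter existed), say so in the header, for example `Backport Changes: rotateImage() body unchanged, rot_image_params handling already present from <earlier patch>`; otherwise the part of the upstream commit that stops toggling the main image width and length is missing. Either way a reader of the cve-check result should be able to see which file carries the fix.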
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
new file mode 100644
index 0000000000..b7a7e93764
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26965.patch
@@ -0,0 +1,90 @@
+From ec8ef90c1f573c9eb1f17d6a056aa0015f184acf Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Tue, 14 Feb 2023 20:43:43 +0100
+Subject: [PATCH] tiffcrop: Do not reuse input buffer for subsequent images.
+ Fix issue 527
+
+Reuse of read_buff within loadImage() from previous image is quite unsafe, because other functions (like rotateImage() etc.) reallocate that buffer with different size without updating the local prev_readsize value.
+
+Closes #527
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
+CVE: CVE-2023-26965
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 40 ++++++++++------------------------------
+ 1 file changed, 10 insertions(+), 30 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index ce84414..a533089 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -5935,9 +5935,7 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ uint32 tw = 0, tl = 0; /* Tile width and length */
+ tmsize_t tile_rowsize = 0;
+ unsigned char *read_buff = NULL;
+- unsigned char *new_buff = NULL;
+ int readunit = 0;
+- static tmsize_t prev_readsize = 0;
+
+ TIFFGetFieldDefaulted(in, TIFFTAG_BITSPERSAMPLE, &bps);
+ TIFFGetFieldDefaulted(in, TIFFTAG_SAMPLESPERPIXEL, &spp);
+@@ -6232,37 +6230,20 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ read_buff = *read_ptr;
+ /* +3 : add a few guard bytes since reverseSamples16bits() can read a bit */
+ /* outside buffer */
+- if (!read_buff)
++ if (read_buff)
+ {
+- if( buffsize > 0xFFFFFFFFU - 3 )
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
++ _TIFFfree(read_buff);
+ }
+- else
+- {
+- if (prev_readsize < buffsize)
+- {
+- if( buffsize > 0xFFFFFFFFU - 3 )
+- {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
+- return (-1);
+- }
+- new_buff = _TIFFrealloc(read_buff, buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- if (!new_buff)
+- {
+- free (read_buff);
+- read_buff = (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+- }
+- else
+- read_buff = new_buff;
+- }
+- }
++ if (buffsize > 0xFFFFFFFFU - 3)
++ {
++ TIFFError("loadImage", "Required read buffer size too large");
++ return (-1);
++ }
++ read_buff =
++ (unsigned char *)_TIFFmalloc(buffsize + NUM_BUFF_OVERSIZE_BYTES);
+ if (!read_buff)
+ {
+- TIFFError("loadImage", "Unable to allocate/reallocate read buffer");
++ TIFFError("loadImage", "Unable to allocate read buffer");
+ return (-1);
+ }
+
+@@ -6270,7 +6251,6 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+ read_buff[buffsize+1] = 0;
+ read_buff[buffsize+2] = 0;
+
+- prev_readsize = buffsize;
+ *read_ptr = read_buff;
+
+ /* N.B. The read functions used copy separate plane data into a buffer as interleaved
+--
+2.25.1
+
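Review bot: In the rewritten allocation block of loadImage() the old buffer is released with `_TIFFfree(read_buff);` while `*read_ptr` keeps pointing at it until `*read_ptr = read_buff;` further down, so both early `return (-1);` paths hand the caller a dangling pointer. Whether a caller touches or frees that pointer after a failed load is not visible in this hunk, but clearing it is cheap: add `*read_ptr = NULL;` right after the `_TIFFfree(read_buff);` call. loadImage() starts and ends outside the hunk.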
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch
new file mode 100644
index 0000000000..48657e6aa4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-26966.patch
@@ -0,0 +1,35 @@
+From b0e1c25dd1d065200c8d8f59ad0afe014861a1b9 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Thu, 16 Feb 2023 12:03:16 +0100
+Subject: [PATCH] tif_luv: Check and correct for NaN data in uv_encode().
+
+Closes #530
+
+Upstream-Status: Backport [import from debian http://security.debian.org/debian-security/pool/updates/main/t/tiff/tiff_4.1.0+git191117-2~deb10u8.debian.tar.xz]
+CVE: CVE-2023-26966
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_luv.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
+index 6fe4858..8b2c5f1 100644
+--- a/libtiff/tif_luv.c
++++ b/libtiff/tif_luv.c
+@@ -923,6 +923,13 @@ uv_encode(double u, double v, int em) /* encode (u',v') coordinates */
+ {
+ register int vi, ui;
+
++ /* check for NaN */
++ if (u != u || v != v)
++ {
++ u = U_NEU;
++ v = V_NEU;
++ }
++
+ if (v < UV_VSTART)
+ return oog_encode(u, v);
+ vi = itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em);
+--
+2.25.1
+
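Review bot: The guard added at the top of uv_encode() replaces NaN inputs but lets infinities through: a `v` of +inf is not below `UV_VSTART` and reaches `itrunc((v - UV_VSTART)*(1./UV_SQSIZ), em)`. How itrunc() treats a non-finite argument is not visible here; if it converts to int, the result is undefined. Assuming <math.h> is available in this file, `if (!isfinite(u) || !isfinite(v))` would cover both cases and reads more clearly than the self-comparison. uv_encode() continues past the hunk.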
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index 4b48d81e2b..fcb2ce1ae4 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -36,6 +36,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2022-48281.patch \
file://CVE-2023-0795_0796_0797_0798_0799.patch \
file://CVE-2023-0800_0801_0802_0803_0804.patch \
+ file://CVE-2023-25433.patch \
+ file://CVE-2023-25434-CVE-2023-25435.patch \
+ file://CVE-2023-26965.patch \
+ file://CVE-2023-26966.patch \
"
SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
--
2.34.1
* [OE-core][dunfell 08/22] tiff: fix multiple CVEs
2023-08-13 21:18 [OE-core][dunfell 00/22] Patch review Steve Sakoman
` (6 preceding siblings ...)
2023-08-13 21:18 ` [OE-core][dunfell 07/22] tiff: fix multiple CVEs Steve Sakoman
@ 2023-08-13 21:18 ` Steve Sakoman
2023-08-13 21:18 ` [OE-core][dunfell 09/22] dmidecode 3.2: Fix CVE-2023-30630 Steve Sakoman
` (13 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Backport fixes for:
* CVE-2023-2908 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f
* CVE-2023-3316 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536
* CVE-2023-3618 - Upstream-Status: Backport from https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37 && https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libtiff/files/CVE-2023-2908.patch | 33 +++++++++++
.../libtiff/files/CVE-2023-3316.patch | 59 +++++++++++++++++++
.../libtiff/files/CVE-2023-3618-1.patch | 34 +++++++++++
.../libtiff/files/CVE-2023-3618-2.patch | 47 +++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 4 ++
5 files changed, 177 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch
new file mode 100644
index 0000000000..62a5e1831c
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-2908.patch
@@ -0,0 +1,33 @@
+From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e Mon Sep 17 00:00:00 2001
+From: xiaoxiaoafeifei <lliangliang2007@163.com>
+Date: Fri, 21 Apr 2023 13:01:34 +0000
+Subject: [PATCH] countInkNamesString(): fix `UndefinedBehaviorSanitizer`:
+ applying zero offset to null pointer
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f]
+CVE: CVE-2023-2908
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c
+index 9d8267a..6389b40 100644
+--- a/libtiff/tif_dir.c
++++ b/libtiff/tif_dir.c
+@@ -145,10 +145,10 @@ static uint16
+ countInkNamesString(TIFF *tif, uint32 slen, const char *s)
+ {
+ uint16 i = 0;
+- const char *ep = s + slen;
+- const char *cp = s;
+
+ if (slen > 0) {
++ const char *ep = s + slen;
++ const char *cp = s;
+ do {
+ for (; cp < ep && *cp != '\0'; cp++) {}
+ if (cp >= ep)
+--
+2.25.1
+
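Review bot: The embedded patch header starts with `From 8c0859a80444c90b8dfb862a9f16de74e16f0a9e`, while `Upstream-Status` and the cover text name upstream commit `9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f`. Anyone verifying the backport against upstream will look up the first id and may not find it. If the patch was regenerated from a local tree, keep the upstream id in the `From` line or add a header line such as `(cherry picked from commit 9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f)`, as the dmidecode patch in this series does.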
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch
new file mode 100644
index 0000000000..8db24fc714
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3316.patch
@@ -0,0 +1,59 @@
+From d63de61b1ec3385f6383ef9a1f453e4b8b11d536 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 3 Feb 2023 17:38:55 +0100
+Subject: [PATCH] TIFFClose() avoid NULL pointer dereferencing. fix#515
+
+Closes #515
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/d63de61b1ec3385f6383ef9a1f453e4b8b11d536]
+CVE: CVE-2023-3316
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libtiff/tif_close.c | 11 +++++++----
+ tools/tiffcrop.c | 5 ++++-
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/libtiff/tif_close.c b/libtiff/tif_close.c
+index e4228df..335e80f 100644
+--- a/libtiff/tif_close.c
++++ b/libtiff/tif_close.c
+@@ -118,13 +118,16 @@ TIFFCleanup(TIFF* tif)
+ */
+
+ void
+-TIFFClose(TIFF* tif)
++TIFFClose(TIFF *tif)
+ {
+- TIFFCloseProc closeproc = tif->tif_closeproc;
+- thandle_t fd = tif->tif_clientdata;
++ if (tif != NULL)
++ {
++ TIFFCloseProc closeproc = tif->tif_closeproc;
++ thandle_t fd = tif->tif_clientdata;
+
+ TIFFCleanup(tif);
+- (void) (*closeproc)(fd);
++ (void)(*closeproc)(fd);
++ }
+ }
+
+ /* vim: set ts=8 sts=8 sw=8 noet: */
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index a533089..f14bb0c 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2526,7 +2526,10 @@ main(int argc, char* argv[])
+ }
+ }
+
+- TIFFClose(out);
++ if (out != NULL)
++ {
++ TIFFClose(out);
++ }
+
+ return (0);
+ } /* end main */
+--
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch
new file mode 100644
index 0000000000..35ed852519
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-1.patch
@@ -0,0 +1,34 @@
+From 881a070194783561fd209b7c789a4e75566f7f37 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Tue, 7 Mar 2023 15:02:08 +0800
+Subject: [PATCH] Fix memory leak in tiffcrop.c
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
+CVE: CVE-2023-3618
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index f14bb0c..7121c7c 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -7746,8 +7746,13 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+
+ read_buff = *read_buff_ptr;
+
++ /* Memory is freed before crop_buff_ptr is overwritten */
++ if (*crop_buff_ptr != NULL)
++ {
++ _TIFFfree(*crop_buff_ptr);
++ }
++
+ /* process full image, no crop buffer needed */
+- crop_buff = read_buff;
+ *crop_buff_ptr = read_buff;
+ crop->combined_width = image->width;
+ crop->combined_length = image->length;
+--
+2.25.1
+
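Review bot: The new `_TIFFfree(*crop_buff_ptr);` in createCroppedImage() is followed a few lines later by `*crop_buff_ptr = read_buff;`, so after a call the crop pointer can alias the read buffer. If that alias is still in place on the next call, the free releases the read buffer itself, or a buffer that loadImage() already released under CVE-2023-26965.patch, and the function then stores or reuses a stale pointer. Please confirm from the rest of the function and from main(), both outside this hunk, that `*crop_buff_ptr` never holds the alias on entry. A guard such as `if (*crop_buff_ptr != NULL && *crop_buff_ptr != read_buff)`, with `*crop_buff_ptr = NULL;` after the free, would make the ownership explicit.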
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch
new file mode 100644
index 0000000000..fd67305c0b
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-3618-2.patch
@@ -0,0 +1,47 @@
+From b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 Mon Sep 17 00:00:00 2001
+From: Su_Laus <sulau@freenet.de>
+Date: Fri, 5 May 2023 19:43:46 +0200
+Subject: [PATCH] Consider error return of writeSelections(). Fixes #553
+
+Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8]
+CVE: CVE-2023-3618
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ tools/tiffcrop.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 7121c7c..93b7f96 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -2437,9 +2437,15 @@ main(int argc, char* argv[])
+ { /* Whole image or sections not based on output page size */
+ if (crop.selections > 0)
+ {
+- writeSelections(in, &out, &crop, &image, &dump, seg_buffs,
+- mp, argv[argc - 1], &next_page, total_pages);
+- }
++ if (writeSelections(in, &out, &crop, &image, &dump,
++ seg_buffs, mp, argv[argc - 1],
++ &next_page, total_pages))
++ {
++ TIFFError("main",
++ "Unable to write new image selections");
++ exit(EXIT_FAILURE);
++ }
++ }
+ else /* One file all images and sections */
+ {
+ if (update_output_file (&out, mp, crop.exp_mode, argv[argc - 1],
+@@ -7749,7 +7755,7 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop,
+ /* Memory is freed before crop_buff_ptr is overwritten */
+ if (*crop_buff_ptr != NULL)
+ {
+- _TIFFfree(*crop_buff_ptr);
++ _TIFFfree(*crop_buff_ptr);
+ }
+
+ /* process full image, no crop buffer needed */
+--
+2.25.1
+
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index fcb2ce1ae4..e3daaf1007 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -40,6 +40,10 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-25434-CVE-2023-25435.patch \
file://CVE-2023-26965.patch \
file://CVE-2023-26966.patch \
+ file://CVE-2023-2908.patch \
+ file://CVE-2023-3316.patch \
+ file://CVE-2023-3618-1.patch \
+ file://CVE-2023-3618-2.patch \
"
SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
--
2.34.1
* [OE-core][dunfell 09/22] dmidecode 3.2: Fix CVE-2023-30630
2023-08-13 21:18 [OE-core][dunfell 00/22] Patch review Steve Sakoman
` (7 preceding siblings ...)
2023-08-13 21:18 ` [OE-core][dunfell 08/22] " Steve Sakoman
@ 2023-08-13 21:18 ` Steve Sakoman
2023-08-13 21:18 ` [OE-core][dunfell 10/22] qemu: CVE-ID correction for CVE-2020-35505 Steve Sakoman
` (12 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Dhairya Nagodra <dnagodra@cisco.com>
Upstream Repository: https://git.savannah.gnu.org/git/dmidecode.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30630
Type: Security Fix
CVE: CVE-2023-30630
Score: 7.8
Patch: https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=6ca381c1247c
Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../CVE-2023-30630-dependent_p1.patch | 236 ++++++++++++++++++
.../CVE-2023-30630-dependent_p2.patch | 198 +++++++++++++++
.../dmidecode/dmidecode/CVE-2023-30630.patch | 62 +++++
.../dmidecode/dmidecode_3.2.bb | 3 +
4 files changed, 499 insertions(+)
create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
create mode 100644 meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
new file mode 100644
index 0000000000..f1d449acbe
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p1.patch
@@ -0,0 +1,236 @@
+From 24def311c6168d0dfb7c5f0f183b72b709c49265 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:21 +0100
+Subject: [PATCH] dmidecode: Split table fetching from decoding
+
+Clean up function dmi_table so that it does only one thing:
+* dmi_table() is renamed to dmi_table_get(). It now retrieves the
+ DMI table, but does not process it any longer.
+* Decoding or dumping the table is now done in smbios3_decode(),
+ smbios_decode() and legacy_decode().
+No functional change.
+
+A side effect of this change is that writing the header and body of
+dump files is now done in a single location. This is required to
+further consolidate the writing of dump files.
+
+CVE-ID: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab7]
+
+Backport Changes:
+- In the file dmidecode.c, the commit [dd593d2] in v3.3 introduces
+ pr_info(). This is backported to printf() as per v3.2.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit 39b2dd7b6ab719b920e96ed832cfb4bdd664e808)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+---
+ dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 62 insertions(+), 24 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index a3e9d6c..d6eedd1 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -5211,8 +5211,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+ }
+ }
+
+-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+- u32 flags)
++/* Allocates a buffer for the table, must be freed by the caller */
++static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver,
++ const char *devmem, u32 flags)
+ {
+ u8 *buf;
+
+@@ -5231,7 +5232,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+ {
+ if (num)
+ printf("%u structures occupying %u bytes.\n",
+- num, len);
++ num, *len);
+ if (!(opt.flags & FLAG_FROM_DUMP))
+ printf("Table at 0x%08llX.\n",
+ (unsigned long long)base);
+@@ -5249,19 +5250,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+ * would be the result of the kernel truncating the table on
+ * parse error.
+ */
+- size_t size = len;
++ size_t size = *len;
+ buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
+ &size, devmem);
+- if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
++ if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
+ {
+ fprintf(stderr, "Wrong DMI structures length: %u bytes "
+ "announced, only %lu bytes available.\n",
+- len, (unsigned long)size);
++ *len, (unsigned long)size);
+ }
+- len = size;
++ *len = size;
+ }
+ else
+- buf = mem_chunk(base, len, devmem);
++ buf = mem_chunk(base, *len, devmem);
+
+ if (buf == NULL)
+ {
+@@ -5271,15 +5272,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
+ fprintf(stderr,
+ "Try compiling dmidecode with -DUSE_MMAP.\n");
+ #endif
+- return;
+ }
+
+- if (opt.flags & FLAG_DUMP_BIN)
+- dmi_table_dump(buf, len);
+- else
+- dmi_table_decode(buf, len, num, ver >> 8, flags);
+-
+- free(buf);
++ return buf;
+ }
+
+
+@@ -5314,8 +5309,9 @@ static void overwrite_smbios3_address(u8 *buf)
+
+ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+- u32 ver;
++ u32 ver, len;
+ u64 offset;
++ u8 *table;
+
+ /* Don't let checksum run beyond the buffer */
+ if (buf[0x06] > 0x20)
+@@ -5341,8 +5337,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ return 0;
+ }
+
+- dmi_table(((off_t)offset.h << 32) | offset.l,
+- DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT);
++ /* Maximum length, may get trimmed */
++ len = DWORD(buf + 0x0C);
++ table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver,
++ devmem, flags | FLAG_STOP_AT_EOT);
++ if (table == NULL)
++ return 1;
+
+ if (opt.flags & FLAG_DUMP_BIN)
+ {
+@@ -5351,18 +5351,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 32);
+ overwrite_smbios3_address(crafted);
+
++ dmi_table_dump(table, len);
+ if (!(opt.flags & FLAG_QUIET))
+ printf("# Writing %d bytes to %s.\n", crafted[0x06],
+ opt.dumpfile);
+ write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
+ }
++ else
++ {
++ dmi_table_decode(table, len, 0, ver >> 8,
++ flags | FLAG_STOP_AT_EOT);
++ }
++
++ free(table);
+
+ return 1;
+ }
+
+ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ {
+- u16 ver;
++ u16 ver, num;
++ u32 len;
++ u8 *table;
+
+ /* Don't let checksum run beyond the buffer */
+ if (buf[0x05] > 0x20)
+@@ -5402,8 +5412,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ printf("SMBIOS %u.%u present.\n",
+ ver >> 8, ver & 0xFF);
+
+- dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
+- ver << 8, devmem, flags);
++ /* Maximum length, may get trimmed */
++ len = WORD(buf + 0x16);
++ num = WORD(buf + 0x1C);
++ table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
++ devmem, flags);
++ if (table == NULL)
++ return 1;
+
+ if (opt.flags & FLAG_DUMP_BIN)
+ {
+@@ -5412,27 +5427,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 32);
+ overwrite_dmi_address(crafted + 0x10);
+
++ dmi_table_dump(table, len);
+ if (!(opt.flags & FLAG_QUIET))
+ printf("# Writing %d bytes to %s.\n", crafted[0x05],
+ opt.dumpfile);
+ write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
+ }
++ else
++ {
++ dmi_table_decode(table, len, num, ver, flags);
++ }
++
++ free(table);
+
+ return 1;
+ }
+
+ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ {
++ u16 ver, num;
++ u32 len;
++ u8 *table;
++
+ if (!checksum(buf, 0x0F))
+ return 0;
+
++ ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
+ if (!(opt.flags & FLAG_QUIET))
+ printf("Legacy DMI %u.%u present.\n",
+ buf[0x0E] >> 4, buf[0x0E] & 0x0F);
+
+- dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
+- ((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
+- devmem, flags);
++ /* Maximum length, may get trimmed */
++ len = WORD(buf + 0x06);
++ num = WORD(buf + 0x0C);
++ table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
++ devmem, flags);
++ if (table == NULL)
++ return 1;
+
+ if (opt.flags & FLAG_DUMP_BIN)
+ {
+@@ -5441,11 +5472,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 16);
+ overwrite_dmi_address(crafted);
+
++ dmi_table_dump(table, len);
+ if (!(opt.flags & FLAG_QUIET))
+ printf("# Writing %d bytes to %s.\n", 0x0F,
+ opt.dumpfile);
+ write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
+ }
++ else
++ {
++ dmi_table_decode(table, len, num, ver, flags);
++ }
++
++ free(table);
+
+ return 1;
+ }
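Review bot: The comment added above `dmi_table_get()` documents ownership but not the two other things its callers now depend on: `len` is an in/out parameter (the `read_file` branch ends with `*len = size;`), and the function returns NULL on failure now that the early `return;` is gone. I would extend it to something like `/* Returns a buffer the caller must free(), or NULL on error; *len is updated to the number of bytes actually read */`. All three callers return 1 when the table is NULL, the same value they return on success, so a failed fetch is visible only on stderr. The bodies of the three decode functions continue outside these hunks.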
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
new file mode 100644
index 0000000000..353c2553f5
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630-dependent_p2.patch
@@ -0,0 +1,198 @@
+From 58e8a07b1aef0e53af1642b30248255e53e42790 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:25 +0100
+Subject: [PATCH] dmidecode: Write the whole dump file at once
+
+When option --dump-bin is used, write the whole dump file at once,
+instead of opening and closing the file separately for the table
+and then for the entry point.
+
+As the file writing function is no longer generic, it gets moved
+from util.c to dmidecode.c.
+
+One minor functional change resulting from the new implementation is
+that the entry point is written first now, so the messages printed
+are swapped.
+
+CVE: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f38]
+
+Backport Changes:
+- In the file dmidecode.c, the commit [2241f1d] in v3.3 introduces
+ pr_info(). This is backported to printf() as per v3.2.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit d8cfbc808f387e87091c25e7d5b8c2bb348bb206)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
+---
+ dmidecode.c | 69 +++++++++++++++++++++++++++++++++++++++--------------
+ util.c | 40 -------------------------------
+ util.h | 1 -
+ 3 files changed, 51 insertions(+), 59 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index d6eedd1..b91e53b 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -5094,11 +5094,56 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
+ }
+ }
+
+-static void dmi_table_dump(const u8 *buf, u32 len)
++static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
++ u32 table_len)
+ {
++ FILE *f;
++
++ f = fopen(opt.dumpfile, "wb");
++ if (!f)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fopen");
++ return -1;
++ }
++
++ if (!(opt.flags & FLAG_QUIET))
++ printf("# Writing %d bytes to %s.\n", ep_len, opt.dumpfile);
++ if (fwrite(ep, ep_len, 1, f) != 1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fwrite");
++ goto err_close;
++ }
++
++ if (fseek(f, 32, SEEK_SET) != 0)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fseek");
++ goto err_close;
++ }
++
+ if (!(opt.flags & FLAG_QUIET))
+- printf("# Writing %d bytes to %s.\n", len, opt.dumpfile);
+- write_dump(32, len, buf, opt.dumpfile, 0);
++ printf("# Writing %d bytes to %s.\n", table_len, opt.dumpfile);
++ if (fwrite(table, table_len, 1, f) != 1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fwrite");
++ goto err_close;
++ }
++
++ if (fclose(f))
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("fclose");
++ return -1;
++ }
++
++ return 0;
++
++err_close:
++ fclose(f);
++ return -1;
+ }
+
+ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
+@@ -5351,11 +5396,7 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 32);
+ overwrite_smbios3_address(crafted);
+
+- dmi_table_dump(table, len);
+- if (!(opt.flags & FLAG_QUIET))
+- printf("# Writing %d bytes to %s.\n", crafted[0x06],
+- opt.dumpfile);
+- write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, crafted[0x06], table, len);
+ }
+ else
+ {
+@@ -5427,11 +5468,7 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 32);
+ overwrite_dmi_address(crafted + 0x10);
+
+- dmi_table_dump(table, len);
+- if (!(opt.flags & FLAG_QUIET))
+- printf("# Writing %d bytes to %s.\n", crafted[0x05],
+- opt.dumpfile);
+- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, crafted[0x05], table, len);
+ }
+ else
+ {
+@@ -5472,11 +5509,7 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
+ memcpy(crafted, buf, 16);
+ overwrite_dmi_address(crafted);
+
+- dmi_table_dump(table, len);
+- if (!(opt.flags & FLAG_QUIET))
+- printf("# Writing %d bytes to %s.\n", 0x0F,
+- opt.dumpfile);
+- write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
++ dmi_table_dump(crafted, 0x0F, table, len);
+ }
+ else
+ {
+diff --git a/util.c b/util.c
+index eeffdae..2e1931c 100644
+--- a/util.c
++++ b/util.c
+@@ -247,46 +247,6 @@ out:
+ return p;
+ }
+
+-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add)
+-{
+- FILE *f;
+-
+- f = fopen(dumpfile, add ? "r+b" : "wb");
+- if (!f)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fopen");
+- return -1;
+- }
+-
+- if (fseek(f, base, SEEK_SET) != 0)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fseek");
+- goto err_close;
+- }
+-
+- if (fwrite(data, len, 1, f) != 1)
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fwrite");
+- goto err_close;
+- }
+-
+- if (fclose(f))
+- {
+- fprintf(stderr, "%s: ", dumpfile);
+- perror("fclose");
+- return -1;
+- }
+-
+- return 0;
+-
+-err_close:
+- fclose(f);
+- return -1;
+-}
+-
+ /* Returns end - start + 1, assuming start < end */
+ u64 u64_range(u64 start, u64 end)
+ {
+diff --git a/util.h b/util.h
+index 3094cf8..ef24eb9 100644
+--- a/util.h
++++ b/util.h
+@@ -27,5 +27,4 @@
+ int checksum(const u8 *buf, size_t len);
+ void *read_file(off_t base, size_t *len, const char *filename);
+ void *mem_chunk(off_t base, size_t len, const char *devmem);
+-int write_dump(size_t base, size_t len, const void *data, const char *dumpfile, int add);
+ u64 u64_range(u64 start, u64 end);
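Review bot: `dmi_table_dump()` now returns `int`, but the three call sites in `smbios3_decode()`, `smbios_decode()` and `legacy_decode()` discard the result, so a failed `fopen`/`fwrite`/`fclose` leaves a missing or truncated dump while the caller carries on as if it had been written. The callers should test the return value, e.g. `if (dmi_table_dump(crafted, crafted[0x06], table, len) < 0)`, and propagate the failure; how the process exit status is derived lies outside these hunks. Separately, `ep_len` and `table_len` are `u32` but are printed with `%d`; `%u` matches the type.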
diff --git a/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
new file mode 100644
index 0000000000..bf4d060c8c
--- /dev/null
+++ b/meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630.patch
@@ -0,0 +1,62 @@
+From b7dacccff32294ea522df32a9391d0218e7600ea Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Mon, 20 Feb 2023 14:53:31 +0100
+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file
+
+Make sure that the file passed to option --dump-bin does not already
+exist. In practice, it is rather unlikely that an honest user would
+want to overwrite an existing dump file, while this possibility
+could be used by a rogue user to corrupt a system file.
+
+CVE: CVE-2023-30630
+Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=6ca381c1247c]
+
+Backport Changes:
+- Ignored changes in man/dmidecode.8 file.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
+(cherry picked from commit 6ca381c1247c81f74e1ca4e7706f70bdda72e6f2)
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
+---
+ dmidecode.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/dmidecode.c b/dmidecode.c
+index b91e53b..846d9a1 100644
+--- a/dmidecode.c
++++ b/dmidecode.c
+@@ -60,6 +60,7 @@
+ * https://www.dmtf.org/sites/default/files/DSP0270_1.0.1.pdf
+ */
+
++#include <fcntl.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <strings.h>
+@@ -5097,13 +5098,22 @@ static void dmi_table_string(const struct dmi_header *h, const u8 *data, u16 ver
+ static int dmi_table_dump(const u8 *ep, u32 ep_len, const u8 *table,
+ u32 table_len)
+ {
++ int fd;
+ FILE *f;
+
+- f = fopen(opt.dumpfile, "wb");
++ fd = open(opt.dumpfile, O_WRONLY|O_CREAT|O_EXCL, 0666);
++ if (fd == -1)
++ {
++ fprintf(stderr, "%s: ", opt.dumpfile);
++ perror("open");
++ return -1;
++ }
++
++ f = fdopen(fd, "wb");
+ if (!f)
+ {
+ fprintf(stderr, "%s: ", opt.dumpfile);
+- perror("fopen");
++ perror("fdopen");
+ return -1;
+ }
+
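Review bot: When `fdopen()` fails, the new error branch returns without closing `fd`, so the descriptor leaks and the empty file just created by `open(..., O_CREAT|O_EXCL, ...)` is left behind, which makes a retry with the same name fail. Adding `close(fd);` before that `return -1;` fixes the leak; removing the empty file at the same point is worth considering. The mode `0666` is narrowed only by the caller's umask, so if dump files are treated as sensitive a stricter mode such as `0600` would be the safer default. The rest of `dmi_table_dump()` lies outside this hunk.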
diff --git a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
index 8caffb5cc3..1e7c38dc8a 100644
--- a/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
+++ b/meta/recipes-devtools/dmidecode/dmidecode_3.2.bb
@@ -6,6 +6,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/dmidecode/${BP}.tar.xz \
file://0001-Committing-changes-from-do_unpack_extra.patch \
+ file://CVE-2023-30630-dependent_p1.patch \
+ file://CVE-2023-30630-dependent_p2.patch \
+ file://CVE-2023-30630.patch \
"
COMPATIBLE_HOST = "(i.86|x86_64|aarch64|arm|powerpc|powerpc64).*-linux"
--
2.34.1
* [OE-core][dunfell 10/22] qemu: CVE-ID correction for CVE-2020-35505
2023-08-13 21:18 [OE-core][dunfell 00/22] Patch review Steve Sakoman
` (8 preceding siblings ...)
2023-08-13 21:18 ` [OE-core][dunfell 09/22] dmidecode 3.2: Fix CVE-2023-30630 Steve Sakoman
@ 2023-08-13 21:18 ` Steve Sakoman
2023-08-13 21:18 ` [OE-core][dunfell 11/22] qemu:fix CVE-2023-3354 VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service Steve Sakoman
` (11 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Emily Vekariya <emily.vekariya@einfochips.com>
- The commit [https://github.com/qemu/qemu/commit/995457517340]
("esp: ensure cmdfifo is not empty and current_dev is non-NULL")
fixes CVE-2020-35505 instead of CVE-2020-35504.
- Hence, corrected the CVE-ID in CVE-2020-35505.patch.
- Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
Signed-off-by: Emily Vekariya <emily.vekariya@einfochips.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch
index c5ff6e89ff..40c0b1e74f 100644
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35505.patch
@@ -20,16 +20,19 @@ Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>
-CVE: CVE-2020-35504
+CVE: CVE-2020-35505
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-35505.patch?h=ubuntu/focal-security Upstream commit https://github.com/qemu/qemu/commit/99545751734035b76bd372c4e7215bb337428d89 ]
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+Signed-off-by: Emily Vekariya <emily.vekariya@einfochips.com>
---
- hw/scsi/esp.c | 3 +++
- 1 file changed, 3 insertions(+)
+ hw/scsi/esp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index c7d701bf..c2a67bc8 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
-@@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, ui
+@@ -193,6 +193,10 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid)
trace_esp_do_busid_cmd(busid);
lun = busid & 7;
--
2.34.1
* [OE-core][dunfell 11/22] qemu:fix CVE-2023-3354 VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service
2023-08-13 21:18 [OE-core][dunfell 00/22] Patch review Steve Sakoman
` (9 preceding siblings ...)
2023-08-13 21:18 ` [OE-core][dunfell 10/22] qemu: CVE-ID correction for CVE-2020-35505 Steve Sakoman
@ 2023-08-13 21:18 ` Steve Sakoman
2023-08-13 21:18 ` [OE-core][dunfell 12/22] ghostscript: backport fix for CVE-2023-38559 Steve Sakoman
` (10 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2023-3354.patch | 87 +++++++++++++++++++
2 files changed, 88 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 352277573b..2871818cb1 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -138,6 +138,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3409-5.patch \
file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
file://CVE-2023-0330.patch \
+ file://CVE-2023-3354.patch \
"
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
new file mode 100644
index 0000000000..2942e84cac
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3354.patch
@@ -0,0 +1,87 @@
+From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 20 Jun 2023 09:45:34 +0100
+Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The TLS handshake make take some time to complete, during which time an
+I/O watch might be registered with the main loop. If the owner of the
+I/O channel invokes qio_channel_close() while the handshake is waiting
+to continue the I/O watch must be removed. Failing to remove it will
+later trigger the completion callback which the owner is not expecting
+to receive. In the case of the VNC server, this results in a SEGV as
+vnc_disconnect_start() tries to shutdown a client connection that is
+already gone / NULL.
+
+CVE-2023-3354
+Reported-by: jiangyegen <jiangyegen@huawei.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4]
+CVE: CVE-2023-3354
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ include/io/channel-tls.h | 1 +
+ io/channel-tls.c | 18 ++++++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
+index fdbdf12f..e49e2831 100644
+--- a/include/io/channel-tls.h
++++ b/include/io/channel-tls.h
+@@ -49,6 +49,7 @@ struct QIOChannelTLS {
+ QIOChannel *master;
+ QCryptoTLSSession *session;
+ QIOChannelShutdown shutdown;
++ guint hs_ioc_tag;
+ };
+
+ /**
+diff --git a/io/channel-tls.c b/io/channel-tls.c
+index 7ec8ceff..8b32fbde 100644
+--- a/io/channel-tls.c
++++ b/io/channel-tls.c
+@@ -194,12 +194,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
+ }
+
+ trace_qio_channel_tls_handshake_pending(ioc, status);
+- qio_channel_add_watch_full(ioc->master,
+- condition,
+- qio_channel_tls_handshake_io,
+- data,
+- NULL,
+- context);
++ ioc->hs_ioc_tag =
++ qio_channel_add_watch_full(ioc->master,
++ condition,
++ qio_channel_tls_handshake_io,
++ data,
++ NULL,
++ context);
+ }
+ }
+
+@@ -214,6 +215,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
+ QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
+ qio_task_get_source(task));
+
++ tioc->hs_ioc_tag = 0;
+ g_free(data);
+ qio_channel_tls_handshake_task(tioc, task, context);
+
+@@ -371,6 +373,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
+ {
+ QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+
++ if (tioc->hs_ioc_tag) {
++ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
++ }
++
+ return qio_channel_close(tioc->master, errp);
+ }
+
+--
+2.25.1
+
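Review bot: In `qio_channel_tls_close()` the pending handshake watch is removed, but the `data` pointer handed to `qio_channel_add_watch_full()` is freed only inside `qio_channel_tls_handshake_io()` (`g_free(data);`), and the watch is registered with `NULL` in what appears to be the destroy-notify argument, so cancelling the watch looks like it leaks `data` and whatever it references. Freeing it on the cancel path needs care because the callback already frees it when it does run; the surrounding function bodies are outside these hunks, so this should be checked against the full source. The `if (tioc->hs_ioc_tag)` guard is redundant because `g_clear_handle_id()` does nothing for a zero id, and that helper was added in GLib 2.56, so the backport should be confirmed to build against the minimum GLib this QEMU version supports.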
--
2.34.1
* [OE-core][dunfell 12/22] ghostscript: backport fix for CVE-2023-38559
2023-08-13 21:18 [OE-core][dunfell 00/22] Patch review Steve Sakoman
` (10 preceding siblings ...)
2023-08-13 21:18 ` [OE-core][dunfell 11/22] qemu:fix CVE-2023-3354 VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service Steve Sakoman
@ 2023-08-13 21:18 ` Steve Sakoman
2023-08-13 21:18 ` [OE-core][dunfell 13/22] procps: patch CVE-2023-4016 Steve Sakoman
` (9 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...pcx-buffer-overrun-fix-from-devices-.patch | 31 +++++++++++++++++++
.../ghostscript/ghostscript_9.52.bb | 1 +
2 files changed, 32 insertions(+)
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
new file mode 100644
index 0000000000..91b9f6df50
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
@@ -0,0 +1,31 @@
+From d81b82c70bc1fb9991bb95f1201abb5dea55f57f Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Mon, 17 Jul 2023 14:06:37 +0100
+Subject: [PATCH] Bug 706897: Copy pcx buffer overrun fix from
+ devices/gdevpcx.c
+
+Bounds check the buffer, before dereferencing the pointer.
+
+Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f]
+CVE: CVE-2023-38559
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/gdevdevn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/gdevdevn.c b/base/gdevdevn.c
+index 3b019d6..2888776 100644
+--- a/base/gdevdevn.c
++++ b/base/gdevdevn.c
+@@ -1980,7 +1980,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, int step, gp_file * file
+ byte data = *from;
+
+ from += step;
+- if (data != *from || from == end) {
++ if (from >= end || data != *from) {
+ if (data >= 0xc0)
+ gp_fputc(0xc1, file);
+ } else {
+--
+2.25.1
+
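Review bot: The reordered condition in `devn_pcx_write_rle()` is correct only because `from >= end` is evaluated before `*from`, and nothing in the code says so. A short comment above the `if`, such as `/* test the bound first: *from must not be read at or past end */`, would keep a later cleanup from swapping the operands back. The loop around this line is outside the hunk.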
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
index 57f0b51ad3..37e9ed8e84 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.52.bb
@@ -40,6 +40,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
file://CVE-2021-3781_2.patch \
file://CVE-2021-3781_3.patch \
file://CVE-2023-28879.patch \
+ file://0001-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch \
"
SRC_URI = "${SRC_URI_BASE} \
--
2.34.1
* [OE-core][dunfell 13/22] procps: patch CVE-2023-4016
2023-08-13 21:18 [OE-core][dunfell 00/22] Patch review Steve Sakoman
` (11 preceding siblings ...)
2023-08-13 21:18 ` [OE-core][dunfell 12/22] ghostscript: backport fix for CVE-2023-38559 Steve Sakoman
@ 2023-08-13 21:18 ` Steve Sakoman
2023-08-13 21:18 ` [OE-core][dunfell 14/22] cve-update-nvd2-native: always pass str for json.loads() Steve Sakoman
` (8 subsequent siblings)
21 siblings, 0 replies; 25+ messages in thread
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Backport patch from upstream master.
There were three changes needed to apply the patch:
* move NEWS change to start of the file
* change file location from src/ps/ to ps/
* change xmalloc/xcalloc to malloc/calloc
The x*alloc functions were introduced by a commit in a later version.
https://gitlab.com/procps-ng/procps/-/commit/584028dbe513127ef68c55aa631480454bcc26bf
They call the original function and additionally raise an error when out of memory.
https://gitlab.com/procps-ng/procps/-/blob/v4.0.3/local/xalloc.h?ref_type=tags
So this replacement is correct in context of our version.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../procps/procps/CVE-2023-4016.patch | 85 +++++++++++++++++++
meta/recipes-extended/procps/procps_3.3.16.bb | 1 +
2 files changed, 86 insertions(+)
create mode 100644 meta/recipes-extended/procps/procps/CVE-2023-4016.patch
diff --git a/meta/recipes-extended/procps/procps/CVE-2023-4016.patch b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch
new file mode 100644
index 0000000000..50582a8649
--- /dev/null
+++ b/meta/recipes-extended/procps/procps/CVE-2023-4016.patch
@@ -0,0 +1,85 @@
+From 2c933ecba3bb1d3041a5a7a53a7b4078a6003413 Mon Sep 17 00:00:00 2001
+From: Craig Small <csmall@dropbear.xyz>
+Date: Thu, 10 Aug 2023 21:18:38 +1000
+Subject: [PATCH] ps: Fix possible buffer overflow in -C option
+
+ps allocates memory using malloc(length of arg * len of struct).
+In certain strange circumstances, the arg length could be very large
+and the multiplecation will overflow, allocating a small amount of
+memory.
+
+Subsequent strncpy() will then write into unallocated memory.
+The fix is to use calloc. It's slower but this is a one-time
+allocation. Other malloc(x * y) calls have also been replaced
+by calloc(x, y)
+
+References:
+ https://www.freelists.org/post/procps/ps-buffer-overflow-CVE-20234016
+ https://nvd.nist.gov/vuln/detail/CVE-2023-4016
+ https://gitlab.com/procps-ng/procps/-/issues/297
+ https://bugs.debian.org/1042887
+
+Signed-off-by: Craig Small <csmall@dropbear.xyz>
+
+CVE: CVE-2023-4016
+Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/2c933ecba3bb1d3041a5a7a53a7b4078a6003413]
+
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+
+---
+ NEWS | 1 +
+ ps/parser.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index b9509734..64fa3da8 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,3 +1,5 @@
++ * ps: Fix buffer overflow in -C option CVE-2023-4016 Debian #1042887, issue #297
++
+ procps-ng-3.3.16
+ ----------------
+ * library: Increment to 8:2:0
+diff --git a/ps/parser.c b/ps/parser.c
+index 248aa741..15873dfa 100644
+--- a/ps/parser.c
++++ b/ps/parser.c
+@@ -184,7 +184,6 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+ const char *err; /* error code that could or did happen */
+ /*** prepare to operate ***/
+ node = malloc(sizeof(selection_node));
+- node->u = malloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */
+ node->n = 0;
+ buf = strdup(arg);
+ /*** sanity check and count items ***/
+@@ -205,6 +204,7 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+ } while (*++walk);
+ if(need_item) goto parse_error;
+ node->n = items;
++ node->u = calloc(items, sizeof(sel_union));
+ /*** actually parse the list ***/
+ walk = buf;
+ while(items--){
+@@ -1031,15 +1031,15 @@ static const char *parse_trailing_pids(void){
+ thisarg = ps_argc - 1; /* we must be at the end now */
+
+ pidnode = malloc(sizeof(selection_node));
+- pidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ pidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */
+ pidnode->n = 0;
+
+ grpnode = malloc(sizeof(selection_node));
+- grpnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ grpnode->u = calloc(i,sizeof(sel_union)); /* waste is insignificant */
+ grpnode->n = 0;
+
+ sidnode = malloc(sizeof(selection_node));
+- sidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ sidnode->u = calloc(i, sizeof(sel_union)); /* waste is insignificant */
+ sidnode->n = 0;
+
+ while(i--){
+--
+GitLab
+
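Review bot: None of the `calloc()` results (`node->u` in `parse_list()`, and `pidnode->u`, `grpnode->u`, `sidnode->u` in `parse_trailing_pids()`) is checked, and the fix relies on `calloc()` failing when the element count times `sizeof(sel_union)` would overflow, so that case presumably ends in a write through a NULL pointer rather than a clean error. In `parse_list()` a check right after the allocation, e.g. `if (!node->u) { err = "out of memory"; goto parse_error; }`, would handle it; what `parse_error` cleans up is outside the hunk. The neighbouring `malloc(sizeof(selection_node))` calls are unchecked as well, which matters here because the backport drops the out-of-memory handling that the upstream x-prefixed allocators provide.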
diff --git a/meta/recipes-extended/procps/procps_3.3.16.bb b/meta/recipes-extended/procps/procps_3.3.16.bb
index 3a8289b359..ac27734a6f 100644
--- a/meta/recipes-extended/procps/procps_3.3.16.bb
+++ b/meta/recipes-extended/procps/procps_3.3.16.bb
@@ -14,6 +14,7 @@ inherit autotools gettext pkgconfig update-alternatives
SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \
file://sysctl.conf \
+ file://CVE-2023-4016.patch \
"
SRCREV = "59c88e18f29000ceaf7e5f98181b07be443cf12f"
--
2.34.1
* [OE-core][dunfell 14/22] cve-update-nvd2-native: always pass str for json.loads()
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Yuta Hayama <hayama@lineo.co.jp>
Currently json.loads() accepts one of the types str, bytes, or bytearray
as an argument, but bytes and bytearrays have only been allowed since
python 3.6. The version of Python3 provided by default on Ubuntu 16.04
and Debian 9.x is 3.5, so make raw_data type str to work correctly on
these build hosts.
Signed-off-by: Yuta Hayama <hayama@lineo.co.jp>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 2f7dad7e82..67d76f75dd 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -136,7 +136,7 @@ def nvd_request_next(url, api_key, args):
if (r.headers['content-encoding'] == 'gzip'):
buf = r.read()
- raw_data = gzip.decompress(buf)
+ raw_data = gzip.decompress(buf).decode("utf-8")
else:
raw_data = r.read().decode("utf-8")
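Review bot: Both branches of the `if` now end in `.decode("utf-8")`, so the str guarantee for json.loads() is maintained in two places; reading the bytes in each branch and decoding once after the `if`/`else` (`buf = r.read()` in the else branch, then `raw_data = buf.decode("utf-8")`) would keep it in one. `gzip.decompress(buf)` also inflates the whole response with no size limit, which is worth bounding if the feed endpoint or a proxy in front of it is not fully trusted. nvd_request_next continues outside the hunk, so whether a UnicodeDecodeError from malformed data is handled there is not visible.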
--
2.34.1
* [OE-core][dunfell 15/22] harfbuzz: Resolve backported commit bug.
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Dhairya Nagodra <dnagodra@cisco.com>
The commit [https://github.com/openembedded/openembedded-core/commit/c22bbe9b45e3]
backports the fix for CVE-2023-25193 to version 2.6.4.
In that backport, apply() in src/hb-ot-layout-gpos-table.hh ends prematurely:
the if block in apply() has an extra return statement,
which causes it to return without executing the
buffer->unsafe_to_concat_from_outbuffer() function.
Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../harfbuzz/harfbuzz/CVE-2023-25193.patch | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
index 8243117551..e4ac13dbad 100644
--- a/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz/CVE-2023-25193.patch
@@ -1,4 +1,4 @@
-From 8708b9e081192786c027bb7f5f23d76dbe5c19e8 Mon Sep 17 00:00:00 2001
+From 9c8e972dbecda93546038d24444d8216397d75a3 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Mon, 6 Feb 2023 14:51:25 -0700
Subject: [PATCH] [GPOS] Avoid O(n^2) behavior in mark-attachment
@@ -8,13 +8,15 @@ Comment1: The Original Patch [https://github.com/harfbuzz/harfbuzz/commit/85be87
Comment2: The Patch contained files MarkBasePosFormat1.hh and MarkLigPosFormat1.hh which were moved from hb-ot-layout-gpos-table.hh as per https://github.com/harfbuzz/harfbuzz/commit/197d9a5c994eb41c8c89b7b958b26b1eacfeeb00
CVE: CVE-2023-25193
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
+
---
- src/hb-ot-layout-gpos-table.hh | 101 ++++++++++++++++++++++++---------
+ src/hb-ot-layout-gpos-table.hh | 103 +++++++++++++++++++++++----------
src/hb-ot-layout-gsubgpos.hh | 5 +-
- 2 files changed, 77 insertions(+), 29 deletions(-)
+ 2 files changed, 78 insertions(+), 30 deletions(-)
diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
-index 024312d..88df13d 100644
+index 024312d..db5f9ae 100644
--- a/src/hb-ot-layout-gpos-table.hh
+++ b/src/hb-ot-layout-gpos-table.hh
@@ -1458,6 +1458,25 @@ struct MarkBasePosFormat1
@@ -102,8 +104,9 @@ index 024312d..88df13d 100644
+ //if (!_hb_glyph_info_is_base_glyph (&buffer->info[idx])) { return_trace (false); }
- unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[skippy_iter.idx].codepoint);
+- if (base_index == NOT_COVERED) return_trace (false);
+ unsigned int base_index = (this+baseCoverage).get_coverage (buffer->info[idx].codepoint);
- if (base_index == NOT_COVERED) return_trace (false);
++ if (base_index == NOT_COVERED)
+ {
+ buffer->unsafe_to_concat_from_outbuffer (idx, buffer->idx + 1);
+ return_trace (false);
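Review bot: The patch header does not record what was corrected in this regeneration: the header hunk adds only a second Signed-off-by, while the existing `Comment1:`/`Comment2:` lines are where this backport's differences from upstream are explained. A line such as `Comment3: Removed the leftover "if (base_index == NOT_COVERED) return_trace (false);" so unsafe_to_concat_from_outbuffer() is reached` would let someone auditing the CVE-2023-25193 backport against the upstream commit see why the NOT_COVERED branch in this hunk changed. The enclosing apply() starts and ends outside the hunk, so the rest of the branch cannot be checked from here.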
@@ -174,6 +177,3 @@ index 5a7e564..437123c 100644
void set_auto_zwj (bool auto_zwj_) { auto_zwj = auto_zwj_; init_iters (); }
void set_auto_zwnj (bool auto_zwnj_) { auto_zwnj = auto_zwnj_; init_iters (); }
void set_random (bool random_) { random = random_; }
---
-2.25.1
-
--
2.34.1
* [OE-core][dunfell 16/22] linux-yocto/5.4: update to v5.4.249
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating to the latest korg -stable release that comprises
the following commits:
b30db4f7e45f Linux 5.4.249
c87439055174 xfs: verify buffer contents when we skip log replay
72ab3d39b443 mm: make wait_on_page_writeback() wait for multiple pending writebacks
9ea42ba3e695 mm: fix VM_BUG_ON(PageTail) and BUG_ON(PageWriteback)
dffd25725e99 i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle
f89bcf03e90c x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys
a43c763f9cbe drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
45f574d8dfc1 drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
c81a542e45a0 drm/exynos: vidi: fix a wrong error return
948b8b5fd0f3 ARM: dts: Fix erroneous ADS touchscreen polarities
8d6f9f5f3bfc ASoC: nau8824: Add quirk to active-high jack-detect
d6fd1b3f7648 s390/cio: unregister device when the only path is gone
0de32d3dd39d usb: gadget: udc: fix NULL dereference in remove()
823dd7de8213 nfcsim.c: Fix error checking for debugfs_create_dir
c32b39d0707b media: cec: core: don't set last_initiator if tx in progress
a69a15a1e789 arm64: Add missing Set/Way CMO encodings
99de9a18e646 HID: wacom: Add error check to wacom_parse_and_register()
2af8d9637270 scsi: target: iscsi: Prevent login threads from racing between each other
321a81d26c8d sch_netem: acquire qdisc lock in netem_change()
91274bbe78a2 Revert "net: phy: dp83867: perform soft reset and retain established link"
25c8d38c7560 netfilter: nfnetlink_osf: fix module autoload
476c617e4dd4 netfilter: nf_tables: disallow element updates of bound anonymous sets
d3b110395fea be2net: Extend xmit workaround to BE3 chip
789d5286060f net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch
35373d602bd4 ipvs: align inner_mac_header for encapsulation
ee155675bda8 mmc: usdhi60rol0: fix deferred probing
0bd483fb95ce mmc: sh_mmcif: fix deferred probing
6160d37db171 mmc: sdhci-acpi: fix deferred probing
b25875cf5e3b mmc: omap_hsmmc: fix deferred probing
cbb0118f8aa0 mmc: omap: fix deferred probing
e0d505356973 mmc: mvsdio: fix deferred probing
c2e675509ff8 mmc: mvsdio: convert to devm_platform_ioremap_resource
3ef787d61972 mmc: mtk-sd: fix deferred probing
3c01d64996be net: qca_spi: Avoid high load if QCA7000 is not available
bf7a4fd33669 xfrm: Linearize the skb after offloading if needed.
d0fe8a733fa7 ieee802154: hwsim: Fix possible memory leaks
dfcac203a36a rcu: Upgrade rcu_swap_protected() to rcu_replace_pointer()
94199d4727f6 x86/mm: Avoid using set_pgd() outside of real PGD pages
be178a5eae0f cifs: Fix potential deadlock when updating vol in cifs_reconnect()
8a5aaa4562a9 cifs: Merge is_path_valid() into get_normalized_path()
339134c15c64 cifs: Introduce helpers for finding TCP connection
cf8c7aa90618 cifs: Get rid of kstrdup_const()'d paths
3fa4c08104c4 cifs: Clean up DFS referral cache
b73539b887a4 nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
1cc7dcfdeb5e writeback: fix dereferencing NULL mapping->host on writeback_page_template
18a0202bec17 ip_tunnels: allow VXLAN/GENEVE to inherit TOS/TTL from VLAN
ab530c9bec51 mmc: meson-gx: remove redundant mmc_request_done() call from irq context
88b373d1c5e9 cgroup: Do not corrupt task iteration when rebinding subsystem
c06c568e43e7 PCI: hv: Fix a race condition bug in hv_pci_query_relations()
f02a67690777 Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs
966708ed9dd9 nilfs2: fix buffer corruption due to concurrent device reads
a93ae93e9f1b media: dvb-core: Fix use-after-free due to race at dvb_register_device()
225bd8cc9c3f media: dvbdev: fix error logic at dvb_register_device()
5bc971f0435f media: dvbdev: Fix memleak in dvb_register_device
40d7530bc7fd tick/common: Align tick period during sched_timer setup
b9b61fd1f74d x86/purgatory: remove PGO flags
4d02a166cbee tracing: Add tracing_reset_all_online_cpus_unlocked() function
e14e9cc588bd epoll: ep_autoremove_wake_function should use list_del_init_careful
e77e5481d5bf list: add "list_del_init_careful()" to go with "list_empty_careful()"
c32ab1c1959a mm: rewrite wait_on_page_bit_common() logic
559cefc7c25f nilfs2: reject devices with insufficient block count
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../linux/linux-yocto-rt_5.4.bb | 6 ++---
.../linux/linux-yocto-tiny_5.4.bb | 8 +++----
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +++++++++----------
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index d775a60e9f..8e2ac6f853 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "8d8179549a233e7517523ac12887016451da2e20"
-SRCREV_meta ?= "465d61ba36f5c7e32d1fddef078d5d2068fcc2cc"
+SRCREV_machine ?= "7c1c3e523391507938420fb93bfafbbf1788e6b1"
+SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.248"
+LINUX_VERSION ?= "5.4.249"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 5e2b2ab6cf..710fc63d47 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.248"
+LINUX_VERSION ?= "5.4.249"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "ca5368c73bab4eb276a8e721df28c02ceb8f3eeb"
-SRCREV_machine ?= "abb579170926348d1518bc1a2de8cb1cdf403808"
-SRCREV_meta ?= "465d61ba36f5c7e32d1fddef078d5d2068fcc2cc"
+SRCREV_machine_qemuarm ?= "532857ef9f2014098015fa9ba30501639f8840ee"
+SRCREV_machine ?= "de0d74f8949990ebd464742fbb4b4e5bfaace7b3"
+SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 336e72eede..3e4c1ca08b 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "68775a8671944b96c6a1ee795809f81149951f2d"
-SRCREV_machine_qemuarm64 ?= "54bc3d459501d8df9baf093a34d8bb676c207a07"
-SRCREV_machine_qemumips ?= "ba2d346cc66307fa6332b9fb86eb8ca66f30ebcd"
-SRCREV_machine_qemuppc ?= "6703d4c7c75fab78e0c72227a98aba8071d5b1c3"
-SRCREV_machine_qemuriscv64 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
-SRCREV_machine_qemux86 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
-SRCREV_machine_qemux86-64 ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
-SRCREV_machine_qemumips64 ?= "66cac7d41a43594760f6ac48e848d73315cc5dd3"
-SRCREV_machine ?= "d18af0e8acb7c4cb245739fa8165a44845ff2ba0"
-SRCREV_meta ?= "465d61ba36f5c7e32d1fddef078d5d2068fcc2cc"
+SRCREV_machine_qemuarm ?= "05e04a6628f7da8169ee7c46288bdcf5694de623"
+SRCREV_machine_qemuarm64 ?= "23ac11eda9c661a3d01fc0142a6e23aad03f2b08"
+SRCREV_machine_qemumips ?= "08adf55a99423b9a86b9cf0b11dcf1f6bf0a280d"
+SRCREV_machine_qemuppc ?= "5b29dfbf9af0afb45cc588154a9ac6c7f68f4d81"
+SRCREV_machine_qemuriscv64 ?= "19998b76926cac29365e10bc1abc976ff2481cb5"
+SRCREV_machine_qemux86 ?= "19998b76926cac29365e10bc1abc976ff2481cb5"
+SRCREV_machine_qemux86-64 ?= "19998b76926cac29365e10bc1abc976ff2481cb5"
+SRCREV_machine_qemumips64 ?= "a70b5911861ec339487b3fd3edc49983d3e46669"
+SRCREV_machine ?= "19998b76926cac29365e10bc1abc976ff2481cb5"
+SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.248"
+LINUX_VERSION ?= "5.4.249"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.34.1
* [OE-core][dunfell 17/22] linux-yocto/5.4: update to v5.4.250
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating to the latest korg -stable release that comprises
the following commits:
27745d94abe1 Linux 5.4.250
00363ef30797 x86/cpu/amd: Add a Zenbleed fix
92b292bed627 x86/cpu/amd: Move the errata checking functionality up
4d4112e2845c x86/microcode/AMD: Load late on both threads too
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../linux/linux-yocto-rt_5.4.bb | 6 ++---
.../linux/linux-yocto-tiny_5.4.bb | 8 +++----
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +++++++++----------
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index 8e2ac6f853..f31b920ca7 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "7c1c3e523391507938420fb93bfafbbf1788e6b1"
-SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736"
+SRCREV_machine ?= "0057180769503ac049b495a794f864053965c7ea"
+SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.249"
+LINUX_VERSION ?= "5.4.250"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 710fc63d47..6f94fe3bd6 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.249"
+LINUX_VERSION ?= "5.4.250"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "532857ef9f2014098015fa9ba30501639f8840ee"
-SRCREV_machine ?= "de0d74f8949990ebd464742fbb4b4e5bfaace7b3"
-SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736"
+SRCREV_machine_qemuarm ?= "f0ae300728e87e4b1e51305737b9f4dda383e7bf"
+SRCREV_machine ?= "de7c8d928de44e1c130760bf11d741d25e1c0213"
+SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 3e4c1ca08b..9589ca280a 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "05e04a6628f7da8169ee7c46288bdcf5694de623"
-SRCREV_machine_qemuarm64 ?= "23ac11eda9c661a3d01fc0142a6e23aad03f2b08"
-SRCREV_machine_qemumips ?= "08adf55a99423b9a86b9cf0b11dcf1f6bf0a280d"
-SRCREV_machine_qemuppc ?= "5b29dfbf9af0afb45cc588154a9ac6c7f68f4d81"
-SRCREV_machine_qemuriscv64 ?= "19998b76926cac29365e10bc1abc976ff2481cb5"
-SRCREV_machine_qemux86 ?= "19998b76926cac29365e10bc1abc976ff2481cb5"
-SRCREV_machine_qemux86-64 ?= "19998b76926cac29365e10bc1abc976ff2481cb5"
-SRCREV_machine_qemumips64 ?= "a70b5911861ec339487b3fd3edc49983d3e46669"
-SRCREV_machine ?= "19998b76926cac29365e10bc1abc976ff2481cb5"
-SRCREV_meta ?= "cc142627e073a6ef70b2646df36a8119cda3c736"
+SRCREV_machine_qemuarm ?= "fb7218e03f4d75e77f3bc50217855e043e32b06a"
+SRCREV_machine_qemuarm64 ?= "9561485ac053a0ea76ee95fa8dead1da30a41a8a"
+SRCREV_machine_qemumips ?= "7bd91d1af3b4a24e1f34e3a9583d02d7f08aaf53"
+SRCREV_machine_qemuppc ?= "f4145ff9d93b0e0b0393d16c1889bcf3c6e13e15"
+SRCREV_machine_qemuriscv64 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1"
+SRCREV_machine_qemux86 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1"
+SRCREV_machine_qemux86-64 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1"
+SRCREV_machine_qemumips64 ?= "72944e165489f0dc5121461bfc74fb2bfaa3d7d7"
+SRCREV_machine ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1"
+SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.249"
+LINUX_VERSION ?= "5.4.250"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.34.1
* [OE-core][dunfell 18/22] linux-yocto/5.4: update to v5.4.251
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating to the latest korg -stable release that comprises
the following commits:
887433e4bc93 Linux 5.4.251
1e02fbe4f0ed tracing/histograms: Return an error if we fail to add histogram to hist_vars list
b1062596556e tcp: annotate data-races around fastopenq.max_qlen
21c325d01ecc tcp: annotate data-races around tp->notsent_lowat
7175277b4d0b tcp: annotate data-races around rskq_defer_accept
3121d649e4c6 tcp: annotate data-races around tp->linger2
b1cd5655fc13 net: Replace the limit of TCP_LINGER2 with TCP_FIN_TIMEOUT_MAX
8ce44cf35ef6 tcp: annotate data-races around tp->tcp_tx_delay
c822536b3e41 netfilter: nf_tables: can't schedule in nft_chain_validate
caa228792fb5 netfilter: nf_tables: fix spurious set element insertion failure
b8944e53ee70 llc: Don't drop packet from non-root netns.
b07e31824df6 fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe
6d39e9fc5934 Revert "tcp: avoid the lookup process failing to get sk in ehash table"
0c0bd9789a8d net:ipv6: check return value of pskb_trim()
17046107ca15 iavf: Fix use-after-free in free_netdev
765e1eaf42de net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field()
3b6f56021af6 pinctrl: amd: Use amd_pinconf_set() for all config options
951f4e9730f1 fbdev: imxfb: warn about invalid left/right margin
3e03319ab97d spi: bcm63xx: fix max prepend length
c9f56f3c7bc9 igb: Fix igb_down hung on surprise removal
7d80e834625c wifi: iwlwifi: mvm: avoid baid size integer overflow
41d149376078 wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()
970c7035f4b0 devlink: report devlink_port_type_warn source device
e09a285ea1e8 bpf: Address KCSAN report on bpf_lru_list
cec1857b1ea5 sched/fair: Don't balance task to its current running CPU
9d8d3df71516 arm64: mm: fix VA-range sanity check
8ad6679a5bb9 posix-timers: Ensure timer ID search-loop limit is valid
d0345f7c7dbc md/raid10: prevent soft lockup while flush writes
09539f9e2076 md: fix data corruption for raid456 when reshape restart while grow up
4181c30a2c55 nbd: Add the maximum limit of allocated index in nbd_dev_add
d4f1cd9b9d66 debugobjects: Recheck debug_objects_enabled before reporting
0afcebcec057 ext4: correct inline offset when handling xattrs in inode body
5d580017bdb9 drm/client: Fix memory leak in drm_client_modeset_probe
52daf6ba2e0d drm/client: Fix memory leak in drm_client_target_cloned
9533dbfac0ff can: bcm: Fix UAF in bcm_proc_show()
5dd838be69e4 selftests: tc: set timeout to 15 minutes
7f83199862c2 fuse: revalidate: don't invalidate if interrupted
ae91ab710d8e btrfs: fix warning when putting transaction with qgroups enabled after abort
e217a3d19e10 perf probe: Add test for regression introduced by switch to die_get_decl_file()
380c7ceabdde drm/atomic: Fix potential use-after-free in nonblocking commits
b7084ebf4f54 scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
3f22f9ddbb29 scsi: qla2xxx: Pointer may be dereferenced
a1c5149a82de scsi: qla2xxx: Correct the index of array
1b7e5bdf2be2 scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
4f90a8b04816 scsi: qla2xxx: Fix potential NULL pointer dereference
d25fded78d88 scsi: qla2xxx: Wait for io return on terminate rport
056fd1820724 tracing/probes: Fix not to count error code to total length
93114cbc7cb1 tracing: Fix null pointer dereference in tracing_err_log_open()
597eb52583d4 xtensa: ISS: fix call to split_if_spec
e84829522fc7 ring-buffer: Fix deadloop issue on reading trace_pipe
481535905608 tracing/histograms: Add histograms to hist_vars if they have referenced variables
46574e5a0a2a tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk
30962268fa1a tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error
0697a1a592c7 Revert "8250: add support for ASIX devices with a FIFO bug"
45e55e9cac13 meson saradc: fix clock divider mask length
2cdced57bc00 ceph: don't let check_caps skip sending responses for revoke msgs
1883a484c87e hwrng: imx-rngc - fix the timeout for init and self check
e3373e6b6c79 firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool()
826c7bfe5c49 serial: atmel: don't enable IRQs prematurely
15d4bd0f0a6b drm/rockchip: vop: Leave vblank enabled in self-refresh
6bc6ec8b0a0b drm/atomic: Allow vblank-enabled + self-refresh "disable"
f86942709b0e fs: dlm: return positive pid value for F_GETLK
ecfd1f82c4f5 md/raid0: add discard support for the 'original' layout
dac4afa3efae misc: pci_endpoint_test: Re-init completion for every test
dd2210379205 misc: pci_endpoint_test: Free IRQs before removing the device
9cfa4ef25de5 PCI: rockchip: Set address alignment for endpoint mode
35aec6bc0c04 PCI: rockchip: Use u32 variable to access 32-bit registers
13b93891308c PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core
c049b20655f6 PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked
a1f311d430f2 PCI: rockchip: Write PCI Device ID to correct register
592795119f2b PCI: rockchip: Assert PCI Configuration Enable bit after probe
35c95eda7b6d PCI: qcom: Disable write access to read only registers for IP v2.3.3
b0aac7792525 PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
f450388d8b6d PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold
a4855aeb13e4 jfs: jfs_dmap: Validate db_l2nbperpage while mounting
ee2fd448608e ext4: only update i_reserved_data_blocks on successful block allocation
02543d1ddd77 ext4: fix wrong unit use in ext4_mb_clear_bb
96a85becb811 erofs: fix compact 4B support for 16k block size
42725e5c1b18 SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
29a560437f67 misc: fastrpc: Create fastrpc scalar with correct buffer count
b157987242bd powerpc: Fail build if using recordmcount with binutils v2.37
2b59740ebc86 net: bcmgenet: Ensure MDIO unregistration has clocks enabled
1fe96568e78b mtd: rawnand: meson: fix unaligned DMA buffers handling
86b9820395f2 tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation
96a16069a81d pinctrl: amd: Only use special debounce behavior for GPIO 0
6dcb493fc478 pinctrl: amd: Detect internal GPIO0 debounce handling
a1a443651569 pinctrl: amd: Fix mistake in handling clearing pins at startup
cf57a0853ba5 net/sched: make psched_mtu() RTNL-less safe
96391959a99e net/sched: flower: Ensure both minimum and maximum ports are specified
166fa538e0dd cls_flower: Add extack support for src and dst port range options
aadca5f08aef wifi: airo: avoid uninitialized warning in airo_get_rate()
cc2c06ca7fbf erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF
b55c38fe2441 platform/x86: wmi: Break possible infinite loop when parsing GUID
cb8a256202b9 platform/x86: wmi: move variables
669c488cb25a platform/x86: wmi: use guid_t and guid_equal()
fd8049d6553f platform/x86: wmi: remove unnecessary argument
4c8e26fc3302 platform/x86: wmi: Fix indentation in some cases
8717326e4362 platform/x86: wmi: Replace UUID redefinitions by their originals
c7eeba470585 ipv6/addrconf: fix a potential refcount underflow for idev
7a06554214fe NTB: ntb_tool: Add check for devm_kcalloc
88e243618e4c NTB: ntb_transport: fix possible memory leak while device_register() fails
b5b9e041eb04 ntb: intel: Fix error handling in intel_ntb_pci_driver_init()
0ae4fac8fe33 NTB: amd: Fix error handling in amd_ntb_pci_driver_init()
bb17520c0383 ntb: idt: Fix error handling in idt_pci_driver_init()
4e64ef41c6cf udp6: fix udp6_ehashfn() typo
61b4c4659746 icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().
4c7276a6daf7 ionic: remove WARN_ON to prevent panic_on_warn
3e77647acdcf ionic: ionic_intr_free parameter change
f0dc38bdef52 ionic: move irq request to qcq alloc
7cf21fba1bf8 ionic: clean irq affinity on queue deinit
ef7fc26b6a19 ionic: improve irq numa locality
808211a8d427 net/sched: cls_fw: Fix improper refcount update leads to use-after-free
d98ac5bce2d5 net: mvneta: fix txq_map in case of txq_number==1
58cd168825b4 scsi: qla2xxx: Fix error code in qla2x00_start_sp()
b49b55a7d578 igc: set TP bit in 'supported' and 'advertising' fields of ethtool_link_ksettings
a45afb07121c igc: Remove delay during TX ring configuration
59c190082a01 drm/panel: simple: Add connector_type for innolux_at043tn24
64b76abfe32d drm/panel: Add and fill drm_panel type field
362940f8e40f drm/panel: Initialise panel dev and funcs through drm_panel_init()
6d5172a3ab8f workqueue: clean up WORK_* constant types, clarify masking
003d33924911 net: lan743x: Don't sleep in atomic context
373b9475ea8c block/partition: fix signedness issue for Amiga partitions
22df19fee7b9 tty: serial: fsl_lpuart: add earlycon for imx8ulp platform
b7d636c924eb netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
61c7a5256543 netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
565bdccdded3 netfilter: nf_tables: fix scheduling-while-atomic splat
7c4610ac3b41 netfilter: nf_tables: unbind non-anonymous set if rule construction fails
90d54ee329d2 netfilter: nf_tables: reject unbound anonymous set before commit phase
1df28fde1270 netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain
1adb5c272b20 netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
077ef851f0a3 netfilter: nf_tables: add rescheduling points during loop detection walks
11352851944c netfilter: nf_tables: use net_generic infra for transaction data
d59ed9dc0058 netfilter: add helper function to set up the nfnetlink header and use it
fa498dead9ee netfilter: nftables: add helper function to set the base sequence number
ef35dd70a340 netfilter: nf_tables: fix nat hook table deletion
d1b7fe307c75 block: add overflow checks for Amiga partition support
2b71cbf7ab48 fanotify: disallow mount/sb marks on kernel internal pseudo fs
9a6ce27a5d61 fs: no need to check source
c1c41cda0ab1 ARM: orion5x: fix d2net gpio initialization
679c34821ab7 btrfs: fix race when deleting quota root from the dirty cow roots list
f0fbbd405a94 fs: Lock moved directories
b97ac51f8492 fs: Establish locking order for unrelated directories
d95dc41ad181 Revert "f2fs: fix potential corruption when moving a directory"
a9a926423a63 ext4: Remove ext4 locking of moved directory
eefebf8877d3 fs: avoid empty option when generating legacy mount string
e9a3310bc2fc jffs2: reduce stack usage in jffs2_build_xattr_subsystem()
a249a61ac528 integrity: Fix possible multiple allocation in integrity_inode_get()
0729029e6472 bcache: Remove unnecessary NULL point check in node allocations
4be68f1c7076 mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used.
2f6c76994646 mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M
c491e27151c1 mmc: core: disable TRIM on Kingston EMMC04G-M627
ce7278dedab7 NFSD: add encoding of op_recall flag for write delegation
5016511287dc ALSA: jack: Fix mutex call in snd_jack_report()
c64fda48a3ad i2c: xiic: Don't try to handle more interrupt events after error
696e470e910e i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in xiic_process()
498962715773 sh: dma: Fix DMA channel offset calculation
58b1b3c54e16 net: dsa: tag_sja1105: fix MAC DA patching from meta frames
67a67e258407 net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
ab0085bd7902 xsk: Honor SO_BINDTODEVICE on bind
9347e432297e xsk: Improve documentation for AF_XDP
e63dc31b9452 tcp: annotate data races in __tcp_oow_rate_limited()
e9c2687988b7 net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode
fffa51e786ce powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y
45b34500f3ef f2fs: fix error path handling in truncate_dnode()
860d9b717f65 mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0
398e6a015877 spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
18d50fb44109 Add MODULE_FIRMWARE() for FIRMWARE_TG357766.
4d8fc6137749 sctp: fix potential deadlock on &net->sctp.addr_wq_lock
999ff7fe492b rtc: st-lpc: Release some resources in st_rtc_probe() in case of error
d5c39cca4d03 pwm: sysfs: Do not apply state to already disabled PWMs
5375c024f8ae pwm: imx-tpm: force 'real_period' to be zero in suspend
d252c74b8b7a mfd: stmpe: Only disable the regulators if they are enabled
d9db18addf42 KVM: s390: vsie: fix the length of APCB bitmap
baec796723b7 mfd: stmfx: Fix error path in stmfx_chip_init
5d26f134efa8 serial: 8250_omap: Use force_suspend and resume for system suspend
337073cacad4 mfd: intel-lpss: Add missing check for platform_get_resource
0a6afc83b028 usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove()
becd09685d44 KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes
151b0dd6d1a0 mfd: rt5033: Drop rt5033-battery sub-device
8e8dae8eb230 usb: hide unused usbfs_notify_suspend/resume functions
fe9cdc198619 usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()
1531ba3fab51 extcon: Fix kernel doc of property capability fields to avoid warnings
257daec29dcd extcon: Fix kernel doc of property fields to avoid warnings
648a163cff21 usb: dwc3: qcom: Fix potential memory leak
d485150c9a52 media: usb: siano: Fix warning due to null work_func_t function pointer
619e6f9a564a media: videodev2.h: Fix struct v4l2_input tuner index comment
e9586c49bdd4 media: usb: Check az6007_read() return value
fd869bdb5f12 sh: j2: Use ioremap() to translate device tree address into kernel memory
85f4c53849e4 w1: fix loop in w1_fini()
dc88382c1d44 block: change all __u32 annotations to __be32 in affs_hardblocks.h
fa8548d1a0a4 block: fix signed int overflow in Amiga partition support
bec218258cbd usb: dwc3: gadget: Propagate core init errors to UDC during pullup
f55127df9918 USB: serial: option: add LARA-R6 01B PIDs
bac502cd472a hwrng: st - keep clock enabled while hwrng is registered
071560202a52 hwrng: st - Fix W=1 unused variable warning
18fa56ca4cb8 NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION
c182d87c67e2 ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard
02dc8e8bdbe4 modpost: fix off by one in is_executable_section()
1030c0c30968 crypto: marvell/cesa - Fix type mismatch warning
ad3c4ecff00b modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24}
084bf580019c modpost: fix section mismatch message for R_ARM_ABS32
c893658d9ce6 crypto: nx - fix build warnings when DEBUG_FS is not enabled
a43bcb0b661c hwrng: virtio - Fix race on data_avail and actual data
b70315e44f03 hwrng: virtio - always add a pending request
102a354d52ca hwrng: virtio - don't waste entropy
f2a7dfd35f0c hwrng: virtio - don't wait on cleanup
6fe732764a58 hwrng: virtio - add an internal buffer
2cbfb51d2c7e powerpc/mm/dax: Fix the condition when checking if altmap vmemap can cross-boundary
aa3932eb0739 pinctrl: at91-pio4: check return value of devm_kasprintf()
e297350c33f6 perf dwarf-aux: Fix off-by-one in die_get_varname()
7f822c8036fe pinctrl: cherryview: Return correct value if pin in push-pull mode
1768e362f20f PCI: Add pci_clear_master() stub for non-CONFIG_PCI
5d3955bc32d4 PCI: ftpci100: Release the clock resources
331dce61c0d4 PCI: pciehp: Cancel bringup sequence if card is not present
f58c8563686b scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe()
666e7f9d60ce PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free
961c8370c5f7 scsi: qedf: Fix NULL dereference in error handling
6f64558b43cf ASoC: imx-audmix: check return value of devm_kasprintf()
35455616110b clk: keystone: sci-clk: check return value of kasprintf()
ffe6ad17cf14 clk: cdce925: check return value of kasprintf()
5f13d67027fa ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
801c8341f7af clk: tegra: tegra124-emc: Fix potential memory leak
262db3ff58e2 drm/radeon: fix possible division-by-zero errors
cacc0506e571 drm/amdkfd: Fix potential deallocation of previously deallocated memory.
9e3858f82e3c fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()
5541d1856c87 arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
40ac5cb6cbb0 IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors
68e0033dee72 soc/fsl/qe: fix usb.c build errors
b756eb5eb9b0 ASoC: es8316: Do not set rate constraints for unsupported MCLKs
d1c1ca27cac0 ASoC: es8316: Increment max value for ALC Capture Target Volume control
b54bac970b54 memory: brcmstb_dpfe: fix testing array offset after use
f54142ed16b5 ARM: ep93xx: fix missing-prototype warnings
c2324c5aa247 drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
4a23954279fc arm64: dts: qcom: msm8916: correct camss unit address
97dcb8dfefaa ARM: dts: gta04: Move model property out of pinctrl node
25bbd1c7bef8 RDMA/bnxt_re: Fix to remove an unnecessary log
ed039ad88ab0 drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks`
87ccaf56097a Input: adxl34x - do not hardcode interrupt trigger type
c7a8cc9140cf ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
c516c00847f5 Input: drv260x - sleep between polling GO bit
3e789aee218b radeon: avoid double free in ci_dpm_init()
bc5b57a23087 netlink: Add __sock_i_ino() for __netlink_diag_dump().
1c405b3d3769 ipvlan: Fix return value of ipvlan_queue_xmit()
1d2ab3d4383e netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value.
337fdce45063 netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one
32deadf89430 lib/ts_bm: reset initial match offset for every block of text
dd6ff3f38627 net: nfc: Fix use-after-free caused by nfc_llcp_find_local
edc5d8776a32 nfc: llcp: simplify llcp_sock_connect() error paths
9c9662e2512b gtp: Fix use-after-free in __gtp_encap_destroy().
08d8ff1bc688 selftests: rtnetlink: remove netdevsim device after ipsec offload test
bd1de6107f10 netlink: do not hard code device address lenth in fdb dumps
8f6652ed2ad9 netlink: fix potential deadlock in netlink_set_err()
88d89b4a3102 wifi: ath9k: convert msecs to jiffies where needed
76d5bda2c3af wifi: cfg80211: rewrite merging of inherited elements
e4c33144fc75 wifi: iwlwifi: pull from TXQs with softirqs disabled
2ba902da9090 rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO
786e264b37d2 wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
68305a19bada memstick r592: make memstick_debug_get_tpc_name() static
6f4454ccbea9 kexec: fix a memory leak in crash_shrink_memory()
4503261ab97b watchdog/perf: more properly prevent false positives with turbo modes
d5fa3918dfce watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct config
7874fb3bef8b wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown
4dc3560561a0 wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
f432198058a6 wifi: ray_cs: Fix an error handling path in ray_probe()
8fe51dce8bdc wifi: ray_cs: Drop useless status variable in parse_addr()
0dec0ad304d4 wifi: ray_cs: Utilize strnlen() in parse_addr()
ee73ad566a29 wifi: wl3501_cs: Fix an error handling path in wl3501_probe()
b7df4e0cb4ed wl3501_cs: use eth_hw_addr_set()
24f34f67be24 net: create netdev->dev_addr assignment helpers
dd5dca10d806 wl3501_cs: Fix misspelling and provide missing documentation
051d70773b9c wl3501_cs: Remove unnecessary NULL check
91c3c9eaf1ed wl3501_cs: Fix a bunch of formatting issues related to function docs
add539f7d16b wifi: atmel: Fix an error handling path in atmel_probe()
5b06f702805d wifi: orinoco: Fix an error handling path in orinoco_cs_probe()
ca4a2955d866 wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
91c3325da240 regulator: core: Streamline debugfs operations
1bb38ef697e4 regulator: core: Fix more error checking for debugfs_create_dir()
6ca0c94f2b02 nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect()
66a1be74230b nfc: constify several pointers to u8, char and sk_buff
fea2104e752a wifi: mwifiex: Fix the size of a memory allocation in mwifiex_ret_802_11_scan()
bc5099512057 spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG
f394d204d640 samples/bpf: Fix buffer overflow in tcp_basertt
90e3c1017757 wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
be3989d93be3 wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation
717e4277ddf7 ima: Fix build warnings
8430a8e8e854 pstore/ram: Add check for kstrdup
540cdd720772 evm: Complete description of evm_inode_setattr()
568b73406d93 ARM: 9303/1: kprobes: avoid missing-declaration warnings
ba6da16eefb1 powercap: RAPL: Fix CONFIG_IOSF_MBI dependency
c97460ce1f7c PM: domains: fix integer overflow issues in genpd_parse_state()
54cc10a0f4b0 clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
38ca169d66c3 clocksource/drivers/cadence-ttc: Use ttc driver as platform driver
8af3b8d770da tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode().
7b0c664541cd irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
d244927e350e irqchip/jcore-aic: Kill use of irq_create_strict_mappings()
be481881753b md/raid10: fix io loss while replacement replace rdev
45fa023b3334 md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request
31c805a44b75 md/raid10: fix wrong setting of max_corr_read_errors
283f4a63fee3 md/raid10: fix overflow of md/safe_mode_delay
b0b971fe7d61 md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
484104918305 x86/resctrl: Only show tasks' pid in current pid namespace
7206eca1ac44 x86/resctrl: Use is_closid_match() in more places
6f2bb37da468 bgmac: fix *initial* chip reset to support BCM5358
794bfb6fd992 drm/amdgpu: Validate VM ioctl flags.
2a4cfd5b0354 scripts/tags.sh: Resolve gtags empty index generation
fff826d665f9 drm/i915: Initialise outparam for error return from wait_for_register
99036f1aed7e HID: wacom: Use ktime_t rather than int when dealing with timestamps
815c95d82b79 fbdev: imsttfb: Fix use after free bug in imsttfb_probe
a7c8d2f3753d video: imsttfb: check for ioremap() failures
f042d80a631f x86/smp: Use dedicated cache-line for mwait_play_dead()
23f98fe887ce gfs2: Don't deref jdesc in evict
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../linux/linux-yocto-rt_5.4.bb | 6 ++---
.../linux/linux-yocto-tiny_5.4.bb | 8 +++----
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +++++++++----------
3 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
index f31b920ca7..3a44375824 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb
@@ -11,13 +11,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "0057180769503ac049b495a794f864053965c7ea"
-SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4"
+SRCREV_machine ?= "6a552f5822442183d2487c91903f27085183ca0e"
+SRCREV_meta ?= "25f38de25d47570a132a18a1dc147b10e05b378b"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
-LINUX_VERSION ?= "5.4.250"
+LINUX_VERSION ?= "5.4.251"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
index 6f94fe3bd6..3136b0defc 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb
@@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig"
require recipes-kernel/linux/linux-yocto.inc
-LINUX_VERSION ?= "5.4.250"
+LINUX_VERSION ?= "5.4.251"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine_qemuarm ?= "f0ae300728e87e4b1e51305737b9f4dda383e7bf"
-SRCREV_machine ?= "de7c8d928de44e1c130760bf11d741d25e1c0213"
-SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4"
+SRCREV_machine_qemuarm ?= "29ae0b5c67d29249bf00cb8eaaae5914d928bbd6"
+SRCREV_machine ?= "16db12c2685020aa6347a18df5099f40a9176366"
+SRCREV_meta ?= "25f38de25d47570a132a18a1dc147b10e05b378b"
PV = "${LINUX_VERSION}+git${SRCPV}"
diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
index 9589ca280a..848d9a339d 100644
--- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base"
KBRANCH_qemux86-64 ?= "v5.4/standard/base"
KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64"
-SRCREV_machine_qemuarm ?= "fb7218e03f4d75e77f3bc50217855e043e32b06a"
-SRCREV_machine_qemuarm64 ?= "9561485ac053a0ea76ee95fa8dead1da30a41a8a"
-SRCREV_machine_qemumips ?= "7bd91d1af3b4a24e1f34e3a9583d02d7f08aaf53"
-SRCREV_machine_qemuppc ?= "f4145ff9d93b0e0b0393d16c1889bcf3c6e13e15"
-SRCREV_machine_qemuriscv64 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1"
-SRCREV_machine_qemux86 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1"
-SRCREV_machine_qemux86-64 ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1"
-SRCREV_machine_qemumips64 ?= "72944e165489f0dc5121461bfc74fb2bfaa3d7d7"
-SRCREV_machine ?= "c862ec7816d3f8b34c6e2a9ba9d2dae79eda31d1"
-SRCREV_meta ?= "863d597749c6214d272d704c8c04ead3373142f4"
+SRCREV_machine_qemuarm ?= "9a096c043b453855252aece3716d50fdf4111a77"
+SRCREV_machine_qemuarm64 ?= "25499e5c52ebb2111a3dd7dd863937f56cf2a39d"
+SRCREV_machine_qemumips ?= "12e990899599d1aac8dd8007a8864db68135d6f0"
+SRCREV_machine_qemuppc ?= "19d91ad471bb87a464520283e58d5ff83c7151fa"
+SRCREV_machine_qemuriscv64 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5"
+SRCREV_machine_qemux86 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5"
+SRCREV_machine_qemux86-64 ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5"
+SRCREV_machine_qemumips64 ?= "854f6bee15babf95445644cba59691cd45173180"
+SRCREV_machine ?= "2adacd3242d46ddaff62e5a4695b98edf01cccc5"
+SRCREV_meta ?= "25f38de25d47570a132a18a1dc147b10e05b378b"
# remap qemuarm to qemuarma15 for the 5.4 kernel
# KMACHINE_qemuarm ?= "qemuarma15"
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}"
LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814"
-LINUX_VERSION ?= "5.4.250"
+LINUX_VERSION ?= "5.4.251"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
DEPENDS += "openssl-native util-linux-native"
--
2.34.1
* [OE-core][dunfell 19/22] openssl: Upgrade 1.1.1t -> 1.1.1v
@ 2023-08-13 21:18 ` Steve Sakoman
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
https://www.openssl.org/news/openssl-1.1.1-notes.html
Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023]
* Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
* Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
All CVEs for upgrade to 1.1.1u were already patched, so effectively
this will apply patches for CVE-2023-3446 and CVE-2023-3817 plus
several non-CVE fixes.
Because mips build changes were backported to the openssl 1.1.1 branch,
a backport of a patch from kirkstone is necessary.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...1-Configure-do-not-tweak-mips-cflags.patch | 37 +++
.../openssl/openssl/CVE-2023-0464.patch | 226 ------------------
.../openssl/openssl/CVE-2023-0465.patch | 60 -----
.../openssl/openssl/CVE-2023-0466.patch | 82 -------
.../openssl/openssl/CVE-2023-2650.patch | 122 ----------
.../{openssl_1.1.1t.bb => openssl_1.1.1v.bb} | 7 +-
6 files changed, 39 insertions(+), 495 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
rename meta/recipes-connectivity/openssl/{openssl_1.1.1t.bb => openssl_1.1.1v.bb} (96%)
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
new file mode 100644
index 0000000000..b3f6a942d5
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -0,0 +1,37 @@
+From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Tue, 14 Sep 2021 12:18:25 +0200
+Subject: [PATCH] Configure: do not tweak mips cflags
+
+This conflicts with mips machine definitons from yocto,
+e.g.
+| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ Configure | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+Index: openssl-3.0.4/Configure
+===================================================================
+--- openssl-3.0.4.orig/Configure
++++ openssl-3.0.4/Configure
+@@ -1243,16 +1243,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+ push @{$config{shared_ldflag}}, "-mno-cygwin";
+ }
+
+-if ($target =~ /linux.*-mips/ && !$disabled{asm}
+- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+- # minimally required architecture flags for assembly modules
+- my $value;
+- $value = '-mips2' if ($target =~ /mips32/);
+- $value = '-mips3' if ($target =~ /mips64/);
+- unshift @{$config{cflags}}, $value;
+- unshift @{$config{cxxflags}}, $value if $config{CXX};
+-}
+-
+ # If threads aren't disabled, check how possible they are
+ unless ($disabled{threads}) {
+ if ($auto_threads) {
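Review bot: The embedded patch still carries the quilt headers of the tree it was taken from, `Index: openssl-3.0.4/Configure` and `--- openssl-3.0.4.orig/Configure`, and its hunk position `-1243,16 +1243,6` refers to that 3.0.4 Configure, while this recipe builds 1.1.1v. It presumably applies only by offset, so it is worth refreshing it against the 1.1.1v source, so that the header and line numbers match the file actually patched and a later context change fails at do_patch instead of applying with fuzz. Because `Upstream-Status: Inappropriate [oe-core specific]` makes this a permanent local change to how a crypto library's assembly modules are built, the patch description should also record its origin, for example `Comment: taken from kirkstone, refreshed for 1.1.1v`, and state that the mips architecture level is now expected to come from the machine tune flags.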
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
deleted file mode 100644
index cce5bad9f0..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0464.patch
+++ /dev/null
@@ -1,226 +0,0 @@
-From 879f7080d7e141f415c79eaa3a8ac4a3dad0348b Mon Sep 17 00:00:00 2001
-From: Pauli <pauli@openssl.org>
-Date: Wed, 8 Mar 2023 15:28:20 +1100
-Subject: [PATCH] x509: excessive resource use verifying policy constraints
-
-A security vulnerability has been identified in all supported versions
-of OpenSSL related to the verification of X.509 certificate chains
-that include policy constraints. Attackers may be able to exploit this
-vulnerability by creating a malicious certificate chain that triggers
-exponential use of computational resources, leading to a denial-of-service
-(DoS) attack on affected systems.
-
-Fixes CVE-2023-0464
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-(Merged from https://github.com/openssl/openssl/pull/20569)
-
-CVE: CVE-2023-0464
-Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b]
-Signed-off-by: Nikhil R <nikhil.r@kpit.com>
-
----
- crypto/x509v3/pcy_local.h | 8 +++++++-
- crypto/x509v3/pcy_node.c | 12 +++++++++---
- crypto/x509v3/pcy_tree.c | 37 +++++++++++++++++++++++++++----------
- 3 files changed, 43 insertions(+), 14 deletions(-)
-
-diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
-index 5daf78de45..344aa06765 100644
---- a/crypto/x509v3/pcy_local.h
-+++ b/crypto/x509v3/pcy_local.h
-@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
- };
-
- struct X509_POLICY_TREE_st {
-+ /* The number of nodes in the tree */
-+ size_t node_count;
-+ /* The maximum number of nodes in the tree */
-+ size_t node_maximum;
-+
- /* This is the tree 'level' data */
- X509_POLICY_LEVEL *levels;
- int nlevel;
-@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
- X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- X509_POLICY_DATA *data,
- X509_POLICY_NODE *parent,
-- X509_POLICY_TREE *tree);
-+ X509_POLICY_TREE *tree,
-+ int extra_data);
- void policy_node_free(X509_POLICY_NODE *node);
- int policy_node_match(const X509_POLICY_LEVEL *lvl,
- const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
-diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c
-index e2d7b15322..d574fb9d66 100644
---- a/crypto/x509v3/pcy_node.c
-+++ b/crypto/x509v3/pcy_node.c
-@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
- X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- X509_POLICY_DATA *data,
- X509_POLICY_NODE *parent,
-- X509_POLICY_TREE *tree)
-+ X509_POLICY_TREE *tree,
-+ int extra_data)
- {
- X509_POLICY_NODE *node;
-
-+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */
-+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
-+ return NULL;
-+
- node = OPENSSL_zalloc(sizeof(*node));
- if (node == NULL) {
- X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
-@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- }
- node->data = data;
- node->parent = parent;
-- if (level) {
-+ if (level != NULL) {
- if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
- if (level->anyPolicy)
- goto node_error;
-@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- }
- }
-
-- if (tree) {
-+ if (extra_data) {
- if (tree->extra_data == NULL)
- tree->extra_data = sk_X509_POLICY_DATA_new_null();
- if (tree->extra_data == NULL){
-@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
- }
- }
-
-+ tree->node_count++;
- if (parent)
- parent->nchild++;
-
-diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c
-index 6e8322cbc5..6c7fd35405 100644
---- a/crypto/x509v3/pcy_tree.c
-+++ b/crypto/x509v3/pcy_tree.c
-@@ -13,6 +13,18 @@
-
- #include "pcy_local.h"
-
-+/*
-+ * If the maximum number of nodes in the policy tree isn't defined, set it to
-+ * a generous default of 1000 nodes.
-+ *
-+ * Defining this to be zero means unlimited policy tree growth which opens the
-+ * door on CVE-2023-0464.
-+ */
-+
-+#ifndef OPENSSL_POLICY_TREE_NODES_MAX
-+# define OPENSSL_POLICY_TREE_NODES_MAX 1000
-+#endif
-+
- /*
- * Enable this to print out the complete policy tree at various point during
- * evaluation.
-@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
- return X509_PCY_TREE_INTERNAL;
- }
-
-+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */
-+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
-+
- /*
- * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
- *
-@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
- level = tree->levels;
- if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
- goto bad_tree;
-- if (level_add_node(level, data, NULL, tree) == NULL) {
-+ if (level_add_node(level, data, NULL, tree, 1) == NULL) {
- policy_data_free(data);
- goto bad_tree;
- }
-@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
- * Return value: 1 on success, 0 otherwise
- */
- static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
-- X509_POLICY_DATA *data)
-+ X509_POLICY_DATA *data,
-+ X509_POLICY_TREE *tree)
- {
- X509_POLICY_LEVEL *last = curr - 1;
- int i, matched = 0;
-@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
- X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
-
- if (policy_node_match(last, node, data->valid_policy)) {
-- if (level_add_node(curr, data, node, NULL) == NULL)
-+ if (level_add_node(curr, data, node, tree, 0) == NULL)
- return 0;
- matched = 1;
- }
- }
- if (!matched && last->anyPolicy) {
-- if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
-+ if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
- return 0;
- }
- return 1;
-@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
- * Return value: 1 on success, 0 otherwise.
- */
- static int tree_link_nodes(X509_POLICY_LEVEL *curr,
-- const X509_POLICY_CACHE *cache)
-+ const X509_POLICY_CACHE *cache,
-+ X509_POLICY_TREE *tree)
- {
- int i;
-
-@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
- X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
-
- /* Look for matching nodes in previous level */
-- if (!tree_link_matching_nodes(curr, data))
-+ if (!tree_link_matching_nodes(curr, data, tree))
- return 0;
- }
- return 1;
-@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr,
- /* Curr may not have anyPolicy */
- data->qualifier_set = cache->anyPolicy->qualifier_set;
- data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
-- if (level_add_node(curr, data, node, tree) == NULL) {
-+ if (level_add_node(curr, data, node, tree, 1) == NULL) {
- policy_data_free(data);
- return 0;
- }
-@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
- }
- /* Finally add link to anyPolicy */
- if (last->anyPolicy &&
-- level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
-+ level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL)
- return 0;
- return 1;
- }
-@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree,
- extra->qualifier_set = anyPolicy->data->qualifier_set;
- extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
- | POLICY_DATA_FLAG_EXTRA_NODE;
-- node = level_add_node(NULL, extra, anyPolicy->parent, tree);
-+ node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
- }
- if (!tree->user_policies) {
- tree->user_policies = sk_X509_POLICY_NODE_new_null();
-@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree)
-
- for (i = 1; i < tree->nlevel; i++, curr++) {
- cache = policy_cache_set(curr->cert);
-- if (!tree_link_nodes(curr, cache))
-+ if (!tree_link_nodes(curr, cache, tree))
- return X509_PCY_TREE_INTERNAL;
-
- if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
---
-2.34.1
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
deleted file mode 100644
index be5068074e..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0465.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 7 Mar 2023 16:52:55 +0000
-Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
- certs
-
-Even though we check the leaf cert to confirm it is valid, we
-later ignored the invalid flag and did not notice that the leaf
-cert was bad.
-
-Fixes: CVE-2023-0465
-
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/20588)
-
-CVE: CVE-2023-0465
-Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b013765abfa80036dc779dd0e50602c57bb3bf95]
-Comment: Refreshed first hunk
-Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
-
----
- crypto/x509/x509_vfy.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 925fbb5412..1dfe4f9f31 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -1649,18 +1649,25 @@
- }
- /* Invalid or inconsistent extensions */
- if (ret == X509_PCY_TREE_INVALID) {
-- int i;
-+ int i, cbcalled = 0;
-
- /* Locate certificates with bad extensions and notify callback. */
-- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
-+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
- X509 *x = sk_X509_value(ctx->chain, i);
-
- if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
- continue;
-+ cbcalled = 1;
- if (!verify_cb_cert(ctx, x, i,
- X509_V_ERR_INVALID_POLICY_EXTENSION))
- return 0;
- }
-+ if (!cbcalled) {
-+ /* Should not be able to get here */
-+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ /* The callback ignored the error so we return success */
- return 1;
- }
- if (ret == X509_PCY_TREE_FAILURE) {
---
-2.34.1
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
deleted file mode 100644
index f042aa5da1..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-0466.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 21 Mar 2023 16:15:47 +0100
-Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
-
-The function was incorrectly documented as enabling policy checking.
-
-Fixes: CVE-2023-0466
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/20564)
-
-CVE: CVE-2023-0466
-Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a]
-Comment: Refreshed first hunk from CHANGE and NEWS
-Signed-off-by: Omkar Patil <omkar.patil@kpit.com>
-
----
- CHANGES | 5 +++++
- NEWS | 1 +
- doc/man3/X509_VERIFY_PARAM_set_flags.pod | 9 +++++++--
- 3 files changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/CHANGES b/CHANGES
-index efccf7838e..b19f1429bb 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -9,6 +9,11 @@
-
- Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
-
-+ *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
-+ that it does not enable policy checking. Thanks to
-+ David Benjamin for discovering this issue. (CVE-2023-0466)
-+ [Tomas Mraz]
-+
- *) Fixed X.400 address type confusion in X.509 GeneralName.
-
- There is a type confusion vulnerability relating to X.400 address processing
-diff --git a/NEWS b/NEWS
-index 36a9bb6890..62615693fa 100644
---- a/NEWS
-+++ b/NEWS
-@@ -7,6 +7,7 @@
-
- Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
-
-+ o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
- o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
- o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
- o Fixed Double free after calling PEM_read_bio_ex (CVE-2022-4450)
-diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-index f6f304bf7b..aa292f9336 100644
---- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
-@@ -92,8 +92,9 @@ B<trust>.
- X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
- B<t>. Normally the current time is used.
-
--X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
--by default) and adds B<policy> to the acceptable policy set.
-+X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
-+Contrary to preexisting documentation of this function it does not enable
-+policy checking.
-
- X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
- by default) and sets the acceptable policy set to B<policies>. Any existing
-@@ -377,6 +378,10 @@ and has no effect.
-
- The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
-
-+The function X509_VERIFY_PARAM_add0_policy() was historically documented as
-+enabling policy checking however the implementation has never done this.
-+The documentation was changed to align with the implementation.
-+
- =head1 COPYRIGHT
-
- Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
---
-2.34.1
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
deleted file mode 100644
index ef344dda7f..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From 9e209944b35cf82368071f160a744b6178f9b098 Mon Sep 17 00:00:00 2001
-From: Richard Levitte <levitte@openssl.org>
-Date: Fri, 12 May 2023 10:00:13 +0200
-Subject: [PATCH] Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will
- translate
-
-OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
-numeric text form. For gigantic sub-identifiers, this would take a very
-long time, the time complexity being O(n^2) where n is the size of that
-sub-identifier.
-
-To mitigate this, a restriction on the size that OBJ_obj2txt() will
-translate to canonical numeric text form is added, based on RFC 2578
-(STD 58), which says this:
-
-> 3.5. OBJECT IDENTIFIER values
->
-> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
-> For the SMIv2, each number in the list is referred to as a sub-identifier,
-> there are at most 128 sub-identifiers in a value, and each sub-identifier
-> has a maximum value of 2^32-1 (4294967295 decimal).
-
-Fixes otc/security#96
-Fixes CVE-2023-2650
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098]
-CVE: CVE-2023-2650
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- CHANGES | 28 +++++++++++++++++++++++++++-
- NEWS | 2 ++
- crypto/objects/obj_dat.c | 19 +++++++++++++++++++
- 3 files changed, 48 insertions(+), 1 deletion(-)
-
-diff --git a/CHANGES b/CHANGES
-index 1eaaf4e..f2cf38f 100644
---- a/CHANGES
-+++ b/CHANGES
-@@ -7,7 +7,33 @@
- https://github.com/openssl/openssl/commits/ and pick the appropriate
- release branch.
-
-- Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
-+ Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
-+
-+ *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
-+ OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
-+
-+ OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
-+ numeric text form. For gigantic sub-identifiers, this would take a very
-+ long time, the time complexity being O(n^2) where n is the size of that
-+ sub-identifier. (CVE-2023-2650)
-+
-+ To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
-+ IDENTIFIER to canonical numeric text form if the size of that OBJECT
-+ IDENTIFIER is 586 bytes or less, and fail otherwise.
-+
-+ The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
-+ IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
-+ most 128 sub-identifiers, and that the maximum value that each sub-
-+ identifier may have is 2^32-1 (4294967295 decimal).
-+
-+ For each byte of every sub-identifier, only the 7 lower bits are part of
-+ the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
-+ these restrictions may occupy is 32 * 128 / 7, which is approximately 586
-+ bytes.
-+
-+ Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
-+
-+Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
-
- *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
- that it does not enable policy checking. Thanks to
-diff --git a/NEWS b/NEWS
-index a86220a..41922c4 100644
---- a/NEWS
-+++ b/NEWS
-@@ -7,6 +7,8 @@
-
- Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
-
-+ o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
-+ OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
- o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
- o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
- o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
-diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
-index 7e8de72..d699915 100644
---- a/crypto/objects/obj_dat.c
-+++ b/crypto/objects/obj_dat.c
-@@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- first = 1;
- bl = NULL;
-
-+ /*
-+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
-+ *
-+ * > 3.5. OBJECT IDENTIFIER values
-+ * >
-+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative
-+ * > numbers. For the SMIv2, each number in the list is referred to as a
-+ * > sub-identifier, there are at most 128 sub-identifiers in a value,
-+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
-+ * > decimal).
-+ *
-+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
-+ * i.e. 586 bytes long.
-+ *
-+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
-+ */
-+ if (len > 586)
-+ goto err;
-+
- while (len > 0) {
- l = 0;
- use_bn = 0;
---
-2.25.1
-
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1v.bb
similarity index 96%
rename from meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1v.bb
index eea8ef64af..d1222dc470 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1t.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1v.bb
@@ -19,17 +19,14 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://reproducible.patch \
file://reproducibility.patch \
file://0001-Configure-add-2-missing-key-sorts.patch \
- file://CVE-2023-0464.patch \
- file://CVE-2023-0465.patch \
- file://CVE-2023-0466.patch \
- file://CVE-2023-2650.patch \
+ file://0001-Configure-do-not-tweak-mips-cflags.patch \
"
SRC_URI_append_class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] = "8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b"
+SRC_URI[sha256sum] = "d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0"
inherit lib_package multilib_header multilib_script ptest
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
--
2.34.1
* [OE-core][dunfell 20/22] linux-firmware: Fix mediatek mt7601u firmware path
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Marek Vasut <marex@denx.de>
The following linux-firmware commit moved the mt7601u firmware blob
into a mediatek/ subdirectory, update the path accordingly.
8451c2b1 ("mt76xx: Move the old Mediatek WiFi firmware to mediatek")
(From OE-Core rev: 6fa5c4967a7e70192e9233c92534f27ec3e394c8)
Fixes: 64603f602d ("linux-firmware: upgrade 20230404 -> 20230515")
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
index a367a9fd01..206de1bcd1 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
@@ -411,7 +411,7 @@ LICENSE_${PN}-mt7601u-license = "Firmware-ralink_a_mediatek_company_firmware"
FILES_${PN}-mt7601u-license = "${nonarch_base_libdir}/firmware/LICENCE.ralink_a_mediatek_company_firmware"
FILES_${PN}-mt7601u = " \
- ${nonarch_base_libdir}/firmware/mt7601u.bin \
+ ${nonarch_base_libdir}/firmware/mediatek/mt7601u.bin \
"
RDEPENDS_${PN}-mt7601u += "${PN}-mt7601u-license"
--
2.34.1
* [OE-core][dunfell 21/22] systemd-systemctl: fix errors in instance name expansion
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Yuta Hayama <hayama@lineo.co.jp>
If the instance name indicated by %i begins with a number, the meaning of the
replacement string "\\1{}".format(instance) is ambiguous.
To indicate group number 1 regardless of the instance name, use "\g<1>".
(From OE-Core rev: d18b939fb08b37380ce95934da38e6522392621c)
Signed-off-by: Yuta Hayama <hayama@lineo.co.jp>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/systemd/systemd-systemctl/systemctl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/systemd/systemd-systemctl/systemctl b/meta/recipes-core/systemd/systemd-systemctl/systemctl
index b890bdd6f0..e003c860e3 100755
--- a/meta/recipes-core/systemd/systemd-systemctl/systemctl
+++ b/meta/recipes-core/systemd/systemd-systemctl/systemctl
@@ -189,7 +189,7 @@ class SystemdUnit():
try:
for dependent in config.get('Install', prop):
# expand any %i to instance (ignoring escape sequence %%)
- dependent = re.sub("([^%](%%)*)%i", "\\1{}".format(instance), dependent)
+ dependent = re.sub("([^%](%%)*)%i", "\\g<1>{}".format(instance), dependent)
wants = systemdir / "{}.{}".format(dependent, dirstem) / service
add_link(wants, target)
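Review bot: The replacement argument on the changed `re.sub` line is still a template string built from `instance`, so any backslash in the instance name is parsed as an escape or group reference instead of being copied literally. systemd-escaped instance names can carry sequences such as `\x2d`, which Python's `re` would most likely reject as a bad escape in a replacement template, and the surrounding `try:` may then hide the failure, depending on what its handler (not visible here) catches. Passing a callable skips template parsing altogether: `dependent = re.sub("([^%](%%)*)%i", lambda m: m.group(1) + instance, dependent)`. The enclosing method starts and ends outside this hunk, so the origin of `instance` is not visible here.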
--
2.34.1
* [OE-core][dunfell 22/22] kernel: skip installing fitImage when using Initramfs bundles
From: Steve Sakoman @ 2023-08-13 21:18 UTC (permalink / raw)
To: openembedded-core
From: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
When including an initramfs bundle inside a FIT image, the fitImage is created
after the install task by do_assemble_fitimage_initramfs.
This happens after the generation of the initramfs bundle
(done by do_bundle_initramfs).
So, at the level of the install task we should not try to install the fitImage.
The fitImage has not been generated yet at that point.
After the generation of the fitImage, the deploy task copies the fitImage from
the build directory to the deploy folder.
Change-Id: I3eaa6bba1412f388f710fa0f389f66631c1c4826
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1b67fd9ac74935fa41e960478c54e45422339138)
Signed-off-by: Frederic Martinsons <frederic.martinsons@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/kernel.bbclass | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass
index c6310d8de7..5d8b3b062a 100644
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -417,12 +417,26 @@ kernel_do_install() {
#
install -d ${D}/${KERNEL_IMAGEDEST}
install -d ${D}/boot
+
+ #
+ # When including an initramfs bundle inside a FIT image, the fitImage is created after the install task
+ # by do_assemble_fitimage_initramfs.
+ # This happens after the generation of the initramfs bundle (done by do_bundle_initramfs).
+ # So, at the level of the install task we should not try to install the fitImage. fitImage is still not
+ # generated yet.
+ # After the generation of the fitImage, the deploy task copies the fitImage from the build directory to
+ # the deploy folder.
+ #
+
for imageType in ${KERNEL_IMAGETYPES} ; do
- install -m 0644 ${KERNEL_OUTPUT_DIR}/${imageType} ${D}/${KERNEL_IMAGEDEST}/${imageType}-${KERNEL_VERSION}
- if [ "${KERNEL_PACKAGE_NAME}" = "kernel" ]; then
- ln -sf ${imageType}-${KERNEL_VERSION} ${D}/${KERNEL_IMAGEDEST}/${imageType}
+ if [ $imageType != "fitImage" ] || [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ] ; then
+ install -m 0644 ${KERNEL_OUTPUT_DIR}/${imageType} ${D}/${KERNEL_IMAGEDEST}/${imageType}-${KERNEL_VERSION}
+ if [ "${KERNEL_PACKAGE_NAME}" = "kernel" ]; then
+ ln -sf ${imageType}-${KERNEL_VERSION} ${D}/${KERNEL_IMAGEDEST}/${imageType}
+ fi
fi
done
+
install -m 0644 System.map ${D}/boot/System.map-${KERNEL_VERSION}
install -m 0644 .config ${D}/boot/config-${KERNEL_VERSION}
install -m 0644 vmlinux ${D}/boot/vmlinux-${KERNEL_VERSION}
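Review bot: In the new condition inside the `for imageType` loop, `$imageType` is expanded unquoted in `[ $imageType != "fitImage" ]`, so an empty value or one containing whitespace would turn the test into a syntax error rather than a comparison. Quote it to match the second test: `if [ "$imageType" != "fitImage" ] || [ "${INITRAMFS_IMAGE_BUNDLE}" != "1" ] ; then`. The explanatory comment block is also separated from the check by a blank line; a one-line summary directly above the `if`, such as `# fitImage with a bundled initramfs is assembled after do_install; skip it here`, would keep the reason next to the condition. kernel_do_install begins before this hunk and continues after it.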
--
2.34.1