[OE-core][dunfell 00/14] Patch review
From: Steve Sakoman @ 2023-09-12 13:53 UTC
To: openembedded-core

Please review this set of changes for dunfell and have comments back by
end of day Thursday, September 14.

Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5868

The following changes since commit c953ccba6c2a334cc58a97eee073bdb51a68f1d3:

  linux/cve-exclusion: remove obsolete manual entries (2023-08-31 04:26:32 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Anuj Mittal (4):
  glibc/check-test-wrapper: don't emit warnings from ssh
  selftest/cases/glibc.py: increase the memory for testing
  oeqa/utils/nfs: allow requesting non-udp ports
  selftest/cases/glibc.py: switch to using NFS over TCP

Ashish Sharma (1):
  qemu: Backport fix CVE-2023-3180

Michael Halstead (2):
  yocto-uninative: Update to 4.3
  resulttool/resultutils: allow index generation despite corrupt json

Priyal Doshi (1):
  rootfs-post: remove trailing blanks from tasks

Richard Purdie (2):
  oeqa/target/ssh: Ensure EAGAIN doesn't truncate output
  oeqa/runtime/ltp: Increase ltp test output timeout

Shubham Kulkarni (1):
  openssh: Security fix for CVE-2023-38408

Staffan Rydén (1):
  kernel: Fix path comparison in kernel staging dir symlinking

Vijay Anusuri (2):
  bind: Backport fix for CVE-2023-2828
  qemu: Backport fix for CVE-2023-0330

 meta/classes/kernel.bbclass                   |   7 +-
 meta/classes/rootfs-postcommands.bbclass      |   6 +-
 meta/classes/rootfsdebugfiles.bbclass         |   2 +-
 meta/conf/distro/include/yocto-uninative.inc  |   8 +-
 meta/lib/oeqa/core/target/ssh.py              |   3 +
 meta/lib/oeqa/runtime/cases/ltp.py            |   2 +-
 meta/lib/oeqa/selftest/cases/glibc.py         |   6 +-
 meta/lib/oeqa/utils/nfs.py                    |   4 +-
 .../bind/bind/CVE-2023-2828.patch             | 166 +++++
 .../recipes-connectivity/bind/bind_9.11.37.bb |   1 +
 .../openssh/openssh/CVE-2023-38408-01.patch   | 189 ++++++
 .../openssh/openssh/CVE-2023-38408-02.patch   | 581 ++++++++++++++++++
 .../openssh/openssh/CVE-2023-38408-03.patch   | 171 ++++++
 .../openssh/openssh/CVE-2023-38408-04.patch   |  34 +
 .../openssh/openssh/CVE-2023-38408-05.patch   | 194 ++++++
 .../openssh/openssh/CVE-2023-38408-06.patch   |  73 +++
 .../openssh/openssh/CVE-2023-38408-07.patch   | 125 ++++
 .../openssh/openssh/CVE-2023-38408-08.patch   | 315 ++++++++++
 .../openssh/openssh/CVE-2023-38408-09.patch   |  38 ++
 .../openssh/openssh/CVE-2023-38408-10.patch   |  39 ++
 .../openssh/openssh/CVE-2023-38408-11.patch   | 307 +++++++++
 .../openssh/openssh/CVE-2023-38408-12.patch   | 120 ++++
 .../openssh/openssh_8.2p1.bb                  |  12 +
 .../glibc/glibc/check-test-wrapper            |   2 +-
 meta/recipes-devtools/qemu/qemu.inc           |   4 +-
 ...-2023-0330.patch => CVE-2023-0330_1.patch} |   0
 .../qemu/qemu/CVE-2023-0330_2.patch           | 135 ++++
 .../qemu/qemu/CVE-2023-3180.patch             |  49 ++
 scripts/lib/resulttool/resultutils.py         |   6 +-
 29 files changed, 2579 insertions(+), 20 deletions(-)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
 rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => CVE-2023-0330_1.patch} (100%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch

-- 
2.34.1
[OE-core][dunfell 01/14] bind: Backport fix for CVE-2023-2828
From: Steve Sakoman @ 2023-09-12 13:53 UTC
To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream Patch: https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch
LINK: https://security-tracker.debian.org/tracker/CVE-2023-2828

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../bind/bind/CVE-2023-2828.patch             | 166 ++++++++++++++++++
 .../recipes-connectivity/bind/bind_9.11.37.bb |   1 +
 2 files changed, 167 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
new file mode 100644
index 0000000000..6f6c104530
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2023-2828.patch
@@ -0,0 +1,166 @@ + +Upstream-Status: Backport [import from debian security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.11.5.P4+dfsg-5.1+deb10u9.debian.tar.xz +Upstream patch https://downloads.isc.org/isc/bind9/9.16.42/patches/0001-CVE-2023-2828.patch] +Upstream Commit: https://github.com/isc-projects/bind9/commit/da0eafcdee52147e72d407cc3b9f179378ee1d3a +CVE: CVE-2023-2828 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> + +--- + lib/dns/rbtdb.c | 106 +++++++++++++++++++++++++++++++++----------------------- + 1 file changed, 63 insertions(+), 43 deletions(-) + +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index b1b928c..3165e26 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -792,7 +792,7 @@ static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + bool tree_locked, expire_t reason); + static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, +- isc_stdtime_t now, bool tree_locked); ++ size_t purgesize, bool tree_locked); + static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx, + rdatasetheader_t *newheader); + static void resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version, +@@ -6784,6 +6784,16 @@ addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader, + + static dns_dbmethods_t zone_methods; + ++static size_t ++rdataset_size(rdatasetheader_t *header) { ++ if (!NONEXISTENT(header)) { ++ return (dns_rdataslab_size((unsigned char *)header, ++ sizeof(*header))); ++ } ++ ++ return (sizeof(*header)); ++} ++ + static isc_result_t + addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options, +@@ -6932,7 +6942,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + } + + if (cache_is_overmem) +- overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked); ++ overmem_purge(rbtdb, rbtnode->locknum, 
rdataset_size(newheader), ++ tree_locked); + + NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock, + isc_rwlocktype_write); +@@ -6947,9 +6958,14 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, + cleanup_dead_nodes(rbtdb, rbtnode->locknum); + + header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1); +- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) +- expire_header(rbtdb, header, tree_locked, +- expire_ttl); ++ if (header != NULL) { ++ dns_ttl_t rdh_ttl = header->rdh_ttl; ++ ++ if (rdh_ttl < now - RBTDB_VIRTUAL) { ++ expire_header(rbtdb, header, tree_locked, ++ expire_ttl); ++ } ++ } + + /* + * If we've been holding a write lock on the tree just for +@@ -10388,54 +10404,58 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, + ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum], header, link); + } + ++static size_t ++expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize, ++ bool tree_locked) { ++ rdatasetheader_t *header, *header_prev; ++ size_t purged = 0; ++ ++ for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); ++ header != NULL && purged <= purgesize; header = header_prev) ++ { ++ header_prev = ISC_LIST_PREV(header, link); ++ /* ++ * Unlink the entry at this point to avoid checking it ++ * again even if it's currently used someone else and ++ * cannot be purged at this moment. This entry won't be ++ * referenced any more (so unlinking is safe) since the ++ * TTL was reset to 0. ++ */ ++ ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link); ++ size_t header_size = rdataset_size(header); ++ expire_header(rbtdb, header, tree_locked, expire_lru); ++ purged += header_size; ++ } ++ ++ return (purged); ++} ++ + /*% +- * Purge some expired and/or stale (i.e. unused for some period) cache entries +- * under an overmem condition. To recover from this condition quickly, up to +- * 2 entries will be purged. 
This process is triggered while adding a new +- * entry, and we specifically avoid purging entries in the same LRU bucket as +- * the one to which the new entry will belong. Otherwise, we might purge +- * entries of the same name of different RR types while adding RRsets from a +- * single response (consider the case where we're adding A and AAAA glue records +- * of the same NS name). +- */ ++ * Purge some stale (i.e. unused for some period - LRU based cleaning) cache ++ * entries under the overmem condition. To recover from this condition quickly, ++ * we cleanup entries up to the size of newly added rdata (passed as purgesize). ++ * ++ * This process is triggered while adding a new entry, and we specifically avoid ++ * purging entries in the same LRU bucket as the one to which the new entry will ++ * belong. Otherwise, we might purge entries of the same name of different RR ++ * types while adding RRsets from a single response (consider the case where ++ * we're adding A and AAAA glue records of the same NS name). 
++*/ + static void +-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, +- isc_stdtime_t now, bool tree_locked) ++overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t purgesize, ++ bool tree_locked) + { +- rdatasetheader_t *header, *header_prev; + unsigned int locknum; +- int purgecount = 2; ++ size_t purged = 0; + + for (locknum = (locknum_start + 1) % rbtdb->node_lock_count; +- locknum != locknum_start && purgecount > 0; ++ locknum != locknum_start && purged <= purgesize; + locknum = (locknum + 1) % rbtdb->node_lock_count) { + NODE_LOCK(&rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); + +- header = isc_heap_element(rbtdb->heaps[locknum], 1); +- if (header && header->rdh_ttl < now - RBTDB_VIRTUAL) { +- expire_header(rbtdb, header, tree_locked, +- expire_ttl); +- purgecount--; +- } +- +- for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]); +- header != NULL && purgecount > 0; +- header = header_prev) { +- header_prev = ISC_LIST_PREV(header, link); +- /* +- * Unlink the entry at this point to avoid checking it +- * again even if it's currently used someone else and +- * cannot be purged at this moment. This entry won't be +- * referenced any more (so unlinking is safe) since the +- * TTL was reset to 0. +- */ +- ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, +- link); +- expire_header(rbtdb, header, tree_locked, +- expire_lru); +- purgecount--; +- } ++ purged += expire_lru_headers(rbtdb, locknum, purgesize - purged, ++ tree_locked); + + NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, + isc_rwlocktype_write); diff --git a/meta/recipes-connectivity/bind/bind_9.11.37.bb b/meta/recipes-connectivity/bind/bind_9.11.37.bb index 2fca28e684..80fbcbfa36 100644 --- a/meta/recipes-connectivity/bind/bind_9.11.37.bb +++ b/meta/recipes-connectivity/bind/bind_9.11.37.bb 
@@ -22,6 +22,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2022-2795.patch \ file://CVE-2022-38177.patch \ file://CVE-2022-38178.patch \ + file://CVE-2023-2828.patch \ " SRC_URI[sha256sum] = "0d8efbe7ec166ada90e46add4267b7e7c934790cba9bd5af6b8380a4fbfb5aff" -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
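Review bot: the loop guards introduced in expire_lru_headers and overmem_purge, `header != NULL && purged <= purgesize` and `locknum != locknum_start && purged <= purgesize`, keep purging while purged is still equal to purgesize and only add header_size after the test, so the cleanup frees at least purgesize bytes of headers and normally overshoots by one header, while the replacement comment in the same region says "we cleanup entries up to the size of newly added rdata (passed as purgesize)". Either tighten both guards to `<` or reword the comment to "at least the size", so the documented bound matches the code; the overshoot itself is harmless for an overmem purge, and the `purgesize - purged` argument passed from overmem_purge cannot underflow because the outer guard is evaluated first.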
[OE-core][dunfell 02/14] openssh: Security fix for CVE-2023-38408
From: Steve Sakoman @ 2023-09-12 13:53 UTC
To: openembedded-core

From: Shubham Kulkarni <skulkarni@mvista.com>

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an
insufficiently trustworthy search path, leading to remote code execution
if an agent is forwarded to an attacker-controlled system. (Code in
/usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this
issue exists because of an incomplete fix for CVE-2016-10009.

References: https://nvd.nist.gov/vuln/detail/CVE-2023-38408

Upstream patches:
https://github.com/openssh/openssh-portable/commit/dee22129,
https://github.com/openssh/openssh-portable/commit/099cdf59,
https://github.com/openssh/openssh-portable/commit/29ef8a04,
https://github.com/openssh/openssh-portable/commit/892506b1,
https://github.com/openssh/openssh-portable/commit/0c111eb8,
https://github.com/openssh/openssh-portable/commit/52a03e9f,
https://github.com/openssh/openssh-portable/commit/1fe16fd6,
https://github.com/openssh/openssh-portable/commit/e0e8bee8,
https://github.com/openssh/openssh-portable/commit/8afaa7d7,
https://github.com/openssh/openssh-portable/commit/1a4b9275,
https://github.com/openssh/openssh-portable/commit/4c1e3ce8,
https://github.com/openssh/openssh-portable/commit/1f2731f5.

Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssh/openssh/CVE-2023-38408-01.patch | 189 ++++++
 .../openssh/openssh/CVE-2023-38408-02.patch | 581 ++++++++++++++++++
 .../openssh/openssh/CVE-2023-38408-03.patch | 171 ++++++
 .../openssh/openssh/CVE-2023-38408-04.patch |  34 +
 .../openssh/openssh/CVE-2023-38408-05.patch | 194 ++++++
 .../openssh/openssh/CVE-2023-38408-06.patch |  73 +++
 .../openssh/openssh/CVE-2023-38408-07.patch | 125 ++++
 .../openssh/openssh/CVE-2023-38408-08.patch | 315 ++++++++++
 .../openssh/openssh/CVE-2023-38408-09.patch |  38 ++
 .../openssh/openssh/CVE-2023-38408-10.patch |  39 ++
 .../openssh/openssh/CVE-2023-38408-11.patch | 307 +++++++++
 .../openssh/openssh/CVE-2023-38408-12.patch | 120 ++++
 .../openssh/openssh_8.2p1.bb                |  12 +
 13 files changed, 2198 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
new file mode 100644
index 0000000000..c899056337
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-01.patch
@@ -0,0 +1,189 @@ +From f6213e03887237714eb5bcfc9089c707069f87c5 Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Fri, 1 Oct 2021 16:35:49 +1000 +Subject: [PATCH 01/12] make OPENSSL_HAS_ECC checks more thorough + +ok dtucker + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/dee22129bbc61e25b1003adfa2bc584c5406ef2d] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + ssh-pkcs11-client.c | 16 ++++++++-------- + ssh-pkcs11.c | 26 +++++++++++++------------- + 2 files changed, 21 insertions(+), 21 deletions(-) + +diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c +index 8a0ffef..41114c7 100644 +--- a/ssh-pkcs11-client.c ++++ b/ssh-pkcs11-client.c +@@ -163,7 +163,7 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) + return (ret); + } + +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + static ECDSA_SIG * + ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + const BIGNUM *rp, EC_KEY *ec) +@@ -220,12 +220,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + sshbuf_free(msg); + return (ret); + } +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + static RSA_METHOD *helper_rsa; +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + static EC_KEY_METHOD *helper_ecdsa; +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + /* redirect private key crypto operations to the ssh-pkcs11-helper */ + static void +@@ -233,10 +233,10 @@ wrap_key(struct sshkey *k) + { + if (k->type == KEY_RSA) + RSA_set_method(k->rsa, helper_rsa); +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + else if (k->type == KEY_ECDSA) + EC_KEY_set_method(k->ecdsa, helper_ecdsa); +-#endif /* 
HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + else + fatal("%s: unknown key type", __func__); + } +@@ -247,7 +247,7 @@ pkcs11_start_helper_methods(void) + if (helper_rsa != NULL) + return (0); + +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + int (*orig_sign)(int, const unsigned char *, int, unsigned char *, + unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; + if (helper_ecdsa != NULL) +@@ -257,7 +257,7 @@ pkcs11_start_helper_methods(void) + return (-1); + EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); + EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) + fatal("%s: RSA_meth_dup failed", __func__); +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index a302c79..b56a41b 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -78,7 +78,7 @@ struct pkcs11_key { + + int pkcs11_interactive = 0; + +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + static void + ossl_error(const char *msg) + { +@@ -89,7 +89,7 @@ ossl_error(const char *msg) + error("%s: libcrypto error: %.100s", __func__, + ERR_error_string(e, NULL)); + } +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + int + pkcs11_init(int interactive) +@@ -190,10 +190,10 @@ pkcs11_del_provider(char *provider_id) + + static RSA_METHOD *rsa_method; + static int rsa_idx = 0; +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + static EC_KEY_METHOD *ec_key_method; + static int ec_key_idx = 0; +-#endif ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + /* release a wrapped object */ + static void +@@ -492,7 +492,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *provider, CK_ULONG 
slotidx, + return (0); + } + +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + /* openssl callback doing the actual signing operation */ + static ECDSA_SIG * + ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, +@@ -604,7 +604,7 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider *provider, CK_ULONG slotidx, + + return (0); + } +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + /* remove trailing spaces */ + static void +@@ -679,7 +679,7 @@ pkcs11_key_included(struct sshkey ***keysp, int *nkeys, struct sshkey *key) + return (0); + } + +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + static struct sshkey * + pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + CK_OBJECT_HANDLE *obj) +@@ -802,7 +802,7 @@ fail: + + return (key); + } +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + + static struct sshkey * + pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, +@@ -910,7 +910,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + #endif + struct sshkey *key = NULL; + int i; +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + int nid; + #endif + const u_char *cp; +@@ -999,7 +999,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + key->type = KEY_RSA; + key->flags |= SSHKEY_FLAG_EXT; + rsa = NULL; /* now owned by key */ +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + } else if (EVP_PKEY_base_id(evp) == EVP_PKEY_EC) { + if (EVP_PKEY_get0_EC_KEY(evp) == NULL) { + error("invalid x509; no ec key"); +@@ -1030,7 +1030,7 @@ pkcs11_fetch_x509_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + key->type = KEY_ECDSA; + key->flags |= SSHKEY_FLAG_EXT; + ec = NULL; /* now owned by key */ 
+-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + } else { + error("unknown certificate key type"); + goto out; +@@ -1237,11 +1237,11 @@ pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx, + case CKK_RSA: + key = pkcs11_fetch_rsa_pubkey(p, slotidx, &obj); + break; +-#ifdef HAVE_EC_KEY_METHOD_NEW ++#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) + case CKK_ECDSA: + key = pkcs11_fetch_ecdsa_pubkey(p, slotidx, &obj); + break; +-#endif /* HAVE_EC_KEY_METHOD_NEW */ ++#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + default: + /* XXX print key type? */ + key = NULL; +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch new file mode 100644 index 0000000000..25ba921869 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-02.patch 
@@ -0,0 +1,581 @@ +From 92cebfbcc221c9ef3f6bbb78da3d7699c0ae56be Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 19 Jul 2023 14:03:45 +0000 +Subject: [PATCH 02/12] upstream: Separate ssh-pkcs11-helpers for each p11 + module + +Make ssh-pkcs11-client start an independent helper for each provider, +providing better isolation between modules and reliability if a single +module misbehaves. + +This also implements reference counting of PKCS#11-hosted keys, +allowing ssh-pkcs11-helper subprocesses to be automatically reaped +when no remaining keys reference them. This fixes some bugs we have +that make PKCS11 keys unusable after they have been deleted, e.g. +https://bugzilla.mindrot.org/show_bug.cgi?id=3125 + +ok markus@ + +OpenBSD-Commit-ID: 0ce188b14fe271ab0568f4500070d96c5657244e + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/099cdf59ce1e72f55d421c8445bf6321b3004755] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + ssh-pkcs11-client.c | 372 +++++++++++++++++++++++++++++++++----------- + 1 file changed, 282 insertions(+), 90 deletions(-) + +diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c +index 41114c7..4f3c6ed 100644 +--- a/ssh-pkcs11-client.c ++++ b/ssh-pkcs11-client.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-pkcs11-client.c,v 1.16 2020/01/25 00:03:36 djm Exp $ */ ++/* $OpenBSD: ssh-pkcs11-client.c,v 1.18 2023/07/19 14:03:45 djm Exp $ */ + /* + * Copyright (c) 2010 Markus Friedl. All rights reserved. + * Copyright (c) 2014 Pedro Martelletto. All rights reserved. 
+@@ -30,12 +30,11 @@ + #include <string.h> + #include <unistd.h> + #include <errno.h> ++#include <limits.h> + + #include <openssl/ecdsa.h> + #include <openssl/rsa.h> + +-#include "openbsd-compat/openssl-compat.h" +- + #include "pathnames.h" + #include "xmalloc.h" + #include "sshbuf.h" +@@ -47,18 +46,140 @@ + #include "ssh-pkcs11.h" + #include "ssherr.h" + ++#include "openbsd-compat/openssl-compat.h" ++ + /* borrows code from sftp-server and ssh-agent */ + +-static int fd = -1; +-static pid_t pid = -1; ++/* ++ * Maintain a list of ssh-pkcs11-helper subprocesses. These may be looked up ++ * by provider path or their unique EC/RSA METHOD pointers. ++ */ ++struct helper { ++ char *path; ++ pid_t pid; ++ int fd; ++ RSA_METHOD *rsa_meth; ++ EC_KEY_METHOD *ec_meth; ++ int (*rsa_finish)(RSA *rsa); ++ void (*ec_finish)(EC_KEY *key); ++ size_t nrsa, nec; /* number of active keys of each type */ ++}; ++static struct helper **helpers; ++static size_t nhelpers; ++ ++static struct helper * ++helper_by_provider(const char *path) ++{ ++ size_t i; ++ ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] == NULL || helpers[i]->path == NULL || ++ helpers[i]->fd == -1) ++ continue; ++ if (strcmp(helpers[i]->path, path) == 0) ++ return helpers[i]; ++ } ++ return NULL; ++} ++ ++static struct helper * ++helper_by_rsa(const RSA *rsa) ++{ ++ size_t i; ++ const RSA_METHOD *meth; ++ ++ if ((meth = RSA_get_method(rsa)) == NULL) ++ return NULL; ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] != NULL && helpers[i]->rsa_meth == meth) ++ return helpers[i]; ++ } ++ return NULL; ++ ++} ++ ++static struct helper * ++helper_by_ec(const EC_KEY *ec) ++{ ++ size_t i; ++ const EC_KEY_METHOD *meth; ++ ++ if ((meth = EC_KEY_get_method(ec)) == NULL) ++ return NULL; ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] != NULL && helpers[i]->ec_meth == meth) ++ return helpers[i]; ++ } ++ return NULL; ++ ++} ++ ++static void ++helper_free(struct helper *helper) ++{ ++ size_t i; ++ int found = 0; ++ ++ 
if (helper == NULL) ++ return; ++ if (helper->path == NULL || helper->ec_meth == NULL || ++ helper->rsa_meth == NULL) ++ fatal("%s: inconsistent helper", __func__); ++ debug3("%s: free helper for provider %s", __func__ , helper->path); ++ for (i = 0; i < nhelpers; i++) { ++ if (helpers[i] == helper) { ++ if (found) ++ fatal("%s: helper recorded more than once", __func__); ++ found = 1; ++ } ++ else if (found) ++ helpers[i - 1] = helpers[i]; ++ } ++ if (found) { ++ helpers = xrecallocarray(helpers, nhelpers, ++ nhelpers - 1, sizeof(*helpers)); ++ nhelpers--; ++ } ++ free(helper->path); ++ EC_KEY_METHOD_free(helper->ec_meth); ++ RSA_meth_free(helper->rsa_meth); ++ free(helper); ++} ++ ++static void ++helper_terminate(struct helper *helper) ++{ ++ if (helper == NULL) { ++ return; ++ } else if (helper->fd == -1) { ++ debug3("%s: already terminated", __func__); ++ } else { ++ debug3("terminating helper for %s; " ++ "remaining %zu RSA %zu ECDSA", __func__, ++ helper->path, helper->nrsa, helper->nec); ++ close(helper->fd); ++ /* XXX waitpid() */ ++ helper->fd = -1; ++ helper->pid = -1; ++ } ++ /* ++ * Don't delete the helper entry until there are no remaining keys ++ * that reference it. Otherwise, any signing operation would call ++ * a free'd METHOD pointer and that would be bad. 
++ */ ++ if (helper->nrsa == 0 && helper->nec == 0) ++ helper_free(helper); ++} + + static void +-send_msg(struct sshbuf *m) ++send_msg(int fd, struct sshbuf *m) + { + u_char buf[4]; + size_t mlen = sshbuf_len(m); + int r; + ++ if (fd == -1) ++ return; + POKE_U32(buf, mlen); + if (atomicio(vwrite, fd, buf, 4) != 4 || + atomicio(vwrite, fd, sshbuf_mutable_ptr(m), +@@ -69,12 +190,15 @@ send_msg(struct sshbuf *m) + } + + static int +-recv_msg(struct sshbuf *m) ++recv_msg(int fd, struct sshbuf *m) + { + u_int l, len; + u_char c, buf[1024]; + int r; + ++ sshbuf_reset(m); ++ if (fd == -1) ++ return 0; /* XXX */ + if ((len = atomicio(read, fd, buf, 4)) != 4) { + error("read from helper failed: %u", len); + return (0); /* XXX */ +@@ -83,7 +207,6 @@ recv_msg(struct sshbuf *m) + if (len > 256 * 1024) + fatal("response too long: %u", len); + /* read len bytes into m */ +- sshbuf_reset(m); + while (len > 0) { + l = len; + if (l > sizeof(buf)) +@@ -104,14 +227,17 @@ recv_msg(struct sshbuf *m) + int + pkcs11_init(int interactive) + { +- return (0); ++ return 0; + } + + void + pkcs11_terminate(void) + { +- if (fd >= 0) +- close(fd); ++ size_t i; ++ ++ debug3("%s: terminating %zu helpers", __func__, nhelpers); ++ for (i = 0; i < nhelpers; i++) ++ helper_terminate(helpers[i]); + } + + static int +@@ -122,7 +248,11 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) + u_char *blob = NULL, *signature = NULL; + size_t blen, slen = 0; + int r, ret = -1; ++ struct helper *helper; + ++ if ((helper = helper_by_rsa(rsa)) == NULL || helper->fd == -1) ++ fatal("%s: no helper for PKCS11 key", __func__); ++ debug3("%s: signing with PKCS11 provider %s", __func__, helper->path); + if (padding != RSA_PKCS1_PADDING) + goto fail; + key = sshkey_new(KEY_UNSPEC); +@@ -144,10 +274,10 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) + (r = sshbuf_put_string(msg, from, flen)) != 0 || + (r = sshbuf_put_u32(msg, 0)) != 0) + fatal("%s: buffer 
error: %s", __func__, ssh_err(r)); +- send_msg(msg); ++ send_msg(helper->fd, msg); + sshbuf_reset(msg); + +- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) { ++ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { + if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + if (slen <= (size_t)RSA_size(rsa)) { +@@ -163,7 +293,26 @@ rsa_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, int padding) + return (ret); + } + +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) ++static int ++rsa_finish(RSA *rsa) ++{ ++ struct helper *helper; ++ ++ if ((helper = helper_by_rsa(rsa)) == NULL) ++ fatal("%s: no helper for PKCS11 key", __func__); ++ debug3("%s: free PKCS11 RSA key for provider %s", __func__, helper->path); ++ if (helper->rsa_finish != NULL) ++ helper->rsa_finish(rsa); ++ if (helper->nrsa == 0) ++ fatal("%s: RSA refcount error", __func__); ++ helper->nrsa--; ++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__, ++ helper->path, helper->nrsa, helper->nec); ++ if (helper->nrsa == 0 && helper->nec == 0) ++ helper_terminate(helper); ++ return 1; ++} ++ + static ECDSA_SIG * + ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + const BIGNUM *rp, EC_KEY *ec) +@@ -175,7 +324,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + u_char *blob = NULL, *signature = NULL; + size_t blen, slen = 0; + int r, nid; ++ struct helper *helper; + ++ if ((helper = helper_by_ec(ec)) == NULL || helper->fd == -1) ++ fatal("%s: no helper for PKCS11 key", __func__); ++ debug3("%s: signing with PKCS11 provider %s", __func__, helper->path); + nid = sshkey_ecdsa_key_to_nid(ec); + if (nid < 0) { + error("%s: couldn't get curve nid", __func__); +@@ -203,10 +356,10 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + (r = sshbuf_put_string(msg, dgst, dgst_len)) != 0 || + (r = sshbuf_put_u32(msg, 0)) != 0) + 
fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- send_msg(msg); ++ send_msg(helper->fd, msg); + sshbuf_reset(msg); + +- if (recv_msg(msg) == SSH2_AGENT_SIGN_RESPONSE) { ++ if (recv_msg(helper->fd, msg) == SSH2_AGENT_SIGN_RESPONSE) { + if ((r = sshbuf_get_string(msg, &signature, &slen)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + cp = signature; +@@ -220,75 +373,110 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv, + sshbuf_free(msg); + return (ret); + } +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ + +-static RSA_METHOD *helper_rsa; +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) +-static EC_KEY_METHOD *helper_ecdsa; +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ ++static void ++ecdsa_do_finish(EC_KEY *ec) ++{ ++ struct helper *helper; ++ ++ if ((helper = helper_by_ec(ec)) == NULL) ++ fatal("%s: no helper for PKCS11 key", __func__); ++ debug3("%s: free PKCS11 ECDSA key for provider %s", __func__, helper->path); ++ if (helper->ec_finish != NULL) ++ helper->ec_finish(ec); ++ if (helper->nec == 0) ++ fatal("%s: ECDSA refcount error", __func__); ++ helper->nec--; ++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__, ++ helper->path, helper->nrsa, helper->nec); ++ if (helper->nrsa == 0 && helper->nec == 0) ++ helper_terminate(helper); ++} + + /* redirect private key crypto operations to the ssh-pkcs11-helper */ + static void +-wrap_key(struct sshkey *k) ++wrap_key(struct helper *helper, struct sshkey *k) + { +- if (k->type == KEY_RSA) +- RSA_set_method(k->rsa, helper_rsa); +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) +- else if (k->type == KEY_ECDSA) +- EC_KEY_set_method(k->ecdsa, helper_ecdsa); +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ +- else ++ debug3("%s: wrap %s for provider %s", __func__, sshkey_type(k), helper->path); ++ if (k->type == KEY_RSA) { ++ RSA_set_method(k->rsa, helper->rsa_meth); ++ if (helper->nrsa++ >= 
INT_MAX) ++ fatal("%s: RSA refcount error", __func__); ++ } else if (k->type == KEY_ECDSA) { ++ EC_KEY_set_method(k->ecdsa, helper->ec_meth); ++ if (helper->nec++ >= INT_MAX) ++ fatal("%s: EC refcount error", __func__); ++ } else + fatal("%s: unknown key type", __func__); ++ k->flags |= SSHKEY_FLAG_EXT; ++ debug3("%s: provider %s remaining keys: %zu RSA %zu ECDSA", __func__, ++ helper->path, helper->nrsa, helper->nec); + } + + static int +-pkcs11_start_helper_methods(void) ++pkcs11_start_helper_methods(struct helper *helper) + { +- if (helper_rsa != NULL) +- return (0); +- +-#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) +- int (*orig_sign)(int, const unsigned char *, int, unsigned char *, ++ int (*ec_init)(EC_KEY *key); ++ int (*ec_copy)(EC_KEY *dest, const EC_KEY *src); ++ int (*ec_set_group)(EC_KEY *key, const EC_GROUP *grp); ++ int (*ec_set_private)(EC_KEY *key, const BIGNUM *priv_key); ++ int (*ec_set_public)(EC_KEY *key, const EC_POINT *pub_key); ++ int (*ec_sign)(int, const unsigned char *, int, unsigned char *, + unsigned int *, const BIGNUM *, const BIGNUM *, EC_KEY *) = NULL; +- if (helper_ecdsa != NULL) +- return (0); +- helper_ecdsa = EC_KEY_METHOD_new(EC_KEY_OpenSSL()); +- if (helper_ecdsa == NULL) +- return (-1); +- EC_KEY_METHOD_get_sign(helper_ecdsa, &orig_sign, NULL, NULL); +- EC_KEY_METHOD_set_sign(helper_ecdsa, orig_sign, NULL, ecdsa_do_sign); +-#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ +- +- if ((helper_rsa = RSA_meth_dup(RSA_get_default_method())) == NULL) ++ RSA_METHOD *rsa_meth; ++ EC_KEY_METHOD *ec_meth; ++ ++ if ((ec_meth = EC_KEY_METHOD_new(EC_KEY_OpenSSL())) == NULL) ++ return -1; ++ EC_KEY_METHOD_get_sign(ec_meth, &ec_sign, NULL, NULL); ++ EC_KEY_METHOD_set_sign(ec_meth, ec_sign, NULL, ecdsa_do_sign); ++ EC_KEY_METHOD_get_init(ec_meth, &ec_init, &helper->ec_finish, ++ &ec_copy, &ec_set_group, &ec_set_private, &ec_set_public); ++ EC_KEY_METHOD_set_init(ec_meth, ec_init, ecdsa_do_finish, ++ ec_copy, 
ec_set_group, ec_set_private, ec_set_public); ++ ++ if ((rsa_meth = RSA_meth_dup(RSA_get_default_method())) == NULL) + fatal("%s: RSA_meth_dup failed", __func__); +- if (!RSA_meth_set1_name(helper_rsa, "ssh-pkcs11-helper") || +- !RSA_meth_set_priv_enc(helper_rsa, rsa_encrypt)) ++ helper->rsa_finish = RSA_meth_get_finish(rsa_meth); ++ if (!RSA_meth_set1_name(rsa_meth, "ssh-pkcs11-helper") || ++ !RSA_meth_set_priv_enc(rsa_meth, rsa_encrypt) || ++ !RSA_meth_set_finish(rsa_meth, rsa_finish)) + fatal("%s: failed to prepare method", __func__); + +- return (0); ++ helper->ec_meth = ec_meth; ++ helper->rsa_meth = rsa_meth; ++ return 0; + } + +-static int +-pkcs11_start_helper(void) ++static struct helper * ++pkcs11_start_helper(const char *path) + { + int pair[2]; +- char *helper, *verbosity = NULL; +- +- if (log_level_get() >= SYSLOG_LEVEL_DEBUG1) +- verbosity = "-vvv"; +- +- if (pkcs11_start_helper_methods() == -1) { +- error("pkcs11_start_helper_methods failed"); +- return (-1); +- } ++ char *prog, *verbosity = NULL; ++ struct helper *helper; ++ pid_t pid; + ++ if (nhelpers >= INT_MAX) ++ fatal("%s: too many helpers", __func__); ++ debug3("%s: start helper for %s", __func__, path); + if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) { + error("socketpair: %s", strerror(errno)); +- return (-1); ++ return NULL; ++ } ++ helper = xcalloc(1, sizeof(*helper)); ++ if (pkcs11_start_helper_methods(helper) == -1) { ++ error("pkcs11_start_helper_methods failed"); ++ goto fail; + } + if ((pid = fork()) == -1) { + error("fork: %s", strerror(errno)); +- return (-1); ++ fail: ++ close(pair[0]); ++ close(pair[1]); ++ RSA_meth_free(helper->rsa_meth); ++ EC_KEY_METHOD_free(helper->ec_meth); ++ free(helper); ++ return NULL; + } else if (pid == 0) { + if ((dup2(pair[1], STDIN_FILENO) == -1) || + (dup2(pair[1], STDOUT_FILENO) == -1)) { +@@ -297,18 +485,27 @@ pkcs11_start_helper(void) + } + close(pair[0]); + close(pair[1]); +- helper = getenv("SSH_PKCS11_HELPER"); +- if (helper == NULL || 
strlen(helper) == 0) +- helper = _PATH_SSH_PKCS11_HELPER; ++ prog = getenv("SSH_PKCS11_HELPER"); ++ if (prog == NULL || strlen(prog) == 0) ++ prog = _PATH_SSH_PKCS11_HELPER; ++ if (log_level_get() >= SYSLOG_LEVEL_DEBUG1) ++ verbosity = "-vvv"; + debug("%s: starting %s %s", __func__, helper, + verbosity == NULL ? "" : verbosity); +- execlp(helper, helper, verbosity, (char *)NULL); +- fprintf(stderr, "exec: %s: %s\n", helper, strerror(errno)); ++ execlp(prog, prog, verbosity, (char *)NULL); ++ fprintf(stderr, "exec: %s: %s\n", prog, strerror(errno)); + _exit(1); + } + close(pair[1]); +- fd = pair[0]; +- return (0); ++ helper->fd = pair[0]; ++ helper->path = xstrdup(path); ++ helper->pid = pid; ++ debug3("%s: helper %zu for \"%s\" on fd %d pid %ld", __func__, nhelpers, ++ helper->path, helper->fd, (long)helper->pid); ++ helpers = xrecallocarray(helpers, nhelpers, ++ nhelpers + 1, sizeof(*helpers)); ++ helpers[nhelpers++] = helper; ++ return helper; + } + + int +@@ -322,9 +519,11 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, + size_t blen; + u_int nkeys, i; + struct sshbuf *msg; ++ struct helper *helper; + +- if (fd < 0 && pkcs11_start_helper() < 0) +- return (-1); ++ if ((helper = helper_by_provider(name)) == NULL && ++ (helper = pkcs11_start_helper(name)) == NULL) ++ return -1; + + if ((msg = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); +@@ -332,10 +531,10 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, + (r = sshbuf_put_cstring(msg, name)) != 0 || + (r = sshbuf_put_cstring(msg, pin)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- send_msg(msg); ++ send_msg(helper->fd, msg); + sshbuf_reset(msg); + +- type = recv_msg(msg); ++ type = recv_msg(helper->fd, msg); + if (type == SSH2_AGENT_IDENTITIES_ANSWER) { + if ((r = sshbuf_get_u32(msg, &nkeys)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +@@ -350,7 +549,7 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey 
***keysp, + __func__, ssh_err(r)); + if ((r = sshkey_from_blob(blob, blen, &k)) != 0) + fatal("%s: bad key: %s", __func__, ssh_err(r)); +- wrap_key(k); ++ wrap_key(helper, k); + (*keysp)[i] = k; + if (labelsp) + (*labelsp)[i] = label; +@@ -371,22 +570,15 @@ pkcs11_add_provider(char *name, char *pin, struct sshkey ***keysp, + int + pkcs11_del_provider(char *name) + { +- int r, ret = -1; +- struct sshbuf *msg; +- +- if ((msg = sshbuf_new()) == NULL) +- fatal("%s: sshbuf_new failed", __func__); +- if ((r = sshbuf_put_u8(msg, SSH_AGENTC_REMOVE_SMARTCARD_KEY)) != 0 || +- (r = sshbuf_put_cstring(msg, name)) != 0 || +- (r = sshbuf_put_cstring(msg, "")) != 0) +- fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- send_msg(msg); +- sshbuf_reset(msg); +- +- if (recv_msg(msg) == SSH_AGENT_SUCCESS) +- ret = 0; +- sshbuf_free(msg); +- return (ret); ++ struct helper *helper; ++ ++ /* ++ * ssh-agent deletes keys before calling this, so the helper entry ++ * should be gone before we get here. ++ */ ++ debug3("%s: delete %s", __func__, name); ++ if ((helper = helper_by_provider(name)) != NULL) ++ helper_terminate(helper); ++ return 0; + } +- + #endif /* ENABLE_PKCS11 */ +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch new file mode 100644 index 0000000000..e16e5e245e --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-03.patch 
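Review bot: in the pkcs11_start_helper() hunk at @@ -297,18 +485,27 @@, the unchanged context line `debug("%s: starting %s %s", __func__, helper,` in the child branch still passes `helper` to a `%s` conversion, but after this patch `helper` is a `struct helper *` (the program path was renamed to `prog` two lines above). That is undefined behaviour whenever the agent runs at debug level or higher, exactly when someone is trying to diagnose a provider. The line should become `debug("%s: starting %s %s", __func__, prog, verbosity == NULL ? "" : verbosity);`; since it is a context line in this diff it needs its own small follow-up rather than a tweak to this backport.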
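Review bot: in the @@ -220,75 +373,110 @@ hunk, the `fail:` label sits inside the body of `if ((pid = fork()) == -1)` and the cleanup frees `helper->rsa_meth` and `helper->ec_meth`, which are still NULL (from xcalloc) when the jump comes from the `pkcs11_start_helper_methods(helper) == -1` branch after EC_KEY_METHOD_new() fails. RSA_meth_free() tolerates NULL; check that EC_KEY_METHOD_free() does in the OpenSSL dunfell builds against, and if not guard it with `if (helper->ec_meth != NULL)`. Moving the label out of the if body would also make the error path readable without tracing a goto into a conditional.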
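Review bot: beginning with the rsa_finish() hunk at @@ -163,7 +293,26 @@, every `#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)` guard is deleted and the helper methods now call EC_KEY_METHOD_new() and EC_KEY_METHOD_get_init() unconditionally, so ssh-pkcs11-client.c no longer compiles against an OpenSSL without EC or without the EC_KEY_METHOD API. That mirrors upstream and is fine for an OpenSSL 1.1.x target, but the backport commit message should state that the configure-time fallback is dropped on purpose so nobody chases it as a regression.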
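Review bot: in the pkcs11_terminate() hunk at @@ -104,14 +227,17 @@, `for (i = 0; i < nhelpers; i++) helper_terminate(helpers[i]);` is only correct if helper_terminate() never removes the entry from `helpers[]` during the loop; the fragment at the top of this diff shows helper_free() being invoked once `nrsa == 0 && nec == 0`, and if that compacts the table and decrements `nhelpers`, the entry that slides into slot `i` is skipped and its helper process is left running. Either iterate in a way that tolerates removal or add a comment stating that every helper in the table still holds at least one key when pkcs11_terminate() runs.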
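Review bot: in the pkcs11_del_provider() hunk at @@ -371,22 +570,15 @@, the SSH_AGENTC_REMOVE_SMARTCARD_KEY round trip to the helper is removed and the function returns 0 unconditionally, including when helper_by_provider(name) finds nothing. Callers that treated a non-zero return as "that provider was not loaded" now see success for unknown names; if that is intended (the new comment says the agent has already deleted the keys before calling here), say so in the commit message, otherwise return -1 when no helper matched.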
@@ -0,0 +1,171 @@ +From 2f1be98e83feb90665b9292eff8bb734537fd491 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 19 Jul 2023 14:02:27 +0000 +Subject: [PATCH 03/12] upstream: Ensure FIDO/PKCS11 libraries contain expected + symbols + +This checks via nlist(3) that candidate provider libraries contain one +of the symbols that we will require prior to dlopen(), which can cause +a number of side effects, including execution of constructors. + +Feedback deraadt; ok markus + +OpenBSD-Commit-ID: 1508a5fbd74e329e69a55b56c453c292029aefbe + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/29ef8a04866ca14688d5b7fed7b8b9deab851f77] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + misc.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + misc.h | 1 + + ssh-pkcs11.c | 4 +++ + ssh-sk.c | 6 ++-- + 4 files changed, 86 insertions(+), 2 deletions(-) + +diff --git a/misc.c b/misc.c +index 3a31d5c..8a107e4 100644 +--- a/misc.c ++++ b/misc.c +@@ -28,6 +28,7 @@ + + #include <sys/types.h> + #include <sys/ioctl.h> ++#include <sys/mman.h> + #include <sys/socket.h> + #include <sys/stat.h> + #include <sys/time.h> +@@ -41,6 +42,9 @@ + #ifdef HAVE_POLL_H + #include <poll.h> + #endif ++#ifdef HAVE_NLIST_H ++#include <nlist.h> ++#endif + #include <signal.h> + #include <stdarg.h> + #include <stdio.h> +@@ -2266,3 +2270,76 @@ ssh_signal(int signum, sshsig_t handler) + } + return osa.sa_handler; + } ++ ++ ++/* ++ * Returns zero if the library at 'path' contains symbol 's', nonzero ++ * otherwise. 
++ */ ++int ++lib_contains_symbol(const char *path, const char *s) ++{ ++#ifdef HAVE_NLIST_H ++ struct nlist nl[2]; ++ int ret = -1, r; ++ ++ memset(nl, 0, sizeof(nl)); ++ nl[0].n_name = xstrdup(s); ++ nl[1].n_name = NULL; ++ if ((r = nlist(path, nl)) == -1) { ++ error("%s: nlist failed for %s", __func__, path); ++ goto out; ++ } ++ if (r != 0 || nl[0].n_value == 0 || nl[0].n_type == 0) { ++ error("%s: library %s does not contain symbol %s", __func__, path, s); ++ goto out; ++ } ++ /* success */ ++ ret = 0; ++ out: ++ free(nl[0].n_name); ++ return ret; ++#else /* HAVE_NLIST_H */ ++ int fd, ret = -1; ++ struct stat st; ++ void *m = NULL; ++ size_t sz = 0; ++ ++ memset(&st, 0, sizeof(st)); ++ if ((fd = open(path, O_RDONLY)) < 0) { ++ error("%s: open %s: %s", __func__, path, strerror(errno)); ++ return -1; ++ } ++ if (fstat(fd, &st) != 0) { ++ error("%s: fstat %s: %s", __func__, path, strerror(errno)); ++ goto out; ++ } ++ if (!S_ISREG(st.st_mode)) { ++ error("%s: %s is not a regular file", __func__, path); ++ goto out; ++ } ++ if (st.st_size < 0 || ++ (size_t)st.st_size < strlen(s) || ++ st.st_size >= INT_MAX/2) { ++ error("%s: %s bad size %lld", __func__, path, (long long)st.st_size); ++ goto out; ++ } ++ sz = (size_t)st.st_size; ++ if ((m = mmap(NULL, sz, PROT_READ, MAP_PRIVATE, fd, 0)) == MAP_FAILED || ++ m == NULL) { ++ error("%s: mmap %s: %s", __func__, path, strerror(errno)); ++ goto out; ++ } ++ if (memmem(m, sz, s, strlen(s)) == NULL) { ++ error("%s: %s does not contain expected string %s", __func__, path, s); ++ goto out; ++ } ++ /* success */ ++ ret = 0; ++ out: ++ if (m != NULL && m != MAP_FAILED) ++ munmap(m, sz); ++ close(fd); ++ return ret; ++#endif /* HAVE_NLIST_H */ ++} +diff --git a/misc.h b/misc.h +index 4a05db2..3f9f4db 100644 +--- a/misc.h ++++ b/misc.h +@@ -86,6 +86,7 @@ const char *atoi_err(const char *, int *); + int parse_absolute_time(const char *, uint64_t *); + void format_absolute_time(uint64_t, char *, size_t); + int path_absolute(const 
char *); ++int lib_contains_symbol(const char *, const char *); + + void sock_set_v6only(int); + +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index b56a41b..639a6f7 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1499,6 +1499,10 @@ pkcs11_register_provider(char *provider_id, char *pin, + __func__, provider_id); + goto fail; + } ++ if (lib_contains_symbol(provider_id, "C_GetFunctionList") != 0) { ++ error("provider %s is not a PKCS11 library", provider_id); ++ goto fail; ++ } + /* open shared pkcs11-library */ + if ((handle = dlopen(provider_id, RTLD_NOW)) == NULL) { + error("dlopen %s failed: %s", provider_id, dlerror()); +diff --git a/ssh-sk.c b/ssh-sk.c +index 5ff9381..9df12cc 100644 +--- a/ssh-sk.c ++++ b/ssh-sk.c +@@ -119,10 +119,12 @@ sshsk_open(const char *path) + #endif + return ret; + } +- if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) { +- error("Provider \"%s\" dlopen failed: %s", path, dlerror()); ++ if (lib_contains_symbol(path, "sk_api_version") != 0) { ++ error("provider %s is not an OpenSSH FIDO library", path); + goto fail; + } ++ if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) ++ fatal("Provider \"%s\" dlopen failed: %s", path, dlerror()); + if ((ret->sk_api_version = dlsym(ret->dlhandle, + "sk_api_version")) == NULL) { + error("Provider \"%s\" dlsym(sk_api_version) failed: %s", +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch new file mode 100644 index 0000000000..5e8040c9bf --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-04.patch 
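Review bot: in the misc.c hunk at @@ -2266,3 +2270,76 @@, the `#else` branch of lib_contains_symbol() is a memmem() substring search over the whole file rather than a symbol-table lookup, so any regular file containing the bytes `C_GetFunctionList` or `sk_api_version` anywhere passes. That is acceptable as a pre-dlopen() filter, and the error text `does not contain expected string` is honest about it, but the function comment (`contains symbol 's'`) should say the non-nlist path is a heuristic. Also confirm that misc.c already has `<fcntl.h>` for O_RDONLY and the feature macro memmem() needs on glibc, since this hunk only adds `<sys/mman.h>` and `<nlist.h>`.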
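Review bot: in the ssh-sk.c hunk, a dlopen() failure changes from `error(...); goto fail;` to fatal(), so a FIDO provider whose own dependencies are missing now terminates the calling process (ssh-agent included) instead of returning an error. The rationale is that lib_contains_symbol() has just accepted the file, so a subsequent dlopen() failure is the suspicious case; that behaviour change deserves a sentence in the commit message so users are not surprised by an agent exiting on a bad provider path.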
@@ -0,0 +1,34 @@ +From 0862f338941bfdfb2cadee87de6d5fdca1b8f457 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 19 Jul 2023 13:55:53 +0000 +Subject: [PATCH 04/12] upstream: terminate process if requested to load a + PKCS#11 provider that isn't a PKCS#11 provider; from / ok markus@ + +OpenBSD-Commit-ID: 39532cf18b115881bb4cfaee32084497aadfa05c + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + ssh-pkcs11.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 639a6f7..7530acc 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -1508,10 +1508,8 @@ pkcs11_register_provider(char *provider_id, char *pin, + error("dlopen %s failed: %s", provider_id, dlerror()); + goto fail; + } +- if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) { +- error("dlsym(C_GetFunctionList) failed: %s", dlerror()); +- goto fail; +- } ++ if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) ++ fatal("dlsym(C_GetFunctionList) failed: %s", dlerror()); + p = xcalloc(1, sizeof(*p)); + p->name = xstrdup(provider_id); + p->handle = handle; +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch new file mode 100644 index 0000000000..0ddbdc68d4 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-05.patch 
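Review bot: in the ssh-pkcs11.c hunk, turning the dlsym(C_GetFunctionList) failure into fatal() is consistent with patch 03 having already required the symbol before dlopen(): reaching this branch means the library passed the pre-check yet exports no C_GetFunctionList, which is the case the commit message wants to terminate on. Worth noting in the message that on builds using the mmap/memmem fallback of lib_contains_symbol() a file that merely contains the string can get this far, so this fatal() is the effective gate there.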
@@ -0,0 +1,194 @@ +From a6cee3905edf070c0de135d3f2ee5b74da1dbd28 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Tue, 26 May 2020 01:26:58 +0000 +Subject: [PATCH 05/12] upstream: Restrict ssh-agent from signing web + challenges for FIDO + +keys. + +When signing messages in ssh-agent using a FIDO key that has an +application string that does not start with "ssh:", ensure that the +message being signed is one of the forms expected for the SSH protocol +(currently pubkey authentication and sshsig signatures). + +This prevents ssh-agent forwarding on a host that has FIDO keys +attached granting the ability for the remote side to sign challenges +for web authentication using those keys too. + +Note that the converse case of web browsers signing SSH challenges is +already precluded because no web RP can have the "ssh:" prefix in the +application string that we require. + +ok markus@ + +OpenBSD-Commit-ID: 9ab6012574ed0352d2f097d307f4a988222d1b19 + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/0c111eb84efba7c2a38b2cc3278901a0123161b9] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + ssh-agent.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 100 insertions(+), 10 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index ceb348c..1794f35 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.255 2020/02/06 22:30:54 naddy Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -77,6 +77,7 @@ + + #include "xmalloc.h" + #include "ssh.h" ++#include "ssh2.h" + #include "sshbuf.h" + #include "sshkey.h" + #include "authfd.h" +@@ -167,6 +168,9 @@ static long lifetime = 0; + + static int fingerprint_hash = SSH_FP_HASH_DEFAULT; + ++/* Refuse signing of non-SSH messages for web-origin 
FIDO keys */ ++static int restrict_websafe = 1; ++ + static void + close_socket(SocketEntry *e) + { +@@ -282,6 +286,80 @@ agent_decode_alg(struct sshkey *key, u_int flags) + return NULL; + } + ++/* ++ * This function inspects a message to be signed by a FIDO key that has a ++ * web-like application string (i.e. one that does not begin with "ssh:". ++ * It checks that the message is one of those expected for SSH operations ++ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges ++ * for the web. ++ */ ++static int ++check_websafe_message_contents(struct sshkey *key, ++ const u_char *msg, size_t len) ++{ ++ int matched = 0; ++ struct sshbuf *b; ++ u_char m, n; ++ char *cp1 = NULL, *cp2 = NULL; ++ int r; ++ struct sshkey *mkey = NULL; ++ ++ if ((b = sshbuf_from(msg, len)) == NULL) ++ fatal("%s: sshbuf_new", __func__); ++ ++ /* SSH userauth request */ ++ if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */ ++ (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */ ++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */ ++ (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */ ++ (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */ ++ (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */ ++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* alg */ ++ (r = sshkey_froms(b, &mkey)) == 0 && /* key */ ++ sshbuf_len(b) == 0) { ++ debug("%s: parsed userauth", __func__); ++ if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 && ++ strcmp(cp1, "ssh-connection") == 0 && ++ strcmp(cp2, "publickey") == 0 && ++ sshkey_equal(key, mkey)) { ++ debug("%s: well formed userauth", __func__); ++ matched = 1; ++ } ++ } ++ free(cp1); ++ free(cp2); ++ sshkey_free(mkey); ++ sshbuf_free(b); ++ if (matched) ++ return 1; ++ ++ if ((b = sshbuf_from(msg, len)) == NULL) ++ fatal("%s: sshbuf_new", __func__); ++ cp1 = cp2 = NULL; ++ mkey = NULL; ++ ++ /* SSHSIG */ ++ if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 && ++ (r = 
sshbuf_consume(b, 6)) == 0 && ++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */ ++ (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */ ++ (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */ ++ (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */ ++ sshbuf_len(b) == 0) { ++ debug("%s: parsed sshsig", __func__); ++ matched = 1; ++ } ++ ++ sshbuf_free(b); ++ if (matched) ++ return 1; ++ ++ /* XXX CA signature operation */ ++ ++ error("web-origin key attempting to sign non-SSH message"); ++ return 0; ++} ++ + /* ssh2 only */ + static void + process_sign_request2(SocketEntry *e) +@@ -314,14 +392,20 @@ process_sign_request2(SocketEntry *e) + verbose("%s: user refused key", __func__); + goto send; + } +- if (sshkey_is_sk(id->key) && +- (id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { +- if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, +- SSH_FP_DEFAULT)) == NULL) +- fatal("%s: fingerprint failed", __func__); +- notifier = notify_start(0, +- "Confirm user presence for key %s %s", +- sshkey_type(id->key), fp); ++ if (sshkey_is_sk(id->key)) { ++ if (strncmp(id->key->sk_application, "ssh:", 4) != 0 && ++ !check_websafe_message_contents(key, data, dlen)) { ++ /* error already logged */ ++ goto send; ++ } ++ if ((id->key->sk_flags & SSH_SK_USER_PRESENCE_REQD)) { ++ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, ++ SSH_FP_DEFAULT)) == NULL) ++ fatal("%s: fingerprint failed", __func__); ++ notifier = notify_start(0, ++ "Confirm user presence for key %s %s", ++ sshkey_type(id->key), fp); ++ } + } + if ((r = sshkey_sign(id->key, &signature, &slen, + data, dlen, agent_decode_alg(key, flags), +@@ -1214,7 +1298,7 @@ main(int ac, char **av) + __progname = ssh_get_progname(av[0]); + seed_rng(); + +- while ((ch = getopt(ac, av, "cDdksE:a:P:t:")) != -1) { ++ while ((ch = getopt(ac, av, "cDdksE:a:O:P:t:")) != -1) { + switch (ch) { + case 'E': + fingerprint_hash = ssh_digest_alg_by_name(optarg); +@@ -1229,6 +1313,12 
@@ main(int ac, char **av) + case 'k': + k_flag++; + break; ++ case 'O': ++ if (strcmp(optarg, "no-restrict-websafe") == 0) ++ restrict_websafe = 0; ++ else ++ fatal("Unknown -O option"); ++ break; + case 'P': + if (provider_whitelist != NULL) + fatal("-P option already specified"); +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch new file mode 100644 index 0000000000..ac494aab0b --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-06.patch 
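Review bot: in the ssh-agent.c hunks shown, `restrict_websafe` is declared and `-O no-restrict-websafe` sets it to 0, but nothing reads it: the process_sign_request2() hunk at @@ -314,14 +392,20 @@ calls check_websafe_message_contents() whenever `sk_application` does not start with `ssh:`, regardless of the flag. Unless a hunk not included here wires it in, the option is a no-op; the condition should be `restrict_websafe && strncmp(id->key->sk_application, "ssh:", 4) != 0 && !check_websafe_message_contents(key, data, dlen)`. The getopt string gains `O:` but the diffstat shows only ssh-agent.c touched, so the usage text and ssh-agent.1 are not updated for the new option either.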
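Review bot: in the check_websafe_message_contents() hunk at @@ -282,6 +286,80 @@, the userauth branch binds the message to the signing key via sshkey_equal() and the exact service/method strings, while the SSHSIG branch accepts any well-formed SSHSIG blob without looking at the namespace; that asymmetry is defensible (the SSHSIG magic cannot be the start of WebAuthn client data) but deserves a comment beside `/* XXX CA signature operation */` so a later edit does not loosen or tighten it by accident. Minor: the comment `(i.e. one that does not begin with "ssh:".` is missing its closing parenthesis.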
@@ -0,0 +1,73 @@ +From a5d845b7b42861d18f43e83de9f24c7374d1b458 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Fri, 18 Sep 2020 08:16:38 +0000 +Subject: [PATCH 06/12] upstream: handle multiple messages in a single read() + +PR#183 by Dennis Kaarsemaker; feedback and ok markus@ + +OpenBSD-Commit-ID: 8570bb4d02d00cf70b98590716ea6a7d1cce68d1 + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/52a03e9fca2d74eef953ddd4709250f365ca3975] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + ssh-agent.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index 1794f35..78f7268 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.258 2020/05/26 01:26:58 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -853,8 +853,10 @@ send: + } + #endif /* ENABLE_PKCS11 */ + +-/* dispatch incoming messages */ +- ++/* ++ * dispatch incoming message. ++ * returns 1 on success, 0 for incomplete messages or -1 on error. ++ */ + static int + process_message(u_int socknum) + { +@@ -908,7 +910,7 @@ process_message(u_int socknum) + /* send a fail message for all other request types */ + send_status(e, 0); + } +- return 0; ++ return 1; + } + + switch (type) { +@@ -952,7 +954,7 @@ process_message(u_int socknum) + send_status(e, 0); + break; + } +- return 0; ++ return 1; + } + + static void +@@ -1043,7 +1045,12 @@ handle_conn_read(u_int socknum) + if ((r = sshbuf_put(sockets[socknum].input, buf, len)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + explicit_bzero(buf, sizeof(buf)); +- process_message(socknum); ++ for (;;) { ++ if ((r = process_message(socknum)) == -1) ++ return -1; ++ else if (r == 0) ++ break; ++ } + return 0; + } + +-- +2.41.0 
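Review bot: in the handle_conn_read() hunk at @@ -1043,7 +1045,12 @@, the new `for (;;)` loop relies on process_message() returning -1 whenever it has closed or reset `sockets[socknum]`; the visible hunks only change the success returns from 0 to 1, so confirm every error path in process_message() (including those that end in close_socket()) returns -1, otherwise the next iteration reads a freed or wiped entry. Reusing `r` for both the sshbuf_put() status and the loop result also makes the `fatal(... ssh_err(r))` pattern easy to misapply later; a separate variable would be clearer.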
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch new file mode 100644 index 0000000000..0dcf23ae17 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-07.patch 
@@ -0,0 +1,125 @@ +From 653cc18c922fc387b3d3aa1b081c5e5283cce28a Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Tue, 26 Jan 2021 00:47:47 +0000 +Subject: [PATCH 07/12] upstream: use recallocarray to allocate the agent + sockets table; + +also clear socket entries that are being marked as unused. + +spinkle in some debug2() spam to make it easier to watch an agent +do its thing. + +ok markus + +OpenBSD-Commit-ID: 74582c8e82e96afea46f6c7b6813a429cbc75922 + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1fe16fd61bb53944ec510882acc0491abd66ff76] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + ssh-agent.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index 78f7268..2635bc5 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.264 2020/09/18 08:16:38 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -175,11 +175,12 @@ static void + close_socket(SocketEntry *e) + { + close(e->fd); +- e->fd = -1; +- e->type = AUTH_UNUSED; + sshbuf_free(e->input); + sshbuf_free(e->output); + sshbuf_free(e->request); ++ memset(e, '\0', sizeof(*e)); ++ e->fd = -1; ++ e->type = AUTH_UNUSED; + } + + static void +@@ -249,6 +250,8 @@ process_request_identities(SocketEntry *e) + struct sshbuf *msg; + int r; + ++ debug2("%s: entering", __func__); ++ + if ((msg = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_u8(msg, SSH2_AGENT_IDENTITIES_ANSWER)) != 0 || +@@ -441,6 +444,7 @@ process_remove_identity(SocketEntry *e) + struct sshkey *key = NULL; + Identity *id; + ++ debug2("%s: entering", __func__); + if ((r = sshkey_froms(e->request, &key)) != 0) { + error("%s: get key: %s", __func__, ssh_err(r)); + goto done; 
+@@ -467,6 +471,7 @@ process_remove_all_identities(SocketEntry *e) + { + Identity *id; + ++ debug2("%s: entering", __func__); + /* Loop over all identities and clear the keys. */ + for (id = TAILQ_FIRST(&idtab->idlist); id; + id = TAILQ_FIRST(&idtab->idlist)) { +@@ -520,6 +525,7 @@ process_add_identity(SocketEntry *e) + u_char ctype; + int r = SSH_ERR_INTERNAL_ERROR; + ++ debug2("%s: entering", __func__); + if ((r = sshkey_private_deserialize(e->request, &k)) != 0 || + k == NULL || + (r = sshbuf_get_cstring(e->request, &comment, NULL)) != 0) { +@@ -667,6 +673,7 @@ process_lock_agent(SocketEntry *e, int lock) + static u_int fail_count = 0; + size_t pwlen; + ++ debug2("%s: entering", __func__); + /* + * This is deliberately fatal: the user has requested that we lock, + * but we can't parse their request properly. The only safe thing to +@@ -738,6 +745,7 @@ process_add_smartcard_key(SocketEntry *e) + struct sshkey **keys = NULL, *k; + Identity *id; + ++ debug2("%s: entering", __func__); + if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || + (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { + error("%s: buffer error: %s", __func__, ssh_err(r)); +@@ -818,6 +826,7 @@ process_remove_smartcard_key(SocketEntry *e) + int r, success = 0; + Identity *id, *nxt; + ++ debug2("%s: entering", __func__); + if ((r = sshbuf_get_cstring(e->request, &provider, NULL)) != 0 || + (r = sshbuf_get_cstring(e->request, &pin, NULL)) != 0) { + error("%s: buffer error: %s", __func__, ssh_err(r)); +@@ -962,6 +971,8 @@ new_socket(sock_type type, int fd) + { + u_int i, old_alloc, new_alloc; + ++ debug("%s: type = %s", __func__, type == AUTH_CONNECTION ? "CONNECTION" : ++ (type == AUTH_SOCKET ? 
"SOCKET" : "UNKNOWN")); + set_nonblock(fd); + + if (fd > max_fd) +@@ -981,7 +992,8 @@ new_socket(sock_type type, int fd) + } + old_alloc = sockets_alloc; + new_alloc = sockets_alloc + 10; +- sockets = xreallocarray(sockets, new_alloc, sizeof(sockets[0])); ++ sockets = xrecallocarray(sockets, old_alloc, new_alloc, ++ sizeof(sockets[0])); + for (i = old_alloc; i < new_alloc; i++) + sockets[i].type = AUTH_UNUSED; + sockets_alloc = new_alloc; +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch new file mode 100644 index 0000000000..141c8113bf --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-08.patch 
@@ -0,0 +1,315 @@ +From c30158ea225cf8ad67c3dcc88fa9e4afbf8959a7 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Tue, 26 Jan 2021 00:53:31 +0000 +Subject: [PATCH 08/12] upstream: more ssh-agent refactoring + +Allow confirm_key() to accept an additional reason suffix + +Factor publickey userauth parsing out into its own function and allow +it to optionally return things it parsed out of the message to its +caller. + +feedback/ok markus@ + +OpenBSD-Commit-ID: 29006515617d1aa2d8b85cd2bf667e849146477e + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/e0e8bee8024fa9e31974244d14f03d799e5c0775] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + ssh-agent.c | 197 ++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 130 insertions(+), 67 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index 2635bc5..7ad323c 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.269 2021/01/26 00:47:47 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -216,15 +216,16 @@ lookup_identity(struct sshkey *key) + + /* Check confirmation of keysign request */ + static int +-confirm_key(Identity *id) ++confirm_key(Identity *id, const char *extra) + { + char *p; + int ret = -1; + + p = sshkey_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT); + if (p != NULL && +- ask_permission("Allow use of key %s?\nKey fingerprint %s.", +- id->comment, p)) ++ ask_permission("Allow use of key %s?\nKey fingerprint %s.%s%s", ++ id->comment, p, ++ extra == NULL ? "" : "\n", extra == NULL ? 
"" : extra)) + ret = 0; + free(p); + +@@ -290,74 +291,133 @@ agent_decode_alg(struct sshkey *key, u_int flags) + } + + /* +- * This function inspects a message to be signed by a FIDO key that has a +- * web-like application string (i.e. one that does not begin with "ssh:". +- * It checks that the message is one of those expected for SSH operations +- * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges +- * for the web. ++ * Attempt to parse the contents of a buffer as a SSH publickey userauth ++ * request, checking its contents for consistency and matching the embedded ++ * key against the one that is being used for signing. ++ * Note: does not modify msg buffer. ++ * Optionally extract the username and session ID from the request. + */ + static int +-check_websafe_message_contents(struct sshkey *key, +- const u_char *msg, size_t len) ++parse_userauth_request(struct sshbuf *msg, const struct sshkey *expected_key, ++ char **userp, struct sshbuf **sess_idp) + { +- int matched = 0; +- struct sshbuf *b; +- u_char m, n; +- char *cp1 = NULL, *cp2 = NULL; ++ struct sshbuf *b = NULL, *sess_id = NULL; ++ char *user = NULL, *service = NULL, *method = NULL, *pkalg = NULL; + int r; ++ u_char t, sig_follows; + struct sshkey *mkey = NULL; + +- if ((b = sshbuf_from(msg, len)) == NULL) +- fatal("%s: sshbuf_new", __func__); ++ if (userp != NULL) ++ *userp = NULL; ++ if (sess_idp != NULL) ++ *sess_idp = NULL; ++ if ((b = sshbuf_fromb(msg)) == NULL) ++ fatal("%s: sshbuf_fromb", __func__); + + /* SSH userauth request */ +- if ((r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* sess_id */ +- (r = sshbuf_get_u8(b, &m)) == 0 && /* SSH2_MSG_USERAUTH_REQUEST */ +- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* server user */ +- (r = sshbuf_get_cstring(b, &cp1, NULL)) == 0 && /* service */ +- (r = sshbuf_get_cstring(b, &cp2, NULL)) == 0 && /* method */ +- (r = sshbuf_get_u8(b, &n)) == 0 && /* sig-follows */ +- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && 
/* alg */ +- (r = sshkey_froms(b, &mkey)) == 0 && /* key */ +- sshbuf_len(b) == 0) { +- debug("%s: parsed userauth", __func__); +- if (m == SSH2_MSG_USERAUTH_REQUEST && n == 1 && +- strcmp(cp1, "ssh-connection") == 0 && +- strcmp(cp2, "publickey") == 0 && +- sshkey_equal(key, mkey)) { +- debug("%s: well formed userauth", __func__); +- matched = 1; +- } ++ if ((r = sshbuf_froms(b, &sess_id)) != 0) ++ goto out; ++ if (sshbuf_len(sess_id) == 0) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; + } +- free(cp1); +- free(cp2); +- sshkey_free(mkey); ++ if ((r = sshbuf_get_u8(b, &t)) != 0 || /* SSH2_MSG_USERAUTH_REQUEST */ ++ (r = sshbuf_get_cstring(b, &user, NULL)) != 0 || /* server user */ ++ (r = sshbuf_get_cstring(b, &service, NULL)) != 0 || /* service */ ++ (r = sshbuf_get_cstring(b, &method, NULL)) != 0 || /* method */ ++ (r = sshbuf_get_u8(b, &sig_follows)) != 0 || /* sig-follows */ ++ (r = sshbuf_get_cstring(b, &pkalg, NULL)) != 0 || /* alg */ ++ (r = sshkey_froms(b, &mkey)) != 0) /* key */ ++ goto out; ++ if (t != SSH2_MSG_USERAUTH_REQUEST || ++ sig_follows != 1 || ++ strcmp(service, "ssh-connection") != 0 || ++ !sshkey_equal(expected_key, mkey) || ++ sshkey_type_from_name(pkalg) != expected_key->type) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } ++ if (strcmp(method, "publickey") != 0) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } ++ if (sshbuf_len(b) != 0) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } ++ /* success */ ++ r = 0; ++ debug("%s: well formed userauth", __func__); ++ if (userp != NULL) { ++ *userp = user; ++ user = NULL; ++ } ++ if (sess_idp != NULL) { ++ *sess_idp = sess_id; ++ sess_id = NULL; ++ } ++ out: + sshbuf_free(b); +- if (matched) +- return 1; ++ sshbuf_free(sess_id); ++ free(user); ++ free(service); ++ free(method); ++ free(pkalg); ++ sshkey_free(mkey); ++ return r; ++} + +- if ((b = sshbuf_from(msg, len)) == NULL) +- fatal("%s: sshbuf_new", __func__); +- cp1 = cp2 = NULL; +- mkey = NULL; +- +- /* SSHSIG */ +- if ((r = 
sshbuf_cmp(b, 0, "SSHSIG", 6)) == 0 && +- (r = sshbuf_consume(b, 6)) == 0 && +- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* namespace */ +- (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* reserved */ +- (r = sshbuf_get_cstring(b, NULL, NULL)) == 0 && /* hashalg */ +- (r = sshbuf_get_string_direct(b, NULL, NULL)) == 0 && /* H(msg) */ +- sshbuf_len(b) == 0) { +- debug("%s: parsed sshsig", __func__); +- matched = 1; +- } ++/* ++ * Attempt to parse the contents of a buffer as a SSHSIG signature request. ++ * Note: does not modify buffer. ++ */ ++static int ++parse_sshsig_request(struct sshbuf *msg) ++{ ++ int r; ++ struct sshbuf *b; + ++ if ((b = sshbuf_fromb(msg)) == NULL) ++ fatal("%s: sshbuf_fromb", __func__); ++ ++ if ((r = sshbuf_cmp(b, 0, "SSHSIG", 6)) != 0 || ++ (r = sshbuf_consume(b, 6)) != 0 || ++ (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* namespace */ ++ (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0 || /* reserved */ ++ (r = sshbuf_get_cstring(b, NULL, NULL)) != 0 || /* hashalg */ ++ (r = sshbuf_get_string_direct(b, NULL, NULL)) != 0) /* H(msg) */ ++ goto out; ++ if (sshbuf_len(b) != 0) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } ++ /* success */ ++ r = 0; ++ out: + sshbuf_free(b); +- if (matched) ++ return r; ++} ++ ++/* ++ * This function inspects a message to be signed by a FIDO key that has a ++ * web-like application string (i.e. one that does not begin with "ssh:". ++ * It checks that the message is one of those expected for SSH operations ++ * (pubkey userauth, sshsig, CA key signing) to exclude signing challenges ++ * for the web. 
++ */ ++static int ++check_websafe_message_contents(struct sshkey *key, struct sshbuf *data) ++{ ++ if (parse_userauth_request(data, key, NULL, NULL) == 0) { ++ debug("%s: signed data matches public key userauth request", __func__); + return 1; ++ } ++ if (parse_sshsig_request(data) == 0) { ++ debug("%s: signed data matches SSHSIG signature request", __func__); ++ return 1; ++ } + +- /* XXX CA signature operation */ ++ /* XXX check CA signature operation */ + + error("web-origin key attempting to sign non-SSH message"); + return 0; +@@ -367,21 +427,22 @@ check_websafe_message_contents(struct sshkey *key, + static void + process_sign_request2(SocketEntry *e) + { +- const u_char *data; + u_char *signature = NULL; +- size_t dlen, slen = 0; ++ size_t i, slen = 0; + u_int compat = 0, flags; + int r, ok = -1; + char *fp = NULL; +- struct sshbuf *msg; ++ struct sshbuf *msg = NULL, *data = NULL; + struct sshkey *key = NULL; + struct identity *id; + struct notifier_ctx *notifier = NULL; + +- if ((msg = sshbuf_new()) == NULL) ++ debug("%s: entering", __func__); ++ ++ if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshkey_froms(e->request, &key)) != 0 || +- (r = sshbuf_get_string_direct(e->request, &data, &dlen)) != 0 || ++ (r = sshbuf_get_stringb(e->request, data)) != 0 || + (r = sshbuf_get_u32(e->request, &flags)) != 0) { + error("%s: couldn't parse request: %s", __func__, ssh_err(r)); + goto send; +@@ -391,13 +452,13 @@ process_sign_request2(SocketEntry *e) + verbose("%s: %s key not found", __func__, sshkey_type(key)); + goto send; + } +- if (id->confirm && confirm_key(id) != 0) { ++ if (id->confirm && confirm_key(id, NULL) != 0) { + verbose("%s: user refused key", __func__); + goto send; + } + if (sshkey_is_sk(id->key)) { + if (strncmp(id->key->sk_application, "ssh:", 4) != 0 && +- !check_websafe_message_contents(key, data, dlen)) { ++ !check_websafe_message_contents(key, data)) { + /* error already 
logged */ + goto send; + } +@@ -411,7 +472,7 @@ process_sign_request2(SocketEntry *e) + } + } + if ((r = sshkey_sign(id->key, &signature, &slen, +- data, dlen, agent_decode_alg(key, flags), ++ sshbuf_ptr(data), sshbuf_len(data), agent_decode_alg(key, flags), + id->sk_provider, compat)) != 0) { + error("%s: sshkey_sign: %s", __func__, ssh_err(r)); + goto send; +@@ -420,8 +481,7 @@ process_sign_request2(SocketEntry *e) + ok = 0; + send: + notify_complete(notifier); +- sshkey_free(key); +- free(fp); ++ + if (ok == 0) { + if ((r = sshbuf_put_u8(msg, SSH2_AGENT_SIGN_RESPONSE)) != 0 || + (r = sshbuf_put_string(msg, signature, slen)) != 0) +@@ -432,7 +492,10 @@ process_sign_request2(SocketEntry *e) + if ((r = sshbuf_put_stringb(e->output, msg)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + ++ sshbuf_free(data); + sshbuf_free(msg); ++ sshkey_free(key); ++ free(fp); + free(signature); + } + +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch new file mode 100644 index 0000000000..b519ccce42 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-09.patch 
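Review bot: the rewritten comment block in the `@@ -290,74 +291,133 @@` hunk still carries the unbalanced parenthesis it had before the move, `(i.e. one that does not begin with "ssh:".`; since the block is being relocated anyway, close the parenthesis. Separately, the new `parse_userauth_request()` rejects trailing bytes (`sshbuf_len(b) != 0`), an empty session ID and a method other than `publickey`, which is stricter than the `check_websafe_message_contents()` it replaces; that tightening is worth a sentence in the backport description because it changes which signing requests a web-origin FIDO key will accept.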
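Review bot: in the `@@ -367,21 +427,22 @@` hunk, `if ((msg = sshbuf_new()) == NULL | (data = sshbuf_new()) == NULL)` uses the bitwise `|` where the logical `||` is meant; it only works because both comparisons yield 0 or 1 and both operands are evaluated, but it defeats short-circuiting and reads as a typo, so change it to `||`. In the same hunk `size_t dlen, slen = 0;` becomes `size_t i, slen = 0;` while nothing in this patch uses `i` (its first use is in patch 11 of the series), so a tree built between patch 08 and patch 11 gets an unused-variable warning; either move the declaration to patch 11 or mention the intermediate state in the backport notes.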
@@ -0,0 +1,38 @@ +From 7adba46611e5d076d7d12d9f4162dd4cabd5ff50 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Fri, 29 Jan 2021 06:28:10 +0000 +Subject: [PATCH 09/12] upstream: give typedef'd struct a struct name; makes + the fuzzer I'm + +writing a bit easier + +OpenBSD-Commit-ID: 1052ab521505a4d8384d67acb3974ef81b8896cb + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/8afaa7d7918419d3da6c0477b83db2159879cb33] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + ssh-agent.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index 7ad323c..c99927c 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.270 2021/01/26 00:53:31 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -108,7 +108,7 @@ typedef enum { + AUTH_CONNECTION + } sock_type; + +-typedef struct { ++typedef struct socket_entry { + int fd; + sock_type type; + struct sshbuf *input; +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch new file mode 100644 index 0000000000..27b2eadfae --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-10.patch 
@@ -0,0 +1,39 @@ +From 343e2a2c0ef754a7a86118016b248f7a73f8d510 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Fri, 29 Jan 2021 06:29:46 +0000 +Subject: [PATCH 10/12] upstream: fix the values of enum sock_type + +OpenBSD-Commit-ID: 18d048f4dbfbb159ff500cfc2700b8fb1407facd + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1a4b92758690faa12f49079dd3b72567f909466d] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + ssh-agent.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/ssh-agent.c b/ssh-agent.c +index c99927c..7f1e14b 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.274 2021/01/29 06:28:10 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -103,9 +103,9 @@ + #define AGENT_RBUF_LEN (4096) + + typedef enum { +- AUTH_UNUSED, +- AUTH_SOCKET, +- AUTH_CONNECTION ++ AUTH_UNUSED = 0, ++ AUTH_SOCKET = 1, ++ AUTH_CONNECTION = 2, + } sock_type; + + typedef struct socket_entry { +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch new file mode 100644 index 0000000000..c300393ebf --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-11.patch 
@@ -0,0 +1,307 @@ +From 2b3b369c8cf71f9ef5942a5e074e6f86e7ca1e0c Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Sun, 19 Dec 2021 22:09:23 +0000 +Subject: [PATCH 11/12] upstream: ssh-agent side of binding + +record session ID/hostkey/forwarding status for each active socket. + +Attempt to parse data-to-be-signed at signature request time and extract +session ID from the blob if it is a pubkey userauth request. + +ok markus@ + +OpenBSD-Commit-ID: a80fd41e292b18b67508362129e9fed549abd318 + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/4c1e3ce85e183a9d0c955c88589fed18e4d6a058] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + authfd.h | 3 + + ssh-agent.c | 175 +++++++++++++++++++++++++++++++++++++++++++++++++--- + 2 files changed, 170 insertions(+), 8 deletions(-) + +diff --git a/authfd.h b/authfd.h +index c3bf625..9cc9807 100644 +--- a/authfd.h ++++ b/authfd.h +@@ -76,6 +76,9 @@ int ssh_agent_sign(int sock, const struct sshkey *key, + #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25 + #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26 + ++/* generic extension mechanism */ ++#define SSH_AGENTC_EXTENSION 27 ++ + #define SSH_AGENT_CONSTRAIN_LIFETIME 1 + #define SSH_AGENT_CONSTRAIN_CONFIRM 2 + #define SSH_AGENT_CONSTRAIN_MAXSIGN 3 +diff --git a/ssh-agent.c b/ssh-agent.c +index 7f1e14b..01c7f2b 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.275 2021/01/29 06:29:46 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -98,9 +98,15 @@ + #endif + + /* Maximum accepted message length */ +-#define AGENT_MAX_LEN (256*1024) ++#define AGENT_MAX_LEN (256*1024) + /* Maximum bytes to read from client socket */ +-#define AGENT_RBUF_LEN (4096) ++#define AGENT_RBUF_LEN (4096) ++/* Maximum number of recorded 
session IDs/hostkeys per connection */ ++#define AGENT_MAX_SESSION_IDS 16 ++/* Maximum size of session ID */ ++#define AGENT_MAX_SID_LEN 128 ++ ++/* XXX store hostkey_sid in a refcounted tree */ + + typedef enum { + AUTH_UNUSED = 0, +@@ -108,12 +114,20 @@ typedef enum { + AUTH_CONNECTION = 2, + } sock_type; + ++struct hostkey_sid { ++ struct sshkey *key; ++ struct sshbuf *sid; ++ int forwarded; ++}; ++ + typedef struct socket_entry { + int fd; + sock_type type; + struct sshbuf *input; + struct sshbuf *output; + struct sshbuf *request; ++ size_t nsession_ids; ++ struct hostkey_sid *session_ids; + } SocketEntry; + + u_int sockets_alloc = 0; +@@ -174,10 +188,17 @@ static int restrict_websafe = 1; + static void + close_socket(SocketEntry *e) + { ++ size_t i; ++ + close(e->fd); + sshbuf_free(e->input); + sshbuf_free(e->output); + sshbuf_free(e->request); ++ for (i = 0; i < e->nsession_ids; i++) { ++ sshkey_free(e->session_ids[i].key); ++ sshbuf_free(e->session_ids[i].sid); ++ } ++ free(e->session_ids); + memset(e, '\0', sizeof(*e)); + e->fd = -1; + e->type = AUTH_UNUSED; +@@ -423,6 +444,18 @@ check_websafe_message_contents(struct sshkey *key, struct sshbuf *data) + return 0; + } + ++static int ++buf_equal(const struct sshbuf *a, const struct sshbuf *b) ++{ ++ if (sshbuf_ptr(a) == NULL || sshbuf_ptr(b) == NULL) ++ return SSH_ERR_INVALID_ARGUMENT; ++ if (sshbuf_len(a) != sshbuf_len(b)) ++ return SSH_ERR_INVALID_FORMAT; ++ if (timingsafe_bcmp(sshbuf_ptr(a), sshbuf_ptr(b), sshbuf_len(a)) != 0) ++ return SSH_ERR_INVALID_FORMAT; ++ return 0; ++} ++ + /* ssh2 only */ + static void + process_sign_request2(SocketEntry *e) +@@ -431,8 +464,8 @@ process_sign_request2(SocketEntry *e) + size_t i, slen = 0; + u_int compat = 0, flags; + int r, ok = -1; +- char *fp = NULL; +- struct sshbuf *msg = NULL, *data = NULL; ++ char *fp = NULL, *user = NULL, *sig_dest = NULL; ++ struct sshbuf *msg = NULL, *data = NULL, *sid = NULL; + struct sshkey *key = NULL; + struct identity *id; + struct 
notifier_ctx *notifier = NULL; +@@ -452,7 +485,33 @@ process_sign_request2(SocketEntry *e) + verbose("%s: %s key not found", __func__, sshkey_type(key)); + goto send; + } +- if (id->confirm && confirm_key(id, NULL) != 0) { ++ /* ++ * If session IDs were recorded for this socket, then use them to ++ * annotate the confirmation messages with the host keys. ++ */ ++ if (e->nsession_ids > 0 && ++ parse_userauth_request(data, key, &user, &sid) == 0) { ++ /* ++ * session ID from userauth request should match the final ++ * ID in the list recorded in the socket, unless the ssh ++ * client at that point lacks the binding extension (or if ++ * an attacker is trying to steal use of the agent). ++ */ ++ i = e->nsession_ids - 1; ++ if (buf_equal(sid, e->session_ids[i].sid) == 0) { ++ if ((fp = sshkey_fingerprint(e->session_ids[i].key, ++ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL) ++ fatal("%s: fingerprint failed", __func__); ++ debug3("%s: destination %s %s (slot %zu)", __func__, ++ sshkey_type(e->session_ids[i].key), fp, i); ++ xasprintf(&sig_dest, "public key request for " ++ "target user \"%s\" to %s %s", user, ++ sshkey_type(e->session_ids[i].key), fp); ++ free(fp); ++ fp = NULL; ++ } ++ }// ++ if (id->confirm && confirm_key(id, sig_dest) != 0) { + verbose("%s: user refused key", __func__); + goto send; + } +@@ -467,8 +526,10 @@ process_sign_request2(SocketEntry *e) + SSH_FP_DEFAULT)) == NULL) + fatal("%s: fingerprint failed", __func__); + notifier = notify_start(0, +- "Confirm user presence for key %s %s", +- sshkey_type(id->key), fp); ++ "Confirm user presence for key %s %s%s%s", ++ sshkey_type(id->key), fp, ++ sig_dest == NULL ? "" : "\n", ++ sig_dest == NULL ? 
"" : sig_dest); + } + } + if ((r = sshkey_sign(id->key, &signature, &slen, +@@ -492,11 +553,14 @@ process_sign_request2(SocketEntry *e) + if ((r = sshbuf_put_stringb(e->output, msg)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + ++ sshbuf_free(sid); + sshbuf_free(data); + sshbuf_free(msg); + sshkey_free(key); + free(fp); + free(signature); ++ free(sig_dest); ++ free(user); + } + + /* shared */ +@@ -925,6 +989,98 @@ send: + } + #endif /* ENABLE_PKCS11 */ + ++static int ++process_ext_session_bind(SocketEntry *e) ++{ ++ int r, sid_match, key_match; ++ struct sshkey *key = NULL; ++ struct sshbuf *sid = NULL, *sig = NULL; ++ char *fp = NULL; ++ u_char fwd; ++ size_t i; ++ ++ debug2("%s: entering", __func__); ++ if ((r = sshkey_froms(e->request, &key)) != 0 || ++ (r = sshbuf_froms(e->request, &sid)) != 0 || ++ (r = sshbuf_froms(e->request, &sig)) != 0 || ++ (r = sshbuf_get_u8(e->request, &fwd)) != 0) { ++ error("%s: parse: %s", __func__, ssh_err(r)); ++ goto out; ++ } ++ if ((fp = sshkey_fingerprint(key, SSH_FP_HASH_DEFAULT, ++ SSH_FP_DEFAULT)) == NULL) ++ fatal("%s: fingerprint failed", __func__); ++ /* check signature with hostkey on session ID */ ++ if ((r = sshkey_verify(key, sshbuf_ptr(sig), sshbuf_len(sig), ++ sshbuf_ptr(sid), sshbuf_len(sid), NULL, 0, NULL)) != 0) { ++ error("%s: sshkey_verify for %s %s: %s", __func__, sshkey_type(key), fp, ssh_err(r)); ++ goto out; ++ } ++ /* check whether sid/key already recorded */ ++ for (i = 0; i < e->nsession_ids; i++) { ++ sid_match = buf_equal(sid, e->session_ids[i].sid) == 0; ++ key_match = sshkey_equal(key, e->session_ids[i].key); ++ if (sid_match && key_match) { ++ debug("%s: session ID already recorded for %s %s", __func__, ++ sshkey_type(key), fp); ++ r = 0; ++ goto out; ++ } else if (sid_match) { ++ error("%s: session ID recorded against different key " ++ "for %s %s", __func__, sshkey_type(key), fp); ++ r = -1; ++ goto out; ++ } ++ /* ++ * new sid with previously-seen key can happen, e.g. 
multiple ++ * connections to the same host. ++ */ ++ } ++ /* record new key/sid */ ++ if (e->nsession_ids >= AGENT_MAX_SESSION_IDS) { ++ error("%s: too many session IDs recorded", __func__); ++ goto out; ++ } ++ e->session_ids = xrecallocarray(e->session_ids, e->nsession_ids, ++ e->nsession_ids + 1, sizeof(*e->session_ids)); ++ i = e->nsession_ids++; ++ debug("%s: recorded %s %s (slot %zu of %d)", __func__, sshkey_type(key), fp, i, ++ AGENT_MAX_SESSION_IDS); ++ e->session_ids[i].key = key; ++ e->session_ids[i].forwarded = fwd != 0; ++ key = NULL; /* transferred */ ++ /* can't transfer sid; it's refcounted and scoped to request's life */ ++ if ((e->session_ids[i].sid = sshbuf_new()) == NULL) ++ fatal("%s: sshbuf_new", __func__); ++ if ((r = sshbuf_putb(e->session_ids[i].sid, sid)) != 0) ++ fatal("%s: sshbuf_putb session ID: %s", __func__, ssh_err(r)); ++ /* success */ ++ r = 0; ++ out: ++ sshkey_free(key); ++ sshbuf_free(sid); ++ sshbuf_free(sig); ++ return r == 0 ? 1 : 0; ++} ++ ++static void ++process_extension(SocketEntry *e) ++{ ++ int r, success = 0; ++ char *name; ++ ++ debug2("%s: entering", __func__); ++ if ((r = sshbuf_get_cstring(e->request, &name, NULL)) != 0) { ++ error("%s: parse: %s", __func__, ssh_err(r)); ++ goto send; ++ } ++ if (strcmp(name, "session-bind@openssh.com") == 0) ++ success = process_ext_session_bind(e); ++ else ++ debug("%s: unsupported extension \"%s\"", __func__, name); ++send: ++ send_status(e, success); ++} + /* + * dispatch incoming message. + * returns 1 on success, 0 for incomplete messages or -1 on error. +@@ -1019,6 +1175,9 @@ process_message(u_int socknum) + process_remove_smartcard_key(e); + break; + #endif /* ENABLE_PKCS11 */ ++ case SSH_AGENTC_EXTENSION: ++ process_extension(e); ++ break; + default: + /* Unknown message. Respond with failure. */ + error("Unknown message %d", type); +-- +2.41.0 
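Review bot: the `@@ -98,9 +98,15 @@` hunk rewrites the unchanged `#define AGENT_MAX_LEN (256*1024)` and `#define AGENT_RBUF_LEN (4096)` lines with whitespace-only differences; harmless, but it inflates the diff and makes later conflict resolution on this file noisier, so drop those two pairs of `-`/`+` lines from the backport if they are only tab realignment.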
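Review bot: the `@@ -452,7 +485,33 @@` hunk in `process_sign_request2()` closes the new block with `}//`; that stray `//` does not belong there (OpenSSH code uses only `/* */` comments) and looks like a slip while preparing the backport, so remove it. Note also what the hunk's own comment says: a session ID in the signed data that does not match the last recorded one is tolerated, not refused, because a client without the binding extension is indistinguishable from a misbehaving one. This hunk therefore only annotates the confirmation prompt with the destination host key; it does not on its own block a forwarded request, which should be made clear in the CVE note so nobody reads this patch as a hard restriction.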
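Review bot: in the `@@ -925,6 +989,98 @@` hunk, `process_ext_session_bind()` reports success on a failure path: when `e->nsession_ids >= AGENT_MAX_SESSION_IDS` it logs "too many session IDs recorded" and does `goto out`, but `r` is still 0 from the preceding `sshkey_verify()`, so the function returns 1 and `send_status()` tells the client the binding was accepted even though nothing was recorded; set `r = -1;` before that `goto out`. The same function never frees `fp` from `sshkey_fingerprint()` (the `out:` label frees `key`, `sid` and `sig` only), and `process_extension()` never frees `name` from `sshbuf_get_cstring()`; both leak once per request, so add `free(fp);` and `free(name);` on the respective exit paths. Minor: the hunk ends without a blank line between the closing `}` of `process_extension()` and the following `/*` comment block.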
diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch new file mode 100644 index 0000000000..934775bdec --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-38408-12.patch 
@@ -0,0 +1,120 @@ +From 4fe3d0fbd3d6dc1f19354e0d73a3231c461ed044 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 19 Jul 2023 13:56:33 +0000 +Subject: [PATCH 12/12] upstream: Disallow remote addition of FIDO/PKCS11 + provider libraries to ssh-agent by default. + +The old behaviour of allowing remote clients from loading providers +can be restored using `ssh-agent -O allow-remote-pkcs11`. + +Detection of local/remote clients requires a ssh(1) that supports +the `session-bind@openssh.com` extension. Forwarding access to a +ssh-agent socket using non-OpenSSH tools may circumvent this control. + +ok markus@ + +OpenBSD-Commit-ID: 4c2bdf79b214ae7e60cc8c39a45501344fa7bd7c + +Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a] +CVE: CVE-2023-38408 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + ssh-agent.1 | 20 ++++++++++++++++++++ + ssh-agent.c | 26 ++++++++++++++++++++++++-- + 2 files changed, 44 insertions(+), 2 deletions(-) + +diff --git a/ssh-agent.1 b/ssh-agent.1 +index fff0db6..a0f1e21 100644 +--- a/ssh-agent.1 ++++ b/ssh-agent.1 +@@ -97,6 +97,26 @@ The default is + Kill the current agent (given by the + .Ev SSH_AGENT_PID + environment variable). ++Currently two options are supported: ++.Cm allow-remote-pkcs11 ++and ++.Pp ++The ++.Cm allow-remote-pkcs11 ++option allows clients of a forwarded ++.Nm ++to load PKCS#11 or FIDO provider libraries. ++By default only local clients may perform this operation. ++Note that signalling that a ++.Nm ++client remote is performed by ++.Xr ssh 1 , ++and use of other tools to forward access to the agent socket may circumvent ++this restriction. 
++.Pp ++The ++.Cm no-restrict-websafe , ++instructs + .It Fl P Ar provider_whitelist + Specify a pattern-list of acceptable paths for PKCS#11 and FIDO authenticator + shared libraries that may be used with the +diff --git a/ssh-agent.c b/ssh-agent.c +index 01c7f2b..40c1b6b 100644 +--- a/ssh-agent.c ++++ b/ssh-agent.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh-agent.c,v 1.280 2021/12/19 22:09:23 djm Exp $ */ ++/* $OpenBSD: ssh-agent.c,v 1.300 2023/07/19 13:56:33 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -167,6 +167,12 @@ char socket_dir[PATH_MAX]; + /* PKCS#11/Security key path whitelist */ + static char *provider_whitelist; + ++/* ++ * Allows PKCS11 providers or SK keys that use non-internal providers to ++ * be added over a remote connection (identified by session-bind@openssh.com). ++ */ ++static int remote_add_provider; ++ + /* locking */ + #define LOCK_SIZE 32 + #define LOCK_SALT_SIZE 16 +@@ -736,6 +742,15 @@ process_add_identity(SocketEntry *e) + if (strcasecmp(sk_provider, "internal") == 0) { + debug("%s: internal provider", __func__); + } else { ++ if (e->nsession_ids != 0 && !remote_add_provider) { ++ verbose("failed add of SK provider \"%.100s\": " ++ "remote addition of providers is disabled", ++ sk_provider); ++ free(sk_provider); ++ free(comment); ++ sshkey_free(k); ++ goto send; ++ } + if (realpath(sk_provider, canonical_provider) == NULL) { + verbose("failed provider \"%.100s\": " + "realpath: %s", sk_provider, +@@ -901,6 +916,11 @@ process_add_smartcard_key(SocketEntry *e) + goto send; + } + } ++ if (e->nsession_ids != 0 && !remote_add_provider) { ++ verbose("failed PKCS#11 add of \"%.100s\": remote addition of " ++ "providers is disabled", provider); ++ goto send; ++ } + if (realpath(provider, canonical_provider) == NULL) { + verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", + provider, strerror(errno)); +@@ -1556,7 +1576,9 @@ main(int ac, char **av) + break; + 
case 'O': + if (strcmp(optarg, "no-restrict-websafe") == 0) +- restrict_websafe = 0; ++ restrict_websafe = 0; ++ else if (strcmp(optarg, "allow-remote-pkcs11") == 0) ++ remote_add_provider = 1; + else + fatal("Unknown -O option"); + break; +-- +2.41.0 diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb index 79dba121ff..bc4b922301 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb @@ -27,6 +27,18 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://CVE-2020-14145.patch \ file://CVE-2021-28041.patch \ file://CVE-2021-41617.patch \ + file://CVE-2023-38408-01.patch \ + file://CVE-2023-38408-02.patch \ + file://CVE-2023-38408-03.patch \ + file://CVE-2023-38408-04.patch \ + file://CVE-2023-38408-05.patch \ + file://CVE-2023-38408-06.patch \ + file://CVE-2023-38408-07.patch \ + file://CVE-2023-38408-08.patch \ + file://CVE-2023-38408-09.patch \ + file://CVE-2023-38408-10.patch \ + file://CVE-2023-38408-11.patch \ + file://CVE-2023-38408-12.patch \ " SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091" SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671" -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
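Review bot: the `ssh-agent.1` hunk adds text that is incomplete in two places: `Currently two options are supported: .Cm allow-remote-pkcs11 and .Pp` names only one of the two options, and the trailing `The .Cm no-restrict-websafe , instructs` stops mid-sentence immediately before the existing `.It Fl P Ar provider_whitelist` item. The paragraph is also inserted under the `-k` description (context line "Kill the current agent ...") with no `.It Fl O` item introducing it, although the code change below adds the second `-O` value. Suggest completing both sentences from the upstream ssh-agent.1 and placing the whole block under its own `.It Fl O` entry so the rendered page does not describe the options as part of `-k`.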
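Review bot: in the `process_add_identity()` and `process_add_smartcard_key()` hunks the deny test is `e->nsession_ids != 0 && !remote_add_provider`, so a connection that has never sent `session-bind@openssh.com` counts as local and may still load a provider; the commit message acknowledges this. For a backport into 8.2p1 that is worth stating explicitly in the CVE note: the default-deny only protects agents that are forwarded by an ssh(1) which performs session binding, and whether the matching client-side change is present in this series should be confirmed. Nit: the `-O` hunk in `main()` rewrites `restrict_websafe = 0;` with a whitespace-only change; drop that pair of lines unless the indentation fix is intended.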
* [OE-core][dunfell 03/14] qemu: Backport fix CVE-2023-3180 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 01/14] bind: Backport fix for CVE-2023-2828 Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 02/14] openssh: Securiry fix for CVE-2023-38408 Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 04/14] qemu: Backport fix for CVE-2023-0330 Steve Sakoman ` (10 subsequent siblings) 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Ashish Sharma <asharma@mvista.com> Upstream-Status: Backport from [https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980] CVE: CVE-2023-3180 Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2023-3180.patch | 49 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 2871818cb1..3789d77046 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -139,6 +139,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ file://CVE-2023-0330.patch \ file://CVE-2023-3354.patch \ + file://CVE-2023-3180.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch new file mode 100644 index 0000000000..7144bdca46 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3180.patch 
@@ -0,0 +1,49 @@ +From 9d38a8434721a6479fe03fb5afb150ca793d3980 Mon Sep 17 00:00:00 2001 +From: zhenwei pi <pizhenwei@bytedance.com> +Date: Thu, 3 Aug 2023 10:43:13 +0800 +Subject: [PATCH] virtio-crypto: verify src&dst buffer length for sym request + +For symmetric algorithms, the length of ciphertext must be as same +as the plaintext. +The missing verification of the src_len and the dst_len in +virtio_crypto_sym_op_helper() may lead buffer overflow/divulged. + +This patch is originally written by Yiming Tao for QEMU-SECURITY, +resend it(a few changes of error message) in qemu-devel. + +Fixes: CVE-2023-3180 +Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler") +Cc: Gonglei <arei.gonglei@huawei.com> +Cc: Mauro Matteo Cascella <mcascell@redhat.com> +Cc: Yiming Tao <taoym@zju.edu.cn> +Signed-off-by: zhenwei pi <pizhenwei@bytedance.com> +Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> + +Upstream-Status: Backport from [https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980] +CVE: CVE-2023-3180 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + hw/virtio/virtio-crypto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index 44faf5a522b..13aec771e11 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -634,6 +634,11 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + return NULL; + } + ++ if (unlikely(src_len != dst_len)) { ++ virtio_error(vdev, "sym request src len is different from dst len"); ++ return NULL; ++ } ++ + max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; + if (unlikely(max_len > vcrypto->conf.max_size)) { + virtio_error(vdev, "virtio-crypto too big length"); +-- +GitLab + -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
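Review bot: placement of the new check in `virtio_crypto_sym_op_helper()` is right: the `src_len != dst_len` test runs ahead of the existing `max_len` computation and its `max_size` comparison, so mismatched guest-supplied lengths are rejected before any buffer is sized from them, and the `unlikely()` / `virtio_error()` / `return NULL` pattern matches the surrounding code. Nit: the neighbouring message reads "virtio-crypto too big length"; prefixing the new one the same way ("virtio-crypto sym request src len ...") keeps the device's error lines consistent for log searching.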
* [OE-core][dunfell 04/14] qemu: Backport fix for CVE-2023-0330 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (2 preceding siblings ...) 2023-09-12 13:53 ` [OE-core][dunfell 03/14] qemu: Backport fix CVE-2023-3180 Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 05/14] rootfs-post: remove traling blanks from tasks Steve Sakoman ` (9 subsequent siblings) 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Vijay Anusuri <vanusuri@mvista.com> A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. Summary of the problem from Peter Maydell: https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com Reference: https://gitlab.com/qemu-project/qemu/-/issues/556 qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330 b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330) a2e1753b80 memory: prevent dma-reentracy issues Included second commit as well as commit log of a2e1753b80 says it resolves CVE-2023-0330 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-devtools/qemu/qemu.inc | 3 +- ...-2023-0330.patch => CVE-2023-0330_1.patch} | 0 .../qemu/qemu/CVE-2023-0330_2.patch | 135 ++++++++++++++++++ 3 files changed, 137 insertions(+), 1 deletion(-) rename meta/recipes-devtools/qemu/qemu/{CVE-2023-0330.patch => CVE-2023-0330_1.patch} (100%) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 3789d77046..2669ba4ec8 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc 
@@ -137,7 +137,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://CVE-2021-3409-4.patch \ file://CVE-2021-3409-5.patch \ file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ - file://CVE-2023-0330.patch \ + file://CVE-2023-0330_1.patch \ + file://CVE-2023-0330_2.patch \ file://CVE-2023-3354.patch \ file://CVE-2023-3180.patch \ " diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch similarity index 100% rename from meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch rename to meta/recipes-devtools/qemu/qemu/CVE-2023-0330_1.patch diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch new file mode 100644 index 0000000000..3b45bc0411 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330_2.patch 
@@ -0,0 +1,135 @@ +From a2e1753b8054344f32cf94f31c6399a58794a380 Mon Sep 17 00:00:00 2001 +From: Alexander Bulekov <alxndr@bu.edu> +Date: Thu, 27 Apr 2023 17:10:06 -0400 +Subject: [PATCH] memory: prevent dma-reentracy issues + +Add a flag to the DeviceState, when a device is engaged in PIO/MMIO/DMA. +This flag is set/checked prior to calling a device's MemoryRegion +handlers, and set when device code initiates DMA. The purpose of this +flag is to prevent two types of DMA-based reentrancy issues: + +1.) mmio -> dma -> mmio case +2.) bh -> dma write -> mmio case + +These issues have led to problems such as stack-exhaustion and +use-after-frees. + +Summary of the problem from Peter Maydell: +https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/62 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/540 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/541 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/556 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/557 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/827 +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1282 +Resolves: CVE-2023-0330 + +Signed-off-by: Alexander Bulekov <alxndr@bu.edu> +Reviewed-by: Thomas Huth <thuth@redhat.com> +Message-Id: <20230427211013.2994127-2-alxndr@bu.edu> +[thuth: Replace warn_report() with warn_report_once()] +Signed-off-by: Thomas Huth <thuth@redhat.com> + +Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/a2e1753b8054344f32cf94f31c6399a58794a380] +CVE: CVE-2023-0330 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + include/exec/memory.h | 5 +++++ + include/hw/qdev-core.h | 7 +++++++ + memory.c | 16 ++++++++++++++++ + 3 files changed, 28 insertions(+) + +diff --git a/include/exec/memory.h b/include/exec/memory.h +index 2b8bccdd..0c8cdb8e 100644 +--- a/include/exec/memory.h ++++ b/include/exec/memory.h +@@ 
-378,6 +378,8 @@ struct MemoryRegion { + bool is_iommu; + RAMBlock *ram_block; + Object *owner; ++ /* owner as TYPE_DEVICE. Used for re-entrancy checks in MR access hotpath */ ++ DeviceState *dev; + + const MemoryRegionOps *ops; + void *opaque; +@@ -400,6 +402,9 @@ struct MemoryRegion { + const char *name; + unsigned ioeventfd_nb; + MemoryRegionIoeventfd *ioeventfds; ++ ++ /* For devices designed to perform re-entrant IO into their own IO MRs */ ++ bool disable_reentrancy_guard; + }; + + struct IOMMUMemoryRegion { +diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h +index 1518495b..206f0a70 100644 +--- a/include/hw/qdev-core.h ++++ b/include/hw/qdev-core.h +@@ -138,6 +138,10 @@ struct NamedGPIOList { + QLIST_ENTRY(NamedGPIOList) node; + }; + ++typedef struct { ++ bool engaged_in_io; ++} MemReentrancyGuard; ++ + /** + * DeviceState: + * @realized: Indicates whether the device has been fully constructed. +@@ -163,6 +167,9 @@ struct DeviceState { + int num_child_bus; + int instance_id_alias; + int alias_required_for_version; ++ ++ /* Is the device currently in mmio/pio/dma? Used to prevent re-entrancy */ ++ MemReentrancyGuard mem_reentrancy_guard; + }; + + struct DeviceListener { +diff --git a/memory.c b/memory.c +index 8cafb86a..94ebcaf9 100644 +--- a/memory.c ++++ b/memory.c +@@ -531,6 +531,18 @@ static MemTxResult access_with_adjusted_size(hwaddr addr, + access_size_max = 4; + } + ++ /* Do not allow more than one simultaneous access to a device's IO Regions */ ++ if (mr->dev && !mr->disable_reentrancy_guard && ++ !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly) { ++ if (mr->dev->mem_reentrancy_guard.engaged_in_io) { ++ warn_report_once("Blocked re-entrant IO on MemoryRegion: " ++ "%s at addr: 0x%" HWADDR_PRIX, ++ memory_region_name(mr), addr); ++ return MEMTX_ACCESS_ERROR; ++ } ++ mr->dev->mem_reentrancy_guard.engaged_in_io = true; ++ } ++ + /* FIXME: support unaligned access? 
*/ + access_size = MAX(MIN(size, access_size_max), access_size_min); + access_mask = MAKE_64BIT_MASK(0, access_size * 8); +@@ -545,6 +557,9 @@ static MemTxResult access_with_adjusted_size(hwaddr addr, + access_mask, attrs); + } + } ++ if (mr->dev) { ++ mr->dev->mem_reentrancy_guard.engaged_in_io = false; ++ } + return r; + } + +@@ -1132,6 +1147,7 @@ static void memory_region_do_init(MemoryRegion *mr, + } + mr->name = g_strdup(name); + mr->owner = owner; ++ mr->dev = (DeviceState *) object_dynamic_cast(mr->owner, TYPE_DEVICE); + mr->ram_block = NULL; + + if (name) { +-- +2.25.1 + -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
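Review bot: the second memory.c hunk (@@ -545) clears `engaged_in_io` whenever `mr->dev` is set, but the first hunk (@@ -531) only sets it under the narrower condition `!mr->disable_reentrancy_guard && !mr->ram_device && !mr->ram && !mr->rom_device && !mr->readonly`. A nested access to a device-owned region that is exempt from the check (a ram_device region, or one with disable_reentrancy_guard) therefore resets the flag to false while the outer MMIO handler is still running, re-opening the mmio -> dma -> mmio window the patch is meant to close. Suggest mirroring the same condition on the clearing side, or recording in a local whether this call set the flag and only clearing it in that case.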
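Review bot: the @@ -531 memory.c hunk returns `MEMTX_ACCESS_ERROR`, and this patch is a backport onto an older qemu than the upstream commit targets but does not add that enum value; confirm it exists in dunfell's qemu before merging. Also, the commit message says the flag is "set when device code initiates DMA" (case 2, bh -> dma write -> mmio), yet no hunk here touches a DMA or BH path; the Upstream-Status/CVE lines should record that only the MMIO re-entrancy check half of the upstream work is carried here so the CVE status is not overstated.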
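Review bot: in the memory_region_do_init hunk (@@ -1132) `mr->dev` is derived once from `mr->owner` via `object_dynamic_cast(..., TYPE_DEVICE)`, so any region whose owner is not a DeviceState (or whose owner is NULL) gets `dev == NULL` and silently falls outside the guard. That is acceptable, but worth a one-line comment next to the assignment stating that the guard only covers device-owned regions, since the check in access_with_adjusted_size reads as if it applied to all IO regions.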
* [OE-core][dunfell 05/14] rootfs-post: remove traling blanks from tasks 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (3 preceding siblings ...) 2023-09-12 13:53 ` [OE-core][dunfell 04/14] qemu: Backport fix for CVE-2023-0330 Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 06/14] yocto-uninative: Update to 4.3 Steve Sakoman ` (8 subsequent siblings) 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Priyal Doshi <pdoshi@mvista.com> remove the traling blanks before the ;-delimiter, so one could use "_remove" to avoid running tasks like 'rootfs_update_timestamp', which are currently hardcoded and not bound to any configurable feature flag Signed-off-by: Priyal Doshi <pdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/classes/rootfs-postcommands.bbclass | 6 +++--- meta/classes/rootfsdebugfiles.bbclass | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass index d9e2aeab64..943534c57a 100644 --- a/meta/classes/rootfs-postcommands.bbclass +++ b/meta/classes/rootfs-postcommands.bbclass @@ -1,6 +1,6 @@ # Zap the root password if debug-tweaks feature is not enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password ; ",d)}' +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password; ",d)}' # Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks or allow-empty-password is enabled ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-empty-password' ], "ssh_allow_empty_password; ", "",d)}' 
@@ -12,7 +12,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'post-install-logging' ], "postinst_enable_logging; ", "",d)}' # Create /etc/timestamp during image construction to give a reasonably sane default time setting -ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; " +ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp; " # Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}' @@ -26,7 +26,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only APPEND_append = '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", " ro", "", d)}' # Generates test data file with data store variables expanded in json format -ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data ; " +ROOTFS_POSTPROCESS_COMMAND += "write_image_test_data; " # Write manifest IMAGE_MANIFEST = "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.manifest" diff --git a/meta/classes/rootfsdebugfiles.bbclass b/meta/classes/rootfsdebugfiles.bbclass index e2ba4e3647..85c7ec7434 100644 --- a/meta/classes/rootfsdebugfiles.bbclass +++ b/meta/classes/rootfsdebugfiles.bbclass @@ -28,7 +28,7 @@ ROOTFS_DEBUG_FILES ?= "" ROOTFS_DEBUG_FILES[doc] = "Lists additional files or directories to be installed with 'cp -a' in the format 'source1 target1;source2 target2;...'" -ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files ;" +ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files;" rootfs_debug_files () { #!/bin/sh -e echo "${ROOTFS_DEBUG_FILES}" | sed -e 's/;/\n/g' | while read source target mode; do -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
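Review bot: the rootfs-postcommands.bbclass hunks change the literal strings that other layers may already be matching with `ROOTFS_POSTPROCESS_COMMAND_remove = "rootfs_update_timestamp ; "`; after this change such an entry no longer matches and the task silently runs again. The commit message should call out this behaviour change for downstream layers (and ideally the migration note in the release docs), since `_remove` is an exact-token match.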
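Review bot: the rootfsdebugfiles.bbclass hunk (@@ -28) produces `"rootfs_debug_files;"` with no trailing space, while every other entry touched in this series ends in `"; "`. Suggest `ROOTFS_POSTPROCESS_COMMAND += "rootfs_debug_files; "` so the token is consistent and a later `_remove` written the same way as the others matches it.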
* [OE-core][dunfell 06/14] yocto-uninative: Update to 4.3 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (4 preceding siblings ...) 2023-09-12 13:53 ` [OE-core][dunfell 05/14] rootfs-post: remove traling blanks from tasks Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 07/14] resulttool/resultutils: allow index generation despite corrupt json Steve Sakoman ` (7 subsequent siblings) 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Michael Halstead <mhalstead@linuxfoundation.org> Add in stable updates to glibc 2.38 to fix malloc bugs Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 39f987fcb20ad7c0e45425b9f508d463c50ce0c1) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/conf/distro/include/yocto-uninative.inc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc index 6596c0f4a2..eaa3e9b31c 100644 --- a/meta/conf/distro/include/yocto-uninative.inc +++ b/meta/conf/distro/include/yocto-uninative.inc 
@@ -7,9 +7,9 @@ # UNINATIVE_MAXGLIBCVERSION = "2.38" -UNINATIVE_VERSION = "4.2" +UNINATIVE_VERSION = "4.3" UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/" -UNINATIVE_CHECKSUM[aarch64] ?= "cff40e7bdde50aeda06707af8c001796a71b4cf33c5ae1616e5c47943ff6b94e" -UNINATIVE_CHECKSUM[i686] ?= "a70516447e9a9f1465ffaf1c7f89e79d1692d2356d86fd2a5a63acd908db1ff2" -UNINATIVE_CHECKSUM[x86_64] ?= "6a86d71eeafba4fefec600c9bf8cf4a01324d1eb52788b6e398d3f23c10d19fb" +UNINATIVE_CHECKSUM[aarch64] ?= "8df05f4a41455018b4303b2e0ea4eac5c960b5a13713f6dbb33dfdb3e32753ec" +UNINATIVE_CHECKSUM[i686] ?= "bea76b4a97c9ba0077c0dd1295f519cd599dbf71f0ca1c964471c4cdb043addd" +UNINATIVE_CHECKSUM[x86_64] ?= "1c35f09a75c4096749bbe1e009df4e3968cde151424062cf4aa3ed89db22b030" -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
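Review bot: the hunk replaces three sha256 values with no pointer to where they came from, and the commit message ("fix malloc bugs") gives no reference to the glibc stable commits being picked up. Please add the source of the checksums (the published SHA256SUMS for the 4.3 uninative release) and the glibc bug references to the commit message so the update can be verified rather than trusted; UNINATIVE_MAXGLIBCVERSION staying at "2.38" looks correct for a stable-branch refresh.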
* [OE-core][dunfell 07/14] resulttool/resultutils: allow index generation despite corrupt json 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (5 preceding siblings ...) 2023-09-12 13:53 ` [OE-core][dunfell 06/14] yocto-uninative: Update to 4.3 Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 08/14] kernel: Fix path comparison in kernel staging dir symlinking Steve Sakoman ` (6 subsequent siblings) 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Michael Halstead <mhalstead@linuxfoundation.org> non-release indexes will continue to generate when test output is corrupted. Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 1a9157684a6bff8406c9bb470cb2e16ee006bbe9) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- scripts/lib/resulttool/resultutils.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/lib/resulttool/resultutils.py b/scripts/lib/resulttool/resultutils.py index 7666331ba2..c5521d81bd 100644 --- a/scripts/lib/resulttool/resultutils.py +++ b/scripts/lib/resulttool/resultutils.py @@ -58,7 +58,11 @@ def append_resultsdata(results, f, configmap=store_map, configvars=extra_configv testseries = posixpath.basename(posixpath.dirname(url.path)) else: with open(f, "r") as filedata: - data = json.load(filedata) + try: + data = json.load(filedata) + except json.decoder.JSONDecodeError: + print("Cannot decode {}. Possible corruption. Skipping.".format(f)) + data = "" testseries = os.path.basename(os.path.dirname(f)) else: data = f -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
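Review bot: in the append_resultsdata hunk the except branch assigns `data = ""` where the try branch would have assigned the decoded JSON object (a mapping for a results file), so whatever follows now sees a str instead of a dict; suggest `data = {}` (or return early) to keep the type consistent with the success path. Also, the module already reports through the regular logging path elsewhere in resulttool, so `print(...)` here will bypass `-q`/verbosity handling; a logger warning would be more consistent.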
* [OE-core][dunfell 08/14] kernel: Fix path comparison in kernel staging dir symlinking 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (6 preceding siblings ...) 2023-09-12 13:53 ` [OE-core][dunfell 07/14] resulttool/resultutils: allow index generation despite corrupt json Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 09/14] glibc/check-test-wrapper: don't emit warnings from ssh Steve Sakoman ` (5 subsequent siblings) 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Staffan Rydén <staffan.ryden@axis.com> Due to an oversight in the do_symlink_kernsrc function, the path comparison between "S" and "STAGING_KERNEL_DIR" is broken. The code obtains both variables, but modifies the local copy of "S" before comparing them, causing the comparison to always return false. This can cause the build to fail when the EXTERNALSRC flag is enabled, since the code will try to create a symlink even if one already exists. This patch resolves the issue by comparing the variables before they are modified. Signed-off-by: Staffan Rydén <staffan.ryden@axis.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit afd2038ef8a66a5e6433be31a14e1eb0d9f9a1d3) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/classes/kernel.bbclass | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass index 5d8b3b062a..ba5b6cf384 100644 --- a/meta/classes/kernel.bbclass +++ b/meta/classes/kernel.bbclass 
@@ -143,13 +143,14 @@ do_unpack[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILD do_clean[cleandirs] += " ${S} ${STAGING_KERNEL_DIR} ${B} ${STAGING_KERNEL_BUILDDIR}" python do_symlink_kernsrc () { s = d.getVar("S") - if s[-1] == '/': - # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as directory name and fail - s=s[:-1] kernsrc = d.getVar("STAGING_KERNEL_DIR") if s != kernsrc: bb.utils.mkdirhier(kernsrc) bb.utils.remove(kernsrc, recurse=True) + if s[-1] == '/': + # drop trailing slash, so that os.symlink(kernsrc, s) doesn't use s as + # directory name and fail + s = s[:-1] if d.getVar("EXTERNALSRC"): # With EXTERNALSRC S will not be wiped so we can symlink to it os.symlink(s, kernsrc) -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
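Review bot: moving the trailing-slash strip after `if s != kernsrc:` fixes the described bug, but the comparison is still a raw string compare, so an S and STAGING_KERNEL_DIR that differ only by a trailing slash or by `..`/duplicate separators will still be treated as different and the code will try to symlink a directory onto itself. Suggest comparing `os.path.normpath(s) != os.path.normpath(kernsrc)` and then dropping the slash handling entirely, since normpath already removes it.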
* [OE-core][dunfell 09/14] glibc/check-test-wrapper: don't emit warnings from ssh 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (7 preceding siblings ...) 2023-09-12 13:53 ` [OE-core][dunfell 08/14] kernel: Fix path comparison in kernel staging dir symlinking Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 10/14] selftest/cases/glibc.py: increase the memory for testing Steve Sakoman ` (4 subsequent siblings) 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Anuj Mittal <anuj.mittal@intel.com> Dont fill up the test log with ssh warning about having added the host to list of known hosts. Also helps fix a test case failure where stderr log was being compared to a known value. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 63b31ff7e54a171c4c02fca2e6b07aec64a410af) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-core/glibc/glibc/check-test-wrapper | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/glibc/glibc/check-test-wrapper b/meta/recipes-core/glibc/glibc/check-test-wrapper index 6ec9b9b29e..5cc993f718 100644 --- a/meta/recipes-core/glibc/glibc/check-test-wrapper +++ b/meta/recipes-core/glibc/glibc/check-test-wrapper @@ -58,7 +58,7 @@ elif targettype == "ssh": user = os.environ.get("SSH_HOST_USER", None) port = os.environ.get("SSH_HOST_PORT", None) - command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no"] + command = ["ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "LogLevel=quiet"] if port: command += ["-p", str(port)] if not host: -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
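Review bot: the hunk adds `-o LogLevel=quiet`, which suppresses not only the "Permanently added ... to the list of known hosts" warning but also ssh's own error output (connection refused, host key changed, authentication failures), so a broken test target now fails with an empty stderr and nothing to debug from. `-o LogLevel=ERROR` is enough to silence the known-hosts notice while keeping the error messages.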
* [OE-core][dunfell 10/14] selftest/cases/glibc.py: increase the memory for testing 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (8 preceding siblings ...) 2023-09-12 13:53 ` [OE-core][dunfell 09/14] glibc/check-test-wrapper: don't emit warnings from ssh Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 11/14] oeqa/utils/nfs: allow requesting non-udp ports Steve Sakoman ` (3 subsequent siblings) 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Anuj Mittal <anuj.mittal@intel.com> Some of the tests trigger OOM and fail. Increase the amount of memory available so we dont run into these issues. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 4d22dba482cb19ffcff5abee73f24526ea9d1c2a) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/lib/oeqa/selftest/cases/glibc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oeqa/selftest/cases/glibc.py b/meta/lib/oeqa/selftest/cases/glibc.py index cf8c92887b..f2ed822bf3 100644 --- a/meta/lib/oeqa/selftest/cases/glibc.py +++ b/meta/lib/oeqa/selftest/cases/glibc.py @@ -61,7 +61,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase): bitbake("core-image-minimal") # start runqemu - qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic")) + qemu = s.enter_context(runqemu("core-image-minimal", runqemuparams = "nographic", qemuparams = "-m 1024")) # validate that SSH is working status, _ = qemu.run("uname") -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
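Review bot: the hunk hard-codes `qemuparams = "-m 1024"` with no comment; since the commit message is the only record that the glibc tests OOM with the default, please add a short comment at the call site giving the unit (MiB) and the reason, or lift the value into a named attribute on the class, so the next person trimming resource usage does not lower it back.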
* [OE-core][dunfell 11/14] oeqa/utils/nfs: allow requesting non-udp ports 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (9 preceding siblings ...) 2023-09-12 13:53 ` [OE-core][dunfell 10/14] selftest/cases/glibc.py: increase the memory for testing Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 12/14] selftest/cases/glibc.py: switch to using NFS over TCP Steve Sakoman ` (2 subsequent siblings) 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Anuj Mittal <anuj.mittal@intel.com> Allows setting up NFS over TCP as well. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e1ff9b9a3b7f7924aea67d2024581bea2e916036) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/lib/oeqa/utils/nfs.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/lib/oeqa/utils/nfs.py b/meta/lib/oeqa/utils/nfs.py index a37686c914..c9bac050a4 100644 --- a/meta/lib/oeqa/utils/nfs.py +++ b/meta/lib/oeqa/utils/nfs.py @@ -8,7 +8,7 @@ from oeqa.utils.commands import bitbake, get_bb_var, Command from oeqa.utils.network import get_free_port @contextlib.contextmanager -def unfs_server(directory, logger = None): +def unfs_server(directory, logger = None, udp = True): unfs_sysroot = get_bb_var("RECIPE_SYSROOT_NATIVE", "unfs3-native") if not os.path.exists(os.path.join(unfs_sysroot, "usr", "bin", "unfsd")): # build native tool 
@@ -22,7 +22,7 @@ def unfs_server(directory, logger = None): exports.write("{0} (rw,no_root_squash,no_all_squash,insecure)\n".format(directory).encode()) # find some ports for the server - nfsport, mountport = get_free_port(udp = True), get_free_port(udp = True) + nfsport, mountport = get_free_port(udp), get_free_port(udp) nenv = dict(os.environ) nenv['PATH'] = "{0}/sbin:{0}/usr/sbin:{0}/usr/bin:".format(unfs_sysroot) + nenv.get('PATH', '') -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
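Review bot: the second hunk only changes which kind of free port is allocated (`get_free_port(udp)`); nothing in this patch changes the unfsd command line, so with `udp = False` the server is still started exactly as before. Please confirm that the unfsd invocation (outside these hunks) actually serves the allocated ports over TCP, otherwise callers passing `udp = False` get a TCP port number that nobody is listening on.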
* [OE-core][dunfell 12/14] selftest/cases/glibc.py: switch to using NFS over TCP 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (10 preceding siblings ...) 2023-09-12 13:53 ` [OE-core][dunfell 11/14] oeqa/utils/nfs: allow requesting non-udp ports Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 13/14] oeqa/target/ssh: Ensure EAGAIN doesn't truncate output Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 14/14] oeqa/runtime/ltp: Increase ltp test output timeout Steve Sakoman 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Anuj Mittal <anuj.mittal@intel.com> This provides a more reliable test execution when running tests that write a large buffer/file and significantly reduces the localedata test failures. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 97a7612e3959bc9c75116a4e696f47cc31aea75d) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/lib/oeqa/selftest/cases/glibc.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/lib/oeqa/selftest/cases/glibc.py b/meta/lib/oeqa/selftest/cases/glibc.py index f2ed822bf3..c1f6e4c1fb 100644 --- a/meta/lib/oeqa/selftest/cases/glibc.py +++ b/meta/lib/oeqa/selftest/cases/glibc.py @@ -41,7 +41,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase): with contextlib.ExitStack() as s: # use the base work dir, as the nfs mount, since the recipe directory may not exist tmpdir = get_bb_var("BASE_WORKDIR") - nfsport, mountport = s.enter_context(unfs_server(tmpdir)) + nfsport, mountport = s.enter_context(unfs_server(tmpdir, udp = False)) # build core-image-minimal with required packages default_installed_packages = [ 
@@ -70,7 +70,7 @@ class GlibcSelfTestBase(OESelftestTestCase, OEPTestResultTestCase): # setup nfs mount if qemu.run("mkdir -p \"{0}\"".format(tmpdir))[0] != 0: raise Exception("Failed to setup NFS mount directory on target") - mountcmd = "mount -o noac,nfsvers=3,port={0},udp,mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir) + mountcmd = "mount -o noac,nfsvers=3,port={0},mountport={1} \"{2}:{3}\" \"{3}\"".format(nfsport, mountport, qemu.server_ip, tmpdir) status, output = qemu.run(mountcmd) if status != 0: raise Exception("Failed to setup NFS mount on target ({})".format(repr(output))) -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
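Review bot: the mount hunk drops `udp` from the option string but does not say what transport is wanted, leaving it to the client's default; suggest stating `proto=tcp` explicitly in `mountcmd` so the mount options match the `udp = False` passed to unfs_server in the first hunk and the intent survives a kernel-default change.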
* [OE-core][dunfell 13/14] oeqa/target/ssh: Ensure EAGAIN doesn't truncate output 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (11 preceding siblings ...) 2023-09-12 13:53 ` [OE-core][dunfell 12/14] selftest/cases/glibc.py: switch to using NFS over TCP Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 2023-09-12 13:53 ` [OE-core][dunfell 14/14] oeqa/runtime/ltp: Increase ltp test output timeout Steve Sakoman 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Richard Purdie <richard.purdie@linuxfoundation.org> We have a suspicion that the read() call may return EAGAIN on the non-blocking fd and this may truncate test output leading to some of our intermittent failures. Tweak the code to avoid this potential issue. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a8920c105725431e989cceb616bd04eaa52127ec) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/lib/oeqa/core/target/ssh.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/lib/oeqa/core/target/ssh.py b/meta/lib/oeqa/core/target/ssh.py index af4a67f266..832b6216f6 100644 --- a/meta/lib/oeqa/core/target/ssh.py +++ b/meta/lib/oeqa/core/target/ssh.py @@ -226,6 +226,9 @@ def SSHCall(command, logger, timeout=None, **opts): endtime = time.time() + timeout except InterruptedError: continue + except BlockingIOError: + logger.debug('BlockingIOError') + continue # process hasn't returned yet if not eof: -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
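Review bot: the hunk turns `BlockingIOError` into `continue` on a non-blocking read; if the loop around it does not wait on the fd (select/poll) before retrying, this becomes a busy spin until data arrives or the timeout expires. Please confirm the loop blocks on readability before the read (that part is outside the hunk), and make the debug message say which fd/command it came from so the log line is useful when it does fire.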
* [OE-core][dunfell 14/14] oeqa/runtime/ltp: Increase ltp test output timeout 2023-09-12 13:53 [OE-core][dunfell 00/14] Patch review Steve Sakoman ` (12 preceding siblings ...) 2023-09-12 13:53 ` [OE-core][dunfell 13/14] oeqa/target/ssh: Ensure EAGAIN doesn't truncate output Steve Sakoman @ 2023-09-12 13:53 ` Steve Sakoman 13 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-09-12 13:53 UTC (permalink / raw) To: openembedded-core From: Richard Purdie <richard.purdie@linuxfoundation.org> On our slower arm server, the tests currently timeout leading to inconsistent test results. Increase the timeout to avoid this and aim to make the test results consistent. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 9a8b49208f3c99e184eab426360b137bc773aa31) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/lib/oeqa/runtime/cases/ltp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oeqa/runtime/cases/ltp.py b/meta/lib/oeqa/runtime/cases/ltp.py index a66d5d13d7..879f2a673c 100644 --- a/meta/lib/oeqa/runtime/cases/ltp.py +++ b/meta/lib/oeqa/runtime/cases/ltp.py @@ -67,7 +67,7 @@ class LtpTest(LtpTestBase): def runltp(self, ltp_group): cmd = '/opt/ltp/runltp -f %s -p -q -r /opt/ltp -l /opt/ltp/results/%s -I 1 -d /opt/ltp' % (ltp_group, ltp_group) starttime = time.time() - (status, output) = self.target.run(cmd) + (status, output) = self.target.run(cmd, timeout=1200) endtime = time.time() with open(os.path.join(self.ltptest_log_dir, "%s-raw.log" % ltp_group), 'w') as f: -- 2.34.1 ^ permalink raw reply related [flat|nested] 30+ messages in thread
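Review bot: the hunk adds `timeout=1200` as a bare literal; the commit message calls it an increase, but the previous call passed no timeout, so this is the first explicit one and its unit (seconds) and scope (per ltp_group run) are not obvious at the call site. Suggest a named class attribute or a comment next to the call, and a sentence in the commit message stating what the prior effective timeout was.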
* [OE-core][dunfell 00/14] Patch review @ 2023-08-25 2:47 Steve Sakoman 0 siblings, 0 replies; 30+ messages in thread From: Steve Sakoman @ 2023-08-25 2:47 UTC (permalink / raw) To: openembedded-core Please review this set of changes for dunfell and have comments back by end of day Saturday, August 26. Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5779 The following changes since commit b70a8333a7467162b9d148b99f5970c0af2a531f: kernel: skip installing fitImage when using Initramfs bundles (2023-08-12 05:38:11 -1000) are available in the Git repository at: https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut Ashish Sharma (1): curl: Backport fix CVE-2023-32001 BELOUARGA Mohamed (1): linux-firmware : Add firmware of RTL8822 serie Chee Yang Lee (1): tiff: CVE-2022-3599.patch also fix CVE-2022-4645 CVE-2023-30774 Dmitry Baryshkov (2): linux-firmware: package firmare for Dragonboard 410c linux-firmware: split platform-specific Adreno shaders to separate packages Jasper Orschulko (1): cve_check: Fix cpe_id generation Kai Kang (1): grub2.inc: remove '-O2' from CFLAGS Michael Halstead (2): yocto-uninative: Update hashes for uninative 4.1 yocto-uninative: Update to 4.2 for glibc 2.38 Ross Burton (1): oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case Trevor Gamblin (1): linux-firmware: upgrade 20230515 -> 20230625 Vijay Anusuri (1): elfutils: Backport fix for CVE-2021-33294 Wang Mingyu (1): libnss-nis: upgrade 3.1 -> 3.2 Yoann Congal (1): recipetool: Fix inherit in created -native* recipes meta/conf/distro/include/yocto-uninative.inc | 10 +-- meta/lib/oe/cve_check.py | 2 +- meta/lib/oeqa/runtime/cases/rpm.py | 4 +- meta/recipes-bsp/grub/grub2.inc | 2 + .../elfutils/elfutils_0.178.bb | 1 + .../elfutils/files/CVE-2021-33294.patch | 72 +++++++++++++++++++ .../recipes-extended/libnss-nis/libnss-nis.bb | 4 +- 
...20230515.bb => linux-firmware_20230625.bb} | 37 +++++++--- .../libtiff/files/CVE-2022-3599.patch | 2 +- .../curl/curl/CVE-2023-32001.patch | 38 ++++++++++ meta/recipes-support/curl/curl_7.69.1.bb | 1 + scripts/lib/recipetool/create.py | 4 ++ 12 files changed, 158 insertions(+), 19 deletions(-) create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2021-33294.patch rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230515.bb => linux-firmware_20230625.bb} (96%) create mode 100644 meta/recipes-support/curl/curl/CVE-2023-32001.patch -- 2.34.1 ^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review @ 2023-06-22 15:31 Steve Sakoman 2023-08-02 12:05 ` Marta Rybczynska 0 siblings, 1 reply; 30+ messages in thread From: Steve Sakoman @ 2023-06-22 15:31 UTC (permalink / raw) To: openembedded-core Please review this set of changes for dunfell and have comments back by end of day Monday. Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5493 The following changes since commit 77f6fbfa18b4ad77c3756cfdc45d441a20210781: build-appliance-image: Update to dunfell head revision (2023-06-17 09:47:49 -1000) are available in the Git repository at: https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut Abdellatif El Khlifi (1): kernel-fitimage: adding support for Initramfs bundle and u-boot script Andrej Valek (1): kernel-fitimage: use correct kernel image Hitendra Prajapati (1): openssl: CVE-2023-2650 Possible DoS translating ASN.1 object identifiers Ian Ray (1): systemd-systemctl: support instance expansion in WantedBy Jan Vermaete (1): cve-update-nvd2-native: added the missing http import Marta Rybczynska (1): cve-update-nvd2-native: new CVE database fetcher Martin Siegumfeldt (1): systemd-systemctl: fix instance template WantedBy symlink construction Michael Halstead (4): uninative: Upgrade to 3.8.1 to include libgcc uninative: Upgrade to 3.9 to include glibc 2.37 uninative: Upgrade to 3.10 to support gcc 13 uninative: Upgrade to 4.0 to include latest gcc 13.1.1 Richard Purdie (1): uninative: Ensure uninative is enabled in all cases for BuildStarted event Sanjay Chitroda (1): cups: Fix CVE-2023-32324 Steve Sakoman (1): uninative.bbclass: handle read only files outside of patchelf meta/classes/cve-check.bbclass | 4 +- meta/classes/kernel-fitimage.bbclass | 142 ++++++-- meta/classes/uninative.bbclass | 4 + meta/conf/distro/include/yocto-uninative.inc | 10 +- 
.../openssl/openssl/CVE-2023-2650.patch | 122 +++++++ .../openssl/openssl_1.1.1t.bb | 1 + .../meta/cve-update-nvd2-native.bb | 334 ++++++++++++++++++ .../systemd/systemd-systemctl/systemctl | 8 +- meta/recipes-extended/cups/cups.inc | 1 + .../cups/cups/CVE-2023-32324.patch | 36 ++ 10 files changed, 629 insertions(+), 33 deletions(-) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch create mode 100644 meta/recipes-core/meta/cve-update-nvd2-native.bb create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32324.patch -- 2.34.1 ^ permalink raw reply [flat|nested] 30+ messages in thread
* Re: [OE-core][dunfell 00/14] Patch review 2023-06-22 15:31 Steve Sakoman @ 2023-08-02 12:05 ` Marta Rybczynska 0 siblings, 0 replies; 30+ messages in thread From: Marta Rybczynska @ 2023-08-02 12:05 UTC (permalink / raw) To: Steve Sakoman; +Cc: openembedded-core [-- Attachment #1: Type: text/plain, Size: 2867 bytes --] On Thu, Jun 22, 2023 at 5:31 PM Steve Sakoman <steve@sakoman.com> wrote: > Please review this set of changes for dunfell and have comments back by > end of day Monday. > > Passed a-full on autobuilder: > > https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5493 > > The following changes since commit > 77f6fbfa18b4ad77c3756cfdc45d441a20210781: > > build-appliance-image: Update to dunfell head revision (2023-06-17 > 09:47:49 -1000) > > are available in the Git repository at: > > https://git.openembedded.org/openembedded-core-contrib > stable/dunfell-nut > > http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut > > Abdellatif El Khlifi (1): > kernel-fitimage: adding support for Initramfs bundle and u-boot script > > Andrej Valek (1): > kernel-fitimage: use correct kernel image > > Hitendra Prajapati (1): > openssl: CVE-2023-2650 Possible DoS translating ASN.1 object > identifiers > > Ian Ray (1): > systemd-systemctl: support instance expansion in WantedBy > > Jan Vermaete (1): > cve-update-nvd2-native: added the missing http import > > Marta Rybczynska (1): > cve-update-nvd2-native: new CVE database fetcher > > Martin Siegumfeldt (1): > systemd-systemctl: fix instance template WantedBy symlink construction > > Michael Halstead (4): > uninative: Upgrade to 3.8.1 to include libgcc > uninative: Upgrade to 3.9 to include glibc 2.37 > uninative: Upgrade to 3.10 to support gcc 13 > uninative: Upgrade to 4.0 to include latest gcc 13.1.1 > > Richard Purdie (1): > uninative: Ensure uninative is enabled in all cases for BuildStarted > event > > Sanjay Chitroda (1): > cups: Fix CVE-2023-32324 > > Steve Sakoman (1): > 
uninative.bbclass: handle read only files outside of patchelf > > meta/classes/cve-check.bbclass | 4 +- > meta/classes/kernel-fitimage.bbclass | 142 ++++++-- > meta/classes/uninative.bbclass | 4 + > meta/conf/distro/include/yocto-uninative.inc | 10 +- > .../openssl/openssl/CVE-2023-2650.patch | 122 +++++++ > .../openssl/openssl_1.1.1t.bb | 1 + > .../meta/cve-update-nvd2-native.bb | 334 ++++++++++++++++++ > .../systemd/systemd-systemctl/systemctl | 8 +- > meta/recipes-extended/cups/cups.inc | 1 + > .../cups/cups/CVE-2023-32324.patch | 36 ++ > 10 files changed, 629 insertions(+), 33 deletions(-) > create mode 100644 > meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch > create mode 100644 meta/recipes-core/meta/cve-update-nvd2-native.bb > create mode 100644 meta/recipes-extended/cups/cups/CVE-2023-32324.patch > > Tested this version for the CVE fetcher backport to dunfell, no unexpected issues seen. Kind regards, Marta [-- Attachment #2: Type: text/html, Size: 4051 bytes --] ^ permalink raw reply [flat|nested] 30+ messages in thread
* [OE-core][dunfell 00/14] Patch review
  @ 2023-03-21 14:20 Steve Sakoman

From: Steve Sakoman @ 2023-03-21 14:20 UTC
To: openembedded-core

Please review these patches for dunfell and have comments back by end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5073

The following changes since commit efb1a73a13907bed3acac8e06053aef3e2ef57f5:

  build-appliance-image: Update to dunfell head revision (2023-03-15 23:09:39 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alban Bedel (1):
  systemd: Fix systemd when used with busybox less

Andrej Valek (1):
  libarchive: fix CVE-2022-26280

Chee Yang Lee (2):
  ghostscript: add CVE tag for check-stack-limits-after-function-evalution.patch
  libksba: fix CVE-2022-3515

Hitendra Prajapati (1):
  QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can lead to out-of-bounds read

Kenfe-Mickael Laventure (3):
  buildtools-tarball: Handle spaces within user $PATH
  toolchain-scripts: Handle spaces within user $PATH
  populate_sdk_ext: Handle spaces within user $PATH

Richard Purdie (4):
  staging: Separate out different multiconfig manifests
  staging/multilib: Fix manifest corruption
  glibc: Add missing binutils dependency
  base-files: Drop localhost.localdomain from hosts file

Ross Burton (2):
  vim: upgrade to 9.0.1403
  vim: set modified-by to the recipe MAINTAINER

 meta/classes/multilib.bbclass | 1 +
 meta/classes/populate_sdk_ext.bbclass | 2 +-
 meta/classes/staging.bbclass | 4 +
 meta/classes/toolchain-scripts.bbclass | 2 +-
 meta/recipes-core/base-files/base-files/hosts | 2 +-
 meta/recipes-core/glibc/glibc.inc | 4 +-
 meta/recipes-core/meta/buildtools-tarball.bb | 2 +-
 .../systemd/systemd/systemd-pager.sh | 7 ++
 meta/recipes-core/systemd/systemd_244.5.bb | 5 +
 meta/recipes-devtools/qemu/qemu.inc | 9 +-
 .../qemu/qemu/CVE-2022-4144.patch | 103 ++++++++++++++++++
 ...tack-limits-after-function-evalution.patch | 2 +-
 .../libarchive/CVE-2022-26280.patch | 29 +++++
 .../libarchive/libarchive_3.4.2.bb | 1 +
 .../libksba/libksba/CVE-2022-3515.patch | 47 ++++++++
 meta/recipes-support/libksba/libksba_1.3.5.bb | 1 +
 meta/recipes-support/vim/vim.inc | 8 +-
 17 files changed, 215 insertions(+), 14 deletions(-)
 create mode 100644 meta/recipes-core/systemd/systemd/systemd-pager.sh
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-26280.patch
 create mode 100644 meta/recipes-support/libksba/libksba/CVE-2022-3515.patch

--
2.34.1
* [OE-core][dunfell 00/14] Patch review
  @ 2022-08-29 21:02 Steve Sakoman

From: Steve Sakoman @ 2022-08-29 21:02 UTC
To: openembedded-core

Please review this set of changes for dunfell and have comments back by end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4151

The following changes since commit a3cba15142e98177119ef36c09f553d09acf35ef:

  build-appliance-image: Update to dunfell head revision (2022-08-22 16:07:02 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (3):
  mobile-broadband-provider-info: upgrade 20220511 -> 20220725
  tzdata: upgrade 2022a -> 2022b
  wireless-regdb: upgrade 2022.06.06 -> 2022.08.12

Anuj Mittal (1):
  cryptodev-module: fix build with 5.11+ kernels

Bruce Ashfield (1):
  linux-yocto/5.4: update to v5.4.210

Ernst Sjöstrand (1):
  cve-check: Don't use f-strings

Hitendra Prajapati (5):
  libtiff: CVE-2022-34526 A stack overflow was discovered
  golang: fix CVE-2022-30629 and CVE-2022-30631
  golang: fix CVE-2022-30632 and CVE-2022-30633
  golang: fix CVE-2022-30635 and CVE-2022-32148
  golang: CVE-2022-32189 a denial of service

Paul Eggleton (1):
  relocate_sdk.py: ensure interpreter size error causes relocation to fail

Pawan Badganchi (1):
  libxml2: Add fix for CVE-2016-3709

Richard Purdie (1):
  vim: Upgrade 9.0.0115 -> 9.0.0242

 meta/lib/oe/cve_check.py | 2 +-
 .../mobile-broadband-provider-info_git.bb | 4 +-
 .../libxml/libxml2/CVE-2016-3709.patch | 89 ++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
 meta/recipes-devtools/go/go-1.14.inc | 7 +
 .../go/go-1.14/CVE-2022-30629.patch | 47 +++++++
 .../go/go-1.14/CVE-2022-30631.patch | 116 ++++++++++++++++
 .../go/go-1.14/CVE-2022-30632.patch | 71 ++++++++++
 .../go/go-1.14/CVE-2022-30633.patch | 131 ++++++++++++++++++
 .../go/go-1.14/CVE-2022-30635.patch | 120 ++++++++++++++++
 .../go/go-1.14/CVE-2022-32148.patch | 49 +++++++
 .../go/go-1.14/CVE-2022-32189.patch | 113 +++++++++++++++
 meta/recipes-extended/timezone/timezone.inc | 6 +-
 .../cryptodev/cryptodev-module_1.10.bb | 1 +
 .../files/fix-build-for-Linux-5.11-rc1.patch | 32 +++++
 .../linux/linux-yocto-rt_5.4.bb | 6 +-
 .../linux/linux-yocto-tiny_5.4.bb | 8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +--
 ....06.06.bb => wireless-regdb_2022.08.12.bb} | 2 +-
 .../libtiff/files/CVE-2022-34526.patch | 29 ++++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
 meta/recipes-support/vim/vim.inc | 4 +-
 scripts/relocate_sdk.py | 10 +-
 23 files changed, 842 insertions(+), 29 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2016-3709.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30629.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30631.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30632.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30633.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-30635.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-32148.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-32189.patch
 create mode 100644 meta/recipes-kernel/cryptodev/files/fix-build-for-Linux-5.11-rc1.patch
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2022.06.06.bb => wireless-regdb_2022.08.12.bb} (94%)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-34526.patch

--
2.25.1
* [OE-core][dunfell 00/14] Patch review
  @ 2022-07-07 21:59 Steve Sakoman

From: Steve Sakoman @ 2022-07-07 21:59 UTC
To: openembedded-core

Please review this set of patches for dunfell and have comments back by end of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3880

The following changes since commit b75caf4a985e3c20996531785125eaffdc832104:

  insane.bbclass: host-user-contaminated: Correct per package home path (2022-06-29 05:15:49 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Anuj Mittal (1):
  efivar: change branch name to main

Bruce Ashfield (2):
  linux-yocto/5.4: update to v5.4.199
  linux-yocto/5.4: update to v5.4.203

Jate Sujjavanich (1):
  IMAGE_LOCALES_ARCHIVE: add option to prevent locale archive creation

Ranjitsinh Rathod (1):
  openssl: Minor security upgrade 1.1.1o to 1.1.1p

Richard Purdie (5):
  cve-extra-exclusions: Clean up and ignore three CVEs (2xqemu and nasm)
  vim: 8.2.5083 -> 9.0.0005
  oeqa/runtime/scp: Disable scp test for dropbear
  packagegroup-core-ssh-dropbear: Add openssh-sftp-server recommendation
  oe-selftest-image: Ensure the image has sftp as well as dropbear

Ross Burton (1):
  cve-check: hook cleanup to the BuildCompleted event, not CookerExit

Steve Sakoman (3):
  openssh: break dependency on base package for -dev package
  dropbear: break dependency on base package for -dev package
  qemu: add PACKAGECONFIG for capstone

 .../recipes-test/images/oe-selftest-image.bb | 2 +-
 meta/classes/cve-check.bbclass | 2 +-
 meta/classes/image.bbclass | 5 +-
 .../distro/include/cve-extra-exclusions.inc | 31 ++-
 meta/lib/oe/package_manager.py | 13 +-
 meta/lib/oeqa/runtime/cases/scp.py | 2 +-
 meta/recipes-bsp/efivar/efivar_37.bb | 2 +-
 .../openssh/openssh_8.2p1.bb | 5 +
 ...5d82489b3ec09ccc772dfcee14fef0e8e908.patch | 192 ------------------
 ...611887cfac633aacc052b2e71a7f195418b8.patch | 29 ---
 .../{openssl_1.1.1o.bb => openssl_1.1.1p.bb} | 4 +-
 meta/recipes-core/dropbear/dropbear.inc | 5 +
 .../packagegroup-core-ssh-dropbear.bb | 1 +
 meta/recipes-devtools/qemu/qemu.inc | 1 +
 .../linux/linux-yocto-rt_5.4.bb | 6 +-
 .../linux/linux-yocto-tiny_5.4.bb | 8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
 .../vim/{vim-tiny_8.2.bb => vim-tiny_9.0.bb} | 0
 meta/recipes-support/vim/vim.inc | 6 +-
 .../vim/{vim_8.2.bb => vim_9.0.bb} | 0
 20 files changed, 64 insertions(+), 272 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1o.bb => openssl_1.1.1p.bb} (97%)
 rename meta/recipes-support/vim/{vim-tiny_8.2.bb => vim-tiny_9.0.bb} (100%)
 rename meta/recipes-support/vim/{vim_8.2.bb => vim_9.0.bb} (100%)

--
2.25.1
* [OE-core][dunfell 00/14] Patch review
  @ 2022-06-08 14:46 Steve Sakoman

From: Steve Sakoman @ 2022-06-08 14:46 UTC
To: openembedded-core

Please review this set of patches for dunfell and have comments back by end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3760

The following changes since commit 4051d1a3aa5f70da96c381f9dea5f52cd9306939:

  openssl: Backport fix for ptest cert expiry (2022-06-07 11:33:46 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (1):
  linux-yocto/5.4: update to v5.4.196

Hitendra Prajapati (2):
  e2fsprogs: CVE-2022-1304 out-of-bounds read/write via crafted filesystem
  pcre2: CVE-2022-1587 Out-of-bounds read

Marta Rybczynska (4):
  cve-check: move update_symlinks to a library
  cve-check: write empty fragment files in the text mode
  cve-check: add coverage statistics on recipes with/without CVEs
  cve-update-db-native: make it possible to disable database updates

Richard Purdie (1):
  libxslt: Mark CVE-2022-29824 as not applying

Robert Joslyn (2):
  curl: Backport CVE fixes
  curl: Fix CVE_CHECK_WHITELIST typo

Steve Sakoman (3):
  Revert "openssl: Backport fix for ptest cert expiry"
  openssl: backport fix for ptest certificate expiration
  openssl: update the epoch time for ct_test ptest

omkar patil (1):
  libxslt: Fix CVE-2021-30560

 meta/classes/cve-check.bbclass | 86 ++-
 meta/lib/oe/cve_check.py | 10 +
 ...5d82489b3ec09ccc772dfcee14fef0e8e908.patch | 192 +++++
 ...ea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch | 55 --
 ...611887cfac633aacc052b2e71a7f195418b8.patch | 29 +
 .../openssl/openssl_1.1.1o.bb | 3 +-
 .../recipes-core/meta/cve-update-db-native.bb | 6 +-
 .../e2fsprogs/e2fsprogs/CVE-2022-1304.patch | 42 ++
 .../e2fsprogs/e2fsprogs_1.45.7.bb | 1 +
 .../linux/linux-yocto-rt_5.4.bb | 6 +-
 .../linux/linux-yocto-tiny_5.4.bb | 8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
 .../curl/curl/CVE-2022-27774-1.patch | 45 ++
 .../curl/curl/CVE-2022-27774-2.patch | 80 +++
 .../curl/curl/CVE-2022-27774-3.patch | 83 +++
 .../curl/curl/CVE-2022-27774-4.patch | 35 +
 .../curl/curl/CVE-2022-27781.patch | 46 ++
 .../curl/curl/CVE-2022-27782-1.patch | 363 ++++++++++
 .../curl/curl/CVE-2022-27782-2.patch | 71 ++
 meta/recipes-support/curl/curl_7.69.1.bb | 9 +-
 .../libpcre/libpcre2/CVE-2022-1587.patch | 660 ++++++++++++++++++
 .../recipes-support/libpcre/libpcre2_10.34.bb | 1 +
 .../libxslt/libxslt/CVE-2021-30560.patch | 201 ++++++
 .../recipes-support/libxslt/libxslt_1.1.34.bb | 5 +
 24 files changed, 1949 insertions(+), 110 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/770aea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch
 create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
 create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch

--
2.25.1
* [OE-core][dunfell 00/14] Patch review
  @ 2022-05-11 18:19 Steve Sakoman

From: Steve Sakoman @ 2022-05-11 18:19 UTC
To: openembedded-core

Please review this set of patches for dunfell and have comments back by end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3648

with the exception of the newly added meta-virt test (which has never worked with dunfell)

The following changes since commit 7c0345ab1058a7e29d37f110923ecd368e102ed7:

  uninative: Upgrade to 3.6 with gcc 12 support (2022-05-09 11:51:55 +0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (1):
  linux-yocto/5.4: update to v5.4.192

Davide Gardenal (3):
  cve-check: add JSON format to summary output
  cve-check: fix symlinks where link and output path are equal
  rootfs-postcommands: fix symlinks where link and output path are equal

Marta Rybczynska (2):
  cve-update-db-native: update the CVE database once a day only
  cve-update-db-native: let the user to drive the update interval

Pawan Badganchi (2):
  fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
  libinput: Add fix for CVE-2022-1215

Portia (1):
  volatile-binds: Change DefaultDependencies from false to no

Richard Purdie (3):
  base: Avoid circular references to our own scripts
  scripts: Make git intercept global
  scripts/git: Ensure we don't have circular references

Ross Burton (1):
  cve-check: no need to depend on the fetch task

Steve Sakoman (1):
  busybox: fix CVE-2022-28391

 meta/classes/base.bbclass | 4 +
 meta/classes/cve-check.bbclass | 72 ++--
 meta/classes/rootfs-postcommands.bbclass | 14 +-
 ...tr-ensure-only-printable-characters-.patch | 38 ++
 ...e-all-printed-strings-with-printable.patch | 64 ++++
 meta/recipes-core/busybox/busybox_1.31.1.bb | 2 +
 .../recipes-core/meta/cve-update-db-native.bb | 13 +-
 .../files/volatile-binds.service.in | 2 +-
 .../wayland/libinput/CVE-2022-1215.patch | 360 ++++++++++++++++++
 .../wayland/libinput_1.15.2.bb | 1 +
 .../linux/linux-yocto-rt_5.4.bb | 6 +-
 .../linux/linux-yocto-tiny_5.4.bb | 8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
 .../fribidi/fribidi/CVE-2022-25308.patch | 50 +++
 .../fribidi/fribidi/CVE-2022-25309.patch | 31 ++
 .../fribidi/fribidi/CVE-2022-25310.patch | 30 ++
 meta/recipes-support/fribidi/fribidi_1.0.9.bb | 3 +
 scripts/{git-intercept => }/git | 9 +-
 18 files changed, 674 insertions(+), 55 deletions(-)
 create mode 100644 meta/recipes-core/busybox/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
 create mode 100644 meta/recipes-core/busybox/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
 create mode 100644 meta/recipes-graphics/wayland/libinput/CVE-2022-1215.patch
 create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25308.patch
 create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25309.patch
 create mode 100644 meta/recipes-support/fribidi/fribidi/CVE-2022-25310.patch
 rename scripts/{git-intercept => }/git (52%)

--
2.25.1
* [OE-core][dunfell 00/14] Patch review
  @ 2021-12-22 14:12 Steve Sakoman

From: Steve Sakoman @ 2021-12-22 14:12 UTC
To: openembedded-core

Please review this set of patches for dunfell and have comments back by end of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3047

with the exception of a known intermittent autobuilder issue on oe-selftest-centos which passed on subsequent retest:

https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/2977

The following changes since commit 90a07178ea26be453d101c2e8b33d3a0f437635d:

  build-appliance-image: Update to dunfell head revision (2021-12-14 22:49:32 +0000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Anuj Mittal (1):
  gstreamer1.0: fix failing ptest

Bruce Ashfield (5):
  linux-yocto/5.4: update to v5.4.159
  linux-yocto/5.4: update to v5.4.162
  linux-yocto/5.4: update to v5.4.163
  linux-yocto/5.4: update to v5.4.165
  linux-yocto/5.4: update to v5.4.167

Ernst Sjöstrand (1):
  dropbear: Fix CVE-2020-36254

Marta Rybczynska (1):
  bluez: fix CVE-2021-0129

Mingli Yu (1):
  bootchart2: remove wait_boot logic

Minjae Kim (2):
  vim: fix CVE-2021-4069
  inetutils: fix CVE-2021-40491

Steve Sakoman (1):
  selftest: skip virgl test on fedora 34 entirely

sana kazi (2):
  openssh: Fix CVE-2021-41617
  openssh: Whitelist CVE-2016-20012

 meta/lib/oeqa/selftest/cases/runtime_test.py | 2 +
 meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
 .../bluez5/bluez5/CVE-2021-0129.patch | 109 ++++++++++++++++++
 .../inetutils/inetutils/CVE-2021-40491.patch | 67 +++++++++++
 .../inetutils/inetutils_1.9.4.bb | 1 +
 .../openssh/openssh/CVE-2021-41617.patch | 52 +++++++++
 .../openssh/openssh_8.2p1.bb | 10 ++
 meta/recipes-core/dropbear/dropbear.inc | 4 +-
 .../dropbear/dropbear/CVE-2020-36254.patch | 29 +++++
 ...ake-sure-only-one-bootchartd-process.patch | 68 +++++++++++
 .../bootchart2/bootchart2_0.14.9.bb | 1 +
 .../linux/linux-yocto-rt_5.4.bb | 6 +-
 .../linux/linux-yocto-tiny_5.4.bb | 8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 ++--
 ...-use-too-strict-timeout-for-validati.patch | 33 ++++++
 .../gstreamer/gstreamer1.0_1.16.3.bb | 1 +
 .../vim/files/CVE-2021-4069.patch | 43 +++++++
 meta/recipes-support/vim/vim.inc | 1 +
 18 files changed, 439 insertions(+), 19 deletions(-)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2021-0129.patch
 create mode 100644 meta/recipes-connectivity/inetutils/inetutils/CVE-2021-40491.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2021-41617.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2020-36254.patch
 create mode 100644 meta/recipes-devtools/bootchart2/bootchart2/0001-bootchartd.in-make-sure-only-one-bootchartd-process.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0/0006-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch
 create mode 100644 meta/recipes-support/vim/files/CVE-2021-4069.patch

--
2.25.1
* Re: [OE-core][dunfell 00/14] Patch review
  @ 2021-11-11 14:16 ` Steve Sakoman

From: Steve Sakoman @ 2021-11-11 14:16 UTC
To: steve; +Cc: openembedded-core

On Wed, Nov 10, 2021 at 6:08 PM Steve Sakoman via lists.openembedded.org <steve=sakoman.com@lists.openembedded.org> wrote:
>
> Please review this set of patches for dunfell and have comments back by end
> of day Friday.

I forgot to add:

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2910

>
> The following changes since commit 38fc0807eea14dc12610da4ba73c082d5a4b0744:
>
>   meta/scripts: Manual git url branch additions (2021-11-03 08:43:53 -1000)
>
> are available in the Git repository at:
>
>   git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
>   http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
>
> Jose Quaresma (1):
>   sstate: another fix for touching files inside pseudo
>
> Joshua Watt (1):
>   oeqa: reproducible: Fix test not producing diffs
>
> Khem Raj (1):
>   webkitgtk: Fix reproducibility in minibrowser
>
> Marek Vasut (1):
>   piglit: upgrade to latest revision
>
> Mark Hatle (1):
>   reproducible_build: Remove BUILD_REPRODUCIBLE_BINARIES checking
>
> Mingli Yu (1):
>   python3-magic: add the missing rdepends
>
> Richard Purdie (6):
>   linunistring: Add missing gperf-native dependency
>   pseudo: Add in ability to flush database with shutdown request
>   pseudo: Add fcntl64 wrapper
>   mirrors: Add uninative mirror on kernel.org
>   sstate: Ensure SDE is accounted for in package task timestamps
>   sstate: Avoid deploy_source_date_epoch sstate when unneeded
>
> Steve Sakoman (2):
>   python3-magic: add missing DEPENDS
>   selftest/reproducible: add webkitgtk back to exclusion list for dunfell
>
>  meta/classes/mirrors.bbclass | 1 +
>  meta/classes/reproducible_build.bbclass | 53 ++++++++++++-------
>  meta/classes/sstate.bbclass | 34 +++++++++--
>  .../oeqa/selftest/cases/diffoscope/A/file.txt | 1 +
>  .../oeqa/selftest/cases/diffoscope/B/file.txt | 1 +
>  meta/lib/oeqa/selftest/cases/reproducible.py | 29 +++++++++-
>  meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
>  .../python/python3-magic_0.4.15.bb | 7 ++-
>  ...ssing-include-for-htobe32-definition.patch | 27 ++++++++++
>  ...file.py-make-test-lists-reproducible.patch | 31 +++++++++++
>  ...gen_tcs-tes_input_tests.py-do-not-ha.patch | 44 +++++++++++++++
>  ...lizer.py-make-.gz-files-reproducible.patch | 30 +++++++++++
>  ...sort-the-file-list-before-working-on.patch | 28 ++++++++++
>  ...t-shader.c-do-not-hardcode-build-pat.patch | 30 +++++++++++
>  meta/recipes-graphics/piglit/piglit_git.bb | 12 ++++-
>  .../0001-MiniBrowser-Fix-reproduciblity.patch | 31 +++++++++++
>  meta/recipes-sato/webkit/webkitgtk_2.28.4.bb | 1 +
>  .../libunistring/libunistring_0.9.10.bb | 1 +
>  18 files changed, 333 insertions(+), 30 deletions(-)
>  create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
>  create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch
>  create mode 100644 meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch
>  create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch
>
> --
> 2.25.1
* [OE-core][dunfell 00/14] Patch review
  @ 2021-11-11 4:08 Steve Sakoman

From: Steve Sakoman @ 2021-11-11 4:08 UTC
To: openembedded-core

Please review this set of patches for dunfell and have comments back by end of day Friday.

The following changes since commit 38fc0807eea14dc12610da4ba73c082d5a4b0744:

  meta/scripts: Manual git url branch additions (2021-11-03 08:43:53 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Jose Quaresma (1):
  sstate: another fix for touching files inside pseudo

Joshua Watt (1):
  oeqa: reproducible: Fix test not producing diffs

Khem Raj (1):
  webkitgtk: Fix reproducibility in minibrowser

Marek Vasut (1):
  piglit: upgrade to latest revision

Mark Hatle (1):
  reproducible_build: Remove BUILD_REPRODUCIBLE_BINARIES checking

Mingli Yu (1):
  python3-magic: add the missing rdepends

Richard Purdie (6):
  linunistring: Add missing gperf-native dependency
  pseudo: Add in ability to flush database with shutdown request
  pseudo: Add fcntl64 wrapper
  mirrors: Add uninative mirror on kernel.org
  sstate: Ensure SDE is accounted for in package task timestamps
  sstate: Avoid deploy_source_date_epoch sstate when unneeded

Steve Sakoman (2):
  python3-magic: add missing DEPENDS
  selftest/reproducible: add webkitgtk back to exclusion list for dunfell

 meta/classes/mirrors.bbclass | 1 +
 meta/classes/reproducible_build.bbclass | 53 ++++++++++++-------
 meta/classes/sstate.bbclass | 34 +++++++++--
 .../oeqa/selftest/cases/diffoscope/A/file.txt | 1 +
 .../oeqa/selftest/cases/diffoscope/B/file.txt | 1 +
 meta/lib/oeqa/selftest/cases/reproducible.py | 29 +++++++++-
 meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
 .../python/python3-magic_0.4.15.bb | 7 ++-
 ...ssing-include-for-htobe32-definition.patch | 27 ++++++++++
 ...file.py-make-test-lists-reproducible.patch | 31 +++++++++++
 ...gen_tcs-tes_input_tests.py-do-not-ha.patch | 44 +++++++++++++++
 ...lizer.py-make-.gz-files-reproducible.patch | 30 +++++++++++
 ...sort-the-file-list-before-working-on.patch | 28 ++++++++++
 ...t-shader.c-do-not-hardcode-build-pat.patch | 30 +++++++++++
 meta/recipes-graphics/piglit/piglit_git.bb | 12 ++++-
 .../0001-MiniBrowser-Fix-reproduciblity.patch | 31 +++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.28.4.bb | 1 +
 .../libunistring/libunistring_0.9.10.bb | 1 +
 18 files changed, 333 insertions(+), 30 deletions(-)
 create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/A/file.txt
 create mode 100644 meta/lib/oeqa/selftest/cases/diffoscope/B/file.txt
 create mode 100644 meta/recipes-graphics/piglit/piglit/0001-Add-a-missing-include-for-htobe32-definition.patch
 create mode 100644 meta/recipes-graphics/piglit/piglit/0001-framework-profile.py-make-test-lists-reproducible.patch
 create mode 100644 meta/recipes-graphics/piglit/piglit/0001-generated_tests-gen_tcs-tes_input_tests.py-do-not-ha.patch
 create mode 100644 meta/recipes-graphics/piglit/piglit/0001-serializer.py-make-.gz-files-reproducible.patch
 create mode 100644 meta/recipes-graphics/piglit/piglit/0001-tests-shader.py-sort-the-file-list-before-working-on.patch
 create mode 100644 meta/recipes-graphics/piglit/piglit/0002-tests-util-piglit-shader.c-do-not-hardcode-build-pat.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/0001-MiniBrowser-Fix-reproduciblity.patch

--
2.25.1
* [OE-core][dunfell 00/14] Patch review
  @ 2021-06-28 15:05 Steve Sakoman
  2021-06-29 0:13 ` [dunfell " Minjae Kim

From: Steve Sakoman @ 2021-06-28 15:05 UTC
To: openembedded-core

Please review this next set of patches for dunfell and have comments back by end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2291

The following changes since commit ac8181d9b9ad8360f7dba03aba8b00f008c6ebb4:

  Revert "python3: fix CVE-2021-23336" (2021-06-19 13:11:58 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Jasper Orschulko (3):
  expat: fix CVE-2013-0340
  libxml2: Fix CVE-2021-3518
  libx11: Fix CVE-2021-31535

Michael Halstead (1):
  uninative: Upgrade to 3.2 (gcc11 support)

Tim Orling (10):
  python3: upgrade 3.8.2 -> 3.8.3
  python3: upgrade 3.8.3 -> 3.8.4
  python3: upgrade 3.8.4 -> 3.8.5
  python3: upgrade 3.8.5 -> 3.8.6
  python3: upgrade 3.8.6 -> 3.8.7
  python3: upgrade 3.8.7 -> 3.8.8
  powertop: fix aclocal error too many loops
  python3: upgrade 3.8.8 -> 3.8.9
  python3: upgrade 3.8.9 -> 3.8.10
  python3-ptest: add newly discovered missing rdeps

 meta/conf/distro/include/yocto-uninative.inc | 8 +-
 .../expat/expat/CVE-2013-0340.patch | 1758 +++++++++++++++++
 .../expat/expat/libtool-tag.patch | 41 +-
 meta/recipes-core/expat/expat_2.2.9.bb | 12 +-
 .../libxml/libxml2/CVE-2021-3518.patch | 112 ++
 meta/recipes-core/libxml/libxml2_2.9.10.bb | 1 +
 ...20-8492-Fix-AbstractBasicAuthHandler.patch | 248 ---
 ...le.py-correct-the-test-output-format.patch | 24 +-
 .../python/python3/CVE-2019-20907.patch | 44 -
 .../python/python3/CVE-2020-14422.patch | 77 -
 .../python/python3/CVE-2020-26116.patch | 104 -
 .../python/python3/CVE-2020-27619.patch | 70 -
 .../python/python3/CVE-2021-3177.patch | 191 --
 .../{python3_3.8.2.bb => python3_3.8.10.bb} | 19 +-
 .../xorg-lib/libx11/CVE-2021-31535.patch | 333 ++++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb | 1 +
 ...2-configure.ac-ax_add_fortify_source.patch | 70 +
 ...003-configure-Use-AX_REQUIRE_DEFINED.patch | 29 +
 meta/recipes-kernel/powertop/powertop_2.10.bb | 8 +-
 19 files changed, 2357 insertions(+), 793 deletions(-)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2013-0340.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2021-3518.patch
 delete mode 100644 meta/recipes-devtools/python/python3/0001-bpo-39503-CVE-2020-8492-Fix-AbstractBasicAuthHandler.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2019-20907.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-14422.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2020-27619.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2021-3177.patch
 rename meta/recipes-devtools/python/{python3_3.8.2.bb => python3_3.8.10.bb} (95%)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2021-31535.patch
 create mode 100644 meta/recipes-kernel/powertop/powertop/0002-configure.ac-ax_add_fortify_source.patch
 create mode 100644 meta/recipes-kernel/powertop/powertop/0003-configure-Use-AX_REQUIRE_DEFINED.patch

--
2.25.1
* Re: [dunfell 00/14] Patch review
  2021-06-28 15:05 Steve Sakoman
  @ 2021-06-29 0:13 ` Minjae Kim
  2021-06-29 14:09 ` [OE-core] " Steve Sakoman

From: Minjae Kim @ 2021-06-29 0:13 UTC
To: openembedded-core

Hi Steve,

How about this patch? I already tested on qemux86-64.

https://lists.openembedded.org/g/openembedded-core/message/153284

Do I need more testing?

Thanks,
Minjae Kim.
* Re: [OE-core] [dunfell 00/14] Patch review
  2021-06-29 0:13 ` [dunfell " Minjae Kim
  @ 2021-06-29 14:09 ` Steve Sakoman

From: Steve Sakoman @ 2021-06-29 14:09 UTC
To: Minjae Kim; +Cc: Patches and discussions about the oe-core layer

On Mon, Jun 28, 2021 at 2:13 PM Minjae Kim <flowergom@gmail.com> wrote:
> How about this patch? I already tested on qemux86-64.
> https://lists.openembedded.org/g/openembedded-core/message/153284
> Do I need more testing?

It will be in the next set of patches. I haven't seen any issues on the autobuilder.

Steve
* [OE-core][dunfell 00/14] Patch review
From: Steve Sakoman @ 2020-10-22 15:51 UTC
To: openembedded-core

Please review this next set of patches for dunfell and have comments back by end of day Monday.

Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1501

The following changes since commit 3ee9590f96cb50e93864db768b254773e2ff9465:

  uninative: Fix typo in error message (2020-10-19 04:27:15 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  selftest/virgl: drop the custom 30 sec timeout

Changqing Li (1):
  toolchain-shar-extract.sh: don't print useless info

Khem Raj (1):
  packagegroup-core-tools-debug: Disable for rv32/glibc as well

Lee Chee Yang (3):
  libproxy: fix CVE-2020-25219
  python3: fix CVE-2020-26116
  grub2: fix CVE-2020-10713

Martin Jansa (7):
  arch-armv7a.inc: fix typo
  arch-mips.inc: remove duplicated mips64el-o32 from PACKAGE_EXTRA_ARCHS_tune-mips64el-o32
  tune-mips64r6.inc: fix typo in mipsisa64r6-nf
  tune-ep9312.inc: add t suffix for thumb to PACKAGE_EXTRA_ARCHS_tune-ep9312
  tune-riscv.inc: use nf suffix also for TUNE_PKGARCH
  siteinfo: Recognize 32bit PPC LE
  siteinfo: Recognize bigendian sh3be and sh4be

Victor Kamensky (1):
  qemu: change TLBs number to 64 in 34Kf mips cpu model

 meta-selftest/lib/oeqa/runtime/cases/virgl.py | 2 +-
 meta/classes/siteinfo.bbclass | 5 +
 meta/conf/machine/include/arm/arch-armv7a.inc | 2 +-
 meta/conf/machine/include/mips/arch-mips.inc | 2 +-
 .../conf/machine/include/riscv/tune-riscv.inc | 4 +-
 meta/conf/machine/include/tune-ep9312.inc | 3 +-
 meta/conf/machine/include/tune-mips64r6.inc | 2 +-
 meta/files/toolchain-shar-extract.sh | 2 +-
 .../grub/files/CVE-2020-10713.patch | 73 ++++++++++++
 meta/recipes-bsp/grub/grub2.inc | 1 +
 .../packagegroup-core-tools-debug.bb | 2 +-
 .../python/python3/CVE-2020-26116.patch | 104 ++++++++++++++++++
 meta/recipes-devtools/python/python3_3.8.2.bb | 1 +
 meta/recipes-devtools/qemu/qemu.inc | 1 +
 ...ease-number-of-TLB-entries-on-the-34.patch | 59 ++++++++++
 .../libproxy/libproxy/CVE-2020-25219.patch | 61 ++++++++++
 .../libproxy/libproxy_0.4.15.bb | 1 +
 17 files changed, 315 insertions(+), 10 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-10713.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2020-26116.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-target-mips-Increase-number-of-TLB-entries-on-the-34.patch
 create mode 100644 meta/recipes-support/libproxy/libproxy/CVE-2020-25219.patch

-- 
2.17.1
* [OE-core][dunfell 00/14] Patch review
From: Steve Sakoman @ 2020-10-09 14:18 UTC
To: openembedded-core

Please review this next set of patches for dunfell and have comments back by end of day Tuesday.

Passed a-full on autobuilder: https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1464

The following changes since commit 552739383321bd9b4780bd0026d6107ece530522:

  perl: fix ptest test count (2020-10-05 04:29:40 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (4):
  linux-yocto/5.4: fix kprobes build warning
  linux-yocto/5.4: update to v5.4.67
  linux-yocto/5.4: update to v5.4.68
  linux-yocto/5.4: update to v5.4.69

Joshua Watt (1):
  classes/sanity: Bump minimum python version to 3.5

Marek Vasut (4):
  lttng-modules: update to 2.11.6
  lttng-tools: update to 2.11.5
  lttng-ust: update to 2.11.1
  stress-ng: Upgrade 0.11.01 -> 0.11.17

Richard Purdie (2):
  glibc: do_stash_locale must not delete files from ${D}
  libtools-cross/shadow-sysroot: Use nopackages inherit

Steve Sakoman (1):
  Revert "lttng-modules: backport writeback.h changes from 2.12.x to fix kernel 5.4.62+"

Victor Kamensky (2):
  qemu: add 34Kf-64tlb fictitious cpu type
  qemumips: use 34Kf-64tlb CPU emulation

 meta/classes/sanity.bbclass | 4 +-
 meta/conf/machine/qemumips.conf | 2 +-
 meta/recipes-core/glibc/glibc-package.inc | 1 -
 .../libtool/libtool-cross_2.4.6.bb | 2 +
 meta/recipes-devtools/qemu/qemu.inc | 1 +
 ...tlb-fictitious-cpu-type-like-34Kf-bu.patch | 118 ++++++++++++++++
 .../shadow/shadow-sysroot_4.6.bb | 2 +
 ...ownership-when-installing-example-jo.patch | 2 +-
 ...ess-ng_0.11.01.bb => stress-ng_0.11.17.bb} | 4 +-
 .../linux/linux-yocto-rt_5.4.bb | 6 +-
 .../linux/linux-yocto-tiny_5.4.bb | 8 +-
 meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +--
 ...ckport-writeback.h-changes-from-2.12.patch | 128 ------------------
 ...ules_2.11.2.bb => lttng-modules_2.11.6.bb} | 11 +-
 ...-tools_2.11.2.bb => lttng-tools_2.11.5.bb} | 4 +-
 ...ttng-ust_2.11.1.bb => lttng-ust_2.11.2.bb} | 4 +-
 16 files changed, 156 insertions(+), 163 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-mips-add-34Kf-64tlb-fictitious-cpu-type-like-34Kf-bu.patch
 rename meta/recipes-extended/stress-ng/{stress-ng_0.11.01.bb => stress-ng_0.11.17.bb} (83%)
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-lttng-modules-backport-writeback.h-changes-from-2.12.patch
 rename meta/recipes-kernel/lttng/{lttng-modules_2.11.2.bb => lttng-modules_2.11.6.bb} (81%)
 rename meta/recipes-kernel/lttng/{lttng-tools_2.11.2.bb => lttng-tools_2.11.5.bb} (98%)
 rename meta/recipes-kernel/lttng/{lttng-ust_2.11.1.bb => lttng-ust_2.11.2.bb} (93%)

-- 
2.17.1