* [OE-core][dunfell 0/8] Patch review
@ 2024-01-26 14:20 Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 1/8] openssh: Fix CVE-2023-51385 Steve Sakoman
                   ` (7 more replies)
  0 siblings, 8 replies; 16+ messages in thread
From: Steve Sakoman @ 2024-01-26 14:20 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for dunfell and have comments back by
end of day Tuesday, January 30.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6495

The following changes since commit 82e67bd9c77f0c5cbb652ca91071b9e57bdcfb33:

  build-appliance-image: Update to dunfell head revision (2024-01-22 03:34:05 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Khem Raj (1):
  systemtap: Fix build with gcc-12

Ranjitsinh Rathod (1):
  openssh: Fix CVE-2023-51385

Vijay Anusuri (5):
  sqlite3: Backport fix for CVE-2023-7104
  gnutls: Backport fix for CVE-2023-5981
  gnutls: Backport fix for CVE-2024-0553
  pam: Fix for CVE-2024-22365
  xserver-xorg: Multiple CVE fixes

virendra thakur (1):
  opkg: Fix bad memory access error observe in file_read_line_alloc

 .../openssh/openssh/CVE-2023-51385.patch      |  95 ++++++++
 .../openssh/openssh_8.2p1.bb                  |   1 +
 ...possible-bad-memory-access-in-file_r.patch |  50 ++++
 meta/recipes-devtools/opkg/opkg_0.4.2.bb      |   1 +
 .../pam/libpam/CVE-2024-22365.patch           |  59 +++++
 meta/recipes-extended/pam/libpam_1.3.1.bb     |   1 +
 .../xserver-xorg/CVE-2023-6816.patch          |  55 +++++
 .../xserver-xorg/CVE-2024-0229-1.patch        |  87 +++++++
 .../xserver-xorg/CVE-2024-0229-2.patch        | 221 ++++++++++++++++++
 .../xserver-xorg/CVE-2024-0229-3.patch        |  41 ++++
 .../xserver-xorg/CVE-2024-0229-4.patch        |  45 ++++
 .../xserver-xorg/CVE-2024-0408.patch          |  64 +++++
 .../xserver-xorg/CVE-2024-0409.patch          |  46 ++++
 .../xserver-xorg/CVE-2024-21885.patch         | 113 +++++++++
 .../xserver-xorg/CVE-2024-21886-1.patch       |  74 ++++++
 .../xserver-xorg/CVE-2024-21886-2.patch       |  57 +++++
 .../xorg-xserver/xserver-xorg_1.20.14.bb      |  10 +
 ...ility-re-tweak-for-rhel6-use-functio.patch |  49 ++++
 .../recipes-kernel/systemtap/systemtap_git.bb |   4 +-
 .../gnutls/gnutls/CVE-2023-5981.patch         | 206 ++++++++++++++++
 .../gnutls/gnutls/CVE-2024-0553.patch         | 125 ++++++++++
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |   2 +
 .../sqlite/files/CVE-2023-7104.patch          |  46 ++++
 meta/recipes-support/sqlite/sqlite3_3.31.1.bb |   1 +
 24 files changed, 1452 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
 create mode 100644 meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-22365.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch
 create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2023-7104.patch

-- 
2.34.1




* [OE-core][dunfell 1/8] openssh: Fix CVE-2023-51385
  2024-01-26 14:20 [OE-core][dunfell 0/8] Patch review Steve Sakoman
@ 2024-01-26 14:20 ` Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 2/8] sqlite3: Backport fix for CVE-2023-7104 Steve Sakoman
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2024-01-26 14:20 UTC (permalink / raw)
  To: openembedded-core

From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>

OS command injection might occur if a user name or host name has shell
metacharacters, and this name is referenced by an expansion token in
certain situations. For example, an untrusted Git repository can have a
submodule with shell metacharacters in a user name or host name.

This patch fixes the above issue.

Link: http://archive.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_8.2p1-4ubuntu0.11.debian.tar.xz
Link: https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a

Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssh/openssh/CVE-2023-51385.patch      | 95 +++++++++++++++++++
 .../openssh/openssh_8.2p1.bb                  |  1 +
 2 files changed, 96 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch

diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
new file mode 100644
index 0000000000..0ba8c312d0
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2023-51385.patch
@@ -0,0 +1,95 @@
+From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Mon, 18 Dec 2023 14:47:44 +0000
+Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
+
+This makes ssh(1) refuse user or host names provided on the
+commandline that contain most shell metacharacters.
+
+Some programs that invoke ssh(1) using untrusted data do not filter
+metacharacters in arguments they supply. This could create
+interactions with user-specified ProxyCommand and other directives
+that allow shell injection attacks to occur.
+
+It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+but getting this stuff right can be tricky, so this should prevent
+most obvious ways of creating risky situations. It however is not
+and cannot be perfect: ssh(1) has no practical way of interpreting
+what shell quoting rules are in use and how they interact with the
+user's specified ProxyCommand.
+
+To allow configurations that use strange user or hostnames to
+continue to work, this strictness is applied only to names coming
+from the commandline. Names specified using User or Hostname
+directives in ssh_config(5) are not affected.
+
+feedback/ok millert@ markus@ dtucker@ deraadt@
+
+OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+
+CVE: CVE-2023-51385
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a]
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+Comment: Hunks refreshed to apply cleanly
+
+---
+ ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/ssh.c b/ssh.c
+index 35c48e62d18..48d93ddf2a9 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -583,6 +583,41 @@ set_addrinfo_port(struct addrinfo *addrs
+ 	}
+ }
+ 
++static int
++valid_hostname(const char *s)
++{
++	size_t i;
++
++	if (*s == '-')
++		return 0;
++	for (i = 0; s[i] != 0; i++) {
++		if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
++		    isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
++			return 0;
++	}
++	return 1;
++}
++
++static int
++valid_ruser(const char *s)
++{
++	size_t i;
++
++	if (*s == '-')
++		return 0;
++	for (i = 0; s[i] != 0; i++) {
++		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
++			return 0;
++		/* Disallow '-' after whitespace */
++		if (isspace((u_char)s[i]) && s[i + 1] == '-')
++			return 0;
++		/* Disallow \ in last position */
++		if (s[i] == '\\' && s[i + 1] == '\0')
++			return 0;
++	}
++	return 1;
++}
++
+ /*
+  * Main program for the ssh client.
+  */
+@@ -1069,6 +1104,10 @@ main(int ac, char **av)
+ 	if (!host)
+ 		usage();
+ 
++	if (!valid_hostname(host))
++		fatal("hostname contains invalid characters");
++	if (options.user != NULL && !valid_ruser(options.user))
++		fatal("remote username contains invalid characters");
+ 	host_arg = xstrdup(host);
+ 
+ 	/* Initialize the command to execute on remote host. */
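Review bot: valid_ruser() lets `$`, plain whitespace and any non-trailing backslash through while valid_hostname() rejects all of them, and neither helper carries a comment saying why the two character sets differ. A short comment above each function stating the intended policy would stop a later refresh from "harmonising" them. The commit message says the strictness applies only to names coming from the command line, which depends on the check in main() running before any ssh_config values reach `host` or `options.user`; since the header says the hunks were refreshed, please confirm that still holds at the `if (!host) usage();` context in 8.2p1.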
diff --git a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
index eb3089cd8a..9d6cf7da6c 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.2p1.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://CVE-2023-38408-11.patch \
            file://CVE-2023-38408-12.patch \
            file://CVE-2023-48795.patch \
+           file://CVE-2023-51385.patch \
            "
 SRC_URI[md5sum] = "3076e6413e8dbe56d33848c1054ac091"
 SRC_URI[sha256sum] = "43925151e6cf6cee1450190c0e9af4dc36b41c12737619edff8bcebdff64e671"
-- 
2.34.1




* [OE-core][dunfell 2/8] sqlite3: Backport fix for CVE-2023-7104
  2024-01-26 14:20 [OE-core][dunfell 0/8] Patch review Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 1/8] openssh: Fix CVE-2023-51385 Steve Sakoman
@ 2024-01-26 14:20 ` Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 3/8] gnutls: Backport fix for CVE-2023-5981 Steve Sakoman
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2024-01-26 14:20 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Backport https://sqlite.org/src/info/0e4e7a05c4204b47

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../sqlite/files/CVE-2023-7104.patch          | 46 +++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.31.1.bb |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2023-7104.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
new file mode 100644
index 0000000000..01ff29ff5e
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
@@ -0,0 +1,46 @@
+From eab426c5fba69d2c77023939f72b4ad446834e3c Mon Sep 17 00:00:00 2001
+From: dan <Dan Kennedy>
+Date: Thu, 7 Sep 2023 13:53:09 +0000
+Subject: [PATCH] Fix a buffer overread in the sessions extension that could occur when processing a corrupt changeset.
+
+Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47]
+CVE: CVE-2023-7104
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ sqlite3.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/sqlite3.c b/sqlite3.c
+index 972ef18..c645ac8 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -203301,15 +203301,19 @@ static int sessionReadRecord(
+         }
+       }
+       if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+-        sqlite3_int64 v = sessionGetI64(aVal);
+-        if( eType==SQLITE_INTEGER ){
+-          sqlite3VdbeMemSetInt64(apOut[i], v);
++	if( (pIn->nData-pIn->iNext)<8 ){
++	  rc = SQLITE_CORRUPT_BKPT;
+         }else{
+-          double d;
+-          memcpy(&d, &v, 8);
+-          sqlite3VdbeMemSetDouble(apOut[i], d);
++	  sqlite3_int64 v = sessionGetI64(aVal);
++	  if( eType==SQLITE_INTEGER ){
++	    sqlite3VdbeMemSetInt64(apOut[i], v);
++	  }else{
++	    double d;
++	    memcpy(&d, &v, 8);
++	    sqlite3VdbeMemSetDouble(apOut[i], d);
++	  }
++	  pIn->iNext += 8;
+         }
+-        pIn->iNext += 8;
+       }
+     }
+   }
+-- 
+2.25.1
+
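Review bot: the added lines in sessionReadRecord() are tab-indented (from `if( (pIn->nData-pIn->iNext)<8 ){` down to `pIn->iNext += 8;`) while the untouched `}else{` and closing braces around them use spaces, so one block ends up with mixed indentation; re-indent the additions with spaces to match the context. Setting `rc = SQLITE_CORRUPT_BKPT` only stops processing if the enclosing loop tests rc, which is outside the visible context and worth confirming against 3.31.1. The header line `From: dan <Dan Kennedy>` also has the name in the address slot.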
diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index ef12ef0db2..0e7bcfa5a7 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.sqlite.org/2020/sqlite-autoconf-${SQLITE_PV}.tar.gz \
            file://CVE-2020-35525.patch \
            file://CVE-2020-35527.patch \
            file://CVE-2021-20223.patch \
+           file://CVE-2023-7104.patch \
            "
 SRC_URI[md5sum] = "2d0a553534c521504e3ac3ad3b90f125"
 SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b51949ae"
-- 
2.34.1




* [OE-core][dunfell 3/8] gnutls: Backport fix for CVE-2023-5981
  2024-01-26 14:20 [OE-core][dunfell 0/8] Patch review Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 1/8] openssh: Fix CVE-2023-51385 Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 2/8] sqlite3: Backport fix for CVE-2023-7104 Steve Sakoman
@ 2024-01-26 14:20 ` Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 4/8] gnutls: Backport fix for CVE-2024-0553 Steve Sakoman
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2024-01-26 14:20 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport [import from ubuntu https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz
Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]

References:
https://ubuntu.com/security/CVE-2023-5981

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../gnutls/gnutls/CVE-2023-5981.patch         | 206 ++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |   1 +
 2 files changed, 207 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
new file mode 100644
index 0000000000..c518cfa0ac
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2023-5981.patch
@@ -0,0 +1,206 @@
+Backport of:
+
+From 29d6298d0b04cfff970b993915db71ba3f580b6d Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Mon, 23 Oct 2023 09:26:57 +0900
+Subject: [PATCH] auth/rsa_psk: side-step potential side-channel
+
+This removes branching that depends on secret data, porting changes
+for regular RSA key exchange from
+4804febddc2ed958e5ae774de2a8f85edeeff538 and
+80a6ce8ddb02477cd724cd5b2944791aaddb702a.  This also removes the
+allow_wrong_pms as it was used sorely to control debug output
+depending on the branching.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/gnutls28/3.6.13-2ubuntu1.9/gnutls28_3.6.13-2ubuntu1.9.debian.tar.xz
+Upstream-Commit: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d]
+CVE: CVE-2023-5981
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/auth/rsa.c     |  2 +-
+ lib/auth/rsa_psk.c | 90 ++++++++++++++++++----------------------------
+ lib/gnutls_int.h   |  4 ---
+ lib/priority.c     |  1 -
+ 4 files changed, 35 insertions(+), 62 deletions(-)
+
+--- a/lib/auth/rsa.c
++++ b/lib/auth/rsa.c
+@@ -207,7 +207,7 @@ proc_rsa_client_kx(gnutls_session_t sess
+ 				     session->key.key.size);
+ 	/* After this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+-	 * channel that can be used as an oracle, so treat very carefully */
++	 * channel that can be used as an oracle, so tread carefully */
+ 
+ 	/* Error handling logic:
+ 	 * In case decryption fails then don't inform the peer. Just use the
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -264,14 +264,13 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+ {
+ 	gnutls_datum_t username;
+ 	psk_auth_info_t info;
+-	gnutls_datum_t plaintext;
+ 	gnutls_datum_t ciphertext;
+ 	gnutls_datum_t pwd_psk = { NULL, 0 };
+ 	int ret, dsize;
+-	int randomize_key = 0;
+ 	ssize_t data_size = _data_size;
+ 	gnutls_psk_server_credentials_t cred;
+ 	gnutls_datum_t premaster_secret = { NULL, 0 };
++	volatile uint8_t ver_maj, ver_min;
+ 
+ 	cred = (gnutls_psk_server_credentials_t)
+ 	    _gnutls_get_cred(session, GNUTLS_CRD_PSK);
+@@ -327,71 +326,47 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_se
+ 	}
+ 	ciphertext.size = dsize;
+ 
+-	ret =
+-	    gnutls_privkey_decrypt_data(session->internals.selected_key, 0,
+-					&ciphertext, &plaintext);
+-	if (ret < 0 || plaintext.size != GNUTLS_MASTER_SIZE) {
+-		/* In case decryption fails then don't inform
+-		 * the peer. Just use a random key. (in order to avoid
+-		 * attack against pkcs-1 formatting).
+-		 */
+-		gnutls_assert();
+-		_gnutls_debug_log
+-		    ("auth_rsa_psk: Possible PKCS #1 format attack\n");
+-		if (ret >= 0) {
+-			gnutls_free(plaintext.data);
+-		}
+-		randomize_key = 1;
+-	} else {
+-		/* If the secret was properly formatted, then
+-		 * check the version number.
+-		 */
+-		if (_gnutls_get_adv_version_major(session) !=
+-		    plaintext.data[0]
+-		    || (session->internals.allow_wrong_pms == 0
+-			&& _gnutls_get_adv_version_minor(session) !=
+-			plaintext.data[1])) {
+-			/* No error is returned here, if the version number check
+-			 * fails. We proceed normally.
+-			 * That is to defend against the attack described in the paper
+-			 * "Attacking RSA-based sessions in SSL/TLS" by Vlastimil Klima,
+-			 * Ondej Pokorny and Tomas Rosa.
+-			 */
+-			gnutls_assert();
+-			_gnutls_debug_log
+-			    ("auth_rsa: Possible PKCS #1 version check format attack\n");
+-		}
+-	}
++	ver_maj = _gnutls_get_adv_version_major(session);
++	ver_min = _gnutls_get_adv_version_minor(session);
+ 
++	premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
++	if (premaster_secret.data == NULL) {
++		gnutls_assert();
++		return GNUTLS_E_MEMORY_ERROR;
++	}
++	premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+-	if (randomize_key != 0) {
+-		premaster_secret.size = GNUTLS_MASTER_SIZE;
+-		premaster_secret.data =
+-		    gnutls_malloc(premaster_secret.size);
+-		if (premaster_secret.data == NULL) {
+-			gnutls_assert();
+-			return GNUTLS_E_MEMORY_ERROR;
+-		}
+-
+-		/* we do not need strong random numbers here.
+-		 */
+-		ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-				  premaster_secret.size);
+-		if (ret < 0) {
+-			gnutls_assert();
+-			goto cleanup;
+-		}
+-	} else {
+-		premaster_secret.data = plaintext.data;
+-		premaster_secret.size = plaintext.size;
++	/* Fallback value when decryption fails. Needs to be unpredictable. */
++	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
++			 premaster_secret.size);
++	if (ret < 0) {
++		gnutls_assert();
++		goto cleanup;
+ 	}
+ 
++	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
++				     &ciphertext, premaster_secret.data,
++				     premaster_secret.size);
++	/* After this point, any conditional on failure that cause differences
++	 * in execution may create a timing or cache access pattern side
++	 * channel that can be used as an oracle, so tread carefully */
++
++	/* Error handling logic:
++	 * In case decryption fails then don't inform the peer. Just use the
++	 * random key previously generated. (in order to avoid attack against
++	 * pkcs-1 formatting).
++	 *
++	 * If we get version mismatches no error is returned either. We
++	 * proceed normally. This is to defend against the attack described
++	 * in the paper "Attacking RSA-based sessions in SSL/TLS" by
++	 * Vlastimil Klima, Ondej Pokorny and Tomas Rosa.
++	 */
++
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-
+-	premaster_secret.data[0] = _gnutls_get_adv_version_major(session);
+-	premaster_secret.data[1] = _gnutls_get_adv_version_minor(session);
++	premaster_secret.data[0] = ver_maj;
++	premaster_secret.data[1] = ver_min;
+ 
+ 	/* find the key of this username
+ 	 */
+--- a/lib/gnutls_int.h
++++ b/lib/gnutls_int.h
+@@ -989,7 +989,6 @@ struct gnutls_priority_st {
+ 	bool _no_etm;
+ 	bool _no_ext_master_secret;
+ 	bool _allow_key_usage_violation;
+-	bool _allow_wrong_pms;
+ 	bool _dumbfw;
+ 	unsigned int _dh_prime_bits;	/* old (deprecated) variable */
+ 
+@@ -1007,7 +1006,6 @@ struct gnutls_priority_st {
+ 	      (x)->no_etm = 1; \
+ 	      (x)->no_ext_master_secret = 1; \
+ 	      (x)->allow_key_usage_violation = 1; \
+-	      (x)->allow_wrong_pms = 1; \
+ 	      (x)->dumbfw = 1
+ 
+ #define ENABLE_PRIO_COMPAT(x) \
+@@ -1016,7 +1014,6 @@ struct gnutls_priority_st {
+ 	      (x)->_no_etm = 1; \
+ 	      (x)->_no_ext_master_secret = 1; \
+ 	      (x)->_allow_key_usage_violation = 1; \
+-	      (x)->_allow_wrong_pms = 1; \
+ 	      (x)->_dumbfw = 1
+ 
+ /* DH and RSA parameters types.
+@@ -1141,7 +1138,6 @@ typedef struct {
+ 	bool no_etm;
+ 	bool no_ext_master_secret;
+ 	bool allow_key_usage_violation;
+-	bool allow_wrong_pms;
+ 	bool dumbfw;
+ 
+ 	/* old (deprecated) variable. This is used for both srp_prime_bits
+--- a/lib/priority.c
++++ b/lib/priority.c
+@@ -681,7 +681,6 @@ gnutls_priority_set(gnutls_session_t ses
+ 	COPY_TO_INTERNALS(no_etm);
+ 	COPY_TO_INTERNALS(no_ext_master_secret);
+ 	COPY_TO_INTERNALS(allow_key_usage_violation);
+-	COPY_TO_INTERNALS(allow_wrong_pms);
+ 	COPY_TO_INTERNALS(dumbfw);
+ 	COPY_TO_INTERNALS(dh_prime_bits);
+ 
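Review bot: in _gnutls_proc_rsa_psk_client_kx() the lookup under `/* find the key of this username` is left in place after gnutls_privkey_decrypt_data2(), so non-trivial code with its own failure branches still runs between the decryption and the return. The 4/8 message describes CVE-2024-0553 as an incomplete resolution of this CVE, so this patch should only be merged together with CVE-2024-0553.patch. The Upstream-Status tag wraps an `Upstream-Commit:` line inside its brackets across two lines; a single-line `Upstream-Status: Backport [<url>]` is easier for tooling to parse. The import source is Ubuntu's 3.6.13 packaging while the recipe is gnutls_3.6.14.bb, so please confirm it applies without fuzz.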
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index 0c3392d521..406f0b54c5 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2022-2509.patch \
            file://CVE-2021-4209.patch \
            file://CVE-2023-0361.patch \
+           file://CVE-2023-5981.patch \
 "
 
 SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"
-- 
2.34.1




* [OE-core][dunfell 4/8] gnutls: Backport fix for CVE-2024-0553
  2024-01-26 14:20 [OE-core][dunfell 0/8] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2024-01-26 14:20 ` [OE-core][dunfell 3/8] gnutls: Backport fix for CVE-2023-5981 Steve Sakoman
@ 2024-01-26 14:20 ` Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 5/8] pam: Fix for CVE-2024-22365 Steve Sakoman
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2024-01-26 14:20 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../gnutls/gnutls/CVE-2024-0553.patch         | 125 ++++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.6.14.bb  |   1 +
 2 files changed, 126 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
new file mode 100644
index 0000000000..f15c470879
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
@@ -0,0 +1,125 @@
+From 40dbbd8de499668590e8af51a15799fbc430595e Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Wed, 10 Jan 2024 19:13:17 +0900
+Subject: [PATCH] rsa-psk: minimize branching after decryption
+
+This moves any non-trivial code between gnutls_privkey_decrypt_data2
+and the function return in _gnutls_proc_rsa_psk_client_kx up until the
+decryption.  This also avoids an extra memcpy to session->key.key.
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e]
+CVE: CVE-2024-0553
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/auth/rsa_psk.c | 68 ++++++++++++++++++++++++----------------------
+ 1 file changed, 35 insertions(+), 33 deletions(-)
+
+diff --git a/lib/auth/rsa_psk.c b/lib/auth/rsa_psk.c
+index 93c2dc9..c6cfb92 100644
+--- a/lib/auth/rsa_psk.c
++++ b/lib/auth/rsa_psk.c
+@@ -269,7 +269,6 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	int ret, dsize;
+ 	ssize_t data_size = _data_size;
+ 	gnutls_psk_server_credentials_t cred;
+-	gnutls_datum_t premaster_secret = { NULL, 0 };
+ 	volatile uint8_t ver_maj, ver_min;
+ 
+ 	cred = (gnutls_psk_server_credentials_t)
+@@ -329,24 +328,48 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	ver_maj = _gnutls_get_adv_version_major(session);
+ 	ver_min = _gnutls_get_adv_version_minor(session);
+ 
+-	premaster_secret.data = gnutls_malloc(GNUTLS_MASTER_SIZE);
+-	if (premaster_secret.data == NULL) {
++	/* Find the key of this username. A random value will be
++	 * filled in if the key is not found.
++	 */
++	ret = _gnutls_psk_pwd_find_entry(session, info->username,
++			                 strlen(info->username), &pwd_psk);
++	if (ret < 0)
++		return gnutls_assert_val(ret);
++
++	/* Allocate memory for premaster secret, and fill in the
++	 * fields except the decryption result.
++	 */
++	session->key.key.size = 2 + GNUTLS_MASTER_SIZE + 2 + pwd_psk.size;
++	session->key.key.data = gnutls_malloc(session->key.key.size);
++	if (session->key.key.data == NULL) {
+ 		gnutls_assert();
++		_gnutls_free_key_datum(&pwd_psk);
++		/* No need to zeroize, as the secret is not copied in yet */
++		_gnutls_free_datum(&session->key.key);
+ 		return GNUTLS_E_MEMORY_ERROR;
+ 	}
+-	premaster_secret.size = GNUTLS_MASTER_SIZE;
+ 
+ 	/* Fallback value when decryption fails. Needs to be unpredictable. */
+-	ret = gnutls_rnd(GNUTLS_RND_NONCE, premaster_secret.data,
+-			 premaster_secret.size);
++	ret = gnutls_rnd(GNUTLS_RND_NONCE, session->key.key.data + 2,
++			 GNUTLS_MASTER_SIZE);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+-		goto cleanup;
++		_gnutls_free_key_datum(&pwd_psk);
++		/* No need to zeroize, as the secret is not copied in yet */
++		_gnutls_free_datum(&session->key.key);
++		return ret;
+ 	}
+ 
++	_gnutls_write_uint16(GNUTLS_MASTER_SIZE, session->key.key.data);
++	_gnutls_write_uint16(pwd_psk.size,
++			     &session->key.key.data[2 + GNUTLS_MASTER_SIZE]);
++	memcpy(&session->key.key.data[2 + GNUTLS_MASTER_SIZE + 2], pwd_psk.data,
++	       pwd_psk.size);
++	_gnutls_free_key_datum(&pwd_psk);
++
+ 	gnutls_privkey_decrypt_data2(session->internals.selected_key, 0,
+-				     &ciphertext, premaster_secret.data,
+-				     premaster_secret.size);
++				     &ciphertext, session->key.key.data + 2,
++				     GNUTLS_MASTER_SIZE);
+ 	/* After this point, any conditional on failure that cause differences
+ 	 * in execution may create a timing or cache access pattern side
+ 	 * channel that can be used as an oracle, so tread carefully */
+@@ -365,31 +388,10 @@ _gnutls_proc_rsa_psk_client_kx(gnutls_session_t session, uint8_t * data,
+ 	/* This is here to avoid the version check attack
+ 	 * discussed above.
+ 	 */
+-	premaster_secret.data[0] = ver_maj;
+-	premaster_secret.data[1] = ver_min;
++	session->key.key.data[2] = ver_maj;
++	session->key.key.data[3] = ver_min;
+ 
+-	/* find the key of this username
+-	 */
+-	ret =
+-	    _gnutls_psk_pwd_find_entry(session, info->username, strlen(info->username), &pwd_psk);
+-	if (ret < 0) {
+-		gnutls_assert();
+-		goto cleanup;
+-	}
+-
+-	ret =
+-	    set_rsa_psk_session_key(session, &pwd_psk, &premaster_secret);
+-	if (ret < 0) {
+-		gnutls_assert();
+-		goto cleanup;
+-	}
+-
+-	ret = 0;
+-      cleanup:
+-	_gnutls_free_key_datum(&pwd_psk);
+-	_gnutls_free_temp_key_datum(&premaster_secret);
+-
+-	return ret;
++	return 0;
+ }
+ 
+ static int
+-- 
+2.25.1
+
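Review bot: the last hunk removes the call to set_rsa_psk_session_key(), but no hunk in this patch touches that function's definition; if this was its only caller the helper is now dead code and may trigger an unused-function warning, so please check for other callers in rsa_psk.c. The continuation line `strlen(info->username), &pwd_psk);` under _gnutls_psk_pwd_find_entry() is indented with tabs followed by spaces, unlike the tab-only lines around it.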
diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index 406f0b54c5..a1451daf2c 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -29,6 +29,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2021-4209.patch \
            file://CVE-2023-0361.patch \
            file://CVE-2023-5981.patch \
+           file://CVE-2024-0553.patch \
 "
 
 SRC_URI[sha256sum] = "5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63"
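Review bot: CVE-2024-0553.patch edits lines that CVE-2023-5981.patch introduces (`volatile uint8_t ver_maj, ver_min;` and the premaster_secret allocation), so its position after CVE-2023-5981.patch in SRC_URI is required for it to apply. A sentence in the CVE-2024-0553.patch header stating that dependency would keep a later reorder or partial revert from breaking do_patch.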
-- 
2.34.1




* [OE-core][dunfell 5/8] pam: Fix for CVE-2024-22365
  2024-01-26 14:20 [OE-core][dunfell 0/8] Patch review Steve Sakoman
                   ` (3 preceding siblings ...)
  2024-01-26 14:20 ` [OE-core][dunfell 4/8] gnutls: Backport fix for CVE-2024-0553 Steve Sakoman
@ 2024-01-26 14:20 ` Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 6/8] xserver-xorg: Multiple CVE fixes Steve Sakoman
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2024-01-26 14:20 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../pam/libpam/CVE-2024-22365.patch           | 59 +++++++++++++++++++
 meta/recipes-extended/pam/libpam_1.3.1.bb     |  1 +
 2 files changed, 60 insertions(+)
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-22365.patch

diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch
new file mode 100644
index 0000000000..33ac37b7f0
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-22365.patch
@@ -0,0 +1,59 @@
+From 031bb5a5d0d950253b68138b498dc93be69a64cb Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <matthias.gerstner@suse.de>
+Date: Wed, 27 Dec 2023 14:01:59 +0100
+Subject: [PATCH] pam_namespace: protect_dir(): use O_DIRECTORY to prevent
+ local DoS situations
+
+Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
+being placed in user controlled directories, causing the PAM module to
+block indefinitely during `openat()`.
+
+Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
+refer to a directory.
+
+With this the check whether the final path element is a directory
+becomes unnecessary, drop it.
+
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb]
+CVE: CVE-2024-22365
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ modules/pam_namespace/pam_namespace.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
+index 2528cff86..f72d67189 100644
+--- a/modules/pam_namespace/pam_namespace.c
++++ b/modules/pam_namespace/pam_namespace.c
+@@ -1201,7 +1201,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ 	int dfd = AT_FDCWD;
+ 	int dfd_next;
+ 	int save_errno;
+-	int flags = O_RDONLY;
++	int flags = O_RDONLY | O_DIRECTORY;
+ 	int rv = -1;
+ 	struct stat st;
+ 
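Review bot: `struct stat st` and `save_errno` stay declared in this hunk's context, while the second hunk removes the fstat()/S_ISDIR block that used both. Please confirm that protect_dir() in 1.3.1 still uses them elsewhere; if it does not, drop the declarations in the backport so the recipe does not gain unused-variable warnings.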
+@@ -1255,22 +1255,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir,
+ 		rv = openat(dfd, dir, flags);
+ 	}
+ 
+-	if (rv != -1) {
+-		if (fstat(rv, &st) != 0) {
+-			save_errno = errno;
+-			close(rv);
+-			rv = -1;
+-			errno = save_errno;
+-			goto error;
+-		}
+-		if (!S_ISDIR(st.st_mode)) {
+-			close(rv);
+-			errno = ENOTDIR;
+-			rv = -1;
+-			goto error;
+-		}
+-	}
+-
+ 	if (flags & O_NOFOLLOW) {
+ 		/* we are inside user-owned dir - protect */
+ 		if (protect_mount(rv, p, idata) == -1) {
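Review bot: with the S_ISDIR block gone, no line left between `rv = openat(dfd, dir, flags);` and `protect_mount(rv, p, idata)` tests rv. The removed block was where a non-directory became `goto error`; that case now surfaces as openat() returning -1, so the error exit depends entirely on rv checks that sit outside the visible context. Please confirm that a failed openat() here cannot reach the O_NOFOLLOW block, or add an explicit `if (rv == -1) goto error;` ahead of it.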
diff --git a/meta/recipes-extended/pam/libpam_1.3.1.bb b/meta/recipes-extended/pam/libpam_1.3.1.bb
index bc72afe6ad..527a368e2d 100644
--- a/meta/recipes-extended/pam/libpam_1.3.1.bb
+++ b/meta/recipes-extended/pam/libpam_1.3.1.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux
            file://pam-security-abstract-securetty-handling.patch \
            file://pam-unix-nullok-secure.patch \
            file://crypt_configure.patch \
+           file://CVE-2024-22365.patch \
           "
 
 SRC_URI[md5sum] = "558ff53b0fc0563ca97f79e911822165"
-- 
2.34.1




* [OE-core][dunfell 6/8] xserver-xorg: Multiple CVE fixes
  2024-01-26 14:20 [OE-core][dunfell 0/8] Patch review Steve Sakoman
                   ` (4 preceding siblings ...)
  2024-01-26 14:20 ` [OE-core][dunfell 5/8] pam: Fix for CVE-2024-22365 Steve Sakoman
@ 2024-01-26 14:20 ` Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 7/8] opkg: Fix bad memory access error observe in file_read_line_alloc Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 8/8] systemtap: Fix build with gcc-12 Steve Sakoman
  7 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2024-01-26 14:20 UTC (permalink / raw)
  To: openembedded-core

From: Vijay Anusuri <vanusuri@mvista.com>

Fix the CVEs below:
CVE-2023-6816
CVE-2024-0229
CVE-2024-21885
CVE-2024-21886
CVE-2024-0408
CVE-2024-0409

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xserver-xorg/CVE-2023-6816.patch          |  55 +++++
 .../xserver-xorg/CVE-2024-0229-1.patch        |  87 +++++++
 .../xserver-xorg/CVE-2024-0229-2.patch        | 221 ++++++++++++++++++
 .../xserver-xorg/CVE-2024-0229-3.patch        |  41 ++++
 .../xserver-xorg/CVE-2024-0229-4.patch        |  45 ++++
 .../xserver-xorg/CVE-2024-0408.patch          |  64 +++++
 .../xserver-xorg/CVE-2024-0409.patch          |  46 ++++
 .../xserver-xorg/CVE-2024-21885.patch         | 113 +++++++++
 .../xserver-xorg/CVE-2024-21886-1.patch       |  74 ++++++
 .../xserver-xorg/CVE-2024-21886-2.patch       |  57 +++++
 .../xorg-xserver/xserver-xorg_1.20.14.bb      |  10 +
 11 files changed, 813 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
new file mode 100644
index 0000000000..0bfff268e7
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
@@ -0,0 +1,55 @@
+From 9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 14 Dec 2023 11:29:49 +1000
+Subject: [PATCH] dix: allocate enough space for logical button maps
+
+Both DeviceFocusEvent and the XIQueryPointer reply contain a bit for
+each logical button currently down. Since buttons can be arbitrarily mapped
+to anything up to 255 make sure we have enough bits for the maximum mapping.
+
+CVE-2023-6816, ZDI-CAN-22664, ZDI-CAN-22665
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3]
+CVE: CVE-2023-6816
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xiquerypointer.c | 3 +--
+ dix/enterleave.c    | 5 +++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Xi/xiquerypointer.c b/Xi/xiquerypointer.c
+index 5b77b1a444..2b05ac5f39 100644
+--- a/Xi/xiquerypointer.c
++++ b/Xi/xiquerypointer.c
+@@ -149,8 +149,7 @@ ProcXIQueryPointer(ClientPtr client)
+     if (pDev->button) {
+         int i;
+ 
+-        rep.buttons_len =
+-            bytes_to_int32(bits_to_bytes(pDev->button->numButtons));
++        rep.buttons_len = bytes_to_int32(bits_to_bytes(256)); /* button map up to 255 */
+         rep.length += rep.buttons_len;
+         buttons = calloc(rep.buttons_len, 4);
+         if (!buttons)
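Review bot: the literal 256 in `bits_to_bytes(256)` is repeated in the dix/enterleave.c hunk of this same patch, each time explained only by a local comment. A shared named constant for the maximum logical button mapping would keep the reply size and the event size from drifting apart. Since this is a straight backport, that is a point to raise upstream rather than a reason to diverge here.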
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 867ec74363..ded8679d76 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -784,8 +784,9 @@ DeviceFocusEvent(DeviceIntPtr dev, int type, int mode, int detail,
+ 
+     mouse = IsFloating(dev) ? dev : GetMaster(dev, MASTER_POINTER);
+ 
+-    /* XI 2 event */
+-    btlen = (mouse->button) ? bits_to_bytes(mouse->button->numButtons) : 0;
++    /* XI 2 event contains the logical button map - maps are CARD8
++     * so we need 256 bits for the possibly maximum mapping */
++    btlen = (mouse->button) ? bits_to_bytes(256) : 0;
+     btlen = bytes_to_int32(btlen);
+     len = sizeof(xXIFocusInEvent) + btlen * 4;
+ 
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
new file mode 100644
index 0000000000..80ebc64e59
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
@@ -0,0 +1,87 @@
+From ece23be888a93b741aa1209d1dbf64636109d6a5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 14:27:50 +1000
+Subject: [PATCH] dix: Allocate sufficient xEvents for our DeviceStateNotify
+
+If a device has both a button class and a key class and numButtons is
+zero, we can get an OOB write due to event under-allocation.
+
+This function seems to assume a device has either keys or buttons, not
+both. It has two virtually identical code paths, both of which assume
+they're applying to the first event in the sequence.
+
+A device with both a key and button class triggered a logic bug - only
+one xEvent was allocated but the deviceStateNotify pointer was pushed on
+once per type. So effectively this logic code:
+
+   int count = 1;
+   if (button && nbuttons > 32) count++;
+   if (key && nbuttons > 0) count++;
+   if (key && nkeys > 32) count++; // this is basically always true
+   // count is at 2 for our keys + zero button device
+
+   ev = alloc(count * sizeof(xEvent));
+   FixDeviceStateNotify(ev);
+   if (button)
+     FixDeviceStateNotify(ev++);
+   if (key)
+     FixDeviceStateNotify(ev++);   // santa drops into the wrong chimney here
+
+If the device has more than 3 valuators, the OOB is pushed back - we're
+off by one so it will happen when the last deviceValuator event is
+written instead.
+
+Fix this by allocating the maximum number of events we may allocate.
+Note that the current behavior is not protocol-correct anyway, this
+patch fixes only the allocation issue.
+
+Note that this issue does not trigger if the device has at least one
+button. While the server does not prevent a button class with zero
+buttons, it is very unlikely.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/enterleave.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index ded8679d76..17964b00a4 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -675,7 +675,8 @@ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
+     int evcount = 1;
+-    deviceStateNotify *ev, *sev;
++    deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
++    deviceStateNotify *ev;
+     deviceKeyStateNotify *kev;
+     deviceButtonStateNotify *bev;
+ 
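Review bot: `sev[6 + (MAX_VALUATORS + 2)/3]` moves the event buffer onto the stack without a comment on what the 6 and the `/3` stand for. One line naming the events the 6 covers, and stating that valuators go out three per event at this point in the series, would let a reader check the bound against the evcount logic that follows.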
+@@ -714,7 +715,7 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+         }
+     }
+ 
+-    sev = ev = xallocarray(evcount, sizeof(xEvent));
++    ev = sev;
+     FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+ 
+     if (b != NULL) {
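Review bot: `ev = sev;` drops the allocation that was sized by evcount, and nothing in this patch checks evcount or the `ev++` walk against the fixed size of sev. The only check on it arrives as `BUG_RETURN(evcount <= ARRAY_SIZE(sev));` in CVE-2024-0229-2.patch, so the recipe has to carry the -1 and -2 patches together and in that order. That dependency is worth stating in the commit message.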
+@@ -770,7 +771,6 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ 
+     DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
+                           DeviceStateNotifyMask, NullGrab);
+-    free(sev);
+ }
+ 
+ void
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch
new file mode 100644
index 0000000000..65df74376b
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch
@@ -0,0 +1,221 @@
+From 219c54b8a3337456ce5270ded6a67bcde53553d5 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Mon, 18 Dec 2023 12:26:20 +1000
+Subject: [PATCH] dix: fix DeviceStateNotify event calculation
+
+The previous code only made sense if one considers buttons and keys to
+be mutually exclusive on a device. That is not necessarily true, causing
+a number of issues.
+
+This function allocates and fills in the number of xEvents we need to
+send the device state down the wire.  This is split across multiple
+32-byte devices including one deviceStateNotify event and optional
+deviceKeyStateNotify, deviceButtonStateNotify and (possibly multiple)
+deviceValuator events.
+
+The previous behavior would instead compose a sequence
+of [state, buttonstate, state, keystate, valuator...]. This is not
+protocol correct, and on top of that made the code extremely convoluted.
+
+Fix this by streamlining: add both button and key into the deviceStateNotify
+and then append the key state and button state, followed by the
+valuators. Finally, the deviceValuator events contain up to 6 valuators
+per event but we only ever sent through 3 at a time. Let's double that
+troughput.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/enterleave.c | 121 ++++++++++++++++++++---------------------------
+ 1 file changed, 52 insertions(+), 69 deletions(-)
+
+diff --git a/dix/enterleave.c b/dix/enterleave.c
+index 17964b00a4..7b7ba1098b 100644
+--- a/dix/enterleave.c
++++ b/dix/enterleave.c
+@@ -615,9 +615,15 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+ 
+     ev->type = DeviceValuator;
+     ev->deviceid = dev->id;
+-    ev->num_valuators = nval < 3 ? nval : 3;
++    ev->num_valuators = nval < 6 ? nval : 6;
+     ev->first_valuator = first;
+     switch (ev->num_valuators) {
++    case 6:
++        ev->valuator2 = v->axisVal[first + 5];
++    case 5:
++        ev->valuator2 = v->axisVal[first + 4];
++    case 4:
++        ev->valuator2 = v->axisVal[first + 3];
+     case 3:
+         ev->valuator2 = v->axisVal[first + 2];
+     case 2:
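Review bot: the three new cases all assign to `ev->valuator2` (`case 6:`, `case 5:` and `case 4:`), and the fall-through into `case 3:` then overwrites valuator2 once more. axisVal[first + 3] through axisVal[first + 5] therefore never reach their own fields, although num_valuators can now be 6, so a client reads whatever the buffer held for the 4th to 6th values. The cases should store into valuator5, valuator4 and valuator3 respectively. Please check whether upstream has a follow-up commit for this and carry it with the backport.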
+@@ -626,7 +632,6 @@ FixDeviceValuator(DeviceIntPtr dev, deviceValuator * ev, ValuatorClassPtr v,
+         ev->valuator0 = v->axisVal[first];
+         break;
+     }
+-    first += ev->num_valuators;
+ }
+ 
+ static void
+@@ -646,7 +651,7 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+         ev->num_buttons = b->numButtons;
+         memcpy((char *) ev->buttons, (char *) b->down, 4);
+     }
+-    else if (k) {
++    if (k) {
+         ev->classes_reported |= (1 << KeyClass);
+         ev->num_keys = k->xkbInfo->desc->max_key_code -
+             k->xkbInfo->desc->min_key_code;
+@@ -670,15 +675,26 @@ FixDeviceStateNotify(DeviceIntPtr dev, deviceStateNotify * ev, KeyClassPtr k,
+     }
+ }
+ 
+-
++/**
++ * The device state notify event is split across multiple 32-byte events.
++ * The first one contains the first 32 button state bits, the first 32
++ * key state bits, and the first 3 valuator values.
++ *
++ * If a device has more than that, the server sends out:
++ * - one deviceButtonStateNotify for buttons 32 and above
++ * - one deviceKeyStateNotify for keys 32 and above
++ * - one deviceValuator event per 6 valuators above valuator 4
++ *
++ * All events but the last one have the deviceid binary ORed with MORE_EVENTS,
++ */
+ static void
+ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ {
++    /* deviceStateNotify, deviceKeyStateNotify, deviceButtonStateNotify
++     * and one deviceValuator for each 6 valuators */
++    deviceStateNotify sev[3 + (MAX_VALUATORS + 6)/6];
+     int evcount = 1;
+-    deviceStateNotify sev[6 + (MAX_VALUATORS + 2)/3];
+-    deviceStateNotify *ev;
+-    deviceKeyStateNotify *kev;
+-    deviceButtonStateNotify *bev;
++    deviceStateNotify *ev = sev;
+ 
+     KeyClassPtr k;
+     ButtonClassPtr b;
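Review bot: the new doc comment contradicts itself on the valuator split. It says the first event holds "the first 3 valuator values" and then describes "one deviceValuator event per 6 valuators above valuator 4". The code later in the patch uses `first = 3; nval -= 3;`, so the second statement should read "above the first 3". The closing sentence also ends in a comma after MORE_EVENTS.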
+@@ -691,82 +707,49 @@ DeliverStateNotifyEvent(DeviceIntPtr dev, WindowPtr win)
+ 
+     if ((b = dev->button) != NULL) {
+         nbuttons = b->numButtons;
+-        if (nbuttons > 32)
++        if (nbuttons > 32) /* first 32 are encoded in deviceStateNotify */
+             evcount++;
+     }
+     if ((k = dev->key) != NULL) {
+         nkeys = k->xkbInfo->desc->max_key_code - k->xkbInfo->desc->min_key_code;
+-        if (nkeys > 32)
++        if (nkeys > 32) /* first 32 are encoded in deviceStateNotify */
+             evcount++;
+-        if (nbuttons > 0) {
+-            evcount++;
+-        }
+     }
+     if ((v = dev->valuator) != NULL) {
+         nval = v->numAxes;
+-
+-        if (nval > 3)
+-            evcount++;
+-        if (nval > 6) {
+-            if (!(k && b))
+-                evcount++;
+-            if (nval > 9)
+-                evcount += ((nval - 7) / 3);
+-        }
++        /* first three are encoded in deviceStateNotify, then
++         * it's 6 per deviceValuator event */
++        evcount += ((nval - 3) + 6)/6;
+     }
+ 
+-    ev = sev;
+-    FixDeviceStateNotify(dev, ev, NULL, NULL, NULL, first);
+-
+-    if (b != NULL) {
+-        FixDeviceStateNotify(dev, ev++, NULL, b, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nbuttons > 32) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            bev = (deviceButtonStateNotify *) ev++;
+-            bev->type = DeviceButtonStateNotify;
+-            bev->deviceid = dev->id;
+-            memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
+-                   DOWN_LENGTH - 4);
+-        }
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
++    BUG_RETURN(evcount <= ARRAY_SIZE(sev));
++
++    FixDeviceStateNotify(dev, ev, k, b, v, first);
++
++    if (b != NULL && nbuttons > 32) {
++        deviceButtonStateNotify *bev = (deviceButtonStateNotify *) ++ev;
++        (ev - 1)->deviceid |= MORE_EVENTS;
++        bev->type = DeviceButtonStateNotify;
++        bev->deviceid = dev->id;
++        memcpy((char *) &bev->buttons[4], (char *) &b->down[4],
++               DOWN_LENGTH - 4);
+     }
+ 
+-    if (k != NULL) {
+-        FixDeviceStateNotify(dev, ev++, k, NULL, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nkeys > 32) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            kev = (deviceKeyStateNotify *) ev++;
+-            kev->type = DeviceKeyStateNotify;
+-            kev->deviceid = dev->id;
+-            memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+-        }
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
++    if (k != NULL && nkeys > 32) {
++        deviceKeyStateNotify *kev = (deviceKeyStateNotify *) ++ev;
++        (ev - 1)->deviceid |= MORE_EVENTS;
++        kev->type = DeviceKeyStateNotify;
++        kev->deviceid = dev->id;
++        memmove((char *) &kev->keys[0], (char *) &k->down[4], 28);
+     }
+ 
++    first = 3;
++    nval -= 3;
+     while (nval > 0) {
+-        FixDeviceStateNotify(dev, ev++, NULL, NULL, v, first);
+-        first += 3;
+-        nval -= 3;
+-        if (nval > 0) {
+-            (ev - 1)->deviceid |= MORE_EVENTS;
+-            FixDeviceValuator(dev, (deviceValuator *) ev++, v, first);
+-            first += 3;
+-            nval -= 3;
+-        }
++        ev->deviceid |= MORE_EVENTS;
++        FixDeviceValuator(dev, (deviceValuator *) ++ev, v, first);
++        first += 6;
++        nval -= 6;
+     }
+ 
+     DeliverEventsToWindow(dev, win, (xEvent *) sev, evcount,
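Review bot: `evcount += ((nval - 3) + 6)/6;` counts one deviceValuator event too many whenever nval - 3 is a multiple of 6. For nval = 3 it adds 1, yet after `nval -= 3` the `while (nval > 0)` loop writes no valuator event at all; for nval = 9 it adds 2 and the loop writes one. DeliverEventsToWindow() is then handed an evcount that includes an entry of the stack array sev that was never filled in. A ceiling division, `((nval - 3) + 5)/6`, matches what the loop writes for every nval >= 0.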
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
new file mode 100644
index 0000000000..742c122fa8
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
@@ -0,0 +1,41 @@
+From df3c65706eb169d5938df0052059f3e0d5981b74 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 13:48:10 +1000
+Subject: [PATCH] Xi: when creating a new ButtonClass, set the number of
+ buttons
+
+There's a racy sequence where a master device may copy the button class
+from the slave, without ever initializing numButtons. This leads to a
+device with zero buttons but a button class which is invalid.
+
+Let's copy the numButtons value from the source - by definition if we
+don't have a button class yet we do not have any other slave devices
+with more than this number of buttons anyway.
+
+CVE-2024-0229, ZDI-CAN-22678
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/exevents.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Xi/exevents.c b/Xi/exevents.c
+index 54ea11a938..e161714682 100644
+--- a/Xi/exevents.c
++++ b/Xi/exevents.c
+@@ -605,6 +605,7 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to)
+                 to->button = calloc(1, sizeof(ButtonClassRec));
+                 if (!to->button)
+                     FatalError("[Xi] no memory for class shift.\n");
++                to->button->numButtons = from->button->numButtons;
+             }
+             else
+                 classes->button = NULL;
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch
new file mode 100644
index 0000000000..d1a6214793
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch
@@ -0,0 +1,45 @@
+From 37539cb0bfe4ed96d4499bf371e6b1a474a740fe Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 21 Dec 2023 14:10:11 +1000
+Subject: [PATCH] Xi: require a pointer and keyboard device for
+ XIAttachToMaster
+
+If we remove a master device and specify which other master devices
+attached slaves should be returned to, enforce that those two are
+indeeed a pointer and a keyboard.
+
+Otherwise we can try to attach the keyboards to pointers and vice versa,
+leading to possible crashes later.
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/37539cb0bfe4ed96d4499bf371e6b1a474a740fe]
+CVE: CVE-2024-0229
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xichangehierarchy.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index 504defe566..d2d985848d 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -270,7 +270,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+         if (rc != Success)
+             goto unwind;
+ 
+-        if (!IsMaster(newptr)) {
++        if (!IsMaster(newptr) || !IsPointerDevice(newptr)) {
+             client->errorValue = r->return_pointer;
+             rc = BadDevice;
+             goto unwind;
+@@ -281,7 +281,7 @@ remove_master(ClientPtr client, xXIRemoveMasterInfo * r, int flags[MAXDEVICES])
+         if (rc != Success)
+             goto unwind;
+ 
+-        if (!IsMaster(newkeybd)) {
++        if (!IsMaster(newkeybd) || !IsKeyboardDevice(newkeybd)) {
+             client->errorValue = r->return_keyboard;
+             rc = BadDevice;
+             goto unwind;
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch
new file mode 100644
index 0000000000..c8f75d8a7e
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch
@@ -0,0 +1,64 @@
+From e5e8586a12a3ec915673edffa10dc8fe5e15dac3 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 12:09:41 +0100
+Subject: [PATCH] glx: Call XACE hooks on the GLX buffer
+
+The XSELINUX code will label resources at creation by checking the
+access mode. When the access mode is DixCreateAccess, it will call the
+function to label the new resource SELinuxLabelResource().
+
+However, GLX buffers do not go through the XACE hooks when created,
+hence leaving the resource actually unlabeled.
+
+When, later, the client tries to create another resource using that
+drawable (like a GC for example), the XSELINUX code would try to use
+the security ID of that object which has never been labeled, get a NULL
+pointer and crash when checking whether the requested permissions are
+granted for subject security ID.
+
+To avoid the issue, make sure to call the XACE hooks when creating the
+GLX buffers.
+
+Credit goes to Donn Seeley <donn@xmission.com> for providing the patch.
+
+CVE-2024-0408
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/e5e8586a12a3ec915673edffa10dc8fe5e15dac3]
+CVE: CVE-2024-0408
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ glx/glxcmds.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/glx/glxcmds.c b/glx/glxcmds.c
+index fc26a2e345..1e46d0c723 100644
+--- a/glx/glxcmds.c
++++ b/glx/glxcmds.c
+@@ -48,6 +48,7 @@
+ #include "indirect_util.h"
+ #include "protocol-versions.h"
+ #include "glxvndabi.h"
++#include "xace.h"
+ 
+ static char GLXServerVendorName[] = "SGI";
+ 
+@@ -1392,6 +1393,13 @@ DoCreatePbuffer(ClientPtr client, int screenNum, XID fbconfigId,
+     if (!pPixmap)
+         return BadAlloc;
+ 
++    err = XaceHook(XACE_RESOURCE_ACCESS, client, glxDrawableId, RT_PIXMAP,
++                   pPixmap, RT_NONE, NULL, DixCreateAccess);
++    if (err != Success) {
++        (*pGlxScreen->pScreen->DestroyPixmap) (pPixmap);
++        return err;
++    }
++
+     /* Assign the pixmap the same id as the pbuffer and add it as a
+      * resource so it and the DRI2 drawable will be reclaimed when the
+      * pbuffer is destroyed. */
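Review bot: the added block assigns to `err`, which is not declared anywhere in the visible context of DoCreatePbuffer(). Because this is a backport onto 1.20.14, please confirm the function already has that variable in this tree. The error path itself reads correctly: the pixmap is destroyed before the hook's error is returned.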
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
new file mode 100644
index 0000000000..9763e0b562
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
@@ -0,0 +1,46 @@
+From 2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 6 Dec 2023 11:51:56 +0100
+Subject: [PATCH] ephyr,xwayland: Use the proper private key for cursor
+
+The cursor in DIX is actually split in two parts, the cursor itself and
+the cursor bits, each with their own devPrivates.
+
+The cursor itself includes the cursor bits, meaning that the cursor bits
+devPrivates in within structure of the cursor.
+
+Both Xephyr and Xwayland were using the private key for the cursor bits
+to store the data for the cursor, and when using XSELINUX which comes
+with its own special devPrivates, the data stored in that cursor bits'
+devPrivates would interfere with the XSELINUX devPrivates data and the
+SELINUX security ID would point to some other unrelated data, causing a
+crash in the XSELINUX code when trying to (re)use the security ID.
+
+CVE-2024-0409
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7]
+CVE: CVE-2024-0409
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ hw/kdrive/ephyr/ephyrcursor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/kdrive/ephyr/ephyrcursor.c b/hw/kdrive/ephyr/ephyrcursor.c
+index f991899..3f192d0 100644
+--- a/hw/kdrive/ephyr/ephyrcursor.c
++++ b/hw/kdrive/ephyr/ephyrcursor.c
+@@ -246,7 +246,7 @@ miPointerSpriteFuncRec EphyrPointerSpriteFuncs = {
+ Bool
+ ephyrCursorInit(ScreenPtr screen)
+ {
+-    if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR_BITS,
++    if (!dixRegisterPrivateKey(&ephyrCursorPrivateKey, PRIVATE_CURSOR,
+                                sizeof(ephyrCursorRec)))
+         return FALSE;
+ 
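Review bot: the subject says "ephyr,xwayland", but the diffstat and this hunk only touch hw/kdrive/ephyr/ephyrcursor.c, and the trailer is a git version (2.25.1) where the sibling patches end in "GitLab". The file was evidently regenerated with the xwayland part left out, and the patch header should say so, for example with a short note next to Upstream-Status that the xwayland change was dropped and why.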
+-- 
+2.25.1
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
new file mode 100644
index 0000000000..7c8fbcc3ec
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
@@ -0,0 +1,113 @@
+From 4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Thu, 4 Jan 2024 10:01:24 +1000
+Subject: [PATCH] Xi: flush hierarchy events after adding/removing master
+ devices
+
+The `XISendDeviceHierarchyEvent()` function allocates space to store up
+to `MAXDEVICES` (256) `xXIHierarchyInfo` structures in `info`.
+
+If a device with a given ID was removed and a new device with the same
+ID added both in the same operation, the single device ID will lead to
+two info structures being written to `info`.
+
+Since this case can occur for every device ID at once, a total of two
+times `MAXDEVICES` info structures might be written to the allocation.
+
+To avoid it, once one add/remove master is processed, send out the
+device hierarchy event for the current state and continue. That event
+thus only ever has exactly one of either added/removed in it (and
+optionally slave attached/detached).
+
+CVE-2024-21885, ZDI-CAN-22744
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1]
+CVE: CVE-2024-21885
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ Xi/xichangehierarchy.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/Xi/xichangehierarchy.c b/Xi/xichangehierarchy.c
+index d2d985848d..72d00451e3 100644
+--- a/Xi/xichangehierarchy.c
++++ b/Xi/xichangehierarchy.c
+@@ -416,6 +416,11 @@ ProcXIChangeHierarchy(ClientPtr client)
+     size_t len;			/* length of data remaining in request */
+     int rc = Success;
+     int flags[MAXDEVICES] = { 0 };
++    enum {
++        NO_CHANGE,
++        FLUSH,
++        CHANGED,
++    } changes = NO_CHANGE;
+ 
+     REQUEST(xXIChangeHierarchyReq);
+     REQUEST_AT_LEAST_SIZE(xXIChangeHierarchyReq);
+@@ -465,8 +470,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = add_master(client, c, flags);
+             if (rc != Success)
+                 goto unwind;
+-        }
++            changes = FLUSH;
+             break;
++        }
+         case XIRemoveMaster:
+         {
+             xXIRemoveMasterInfo *r = (xXIRemoveMasterInfo *) any;
+@@ -475,8 +481,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = remove_master(client, r, flags);
+             if (rc != Success)
+                 goto unwind;
+-        }
++            changes = FLUSH;
+             break;
++        }
+         case XIDetachSlave:
+         {
+             xXIDetachSlaveInfo *c = (xXIDetachSlaveInfo *) any;
+@@ -485,8 +492,9 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = detach_slave(client, c, flags);
+             if (rc != Success)
+                 goto unwind;
+-        }
++            changes = CHANGED;
+             break;
++        }
+         case XIAttachSlave:
+         {
+             xXIAttachSlaveInfo *c = (xXIAttachSlaveInfo *) any;
+@@ -495,16 +503,25 @@ ProcXIChangeHierarchy(ClientPtr client)
+             rc = attach_slave(client, c, flags);
+             if (rc != Success)
+                 goto unwind;
++            changes = CHANGED;
++            break;
+         }
++        default:
+             break;
+         }
+ 
++        if (changes == FLUSH) {
++            XISendDeviceHierarchyEvent(flags);
++            memset(flags, 0, sizeof(flags));
++            changes = NO_CHANGE;
++        }
++
+         len -= any->length * 4;
+         any = (xXIAnyHierarchyChangeInfo *) ((char *) any + any->length * 4);
+     }
+ 
+  unwind:
+-
+-    XISendDeviceHierarchyEvent(flags);
++    if (changes != NO_CHANGE)
++        XISendDeviceHierarchyEvent(flags);
+     return rc;
+ }
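Review bot: at `unwind:` the hierarchy event used to be sent unconditionally; with `if (changes != NO_CHANGE)` it is now skipped when add_master() or remove_master() fails, because those paths `goto unwind` before `changes = FLUSH;` is reached. If either helper can set bits in flags before it returns an error, clients are no longer told about that partial change. Please confirm against the helpers, or record the change before the `rc != Success` test.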
+-- 
+GitLab
+
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
new file mode 100644
index 0000000000..1e1c782963
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
@@ -0,0 +1,74 @@
+From bc1fdbe46559dd947674375946bbef54dd0ce36b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jexposit@redhat.com>
+Date: Fri, 22 Dec 2023 18:28:31 +0100
+Subject: [PATCH] Xi: do not keep linked list pointer during recursion
+
+The `DisableDevice()` function is called whenever an enabled device
+is disabled and it moves the device from the `inputInfo.devices` linked
+list to the `inputInfo.off_devices` linked list.
+
+However, its link/unlink operation has an issue during the recursive
+call to `DisableDevice()` due to the `prev` pointer pointing to a
+removed device.
+
+This issue leads to a length mismatch between the total number of
+devices and the number of device in the list, leading to a heap
+overflow and, possibly, to local privilege escalation.
+
+Simplify the code that checked whether the device passed to
+`DisableDevice()` was in `inputInfo.devices` or not and find the
+previous device after the recursion.
+
+CVE-2024-21886, ZDI-CAN-22840
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/devices.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index dca98c8d1b..389d28a23c 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -453,14 +453,20 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+ {
+     DeviceIntPtr *prev, other;
+     BOOL enabled;
++    BOOL dev_in_devices_list = FALSE;
+     int flags[MAXDEVICES] = { 0 };
+ 
+     if (!dev->enabled)
+         return TRUE;
+ 
+-    for (prev = &inputInfo.devices;
+-         *prev && (*prev != dev); prev = &(*prev)->next);
+-    if (*prev != dev)
++    for (other = inputInfo.devices; other; other = other->next) {
++        if (other == dev) {
++            dev_in_devices_list = TRUE;
++            break;
++        }
++    }
++
++    if (!dev_in_devices_list)
+         return FALSE;
+ 
+     TouchEndPhysicallyActiveTouches(dev);
+@@ -511,6 +517,9 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+     LeaveWindow(dev);
+     SetFocusOut(dev);
+ 
++    for (prev = &inputInfo.devices;
++         *prev && (*prev != dev); prev = &(*prev)->next);
++
+     *prev = dev->next;
+     dev->next = inputInfo.off_devices;
+     inputInfo.off_devices = dev;
+-- 
+GitLab
+
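Review bot: the second hunk re-runs the `prev` search after the recursion but drops the guard the old code had; the removed lines returned FALSE when `*prev != dev`, while the new loop is followed directly by `*prev = dev->next;`. If `dev` were no longer on `inputInfo.devices` at that point, the loop would stop at the tail with `*prev == NULL` and the assignment would splice `dev->next` onto the end of the list. The membership test in the first hunk runs before the recursion, so it does not cover this; consider an `if (*prev != dev)` check or an assertion after the loop, or a comment stating why `dev` cannot leave the list in between. Style: the empty-body `for` ending in `;` on the same line is easy to misread; a `;` on its own line would be clearer, though it matches the code that was removed.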
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch
new file mode 100644
index 0000000000..af607df4f0
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch
@@ -0,0 +1,57 @@
+From 26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Fri, 5 Jan 2024 09:40:27 +1000
+Subject: [PATCH] dix: when disabling a master, float disabled slaved devices
+ too
+
+Disabling a master device floats all slave devices but we didn't do this
+to already-disabled slave devices. As a result those devices kept their
+reference to the master device resulting in access to already freed
+memory if the master device was removed before the corresponding slave
+device.
+
+And to match this behavior, also forcibly reset that pointer during
+CloseDownDevices().
+
+Related to CVE-2024-21886, ZDI-CAN-22840
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8]
+CVE: CVE-2024-21886
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ dix/devices.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 389d28a23c..84a6406d13 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -483,6 +483,13 @@ DisableDevice(DeviceIntPtr dev, BOOL sendevent)
+                 flags[other->id] |= XISlaveDetached;
+             }
+         }
++
++        for (other = inputInfo.off_devices; other; other = other->next) {
++            if (!IsMaster(other) && GetMaster(other, MASTER_ATTACHED) == dev) {
++                AttachDevice(NULL, other, NULL);
++                flags[other->id] |= XISlaveDetached;
++            }
++        }
+     }
+     else {
+         for (other = inputInfo.devices; other; other = other->next) {
+@@ -1088,6 +1095,11 @@ CloseDownDevices(void)
+             dev->master = NULL;
+     }
+ 
++    for (dev = inputInfo.off_devices; dev; dev = dev->next) {
++        if (!IsMaster(dev) && !IsFloating(dev))
++            dev->master = NULL;
++    }
++
+     CloseDeviceList(&inputInfo.devices);
+     CloseDeviceList(&inputInfo.off_devices);
+ 
+-- 
+GitLab
+
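Review bot: in the DisableDevice() hunk the added loop ignores the return value of `AttachDevice(NULL, other, NULL)` and sets `flags[other->id] |= XISlaveDetached` unconditionally, so a failed detach would still be reported as detached and would leave the stale master reference this patch is meant to clear. Either check the result before setting the flag or add a comment that floating a slave cannot fail here. The CloseDownDevices() hunk clears `dev->master` directly instead; a short comment on both loops explaining that disabled slaves must not keep a reference to a master that may be freed first (as the commit message says) would keep the two sites from drifting apart.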
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
index 4fdf3a0ec3..d6c6c5bd45 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb
@@ -20,6 +20,16 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
            file://CVE-2023-5380.patch \
            file://CVE-2023-6377.patch \
            file://CVE-2023-6478.patch \
+           file://CVE-2023-6816.patch \
+           file://CVE-2024-0229-1.patch \
+           file://CVE-2024-0229-2.patch \
+           file://CVE-2024-0229-3.patch \
+           file://CVE-2024-0229-4.patch \
+           file://CVE-2024-21885.patch \
+           file://CVE-2024-21886-1.patch \
+           file://CVE-2024-21886-2.patch \
+           file://CVE-2024-0408.patch \
+           file://CVE-2024-0409.patch \
 "
 SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf"
 SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066"
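Review bot: the order of the added SRC_URI entries matters for the two CVE-2024-21886 patches: CVE-2024-21886-2.patch is generated against dix/devices.c blob 389d28a23c (`index 389d28a23c..84a6406d13`), which is the result of CVE-2024-21886-1.patch (`index dca98c8d1b..389d28a23c`), and both touch DisableDevice(), so -1 has to stay listed before -2 as it is here. CVE-2024-0408 and CVE-2024-0409 follow the higher-numbered 21885/21886 entries; if that mirrors the upstream commit order a short note in the commit message would say so, otherwise numeric order makes the list easier to audit.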
-- 
2.34.1




* [OE-core][dunfell 7/8] opkg: Fix bad memory access error observe in file_read_line_alloc
  2024-01-26 14:20 [OE-core][dunfell 0/8] Patch review Steve Sakoman
                   ` (5 preceding siblings ...)
  2024-01-26 14:20 ` [OE-core][dunfell 6/8] xserver-xorg: Multiple CVE fixes Steve Sakoman
@ 2024-01-26 14:20 ` Steve Sakoman
  2024-01-26 14:20 ` [OE-core][dunfell 8/8] systemtap: Fix build with gcc-12 Steve Sakoman
  7 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2024-01-26 14:20 UTC (permalink / raw)
  To: openembedded-core

From: virendra thakur <thakur.virendra1810@gmail.com>

In the case of a zero length string being returned by fgets(), the condition
checking for a trailing new line would perform a bad memory access outside
of `buf`. This might happen when a line with a leading null byte is read.

Avoid this case by checking that the string has a length of at least one
byte.

Link: https://github.com/ndmsystems/opkg/commit/8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba

Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...possible-bad-memory-access-in-file_r.patch | 50 +++++++++++++++++++
 meta/recipes-devtools/opkg/opkg_0.4.2.bb      |  1 +
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch

diff --git a/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch
new file mode 100644
index 0000000000..bec21e67f4
--- /dev/null
+++ b/meta/recipes-devtools/opkg/opkg/0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch
@@ -0,0 +1,50 @@
+From 8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba Mon Sep 17 00:00:00 2001
+From: Jo-Philipp Wich <jo@mein.io>
+Date: Wed, 1 Apr 2020 21:47:40 +0200
+Subject: [PATCH 001/104] file_util.c: fix possible bad memory access in
+ file_read_line_alloc()
+
+In the case of a zero length string being returned by fgets(), the condition
+checking for a trailing new line would perform a bad memory access outside
+of `buf`. This might happen when line with a leading null byte is read.
+
+Avoid this case by checking that the string has a length of at least one
+byte. Also change the unsigned int types to size_t to store length values
+while we're at it.
+
+Upstream-Status: Backport [https://github.com/ndmsystems/opkg/commit/8b45a3c4cab95382beea1ecdddeb2e4a9ed14aba]
+
+Signed-off-by: Jo-Philipp Wich <jo@mein.io>
+Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
+Signed-off-by: virendra thakur <virendrak@kpit.com>
+---
+ libopkg/file_util.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/libopkg/file_util.c b/libopkg/file_util.c
+index fbed7b4..ee9f59d 100644
+--- a/libopkg/file_util.c
++++ b/libopkg/file_util.c
+@@ -127,17 +127,14 @@ char *file_readlink_alloc(const char *file_name)
+ */
+ char *file_read_line_alloc(FILE * fp)
+ {
++    size_t buf_len, line_size;
+     char buf[BUFSIZ];
+-    unsigned int buf_len;
+     char *line = NULL;
+-    unsigned int line_size = 0;
+     int got_nl = 0;
+ 
+-    buf[0] = '\0';
+-
+     while (fgets(buf, BUFSIZ, fp)) {
+         buf_len = strlen(buf);
+-        if (buf[buf_len - 1] == '\n') {
++        if (buf_len > 0 && buf[buf_len - 1] == '\n') {
+             buf_len--;
+             buf[buf_len] = '\0';
+             got_nl = 1;
+-- 
+2.25.1
+
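Review bot: `line_size` loses its initializer at the top of the hunk (`unsigned int line_size = 0;` becomes `size_t buf_len, line_size;`), and the part of file_read_line_alloc() that uses it is not in the hunk, so check in the opkg 0.4.2 source that every path assigns `line_size` before reading it; writing `size_t line_size = 0;` would remove the question. The same goes for dropping `buf[0] = '\0';`, which is safe only if `buf` is never read unless `fgets()` succeeded. The `buf_len > 0 &&` guard itself is correct for the zero-length case described. The outer commit message leaves out the sentence about the `size_t` change that the embedded upstream message carries; mentioning it would match what the diff does.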
diff --git a/meta/recipes-devtools/opkg/opkg_0.4.2.bb b/meta/recipes-devtools/opkg/opkg_0.4.2.bb
index 55be6547c0..3ebc27c8ee 100644
--- a/meta/recipes-devtools/opkg/opkg_0.4.2.bb
+++ b/meta/recipes-devtools/opkg/opkg_0.4.2.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz
            file://opkg.conf \
            file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \
            file://sourcedateepoch.patch \
+           file://0001-file_util.c-fix-possible-bad-memory-access-in-file_r.patch \
            file://run-ptest \
 "
 
-- 
2.34.1




* [OE-core][dunfell 8/8] systemtap: Fix build with gcc-12
  2024-01-26 14:20 [OE-core][dunfell 0/8] Patch review Steve Sakoman
                   ` (6 preceding siblings ...)
  2024-01-26 14:20 ` [OE-core][dunfell 7/8] opkg: Fix bad memory access error observe in file_read_line_alloc Steve Sakoman
@ 2024-01-26 14:20 ` Steve Sakoman
  7 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2024-01-26 14:20 UTC (permalink / raw)
  To: openembedded-core

From: Khem Raj <raj.khem@gmail.com>

Backport a patch to fix
| ../git/util.cxx:1766:56: error: 'std::pointer_to_unary_function<_Arg, _Result> std::ptr_fun(_Result (*)(_Arg)) [with _Arg = int; _Result = int]' is deprecated: use 'std::function' instead [-Werror=deprecated-declarations]
|  1766 |                        std::not1(std::ptr_fun<int, int>(std::isspace))));
|       |                                  ~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0b360d12203aafd8bf96433d11221a6ed910a11f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...ility-re-tweak-for-rhel6-use-functio.patch | 49 +++++++++++++++++++
 .../recipes-kernel/systemtap/systemtap_git.bb |  4 +-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch

diff --git a/meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch b/meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch
new file mode 100644
index 0000000000..f885c44460
--- /dev/null
+++ b/meta/recipes-kernel/systemtap/systemtap/0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch
@@ -0,0 +1,49 @@
+From f199d1982ef8a6c6d5c06c082d057b8793bcc6aa Mon Sep 17 00:00:00 2001
+From: Serhei Makarov <serhei@serhei.io>
+Date: Fri, 21 Jan 2022 18:21:46 -0500
+Subject: [PATCH] gcc12 c++ compatibility re-tweak for rhel6: use function
+ pointer instead of lambdas instead of ptr_fun<>
+
+Saving 2 lines in ltrim/rtrim is probably not a good reason to drop
+compatibility with the RHEL6 system compiler.  Actually declaring a
+named function and passing the function pointer is compatible with
+everything.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=systemtap.git;a=commit;h=f199d1982ef8a6c6d5c06c082d057b8793bcc6aa]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ util.cxx | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/util.cxx
++++ b/util.cxx
+@@ -1757,21 +1757,24 @@ flush_to_stream (const string &fname, os
+   return 1; // Failure
+ }
+ 
++int
++not_isspace(unsigned char c)
++{
++  return !std::isspace(c);
++}
++
+ // trim from start (in place)
+ void
+ ltrim(std::string &s)
+ {
+-  s.erase(s.begin(),
+-	  std::find_if(s.begin(), s.end(),
+-		       std::not1(std::ptr_fun<int, int>(std::isspace))));
++  s.erase(s.begin(), std::find_if(s.begin(), s.end(), not_isspace));
+ }
+ 
+ // trim from end (in place)
+ void
+ rtrim(std::string &s)
+ {
+-  s.erase(std::find_if(s.rbegin(), s.rend(),
+-	  std::not1(std::ptr_fun<int, int>(std::isspace))).base(), s.end());
++  s.erase(std::find_if(s.rbegin(), s.rend(), not_isspace).base(), s.end());
+ }
+ 
+ // trim from both ends (in place)
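Review bot: `not_isspace()` is added at file scope in util.cxx with external linkage although the visible callers are only `ltrim()` and `rtrim()` in the same file; marking it `static` (or placing it in an unnamed namespace) would avoid exporting a generic name from this translation unit. Taking `unsigned char` is a good choice, since it keeps negative `char` values from reaching `std::isspace()`; a one-line comment saying so would stop someone from later changing the parameter to `char` or `int`.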
diff --git a/meta/recipes-kernel/systemtap/systemtap_git.bb b/meta/recipes-kernel/systemtap/systemtap_git.bb
index bdd8fb83b0..a8b2cf1eac 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.bb
+++ b/meta/recipes-kernel/systemtap/systemtap_git.bb
@@ -6,7 +6,9 @@ HOMEPAGE = "https://sourceware.org/systemtap/"
 
 require systemtap_git.inc
 
-SRC_URI += "file://0001-improve-reproducibility-for-c-compiling.patch"
+SRC_URI += "file://0001-improve-reproducibility-for-c-compiling.patch \
+            file://0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch \
+           "
 
 DEPENDS = "elfutils"
 
-- 
2.34.1




* [OE-core][dunfell 0/8] Patch review
@ 2023-01-11 14:34 Steve Sakoman
  0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2023-01-11 14:34 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back
by end of day Friday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4774

The following changes since commit deb919a693e4371ace649680ca06ca6b6e3da4e2:

  lib/buildstats: fix parsing of trees with reduced_proc_pressure directories (2023-01-06 17:34:50 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Changqing Li (1):
  base.bbclass: Fix way to check ccache path

Chee Yang Lee (1):
  libksba: fix CVE-2022-47629

Hitendra Prajapati (1):
  grub2: Fix CVE-2022-2601 & CVE-2022-3775

Luis (1):
  rm_work.bbclass: use HOSTTOOLS 'rm' binary exclusively

Pavel Zhukov (1):
  oeqa/rpm.py: Increase timeout and add debug output

Steve Sakoman (3):
  ovmf: fix gcc12 warning in GenFfs
  ovmf: fix gcc12 warning in LzmaEnc
  ovmf: fix gcc12 warning for device path handling

 meta/classes/base.bbclass                     |   2 +-
 meta/classes/rm_work.bbclass                  |  15 ++-
 meta/lib/oeqa/runtime/cases/rpm.py            |  23 ++--
 .../grub/files/CVE-2022-2601.patch            |  87 +++++++++++++
 .../grub/files/CVE-2022-3775.patch            |  97 +++++++++++++++
 ...erflow-in-grub_font_get_glyph_intern.patch | 117 ++++++++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |   3 +
 ...1-Basetools-genffs-fix-gcc12-warning.patch |  49 ++++++++
 ...-Basetools-lzmaenc-fix-gcc12-warning.patch |  53 ++++++++
 ...001-Basetools-turn-off-gcc12-warning.patch |  41 ++++++
 meta/recipes-core/ovmf/ovmf_git.bb            |   3 +
 .../libksba/libksba/CVE-2022-47629.patch      |  69 +++++++++++
 meta/recipes-support/libksba/libksba_1.3.5.bb |   4 +-
 13 files changed, 545 insertions(+), 18 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-2601.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-3775.patch
 create mode 100644 meta/recipes-bsp/grub/files/font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-Basetools-genffs-fix-gcc12-warning.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-Basetools-lzmaenc-fix-gcc12-warning.patch
 create mode 100644 meta/recipes-core/ovmf/ovmf/0001-Basetools-turn-off-gcc12-warning.patch
 create mode 100644 meta/recipes-support/libksba/libksba/CVE-2022-47629.patch

-- 
2.25.1




* [OE-core][dunfell 0/8] Patch review
@ 2022-11-06 16:03 Steve Sakoman
  0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2022-11-06 16:03 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4435

The following changes since commit 54bbfe94ae4514386c572564bf221edfdbb2ce38:

  selftest: skip virgl test on all Alma Linux (2022-10-21 06:28:52 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (1):
  tzdata: update to 2022d

Bartosz Golaszewski (1):
  bluez5: add dbus to RDEPENDS

Daniel McGregor (1):
  coreutils: add openssl PACKAGECONFIG

Frank de Brabander (1):
  cve-update-db-native: add timeout to urlopen() calls

Hitendra Prajapati (2):
  golang: CVE-2022-2880 ReverseProxy should not forward unparseable
    query parameters
  libX11: CVE-2022-3554 Fix memory leak

Ranjitsinh Rathod (1):
  expat: Fix CVE-2022-43680 for expat

Teoh Jay Shen (1):
  vim: Upgrade 9.0.0598 -> 9.0.0614

 meta/recipes-connectivity/bluez5/bluez5.inc   |   1 +
 meta/recipes-core/coreutils/coreutils_8.31.bb |   1 +
 .../expat/expat/CVE-2022-43680.patch          |  33 ++++
 meta/recipes-core/expat/expat_2.2.9.bb        |   1 +
 .../recipes-core/meta/cve-update-db-native.bb |   9 +-
 meta/recipes-devtools/go/go-1.14.inc          |   1 +
 .../go/go-1.14/CVE-2022-2880.patch            | 164 ++++++++++++++++++
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../xorg-lib/libx11/CVE-2022-3554.patch       |  58 +++++++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 11 files changed, 272 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-core/expat/expat/CVE-2022-43680.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-2880.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2022-3554.patch

-- 
2.25.1




* [OE-core][dunfell 0/8] Patch review
@ 2022-04-04  2:30 Steve Sakoman
  0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2022-04-04  2:30 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for dunfell and have comments back by end
of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3472

The following changes since commit aa2bb4f62dd7e5c6fdf220264c3d62fbf2cc7d16:

  xserver-xorg: update to 1.20.14 (2022-03-29 11:43:54 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Davide Gardenal (1):
  go: backport patch fix for CVE-2021-38297

Martin Jansa (1):
  boost: fix native build with glibc-2.34

Oleksandr Kravchuk (1):
  tzdata: update to 2022a

Peter Kjellerstedt (1):
  python3-jinja2: Correct HOMEPAGE

Ralph Siemsen (2):
  bluez5: fix CVE-2022-0204
  bind: update to 9.11.37

Richard Purdie (1):
  mirrors: Add missing gitsm entries for yocto/oe mirrors

Ross Burton (1):
  grub: ignore CVE-2021-46705

 meta/classes/mirrors.bbclass                  |  2 +
 meta/recipes-bsp/grub/grub2.inc               |  2 +
 .../bind/{bind_9.11.36.bb => bind_9.11.37.bb} |  4 +-
 meta/recipes-connectivity/bluez5/bluez5.inc   |  1 +
 .../bluez5/bluez5/CVE-2022-0204.patch         | 66 +++++++++++++
 meta/recipes-devtools/go/go-1.14.inc          |  4 +
 .../go/go-1.14/CVE-2021-38297.patch           | 97 +++++++++++++++++++
 .../python/python3-jinja2_2.11.3.bb           |  2 +-
 meta/recipes-extended/timezone/timezone.inc   |  6 +-
 ...e-warning-with-glibc-2.34-on-Linux-p.patch | 32 ++++++
 ...-elide-a-warning-that-caused-Solaris.patch | 24 +++++
 meta/recipes-support/boost/boost_1.72.0.bb    |  2 +
 12 files changed, 236 insertions(+), 6 deletions(-)
 rename meta/recipes-connectivity/bind/{bind_9.11.36.bb => bind_9.11.37.bb} (97%)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2022-0204.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2021-38297.patch
 create mode 100644 meta/recipes-support/boost/boost/0001-Fix-Wsign-compare-warning-with-glibc-2.34-on-Linux-p.patch
 create mode 100644 meta/recipes-support/boost/boost/0001-Revert-change-to-elide-a-warning-that-caused-Solaris.patch

-- 
2.25.1




* [OE-core][dunfell 0/8] Patch review
@ 2020-12-28 14:35 Steve Sakoman
  0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2020-12-28 14:35 UTC (permalink / raw)
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back by
end of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1700

The following changes since commit 02870c7fbaaa1c3869ecb439f5c58fcf40a533be:

  binutils: fix CVE-2020-16592/16598 (2020-12-14 05:58:27 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (2):
  selftest/reproducible: enable world reproducibility test
  selftest/reproducible: add an exclusion list for items that are not
    yet reproducible

Richard Purdie (5):
  grub: Fix build reproducibility issue
  grub: Add second fix for determinism issue
  u-boot-tools: Fix reproducibility issue
  groff: Fix reproducibility issue
  man-db: Avoid reproducibility failures after fixing groff-native

Steve Sakoman (1):
  selftest/reproducible: add packages to exclusion list for dunfell

 meta/lib/oeqa/selftest/cases/reproducible.py  | 96 ++++++++++++++++++-
 meta/recipes-bsp/grub/files/determinism.patch | 40 ++++++++
 meta/recipes-bsp/grub/grub2.inc               |  1 +
 meta/recipes-bsp/u-boot/u-boot-tools.inc      | 15 +++
 meta/recipes-extended/groff/groff_1.22.4.bb   |  2 +-
 meta/recipes-extended/man-db/man-db_2.9.0.bb  |  5 +
 6 files changed, 154 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/determinism.patch

-- 
2.17.1



* [OE-core][dunfell 0/8] Patch review
@ 2020-10-15 14:15 Steve Sakoman
  0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2020-10-15 14:15 UTC (permalink / raw)
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back
by end of day Monday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1478

The following changes since commit 656d2070f8448681cb69a3d43dbae84a681c1a75:

  linux-yocto/5.4: update to v5.4.69 (2020-10-07 13:41:09 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Armin Kuster (1):
  timezone: update to 2020b

Naoki Hayama (1):
  uninative: Fix typo in error message

Richard Purdie (2):
  scripts/oe-build-perf-report: Allow operation with no buildstats
  oe-build-perf-report: Ensure correct data is shown for multiple branch
    options

Steve Sakoman (1):
  Revert "package: get_package_mapping: avoid dependency mapping if
    renamed package provides original name"

Victor Kamensky (2):
  qemu: add 34Kf-64tlb fictitious cpu type
  qemumips: use 34Kf-64tlb CPU emulation

Yoann Congal (1):
  bitbake-bblayers/create: Make the example recipe print its message

 meta/classes/package.bbclass                  |  16 +--
 meta/classes/uninative.bbclass                |   2 +-
 meta/conf/machine/qemumips.conf               |   2 +-
 meta/lib/bblayers/templates/example.bb        |   4 +-
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 ...tlb-fictitious-cpu-type-like-34Kf-bu.patch | 118 ++++++++++++++++++
 meta/recipes-extended/timezone/timezone.inc   |   8 +-
 meta/recipes-extended/timezone/tzdata.bb      |   8 +-
 scripts/oe-build-perf-report                  |   6 +-
 9 files changed, 137 insertions(+), 28 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-mips-add-34Kf-64tlb-fictitious-cpu-type-like-34Kf-bu.patch

-- 
2.17.1



* [OE-core][dunfell 0/8] Patch review
@ 2020-06-02  0:12 Steve Sakoman
  0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2020-06-02  0:12 UTC (permalink / raw)
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back
by end of day Wednesday.

Passed a-full build on the autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1029

The following changes since commit e2658a7d73b6f21939e644e533718cd05b288766:

  qemuarm: check serial consoles vs /proc/consoles (2020-06-01 07:02:44 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Bruce Ashfield (8):
  linux-yocto/5.4: update to v5.4.38
  linux-yocto/5.4: update to v5.4.40
  kernel/reproducibility: kernel modules need SOURCE_DATE_EPOCH export
  linux-yocto/5.4: update to v5.4.42
  linux-yocto-rt/5.4: update to rt24
  linux-yocto/5.4: temporarily revert IKHEADERS in standard kernels
  linux-yocto: gather reproducibility configs into a fragment
  linux-yocto/5.4: update to v5.4.43

 meta/classes/kernel.bbclass                   | 15 +++++++++++++
 .../linux/linux-yocto-rt_5.4.bb               |  6 ++---
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++++++++----------
 4 files changed, 33 insertions(+), 18 deletions(-)

-- 
2.17.1



* [OE-core][dunfell 0/8] Patch review
@ 2020-05-11 14:38 Steve Sakoman
  0 siblings, 0 replies; 16+ messages in thread
From: Steve Sakoman @ 2020-05-11 14:38 UTC (permalink / raw)
  To: openembedded-core

Please review this next set of patches for dunfell and have comments back
by end of day Wednesday.

Clean a-full build on autobuilder (oe-selftest-fedora not run due to no
available fedora builders over the weekend):

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/941

The following changes since commit 12f0cbf348d5acb0a7913bb5dc98e7fccc5ec34f:

  icu: CVE-2020-10531 (2020-05-04 05:34:18 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Benjamin Fair (1):
  util-linux: fix build error in kill

Bruce Ashfield (3):
  linux-yocto/5.4: update to v5.4.28
  linux-yocto/5.4: update to v5.4.32
  linux-yocto/5.4: update to v5.4.34

Khem Raj (1):
  musl: Remove spurious unused patch

Pierre-Jean Texier (1):
  timezone: upgrade 2019c -> 2020a

Sakib Sajal (1):
  sqlite: backport CVE fixes

Vyacheslav Yurkov (1):
  os-release: sanitize required fields

 ...move-using-.end-directive-with-clang.patch | 36 ----------
 meta/recipes-core/os-release/os-release.bb    | 14 ++--
 .../0001-include-cleanup-pidfd-inckudes.patch | 42 +++++++++++
 ...-types.h-before-checking-SYS_pidfd_s.patch | 64 +++++++++++++++++
 .../util-linux/util-linux_2.35.1.bb           |  2 +
 meta/recipes-extended/timezone/timezone.inc   | 10 +--
 .../linux/linux-yocto-rt_5.4.bb               |  6 +-
 .../linux/linux-yocto-tiny_5.4.bb             |  8 +--
 meta/recipes-kernel/linux/linux-yocto_5.4.bb  | 22 +++---
 .../sqlite/files/CVE-2020-11655.patch         | 32 +++++++++
 .../sqlite/files/CVE-2020-11656.patch         | 70 +++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.31.1.bb |  2 +
 12 files changed, 244 insertions(+), 64 deletions(-)
 delete mode 100644 meta/recipes-core/musl/0001-Remove-using-.end-directive-with-clang.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/0001-include-cleanup-pidfd-inckudes.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/0001-kill-include-sys-types.h-before-checking-SYS_pidfd_s.patch
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-11655.patch
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2020-11656.patch

-- 
2.17.1

