* [OE-core][dunfell 0/7] Patch review
@ 2024-04-03 3:11 Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356 Steve Sakoman
` (6 more replies)
0 siblings, 7 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Thursday, April 4
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6757
The following changes since commit d0811b98fa3847dbbfcfe6a80694509bb29aaf9c:
yocto-uninative: Update to 4.4 for glibc 2.39 (2024-03-18 11:44:32 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Steve Sakoman (2):
tar: bump PR to deal with sstate corruption on autobuilder
perf: bump PR to deal with sstate corruption on autobuilder
Vijay Anusuri (4):
libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356
go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785
tar: Fix for CVE-2023-39804
curl: backport Debian patch for CVE-2024-2398
virendra thakur (1):
openssl: Fix CVE-2024-0727
.../openssl/openssl/CVE-2024-0727.patch | 122 ++++++++
.../openssl/openssl_1.1.1w.bb | 1 +
meta/recipes-devtools/go/go-1.14.inc | 3 +
.../go/go-1.14/CVE-2023-45289.patch | 121 ++++++++
.../go/go-1.14/CVE-2023-45290.patch | 271 ++++++++++++++++++
.../go/go-1.14/CVE-2024-24785.patch | 197 +++++++++++++
.../tar/tar/CVE-2023-39804.patch | 64 +++++
meta/recipes-extended/tar/tar_1.32.bb | 3 +
meta/recipes-kernel/perf/perf.bb | 2 +-
.../libtiff/files/CVE-2023-52356.patch | 53 ++++
.../libtiff/files/CVE-2023-6277-1.patch | 191 ++++++++++++
.../libtiff/files/CVE-2023-6277-2.patch | 152 ++++++++++
.../libtiff/files/CVE-2023-6277-3.patch | 46 +++
.../libtiff/files/CVE-2023-6277-4.patch | 94 ++++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 5 +
.../curl/curl/CVE-2024-2398.patch | 88 ++++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
17 files changed, 1413 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch
create mode 100644 meta/recipes-extended/tar/tar/CVE-2023-39804.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356
2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman
@ 2024-04-03 3:11 ` Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 2/7] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785 Steve Sakoman
` (5 subsequent siblings)
6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
import patches from ubuntu to fix
CVE-2023-6277
CVE-2023-52356
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/?h=ubuntu%2Ffocal-security
Upstream commit
https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
&
https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa
&
https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3
&
https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a
&
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libtiff/files/CVE-2023-52356.patch | 53 +++++
.../libtiff/files/CVE-2023-6277-1.patch | 191 ++++++++++++++++++
.../libtiff/files/CVE-2023-6277-2.patch | 152 ++++++++++++++
.../libtiff/files/CVE-2023-6277-3.patch | 46 +++++
.../libtiff/files/CVE-2023-6277-4.patch | 94 +++++++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 5 +
6 files changed, 541 insertions(+)
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
new file mode 100644
index 0000000000..1b651e6529
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-52356.patch
@@ -0,0 +1,53 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFErrorExt instead of TIFFErrorExtR (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 51558511bdbbcffdce534db21dbaf5d54b31638a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 15:58:41 +0100
+Subject: [PATCH] TIFFReadRGBAStrip/TIFFReadRGBATile: add more validation of
+ col/row (fixes #622)
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-52356.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a]
+CVE: CVE-2023-52356
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_getimage.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_getimage.c
++++ tiff-4.1.0+git191117/libtiff/tif_getimage.c
+@@ -2926,6 +2926,13 @@ TIFFReadRGBAStripExt(TIFF* tif, uint32 r
+ }
+
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop_on_error, emsg)) {
++ if (row >= img.height)
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++ "Invalid row passed to TIFFReadRGBAStrip().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
+
+ img.row_offset = row;
+ img.col_offset = 0;
+@@ -3002,6 +3009,14 @@ TIFFReadRGBATileExt(TIFF* tif, uint32 co
+ return( 0 );
+ }
+
++ if (col >= img.width || row >= img.height)
++ {
++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif),
++ "Invalid row/col passed to TIFFReadRGBATile().");
++ TIFFRGBAImageEnd(&img);
++ return (0);
++ }
++
+ /*
+ * The TIFFRGBAImageGet() function doesn't allow us to get off the
+ * edge of the image, even to fill an otherwise valid tile. So we
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
new file mode 100644
index 0000000000..e955b3f2e4
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-1.patch
@@ -0,0 +1,191 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . included inttypes.h header to support PRIu32 and PRIu64;
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+ . calls to the check size, that is the idea of the patch, were added before
+ _TIFFCheckMalloc and may note match the original patch methods;
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 5320c9d89c054fa805d037d84c57da874470b01a Mon Sep 17 00:00:00 2001
+From: Su Laus <sulau@freenet.de>
+Date: Tue, 31 Oct 2023 15:43:29 +0000
+Subject: [PATCH] Prevent some out-of-memory attacks
+
+Some small fuzzer files fake large amounts of data and provoke out-of-memory situations. For non-compressed data content / tags, out-of-memory can be prevented by comparing with the file size.
+
+At image reading, data size of some tags / data structures (StripByteCounts, StripOffsets, StripArray, TIFF directory) is compared with file size to prevent provoked out-of-memory attacks.
+
+See issue https://gitlab.com/libtiff/libtiff/-/issues/614#note_1602683857
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-1.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 92 ++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 90 insertions(+), 2 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -37,6 +37,7 @@
+ #include "tiffiop.h"
+ #include <float.h>
+ #include <stdlib.h>
++#include <inttypes.h>
+
+ #define FAILED_FII ((uint32) -1)
+
+@@ -863,6 +864,21 @@ static enum TIFFReadDirEntryErr TIFFRead
+ datasize=(*count)*typesize;
+ assert((tmsize_t)datasize>0);
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size.
++ */
++ uint64 filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
++
+ if( isMapped(tif) && datasize > (uint32)tif->tif_size )
+ return TIFFReadDirEntryErrIo;
+
+@@ -4534,6 +4550,20 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ if( !_TIFFFillStrilesInternal( tif, 0 ) )
+ return -1;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
++
+ if (td->td_stripbytecount_p)
+ _TIFFfree(td->td_stripbytecount_p);
+ td->td_stripbytecount_p = (uint64*)
+@@ -4544,9 +4574,7 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+
+ if (td->td_compression != COMPRESSION_NONE) {
+ uint64 space;
+- uint64 filesize;
+ uint16 n;
+- filesize = TIFFGetFileSize(tif);
+ if (!(tif->tif_flags&TIFF_BIGTIFF))
+ space=sizeof(TIFFHeaderClassic)+2+dircount*12+4;
+ else
+@@ -4854,6 +4882,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ dircount16 = (uint16)dircount64;
+ dirsize = 20;
+ }
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
+ if (origdir == NULL)
+@@ -4957,6 +4999,20 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ "Sanity check on directory count failed, zero tag directories not supported");
+ return 0;
+ }
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)dircount16 * dirsize;
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize,
+ "to read TIFF directory");
+@@ -5000,6 +5056,8 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ }
+ }
+ }
++ /* No check against filesize needed here because "dir" should have same size
++ * than "origdir" checked above. */
+ dir = (TIFFDirEntry*)_TIFFCheckMalloc(tif, dircount16,
+ sizeof(TIFFDirEntry),
+ "to read TIFF directory");
+@@ -5769,7 +5827,20 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+ _TIFFfree(data);
+ return(0);
+ }
+-
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ uint64 filesize = TIFFGetFileSize(tif);
++ uint64 allocsize = (uint64)nstrips * sizeof(uint64);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfree(data);
++ return (0);
++ }
+ resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
+ if (resizeddata==0) {
+ _TIFFfree(data);
+@@ -5865,6 +5936,23 @@ static void allocChoppedUpStripArrays(TI
+ }
+ bytecount = last_offset + last_bytecount - offset;
+
++ /* Before allocating a huge amount of memory for corrupted files, check if
++ * size of StripByteCount and StripOffset tags is not greater than
++ * file size.
++ */
++ uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
++ uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greather than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
++
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
+ "for chopped \"StripByteCounts\" array");
+ newoffsets = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
new file mode 100644
index 0000000000..644b3fdb3f
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-2.patch
@@ -0,0 +1,152 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From 0b025324711213a75e38b52f7e7ba60235f108aa Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 19:47:22 +0100
+Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
+ RAM requests
+
+Ammends 5320c9d89c054fa805d037d84c57da874470b01a
+
+This fixes a performance regression caught by the GDAL regression test
+suite.
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-2.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/0b025324711213a75e38b52f7e7ba60235f108aa]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 83 +++++++++++++++++++++++++------------------
+ 1 file changed, 48 insertions(+), 35 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -864,19 +864,22 @@ static enum TIFFReadDirEntryErr TIFFRead
+ datasize=(*count)*typesize;
+ assert((tmsize_t)datasize>0);
+
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size.
+- */
+- uint64 filesize = TIFFGetFileSize(tif);
+- if (datasize > filesize)
++ if (datasize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
+- "Requested memory size for tag %d (0x%x) %" PRIu32
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, tag not read",
+- direntry->tdir_tag, direntry->tdir_tag, datasize,
+- filesize);
+- return (TIFFReadDirEntryErrAlloc);
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size.
++ */
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (datasize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "ReadDirEntryArray",
++ "Requested memory size for tag %d (0x%x) %" PRIu32
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated, tag not read",
++ direntry->tdir_tag, direntry->tdir_tag, datasize,
++ filesize);
++ return (TIFFReadDirEntryErrAlloc);
++ }
+ }
+
+ if( isMapped(tif) && datasize > (uint32)tif->tif_size )
+@@ -4550,18 +4553,22 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ if( !_TIFFFillStrilesInternal( tif, 0 ) )
+ return -1;
+
+- /* Before allocating a huge amount of memory for corrupted files, check if
+- * size of requested memory is not greater than file size. */
+- uint64 filesize = TIFFGetFileSize(tif);
+- uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
+- if (allocsize > filesize)
++ const uint64 allocsize = (uint64)td->td_nstrips * sizeof(uint64);
++ uint64 filesize = 0;
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, module,
+- "Requested memory size for StripByteCounts of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return -1;
++ /* Before allocating a huge amount of memory for corrupted files, check
++ * if size of requested memory is not greater than file size. */
++ filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for StripByteCounts of %" PRIu64
++ " is greater than filesize %" PRIu64 ". Memory not allocated",
++ allocsize, filesize);
++ return -1;
++ }
+ }
+
+ if (td->td_stripbytecount_p)
+@@ -4608,11 +4615,13 @@ EstimateStripByteCounts(TIFF* tif, TIFFD
+ return -1;
+ space+=datasize;
+ }
++ if (filesize == 0)
++ filesize = TIFFGetFileSize(tif);
+ if( filesize < space )
+- /* we should perhaps return in error ? */
+- space = filesize;
+- else
+- space = filesize - space;
++ /* we should perhaps return in error ? */
++ space = filesize;
++ else
++ space = filesize - space;
+ if (td->td_planarconfig == PLANARCONFIG_SEPARATE)
+ space /= td->td_samplesperpixel;
+ for (strip = 0; strip < td->td_nstrips; strip++)
+@@ -4882,19 +4891,23 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ dircount16 = (uint16)dircount64;
+ dirsize = 20;
+ }
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64 filesize = TIFFGetFileSize(tif);
+- uint64 allocsize = (uint64)dircount16 * dirsize;
+- if (allocsize > filesize)
++ const uint64 allocsize = (uint64)dircount16 * dirsize;
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(
+- tif->tif_clientdata, module,
+- "Requested memory size for TIFF directory of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated, TIFF directory not read",
+- allocsize, filesize);
+- return 0;
++ /* Before allocating a huge amount of memory for corrupted files,
++ * check if size of requested memory is not greater than file size.
++ */
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for TIFF directory of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated, TIFF directory not read",
++ allocsize, filesize);
++ return 0;
++ }
+ }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
new file mode 100644
index 0000000000..ed7d7e7b96
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-3.patch
@@ -0,0 +1,46 @@
+Backport of:
+
+From de7bfd7d4377c266f81849579f696fa1ad5ba6c3 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 20:13:45 +0100
+Subject: [PATCH] TIFFFetchDirectory(): remove useless allocsize vs filesize
+ check
+
+CoverityScan rightly points that the max value for dircount16 * dirsize
+is 4096 * 20. That's small enough not to do any check
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-3.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/de7bfd7d4377c266f81849579f696fa1ad5ba6c3]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -4891,24 +4891,6 @@ TIFFFetchDirectory(TIFF* tif, uint64 dir
+ dircount16 = (uint16)dircount64;
+ dirsize = 20;
+ }
+- const uint64 allocsize = (uint64)dircount16 * dirsize;
+- if (allocsize > 100 * 1024 * 1024)
+- {
+- /* Before allocating a huge amount of memory for corrupted files,
+- * check if size of requested memory is not greater than file size.
+- */
+- const uint64 filesize = TIFFGetFileSize(tif);
+- if (allocsize > filesize)
+- {
+- TIFFWarningExt(
+- tif->tif_clientdata, module,
+- "Requested memory size for TIFF directory of %" PRIu64
+- " is greater than filesize %" PRIu64
+- ". Memory not allocated, TIFF directory not read",
+- allocsize, filesize);
+- return 0;
+- }
+- }
+ origdir = _TIFFCheckMalloc(tif, dircount16,
+ dirsize, "to read TIFF directory");
+ if (origdir == NULL)
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
new file mode 100644
index 0000000000..1a43fd3230
--- /dev/null
+++ b/meta/recipes-multimedia/libtiff/files/CVE-2023-6277-4.patch
@@ -0,0 +1,94 @@
+[Ubuntu note: Backport of the following patch from upstream, with a few changes
+to match the current version of the file in the present Ubuntu release:
+ . using TIFFWarningExt instead of TIFFWarningExtR (the latter did not exist yet);
+ . using uint64 instead of uint64_t to preserve the current code usage;
+ . calling _TIFFfree(data) instead of _TIFFfreeExt(tif, data) (the latter did not exist yet);
+-- Rodrigo Figueiredo Zaiden]
+
+Backport of:
+
+From dbb825a8312f30e63a06c272010967d51af5c35a Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Tue, 31 Oct 2023 21:30:58 +0100
+Subject: [PATCH] tif_dirread.c: only issue TIFFGetFileSize() for large enough
+ RAM requests
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/tiff/tree/debian/patches/CVE-2023-6277-4.patch?h=ubuntu/focal-security
+Upstream commit https://gitlab.com/libtiff/libtiff/-/commit/dbb825a8312f30e63a06c272010967d51af5c35a]
+CVE: CVE-2023-6277
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libtiff/tif_dirread.c | 54 +++++++++++++++++++++++++------------------
+ 1 file changed, 31 insertions(+), 23 deletions(-)
+
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -5822,19 +5822,24 @@ TIFFFetchStripThing(TIFF* tif, TIFFDirEn
+ _TIFFfree(data);
+ return(0);
+ }
+- /* Before allocating a huge amount of memory for corrupted files, check
+- * if size of requested memory is not greater than file size. */
+- uint64 filesize = TIFFGetFileSize(tif);
+- uint64 allocsize = (uint64)nstrips * sizeof(uint64);
+- if (allocsize > filesize)
++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64);
++ if (allocsize > 100 * 1024 * 1024)
+ {
+- TIFFWarningExt(tif->tif_clientdata, module,
+- "Requested memory size for StripArray of %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- _TIFFfree(data);
+- return (0);
++ /* Before allocating a huge amount of memory for corrupted files,
++ * check if size of requested memory is not greater than file size.
++ */
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(
++ tif->tif_clientdata, module,
++ "Requested memory size for StripArray of %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ _TIFFfree(data);
++ return (0);
++ }
+ }
+ resizeddata=(uint64*)_TIFFCheckMalloc(tif,nstrips,sizeof(uint64),"for strip array");
+ if (resizeddata==0) {
+@@ -5935,17 +5940,20 @@ static void allocChoppedUpStripArrays(TI
+ * size of StripByteCount and StripOffset tags is not greater than
+ * file size.
+ */
+- uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
+- uint64 filesize = TIFFGetFileSize(tif);
+- if (allocsize > filesize)
+- {
+- TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
+- "Requested memory size for StripByteCount and "
+- "StripOffsets %" PRIu64
+- " is greather than filesize %" PRIu64
+- ". Memory not allocated",
+- allocsize, filesize);
+- return;
++ const uint64 allocsize = (uint64)nstrips * sizeof(uint64) * 2;
++ if (allocsize > 100 * 1024 * 1024)
++ {
++ const uint64 filesize = TIFFGetFileSize(tif);
++ if (allocsize > filesize)
++ {
++ TIFFWarningExt(tif->tif_clientdata, "allocChoppedUpStripArrays",
++ "Requested memory size for StripByteCount and "
++ "StripOffsets %" PRIu64
++ " is greater than filesize %" PRIu64
++ ". Memory not allocated",
++ allocsize, filesize);
++ return;
++ }
+ }
+
+ newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
index c739f3a7fa..7efaba3a38 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb
@@ -49,6 +49,11 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
file://CVE-2023-41175.patch \
file://CVE-2022-40090.patch \
file://CVE-2023-6228.patch \
+ file://CVE-2023-6277-1.patch \
+ file://CVE-2023-6277-2.patch \
+ file://CVE-2023-6277-3.patch \
+ file://CVE-2023-6277-4.patch \
+ file://CVE-2023-52356.patch \
"
SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424"
SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 2/7] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785
2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356 Steve Sakoman
@ 2024-04-03 3:11 ` Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 3/7] tar: Fix for CVE-2023-39804 Steve Sakoman
` (4 subsequent siblings)
6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport
[https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1
&
https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0
&
https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/go/go-1.14.inc | 3 +
.../go/go-1.14/CVE-2023-45289.patch | 121 ++++++++
.../go/go-1.14/CVE-2023-45290.patch | 271 ++++++++++++++++++
.../go/go-1.14/CVE-2024-24785.patch | 197 +++++++++++++
4 files changed, 592 insertions(+)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch
diff --git a/meta/recipes-devtools/go/go-1.14.inc b/meta/recipes-devtools/go/go-1.14.inc
index 4fbf9d7590..69b65f3eb2 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -88,6 +88,9 @@ SRC_URI += "\
file://CVE-2023-45287-pre2.patch \
file://CVE-2023-45287-pre3.patch \
file://CVE-2023-45287.patch \
+ file://CVE-2023-45289.patch \
+ file://CVE-2023-45290.patch \
+ file://CVE-2024-24785.patch \
"
SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
new file mode 100644
index 0000000000..13d3510504
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45289.patch
@@ -0,0 +1,121 @@
+From 20586c0dbe03d144f914155f879fa5ee287591a1 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Thu, 11 Jan 2024 11:31:57 -0800
+Subject: [PATCH] [release-branch.go1.21] net/http, net/http/cookiejar: avoid
+ subdomain matches on IPv6 zones
+
+When deciding whether to forward cookies or sensitive headers
+across a redirect, do not attempt to interpret an IPv6 address
+as a domain name.
+
+Avoids a case where a maliciously-crafted redirect to an
+IPv6 address with a scoped addressing zone could be
+misinterpreted as a within-domain redirect. For example,
+we could interpret "::1%.www.example.com" as a subdomain
+of "www.example.com".
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes CVE-2023-45289
+Fixes #65385
+For #65065
+
+Change-Id: I8f463f59f0e700c8a18733d2b264a8bcb3a19599
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2131938
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173775
+Reviewed-by: Carlos Amedee <amedee@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569239
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/20586c0dbe03d144f914155f879fa5ee287591a1]
+CVE: CVE-2023-45289
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/net/http/client.go | 6 ++++++
+ src/net/http/client_test.go | 1 +
+ src/net/http/cookiejar/jar.go | 7 +++++++
+ src/net/http/cookiejar/jar_test.go | 10 ++++++++++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/src/net/http/client.go b/src/net/http/client.go
+index a496f1c..2031834 100644
+--- a/src/net/http/client.go
++++ b/src/net/http/client.go
+@@ -973,6 +973,12 @@ func isDomainOrSubdomain(sub, parent string) bool {
+ if sub == parent {
+ return true
+ }
++ // If sub contains a :, it's probably an IPv6 address (and is definitely not a hostname).
++ // Don't check the suffix in this case, to avoid matching the contents of a IPv6 zone.
++ // For example, "::1%.www.example.com" is not a subdomain of "www.example.com".
++ if strings.ContainsAny(sub, ":%") {
++ return false
++ }
+ // If sub is "foo.example.com" and parent is "example.com",
+ // that means sub must end in "."+parent.
+ // Do it without allocating.
+diff --git a/src/net/http/client_test.go b/src/net/http/client_test.go
+index 2b4f53f..442fe35 100644
+--- a/src/net/http/client_test.go
++++ b/src/net/http/client_test.go
+@@ -1703,6 +1703,7 @@ func TestShouldCopyHeaderOnRedirect(t *testing.T) {
+ {"cookie2", "http://foo.com/", "http://bar.com/", false},
+ {"authorization", "http://foo.com/", "http://bar.com/", false},
+ {"www-authenticate", "http://foo.com/", "http://bar.com/", false},
++ {"authorization", "http://foo.com/", "http://[::1%25.foo.com]/", false},
+
+ // But subdomains should work:
+ {"www-authenticate", "http://foo.com/", "http://foo.com/", true},
+diff --git a/src/net/http/cookiejar/jar.go b/src/net/http/cookiejar/jar.go
+index 9f19917..18cbfc2 100644
+--- a/src/net/http/cookiejar/jar.go
++++ b/src/net/http/cookiejar/jar.go
+@@ -356,6 +356,13 @@ func jarKey(host string, psl PublicSuffixList) string {
+
+ // isIP reports whether host is an IP address.
+ func isIP(host string) bool {
++ if strings.ContainsAny(host, ":%") {
++ // Probable IPv6 address.
++ // Hostnames can't contain : or %, so this is definitely not a valid host.
++ // Treating it as an IP is the more conservative option, and avoids the risk
++ // of interpeting ::1%.www.example.com as a subtomain of www.example.com.
++ return true
++ }
+ return net.ParseIP(host) != nil
+ }
+
+diff --git a/src/net/http/cookiejar/jar_test.go b/src/net/http/cookiejar/jar_test.go
+index 47fb1ab..fd8d40e 100644
+--- a/src/net/http/cookiejar/jar_test.go
++++ b/src/net/http/cookiejar/jar_test.go
+@@ -251,6 +251,7 @@ var isIPTests = map[string]bool{
+ "127.0.0.1": true,
+ "1.2.3.4": true,
+ "2001:4860:0:2001::68": true,
++ "::1%zone": true,
+ "example.com": false,
+ "1.1.1.300": false,
+ "www.foo.bar.net": false,
+@@ -613,6 +614,15 @@ var basicsTests = [...]jarTest{
+ {"http://www.host.test:1234/", "a=1"},
+ },
+ },
++ {
++ "IPv6 zone is not treated as a host.",
++ "https://example.com/",
++ []string{"a=1"},
++ "a=1",
++ []query{
++ {"https://[::1%25.example.com]:80/", ""},
++ },
++ },
+ }
+
+ func TestBasics(t *testing.T) {
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch b/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch
new file mode 100644
index 0000000000..ddc2f67c96
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-45290.patch
@@ -0,0 +1,271 @@
+From bf80213b121074f4ad9b449410a4d13bae5e9be0 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Tue, 16 Jan 2024 15:37:52 -0800
+Subject: [PATCH] [release-branch.go1.21] net/textproto, mime/multipart: avoid
+ unbounded read in MIME header
+
+mime/multipart.Reader.ReadForm allows specifying the maximum amount
+of memory that will be consumed by the form. While this limit is
+correctly applied to the parsed form data structure, it was not
+being applied to individual header lines in a form.
+
+For example, when presented with a form containing a header line
+that never ends, ReadForm will continue to read the line until it
+runs out of memory.
+
+Limit the amount of data consumed when reading a header.
+
+Fixes CVE-2023-45290
+Fixes #65389
+For #65383
+
+Change-Id: I7f9264d25752009e95f6b2c80e3d76aaf321d658
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2134435
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2173776
+Reviewed-by: Carlos Amedee <amedee@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/go/+/569240
+Auto-Submit: Michael Knyszek <mknyszek@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/bf80213b121074f4ad9b449410a4d13bae5e9be0]
+CVE: CVE-2023-45290
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/mime/multipart/formdata_test.go | 42 +++++++++++++++++++++++++
+ src/net/textproto/reader.go | 48 ++++++++++++++++++++---------
+ src/net/textproto/reader_test.go | 12 ++++++++
+ 3 files changed, 87 insertions(+), 15 deletions(-)
+
+diff --git a/src/mime/multipart/formdata_test.go b/src/mime/multipart/formdata_test.go
+index c78eeb7..f729da6 100644
+--- a/src/mime/multipart/formdata_test.go
++++ b/src/mime/multipart/formdata_test.go
+@@ -421,6 +421,48 @@ func TestReadFormLimits(t *testing.T) {
+ }
+ }
+
++func TestReadFormEndlessHeaderLine(t *testing.T) {
++ for _, test := range []struct {
++ name string
++ prefix string
++ }{{
++ name: "name",
++ prefix: "X-",
++ }, {
++ name: "value",
++ prefix: "X-Header: ",
++ }, {
++ name: "continuation",
++ prefix: "X-Header: foo\r\n ",
++ }} {
++ t.Run(test.name, func(t *testing.T) {
++ const eol = "\r\n"
++ s := `--boundary` + eol
++ s += `Content-Disposition: form-data; name="a"` + eol
++ s += `Content-Type: text/plain` + eol
++ s += test.prefix
++ fr := io.MultiReader(
++ strings.NewReader(s),
++ neverendingReader('X'),
++ )
++ r := NewReader(fr, "boundary")
++ _, err := r.ReadForm(1 << 20)
++ if err != ErrMessageTooLarge {
++ t.Fatalf("ReadForm(1 << 20): %v, want ErrMessageTooLarge", err)
++ }
++ })
++ }
++}
++
++type neverendingReader byte
++
++func (r neverendingReader) Read(p []byte) (n int, err error) {
++ for i := range p {
++ p[i] = byte(r)
++ }
++ return len(p), nil
++}
++
+ func BenchmarkReadForm(b *testing.B) {
+ for _, test := range []struct {
+ name string
+diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
+index ad2d777..cea6613 100644
+--- a/src/net/textproto/reader.go
++++ b/src/net/textproto/reader.go
+@@ -17,6 +17,10 @@ import (
+ "sync"
+ )
+
++// TODO: This should be a distinguishable error (ErrMessageTooLarge)
++// to allow mime/multipart to detect it.
++var errMessageTooLarge = errors.New("message too large")
++
+ // A Reader implements convenience methods for reading requests
+ // or responses from a text protocol network connection.
+ type Reader struct {
+@@ -38,13 +42,13 @@ func NewReader(r *bufio.Reader) *Reader {
+ // ReadLine reads a single line from r,
+ // eliding the final \n or \r\n from the returned string.
+ func (r *Reader) ReadLine() (string, error) {
+- line, err := r.readLineSlice()
++ line, err := r.readLineSlice(-1)
+ return string(line), err
+ }
+
+ // ReadLineBytes is like ReadLine but returns a []byte instead of a string.
+ func (r *Reader) ReadLineBytes() ([]byte, error) {
+- line, err := r.readLineSlice()
++ line, err := r.readLineSlice(-1)
+ if line != nil {
+ buf := make([]byte, len(line))
+ copy(buf, line)
+@@ -53,7 +57,10 @@ func (r *Reader) ReadLineBytes() ([]byte, error) {
+ return line, err
+ }
+
+-func (r *Reader) readLineSlice() ([]byte, error) {
++// readLineSlice reads a single line from r,
++// up to lim bytes long (or unlimited if lim is less than 0),
++// eliding the final \r or \r\n from the returned string.
++func (r *Reader) readLineSlice(lim int64) ([]byte, error) {
+ r.closeDot()
+ var line []byte
+ for {
+@@ -61,6 +68,9 @@ func (r *Reader) readLineSlice() ([]byte, error) {
+ if err != nil {
+ return nil, err
+ }
++ if lim >= 0 && int64(len(line))+int64(len(l)) > lim {
++ return nil, errMessageTooLarge
++ }
+ // Avoid the copy if the first call produced a full line.
+ if line == nil && !more {
+ return l, nil
+@@ -93,7 +103,7 @@ func (r *Reader) readLineSlice() ([]byte, error) {
+ // A line consisting of only white space is never continued.
+ //
+ func (r *Reader) ReadContinuedLine() (string, error) {
+- line, err := r.readContinuedLineSlice(noValidation)
++ line, err := r.readContinuedLineSlice(-1, noValidation)
+ return string(line), err
+ }
+
+@@ -114,7 +124,7 @@ func trim(s []byte) []byte {
+ // ReadContinuedLineBytes is like ReadContinuedLine but
+ // returns a []byte instead of a string.
+ func (r *Reader) ReadContinuedLineBytes() ([]byte, error) {
+- line, err := r.readContinuedLineSlice(noValidation)
++ line, err := r.readContinuedLineSlice(-1, noValidation)
+ if line != nil {
+ buf := make([]byte, len(line))
+ copy(buf, line)
+@@ -127,13 +137,14 @@ func (r *Reader) ReadContinuedLineBytes() ([]byte, error) {
+ // returning a byte slice with all lines. The validateFirstLine function
+ // is run on the first read line, and if it returns an error then this
+ // error is returned from readContinuedLineSlice.
+-func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([]byte, error) {
++// It reads up to lim bytes of data (or unlimited if lim is less than 0).
++func (r *Reader) readContinuedLineSlice(lim int64, validateFirstLine func([]byte) error) ([]byte, error) {
+ if validateFirstLine == nil {
+ return nil, fmt.Errorf("missing validateFirstLine func")
+ }
+
+ // Read the first line.
+- line, err := r.readLineSlice()
++ line, err := r.readLineSlice(lim)
+ if err != nil {
+ return nil, err
+ }
+@@ -161,13 +172,21 @@ func (r *Reader) readContinuedLineSlice(validateFirstLine func([]byte) error) ([
+ // copy the slice into buf.
+ r.buf = append(r.buf[:0], trim(line)...)
+
++ if lim < 0 {
++ lim = math.MaxInt64
++ }
++ lim -= int64(len(r.buf))
++
+ // Read continuation lines.
+ for r.skipSpace() > 0 {
+- line, err := r.readLineSlice()
++ r.buf = append(r.buf, ' ')
++ if int64(len(r.buf)) >= lim {
++ return nil, errMessageTooLarge
++ }
++ line, err := r.readLineSlice(lim - int64(len(r.buf)))
+ if err != nil {
+ break
+ }
+- r.buf = append(r.buf, ' ')
+ r.buf = append(r.buf, trim(line)...)
+ }
+ return r.buf, nil
+@@ -512,7 +531,8 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+
+ // The first line cannot start with a leading space.
+ if buf, err := r.R.Peek(1); err == nil && (buf[0] == ' ' || buf[0] == '\t') {
+- line, err := r.readLineSlice()
++ const errorLimit = 80 // arbitrary limit on how much of the line we'll quote
++ line, err := r.readLineSlice(errorLimit)
+ if err != nil {
+ return m, err
+ }
+@@ -520,7 +540,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+ }
+
+ for {
+- kv, err := r.readContinuedLineSlice(mustHaveFieldNameColon)
++ kv, err := r.readContinuedLineSlice(maxMemory, mustHaveFieldNameColon)
+ if len(kv) == 0 {
+ return m, err
+ }
+@@ -541,7 +561,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+
+ maxHeaders--
+ if maxHeaders < 0 {
+- return nil, errors.New("message too large")
++ return nil, errMessageTooLarge
+ }
+
+ // backport 5c55ac9bf1e5f779220294c843526536605f42ab
+@@ -567,9 +587,7 @@ func readMIMEHeader(r *Reader, maxMemory, maxHeaders int64) (MIMEHeader, error)
+ }
+ maxMemory -= int64(len(value))
+ if maxMemory < 0 {
+- // TODO: This should be a distinguishable error (ErrMessageTooLarge)
+- // to allow mime/multipart to detect it.
+- return m, errors.New("message too large")
++ return m, errMessageTooLarge
+ }
+ if vv == nil && len(strs) > 0 {
+ // More than likely this will be a single-element key.
+diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
+index 3ae0de1..db1ed91 100644
+--- a/src/net/textproto/reader_test.go
++++ b/src/net/textproto/reader_test.go
+@@ -34,6 +34,18 @@ func TestReadLine(t *testing.T) {
+ }
+ }
+
++func TestReadLineLongLine(t *testing.T) {
++ line := strings.Repeat("12345", 10000)
++ r := reader(line + "\r\n")
++ s, err := r.ReadLine()
++ if err != nil {
++ t.Fatalf("Line 1: %v", err)
++ }
++ if s != line {
++ t.Fatalf("%v-byte line does not match expected %v-byte line", len(s), len(line))
++ }
++}
++
+ func TestReadContinuedLine(t *testing.T) {
+ r := reader("line1\nline\n 2\nline3\n")
+ s, err := r.ReadContinuedLine()
+--
+2.25.1
+
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch b/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch
new file mode 100644
index 0000000000..1398a2ca48
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2024-24785.patch
@@ -0,0 +1,197 @@
+From 3643147a29352ca2894fd5d0d2069bc4b4335a7e Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 14 Feb 2024 17:18:36 -0800
+Subject: [PATCH] [release-branch.go1.21] html/template: escape additional
+ tokens in MarshalJSON errors
+
+Escape "</script" and "<!--" in errors returned from MarshalJSON errors
+when attempting to marshal types in script blocks. This prevents any
+user controlled content from prematurely terminating the script block.
+
+Updates #65697
+Fixes #65968
+
+Change-Id: Icf0e26c54ea7d9c1deed0bff11b6506c99ddef1b
+Reviewed-on: https://go-review.googlesource.com/c/go/+/564196
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+(cherry picked from commit ccbc725f2d678255df1bd326fa511a492aa3a0aa)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/567515
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+
+Upstream-Status: Backport [https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e]
+CVE: CVE-2024-24785
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/html/template/js.go | 22 ++++++++-
+ src/html/template/js_test.go | 96 ++++++++++++++++++++----------------
+ 2 files changed, 74 insertions(+), 44 deletions(-)
+
+diff --git a/src/html/template/js.go b/src/html/template/js.go
+index 35994f0..4d3b25d 100644
+--- a/src/html/template/js.go
++++ b/src/html/template/js.go
+@@ -171,13 +171,31 @@ func jsValEscaper(args ...interface{}) string {
+ // cyclic data. This may be an unacceptable DoS risk.
+ b, err := json.Marshal(a)
+ if err != nil {
+- // Put a space before comment so that if it is flush against
++ // While the standard JSON marshaller does not include user controlled
++ // information in the error message, if a type has a MarshalJSON method,
++ // the content of the error message is not guaranteed. Since we insert
++ // the error into the template, as part of a comment, we attempt to
++ // prevent the error from either terminating the comment, or the script
++ // block itself.
++ //
++ // In particular we:
++ // * replace "*/" comment end tokens with "* /", which does not
++ // terminate the comment
++ // * replace "</script" with "\x3C/script", and "<!--" with
++ // "\x3C!--", which prevents confusing script block termination
++ // semantics
++ //
++ // We also put a space before the comment so that if it is flush against
+ // a division operator it is not turned into a line comment:
+ // x/{{y}}
+ // turning into
+ // x//* error marshaling y:
+ // second line of error message */null
+- return fmt.Sprintf(" /* %s */null ", strings.ReplaceAll(err.Error(), "*/", "* /"))
++ errStr := err.Error()
++ errStr = strings.ReplaceAll(errStr, "*/", "* /")
++ errStr = strings.ReplaceAll(errStr, "</script", `\x3C/script`)
++ errStr = strings.ReplaceAll(errStr, "<!--", `\x3C!--`)
++ return fmt.Sprintf(" /* %s */null ", errStr)
+ }
+
+ // TODO: maybe post-process output to prevent it from containing
+diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go
+index de9ef28..3fc3baf 100644
+--- a/src/html/template/js_test.go
++++ b/src/html/template/js_test.go
+@@ -5,6 +5,7 @@
+ package template
+
+ import (
++ "errors"
+ "bytes"
+ "math"
+ "strings"
+@@ -104,61 +105,72 @@ func TestNextJsCtx(t *testing.T) {
+ }
+ }
+
++type jsonErrType struct{}
++
++func (e *jsonErrType) MarshalJSON() ([]byte, error) {
++ return nil, errors.New("beep */ boop </script blip <!--")
++}
++
+ func TestJSValEscaper(t *testing.T) {
+ tests := []struct {
+- x interface{}
+- js string
++ x interface{}
++ js string
++ skipNest bool
+ }{
+- {int(42), " 42 "},
+- {uint(42), " 42 "},
+- {int16(42), " 42 "},
+- {uint16(42), " 42 "},
+- {int32(-42), " -42 "},
+- {uint32(42), " 42 "},
+- {int16(-42), " -42 "},
+- {uint16(42), " 42 "},
+- {int64(-42), " -42 "},
+- {uint64(42), " 42 "},
+- {uint64(1) << 53, " 9007199254740992 "},
++ {int(42), " 42 ", false},
++ {uint(42), " 42 ", false},
++ {int16(42), " 42 ", false},
++ {uint16(42), " 42 ", false},
++ {int32(-42), " -42 ", false},
++ {uint32(42), " 42 ", false},
++ {int16(-42), " -42 ", false},
++ {uint16(42), " 42 ", false},
++ {int64(-42), " -42 ", false},
++ {uint64(42), " 42 ", false},
++ {uint64(1) << 53, " 9007199254740992 ", false},
+ // ulp(1 << 53) > 1 so this loses precision in JS
+ // but it is still a representable integer literal.
+- {uint64(1)<<53 + 1, " 9007199254740993 "},
+- {float32(1.0), " 1 "},
+- {float32(-1.0), " -1 "},
+- {float32(0.5), " 0.5 "},
+- {float32(-0.5), " -0.5 "},
+- {float32(1.0) / float32(256), " 0.00390625 "},
+- {float32(0), " 0 "},
+- {math.Copysign(0, -1), " -0 "},
+- {float64(1.0), " 1 "},
+- {float64(-1.0), " -1 "},
+- {float64(0.5), " 0.5 "},
+- {float64(-0.5), " -0.5 "},
+- {float64(0), " 0 "},
+- {math.Copysign(0, -1), " -0 "},
+- {"", `""`},
+- {"foo", `"foo"`},
++ {uint64(1)<<53 + 1, " 9007199254740993 ", false},
++ {float32(1.0), " 1 ", false},
++ {float32(-1.0), " -1 ", false},
++ {float32(0.5), " 0.5 ", false},
++ {float32(-0.5), " -0.5 ", false},
++ {float32(1.0) / float32(256), " 0.00390625 ", false},
++ {float32(0), " 0 ", false},
++ {math.Copysign(0, -1), " -0 ", false},
++ {float64(1.0), " 1 ", false},
++ {float64(-1.0), " -1 ", false},
++ {float64(0.5), " 0.5 ", false},
++ {float64(-0.5), " -0.5 ", false},
++ {float64(0), " 0 ", false},
++ {math.Copysign(0, -1), " -0 ", false},
++ {"", `""`, false},
++ {"foo", `"foo"`, false},
+ // Newlines.
+- {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`},
++ {"\r\n\u2028\u2029", `"\r\n\u2028\u2029"`, false},
+ // "\v" == "v" on IE 6 so use "\u000b" instead.
+- {"\t\x0b", `"\t\u000b"`},
+- {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`},
+- {[]interface{}{}, "[]"},
+- {[]interface{}{42, "foo", nil}, `[42,"foo",null]`},
+- {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`},
+- {"<!--", `"\u003c!--"`},
+- {"-->", `"--\u003e"`},
+- {"<![CDATA[", `"\u003c![CDATA["`},
+- {"]]>", `"]]\u003e"`},
+- {"</script", `"\u003c/script"`},
+- {"\U0001D11E", "\"\U0001D11E\""}, // or "\uD834\uDD1E"
+- {nil, " null "},
++ {"\t\x0b", `"\t\u000b"`, false},
++ {struct{ X, Y int }{1, 2}, `{"X":1,"Y":2}`, false},
++ {[]interface{}{}, "[]", false},
++ {[]interface{}{42, "foo", nil}, `[42,"foo",null]`, false},
++ {[]string{"<!--", "</script>", "-->"}, `["\u003c!--","\u003c/script\u003e","--\u003e"]`, false},
++ {"<!--", `"\u003c!--"`, false},
++ {"-->", `"--\u003e"`, false},
++ {"<![CDATA[", `"\u003c![CDATA["`, false},
++ {"]]>", `"]]\u003e"`, false},
++ {"</script", `"\u003c/script"`, false},
++ {"\U0001D11E", "\"\U0001D11E\"", false}, // or "\uD834\uDD1E"
++ {nil, " null ", false},
++ {&jsonErrType{}, " /* json: error calling MarshalJSON for type *template.jsonErrType: beep * / boop \\x3C/script blip \\x3C!-- */null ", true},
+ }
+
+ for _, test := range tests {
+ if js := jsValEscaper(test.x); js != test.js {
+ t.Errorf("%+v: want\n\t%q\ngot\n\t%q", test.x, test.js, js)
+ }
++ if test.skipNest {
++ continue
++ }
+ // Make sure that escaping corner cases are not broken
+ // by nesting.
+ a := []interface{}{test.x}
+--
+2.25.1
+
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 3/7] tar: Fix for CVE-2023-39804
2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356 Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 2/7] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785 Steve Sakoman
@ 2024-04-03 3:11 ` Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 4/7] curl: backport Debian patch for CVE-2024-2398 Steve Sakoman
` (3 subsequent siblings)
6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../tar/tar/CVE-2023-39804.patch | 64 +++++++++++++++++++
meta/recipes-extended/tar/tar_1.32.bb | 1 +
2 files changed, 65 insertions(+)
create mode 100644 meta/recipes-extended/tar/tar/CVE-2023-39804.patch
diff --git a/meta/recipes-extended/tar/tar/CVE-2023-39804.patch b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
new file mode 100644
index 0000000000..f550928540
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2023-39804.patch
@@ -0,0 +1,64 @@
+From a339f05cd269013fa133d2f148d73f6f7d4247e4 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Sat, 28 Aug 2021 16:02:12 +0300
+Subject: Fix handling of extended header prefixes
+
+* src/xheader.c (locate_handler): Recognize prefix keywords only
+when followed by a dot.
+(xattr_decoder): Use xmalloc/xstrdup instead of alloc
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4]
+CVE: CVE-2023-39804
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/xheader.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 4f8b2b2..3cd694d 100644
+--- a/src/xheader.c
++++ b/src/xheader.c
+@@ -637,11 +637,11 @@ static struct xhdr_tab const *
+ locate_handler (char const *keyword)
+ {
+ struct xhdr_tab const *p;
+-
+ for (p = xhdr_tab; p->keyword; p++)
+ if (p->prefix)
+ {
+- if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
++ size_t kwlen = strlen (p->keyword);
++ if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 0)
+ return p;
+ }
+ else
+@@ -1716,19 +1716,20 @@ xattr_decoder (struct tar_stat_info *st,
+ char const *keyword, char const *arg, size_t size)
+ {
+ char *xstr, *xkey;
+-
++
+ /* copy keyword */
+- size_t klen_raw = strlen (keyword);
+- xkey = alloca (klen_raw + 1);
+- memcpy (xkey, keyword, klen_raw + 1) /* including null-terminating */;
++ xkey = xstrdup (keyword);
+
+ /* copy value */
+- xstr = alloca (size + 1);
++ xstr = xmalloc (size + 1);
+ memcpy (xstr, arg, size + 1); /* separator included, for GNU tar '\n' */;
+
+ xattr_decode_keyword (xkey);
+
+- xheader_xattr_add (st, xkey + strlen("SCHILY.xattr."), xstr, size);
++ xheader_xattr_add (st, xkey + strlen ("SCHILY.xattr."), xstr, size);
++
++ free (xkey);
++ free (xstr);
+ }
+
+ static void
+--
+cgit v1.1
+
diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb
index 1246f01256..c560741599 100644
--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
file://musl_dirent.patch \
file://CVE-2021-20193.patch \
file://CVE-2022-48303.patch \
+ file://CVE-2023-39804.patch \
"
SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 4/7] curl: backport Debian patch for CVE-2024-2398
2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman
` (2 preceding siblings ...)
2024-04-03 3:11 ` [OE-core][dunfell 3/7] tar: Fix for CVE-2023-39804 Steve Sakoman
@ 2024-04-03 3:11 ` Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 5/7] openssl: Fix CVE-2024-0727 Steve Sakoman
` (2 subsequent siblings)
6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
import patch from ubuntu to fix
CVE-2024-2398
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/?h=ubuntu%2Ffocal-security
Upstream commit
https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../curl/curl/CVE-2024-2398.patch | 88 +++++++++++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
2 files changed, 89 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2024-2398.patch b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
new file mode 100644
index 0000000000..a3840336f0
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2024-2398.patch
@@ -0,0 +1,88 @@
+Backport of:
+
+From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Wed, 6 Mar 2024 09:36:08 +0100
+Subject: [PATCH] http2: push headers better cleanup
+
+- provide common cleanup method for push headers
+
+Closes #13054
+
+Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/curl/tree/debian/patches/CVE-2024-2398.patch?h=ubuntu/focal-security
+Upstream commit https://github.com/curl/curl/commit/deca8039991886a559b67bcd6701db800a5cf764]
+CVE: CVE-2024-2398
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/http2.c | 34 +++++++++++++++-------------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -515,6 +515,15 @@ static struct Curl_easy *duphandle(struc
+ }
+
+
++static void free_push_headers(struct HTTP *stream)
++{
++ size_t i;
++ for(i = 0; i<stream->push_headers_used; i++)
++ free(stream->push_headers[i]);
++ Curl_safefree(stream->push_headers);
++ stream->push_headers_used = 0;
++}
++
+ static int push_promise(struct Curl_easy *data,
+ struct connectdata *conn,
+ const nghttp2_push_promise *frame)
+@@ -528,7 +537,6 @@ static int push_promise(struct Curl_easy
+ struct curl_pushheaders heads;
+ CURLMcode rc;
+ struct http_conn *httpc;
+- size_t i;
+ /* clone the parent */
+ struct Curl_easy *newhandle = duphandle(data);
+ if(!newhandle) {
+@@ -557,11 +565,7 @@ static int push_promise(struct Curl_easy
+ Curl_set_in_callback(data, false);
+
+ /* free the headers again */
+- for(i = 0; i<stream->push_headers_used; i++)
+- free(stream->push_headers[i]);
+- free(stream->push_headers);
+- stream->push_headers = NULL;
+- stream->push_headers_used = 0;
++ free_push_headers(stream);
+
+ if(rv) {
+ /* denied, kill off the new handle again */
+@@ -995,10 +999,10 @@ static int on_header(nghttp2_session *se
+ stream->push_headers_alloc) {
+ char **headp;
+ stream->push_headers_alloc *= 2;
+- headp = Curl_saferealloc(stream->push_headers,
+- stream->push_headers_alloc * sizeof(char *));
++ headp = realloc(stream->push_headers,
++ stream->push_headers_alloc * sizeof(char *));
+ if(!headp) {
+- stream->push_headers = NULL;
++ free_push_headers(stream);
+ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+ }
+ stream->push_headers = headp;
+@@ -1179,14 +1183,7 @@ void Curl_http2_done(struct Curl_easy *d
+ if(http->header_recvbuf) {
+ Curl_add_buffer_free(&http->header_recvbuf);
+ Curl_add_buffer_free(&http->trailer_recvbuf);
+- if(http->push_headers) {
+- /* if they weren't used and then freed before */
+- for(; http->push_headers_used > 0; --http->push_headers_used) {
+- free(http->push_headers[http->push_headers_used - 1]);
+- }
+- free(http->push_headers);
+- http->push_headers = NULL;
+- }
++ free_push_headers(http);
+ }
+
+ if(!httpc->h2) /* not HTTP/2 ? */
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 980b4224a8..2f351d585a 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -58,6 +58,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2023-28321.patch \
file://CVE-2023-28322.patch \
file://CVE-2023-46218.patch \
+ file://CVE-2024-2398.patch \
"
SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 5/7] openssl: Fix CVE-2024-0727
2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman
` (3 preceding siblings ...)
2024-04-03 3:11 ` [OE-core][dunfell 4/7] curl: backport Debian patch for CVE-2024-2398 Steve Sakoman
@ 2024-04-03 3:11 ` Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 6/7] tar: bump PR to deal with sstate corruption on autobuilder Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 7/7] perf: " Steve Sakoman
6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw)
To: openembedded-core
From: virendra thakur <thakur.virendra1810@gmail.com>
PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
optional and can be NULL even if the "type" is a valid value. OpenSSL
was not properly accounting for this and a NULL dereference can occur
causing a crash.
Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../openssl/openssl/CVE-2024-0727.patch | 122 ++++++++++++++++++
.../openssl/openssl_1.1.1w.bb | 1 +
2 files changed, 123 insertions(+)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
new file mode 100644
index 0000000000..3da6879ccb
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch
@@ -0,0 +1,122 @@
+Backport of:
+
+From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 19 Jan 2024 11:28:58 +0000
+Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
+
+PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
+optional and can be NULL even if the "type" is a valid value. OpenSSL
+was not properly accounting for this and a NULL dereference can occur
+causing a crash.
+
+CVE-2024-0727
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23362)
+
+(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
+
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c]
+
+CVE: CVE-2024-0727
+
+Signed-off-by: virendra thakur <virendrak@kpit.com>
+---
+ crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++
+ crypto/pkcs12/p12_mutl.c | 5 +++++
+ crypto/pkcs12/p12_npas.c | 5 +++--
+ crypto/pkcs7/pk7_mime.c | 7 +++++--
+ 4 files changed, 31 insertions(+), 4 deletions(-)
+
+--- a/crypto/pkcs12/p12_add.c
++++ b/crypto/pkcs12/p12_add.c
+@@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
+ PKCS12_R_CONTENT_TYPE_NOT_DATA);
+ return NULL;
+ }
++
++ if (p7->d.data == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,
++ PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
+ }
+
+@@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_
+ {
+ if (!PKCS7_type_is_encrypted(p7))
+ return NULL;
++
++ if (p7->d.encrypted == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
+ ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
+ pass, passlen,
+@@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes
+ PKCS12_R_CONTENT_TYPE_NOT_DATA);
+ return NULL;
+ }
++
++ if (p12->authsafes->d.data == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,
++ PKCS12_R_DECODE_ERROR);
++ return NULL;
++ }
++
+ return ASN1_item_unpack(p12->authsafes->d.data,
+ ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
+ }
+--- a/crypto/pkcs12/p12_mutl.c
++++ b/crypto/pkcs12/p12_mutl.c
+@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c
+ return 0;
+ }
+
++ if (p12->authsafes->d.data == NULL) {
++ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
++ return 0;
++ }
++
+ salt = p12->mac->salt->data;
+ saltlen = p12->mac->salt->length;
+ if (!p12->mac->iter)
+--- a/crypto/pkcs12/p12_npas.c
++++ b/crypto/pkcs12/p12_npas.c
+@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons
+ bags = PKCS12_unpack_p7data(p7);
+ } else if (bagnid == NID_pkcs7_encrypted) {
+ bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
+- if (!alg_get(p7->d.encrypted->enc_data->algorithm,
+- &pbe_nid, &pbe_iter, &pbe_saltlen))
++ if (p7->d.encrypted == NULL
++ || !alg_get(p7->d.encrypted->enc_data->algorithm,
++ &pbe_nid, &pbe_iter, &pbe_saltlen))
+ goto err;
+ } else {
+ continue;
+--- a/crypto/pkcs7/pk7_mime.c
++++ b/crypto/pkcs7/pk7_mime.c
+@@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p
+ {
+ STACK_OF(X509_ALGOR) *mdalgs;
+ int ctype_nid = OBJ_obj2nid(p7->type);
+- if (ctype_nid == NID_pkcs7_signed)
++ if (ctype_nid == NID_pkcs7_signed) {
++ if (p7->d.sign == NULL)
++ return 0;
+ mdalgs = p7->d.sign->md_algs;
+- else
++ } else {
+ mdalgs = NULL;
++ }
+
+ flags ^= SMIME_OLDMIME;
+
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb
index 8a53b06862..0e490eabc3 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://reproducibility.patch \
file://0001-Configure-add-2-missing-key-sorts.patch \
file://0001-Configure-do-not-tweak-mips-cflags.patch \
+ file://CVE-2024-0727.patch \
"
SRC_URI_append_class-nativesdk = " \
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 6/7] tar: bump PR to deal with sstate corruption on autobuilder
2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman
` (4 preceding siblings ...)
2024-04-03 3:11 ` [OE-core][dunfell 5/7] openssl: Fix CVE-2024-0727 Steve Sakoman
@ 2024-04-03 3:11 ` Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 7/7] perf: " Steve Sakoman
6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw)
To: openembedded-core
Testing of an SPDX patch corrupted sstate, so bump PR to work around the issue
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-extended/tar/tar_1.32.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb
index c560741599..9297480e85 100644
--- a/meta/recipes-extended/tar/tar_1.32.bb
+++ b/meta/recipes-extended/tar/tar_1.32.bb
@@ -6,6 +6,8 @@ SECTION = "base"
LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+PR = "r1"
+
SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
file://musl_dirent.patch \
file://CVE-2021-20193.patch \
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 7/7] perf: bump PR to deal with sstate corruption on autobuilder
2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman
` (5 preceding siblings ...)
2024-04-03 3:11 ` [OE-core][dunfell 6/7] tar: bump PR to deal with sstate corruption on autobuilder Steve Sakoman
@ 2024-04-03 3:11 ` Steve Sakoman
6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:11 UTC (permalink / raw)
To: openembedded-core
Testing of an SPDX patch corrupted sstate, so bump PR to work around the issue
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-kernel/perf/perf.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb
index 91bf648caa..42621e47d3 100644
--- a/meta/recipes-kernel/perf/perf.bb
+++ b/meta/recipes-kernel/perf/perf.bb
@@ -9,7 +9,7 @@ HOMEPAGE = "https://perf.wiki.kernel.org/index.php/Main_Page"
LICENSE = "GPLv2"
-PR = "r9"
+PR = "r10"
PACKAGECONFIG ??= "scripting tui libunwind"
PACKAGECONFIG[dwarf] = ",NO_DWARF=1"
--
2.34.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2024-02-13 21:43 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-13 21:43 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Thursday, February 15
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6564
The following changes since commit 18ae4fea4bf8681f9138d21124589918e336ff6b:
systemtap: Fix build with gcc-12 (2024-01-25 03:58:24 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Matthias Schmitz (1):
rsync: Fix rsync hanging when used with --relative
Ming Liu (1):
go: add a complementary fix for CVE-2023-29406
Peter Marko (1):
curl: ignore CVE-2023-42915
Vijay Anusuri (1):
ghostscript: Backport fix for CVE-2020-36773
Zahir Hussain (1):
cmake: Unset CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES
virendra thakur (2):
perl: Whitelist CVE-2023-47039
ncurses: Fix CVE-2023-29491
.../ncurses/files/CVE-2023-29491.patch | 45 +++++++
meta/recipes-core/ncurses/ncurses_6.2.bb | 3 +-
.../cmake/cmake/OEToolchainConfig.cmake | 3 +
meta/recipes-devtools/go/go-1.14.inc | 3 +-
...023-29406.patch => CVE-2023-29406-1.patch} | 0
.../go/go-1.14/CVE-2023-29406-2.patch | 114 ++++++++++++++++++
meta/recipes-devtools/perl/perl_5.30.1.bb | 4 +
...lative-when-copying-an-absolute-path.patch | 31 +++++
meta/recipes-devtools/rsync/rsync_3.1.3.bb | 1 +
.../ghostscript/CVE-2020-36773.patch | 109 +++++++++++++++++
.../ghostscript/ghostscript_9.52.bb | 1 +
meta/recipes-support/curl/curl_7.69.1.bb | 3 +
12 files changed, 315 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-29491.patch
rename meta/recipes-devtools/go/go-1.14/{CVE-2023-29406.patch => CVE-2023-29406-1.patch} (100%)
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29406-2.patch
create mode 100644 meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2020-36773.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2023-09-26 14:12 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-09-26 14:12 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for dunfell and have comments back by
end of day Thursday, September 28
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5947
The following changes since commit 8b91c463fb3546836789e1890b3c68acf69c162a:
build-appliance-image: Update to dunfell head revision (2023-09-16 11:16:49 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Archana Polampalli (1):
vim: upgrade 9.0.1592 -> 9.0.1664
Michael Opdenacker (1):
flac: fix CVE-2020-22219
Richard Purdie (1):
vim: Upgrade 9.0.1664 -> 9.0.1894
Ross Burton (1):
gcc: Fix -fstack-protector issue on aarch64
Siddharth Doshi (2):
gdb: Fix CVE-2023-39128
libxml2: Fix CVE-2023-39615
Vijay Anusuri (1):
go: Backport fix for CVE-2022-41725 and CVE-2023-24536
.../libxml/libxml2/CVE-2023-39615-0001.patch | 36 +
.../libxml/libxml2/CVE-2023-39615-0002.patch | 71 +
.../libxml/libxml2/CVE-2023-39615-pre.patch | 44 +
meta/recipes-core/libxml/libxml2_2.9.10.bb | 3 +
meta/recipes-devtools/gcc/gcc-9.5.inc | 1 +
.../gcc/gcc-9.5/CVE-2023-4039.patch | 1506 +++++++++++++++++
meta/recipes-devtools/gdb/gdb-9.1.inc | 1 +
.../gdb/gdb/0012-CVE-2023-39128.patch | 75 +
meta/recipes-devtools/go/go-1.14.inc | 7 +
.../go/go-1.14/CVE-2022-41725-pre1.patch | 85 +
.../go/go-1.14/CVE-2022-41725-pre2.patch | 97 ++
.../go/go-1.14/CVE-2022-41725-pre3.patch | 98 ++
.../go/go-1.14/CVE-2022-41725.patch | 660 ++++++++
.../go/go-1.14/CVE-2023-24536_1.patch | 134 ++
.../go/go-1.14/CVE-2023-24536_2.patch | 184 ++
.../go/go-1.14/CVE-2023-24536_3.patch | 349 ++++
.../flac/files/CVE-2020-22219.patch | 197 +++
meta/recipes-multimedia/flac/flac_1.3.3.bb | 1 +
meta/recipes-support/vim/vim.inc | 6 +-
19 files changed, 3552 insertions(+), 3 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-pre.patch
create mode 100644 meta/recipes-devtools/gcc/gcc-9.5/CVE-2023-4039.patch
create mode 100644 meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39128.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre1.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre2.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725-pre3.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41725.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24536_1.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24536_2.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24536_3.patch
create mode 100644 meta/recipes-multimedia/flac/files/CVE-2020-22219.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2023-05-11 21:28 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-05-11 21:28 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5294
The following changes since commit fd4cc8d7b5156c43d162a1a5a809fae507457ef4:
build-appliance-image: Update to dunfell head revision (2023-05-03 12:29:24 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Arturo Buzarra (1):
run-postinsts: Set dependency for ldconfig to avoid boot issues
Ashish Sharma (1):
connman: Fix CVE-2023-28488 DoS in client.c
Peter Marko (1):
libxml2: patch CVE-2023-28484 and CVE-2023-29469
Ranjitsinh Rathod (1):
libbsd: Add correct license for all packages
Shubham Kulkarni (1):
go: Security fix for CVE-2023-24538
Vivek Kumbhar (1):
freetype: fix CVE-2023-2004 integer overflowin in
tt_hvadvance_adjust() in src/truetype/ttgxvar.c
Yoann Congal (1):
linux-yocto: Exclude 294 CVEs already fixed upstream
.../connman/connman/CVE-2023-28488.patch | 54 +
.../connman/connman_1.37.bb | 1 +
.../libxml/libxml2/CVE-2023-28484.patch | 79 +
.../libxml/libxml2/CVE-2023-29469.patch | 42 +
meta/recipes-core/libxml/libxml2_2.9.10.bb | 2 +
meta/recipes-devtools/go/go-1.14.inc | 3 +
.../go/go-1.14/CVE-2023-24538-1.patch | 125 ++
.../go/go-1.14/CVE-2023-24538-2.patch | 196 ++
.../go/go-1.14/CVE-2023-24538-3.patch | 208 ++
.../run-postinsts/run-postinsts.service | 2 +-
.../freetype/freetype/CVE-2023-2004.patch | 40 +
.../freetype/freetype_2.10.1.bb | 1 +
meta/recipes-kernel/linux/cve-exclusion.inc | 1840 +++++++++++++++++
meta/recipes-kernel/linux/linux-yocto.inc | 3 +
meta/recipes-support/libbsd/libbsd_0.10.0.bb | 6 +
15 files changed, 2601 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch
create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2023-04-22 15:57 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-04-22 15:57 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5210
The following changes since commit 9aefb4e46cf4fbf14b46f9adaf3771854553e7f3:
curl: CVE-2023-27534 SFTP path ~ resolving discrepancy (2023-04-14 07:14:33 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Hitendra Prajapati (2):
curl: CVE-2023-27538 fix SSH connection too eager reuse
screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs
Peter Marko (1):
go: ignore CVE-2022-41716
Shubham Kulkarni (2):
go-runtime: Security fix for CVE-2022-41722
go: Security fix for CVE-2020-29510
Vivek Kumbhar (1):
go: fix CVE-2023-24537 Infinite loop in parsing
rajmohan r (1):
systemd: Fix CVE-2023-26604
.../systemd/systemd/CVE-2023-26604-1.patch | 115 ++++++++
.../systemd/systemd/CVE-2023-26604-2.patch | 264 ++++++++++++++++++
.../systemd/systemd/CVE-2023-26604-3.patch | 182 ++++++++++++
.../systemd/systemd/CVE-2023-26604-4.patch | 32 +++
meta/recipes-core/systemd/systemd_244.5.bb | 4 +
meta/recipes-devtools/go/go-1.14.inc | 7 +
.../go/go-1.14/CVE-2020-29510.patch | 65 +++++
.../go/go-1.14/CVE-2022-41722-1.patch | 53 ++++
.../go/go-1.14/CVE-2022-41722-2.patch | 104 +++++++
.../go/go-1.14/CVE-2023-24537.patch | 76 +++++
.../screen/screen/CVE-2023-24626.patch | 40 +++
meta/recipes-extended/screen/screen_4.8.0.bb | 1 +
.../curl/curl/CVE-2023-27538.patch | 31 ++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
14 files changed, 975 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch
create mode 100644 meta/recipes-extended/screen/screen/CVE-2023-24626.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2023-04-04 2:39 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-04-04 2:39 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5141
The following changes since commit 1c7d555379c4b0962bccd018870989050d87675f:
classes/package: Use gzip for extended package data (2023-03-27 16:29:20 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Geoffrey GIRY (1):
cve-check: Fix false negative version issue
Hitendra Prajapati (2):
curl: CVE-2023-23916 HTTP multi-header compression denial of service
qemu: fix compile error which imported by CVE-2022-4144
Martin Jansa (1):
bmap-tools: switch to main branch
Randy MacLeod (1):
vim: upgrade 9.0.1403 -> 9.0.1429
Shubham Kulkarni (1):
go-runtime: Security fix for CVE-2022-41723
Vijay Anusuri (1):
git: Security fix for CVE-2023-22490 and CVE-2023-23946
meta/classes/cve-check.bbclass | 5 +-
meta/lib/oe/cve_check.py | 37 +++
meta/lib/oeqa/selftest/cases/cve_check.py | 19 ++
.../git/files/CVE-2023-22490-1.patch | 179 +++++++++++++
.../git/files/CVE-2023-22490-2.patch | 122 +++++++++
.../git/files/CVE-2023-22490-3.patch | 154 ++++++++++++
.../git/files/CVE-2023-23946.patch | 184 ++++++++++++++
meta/recipes-devtools/git/git.inc | 4 +
meta/recipes-devtools/go/go-1.14.inc | 1 +
.../go/go-1.14/CVE-2022-41723.patch | 156 ++++++++++++
meta/recipes-devtools/qemu/qemu.inc | 1 +
...ass-requested-buffer-size-to-qxl_phy.patch | 236 ++++++++++++++++++
.../bmap-tools/bmap-tools_3.5.bb | 2 +-
.../curl/curl/CVE-2023-23916.patch | 231 +++++++++++++++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
meta/recipes-support/vim/vim.inc | 4 +-
16 files changed, 1332 insertions(+), 4 deletions(-)
create mode 100644 meta/recipes-devtools/git/files/CVE-2023-22490-1.patch
create mode 100644 meta/recipes-devtools/git/files/CVE-2023-22490-2.patch
create mode 100644 meta/recipes-devtools/git/files/CVE-2023-22490-3.patch
create mode 100644 meta/recipes-devtools/git/files/CVE-2023-23946.patch
create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41723.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch
--
2.34.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2022-12-01 15:25 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-12-01 15:25 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4565
The following changes since commit 408bf1b4bb4f4ed126c17fb3676f9fa0513065ba:
sstate: Account for reserved characters when shortening sstate filenames (2022-11-23 00:26:19 +0000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Alexander Kanavin (1):
linux-firmware: upgrade 20220913 -> 20221012
Chen Qi (1):
kernel.bbclass: make KERNEL_DEBUG_TIMESTAMPS work at rebuild
Dmitry Baryshkov (1):
linux-firmware: upgrade 20221012 -> 20221109
Mike Crowe (1):
kernel: improve transformation from KERNEL_IMAGETYPE_FOR_MAKE
Ross Burton (1):
pixman: backport fix for CVE-2022-44638
Vivek Kumbhar (1):
qemu: fix CVE-2021-20196 block fdc null pointer dereference may lead
to guest crash
Wang Mingyu (1):
mobile-broadband-provider-info: upgrade 20220725 -> 20221107
meta/classes/kernel.bbclass | 29 ++++++++-
.../mobile-broadband-provider-info_git.bb | 4 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2021-20196.patch | 62 +++++++++++++++++++
.../xorg-lib/pixman/CVE-2022-44638.patch | 34 ++++++++++
.../xorg-lib/pixman_0.38.4.bb | 1 +
...20220913.bb => linux-firmware_20221109.bb} | 6 +-
7 files changed, 129 insertions(+), 8 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-20196.patch
create mode 100644 meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220913.bb => linux-firmware_20221109.bb} (99%)
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2022-10-24 14:24 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-10-24 14:24 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4364
The following changes since commit aa9d0c2b777c10bb6c68b0232d54cbcd1af1493f:
qemu: Avoid accidental librdmacm linkage (2022-10-12 05:13:44 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (2):
linux-yocto/5.4: update to v5.4.216
linux-yocto/5.4: update to v5.4.219
Omkar (1):
dbus: upgrade 1.12.22 -> 1.12.24
Paul Eggleton (1):
classes/kernel-fitimage: add ability to add additional signing options
Steve Sakoman (2):
devtool: add HostKeyAlgorithms option to ssh and scp commands
selftest: skip virgl test on all Alma Linux
wangmy (1):
dbus: upgrade 1.12.20 -> 1.12.22
meta/classes/kernel-fitimage.bbclass | 6 ++++-
meta/lib/oeqa/selftest/cases/devtool.py | 2 +-
meta/lib/oeqa/selftest/cases/runtime_test.py | 4 ++--
...s-test_1.12.20.bb => dbus-test_1.12.24.bb} | 0
meta/recipes-core/dbus/dbus.inc | 3 +--
.../dbus/{dbus_1.12.20.bb => dbus_1.12.24.bb} | 0
.../linux/linux-yocto-rt_5.4.bb | 6 ++---
.../linux/linux-yocto-tiny_5.4.bb | 8 +++----
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +++++++++----------
scripts/lib/devtool/deploy.py | 8 +++----
10 files changed, 31 insertions(+), 28 deletions(-)
rename meta/recipes-core/dbus/{dbus-test_1.12.20.bb => dbus-test_1.12.24.bb} (100%)
rename meta/recipes-core/dbus/{dbus_1.12.20.bb => dbus_1.12.24.bb} (100%)
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2022-09-08 2:28 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-09-08 2:28 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Friday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4200
The following changes since commit 345193f36d08cfe4899c65e8edf3f79db09c50d2:
relocate_sdk.py: ensure interpreter size error causes relocation to fail (2022-08-29 05:02:16 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Hitendra Prajapati (1):
sqlite: CVE-2022-35737 assertion failure
Joshua Watt (1):
classes: cve-check: Get shared database lock
Ranjitsinh Rathod (2):
libarchive: Fix CVE-2021-23177 issue
libarchive: Fix CVE-2021-31566 issue
Richard Purdie (1):
vim: Upgrade 9.0.0242 -> 9.0.0341
Robert Joslyn (1):
curl: Backport patch for CVE-2022-35252
Ross Burton (1):
cve-check: close cursors as soon as possible
meta/classes/cve-check.bbclass | 36 ++--
.../recipes-core/meta/cve-update-db-native.bb | 51 ++---
.../libarchive/CVE-2021-23177.patch | 183 ++++++++++++++++++
.../libarchive/CVE-2021-31566-01.patch | 23 +++
.../libarchive/CVE-2021-31566-02.patch | 172 ++++++++++++++++
.../libarchive/libarchive_3.4.2.bb | 3 +
.../curl/curl/CVE-2022-35252.patch | 72 +++++++
meta/recipes-support/curl/curl_7.69.1.bb | 1 +
.../sqlite/files/CVE-2022-35737.patch | 29 +++
meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 1 +
meta/recipes-support/vim/vim.inc | 4 +-
11 files changed, 535 insertions(+), 40 deletions(-)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-23177.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-01.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2021-31566-02.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-35252.patch
create mode 100644 meta/recipes-support/sqlite/files/CVE-2022-35737.patch
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2022-07-29 15:24 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-07-29 15:24 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3993
The following changes since commit 3f40d5f095ceb099b604750db96058df00fcd49e:
build-appliance-image: Update to dunfell head revision (2022-07-25 15:09:15 +0100)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Hitendra Prajapati (5):
gnupg: CVE-2022-34903 possible signature forgery via injection into
the status line
grub2: Fix buffer underflow write in the heap
qemu: CVE-2022-35414 can perform an uninitialized read on the
translate_fail path, leading to an io_readx or io_writex crash
libTiff: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 DoS from Divide By
Zero Error
libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections
LUIS ENRIQUEZ (1):
kernel-fitimage.bbclass: add padding algorithm property in config
nodes
Sana.Kazi (1):
libjpeg-turbo: Fix CVE-2021-46822
meta/classes/kernel-fitimage.bbclass | 5 +
.../grub/files/CVE-2021-3695.patch | 178 +++++++++++++++++
.../grub/files/CVE-2021-3696.patch | 46 +++++
.../grub/files/CVE-2021-3697.patch | 82 ++++++++
meta/recipes-bsp/grub/grub2.inc | 5 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2022-35414.patch | 53 +++++
.../libtirpc/libtirpc/CVE-2021-46828.patch | 155 +++++++++++++++
.../libtirpc/libtirpc_1.2.6.bb | 4 +-
.../jpeg/files/CVE-2021-46822.patch | 133 +++++++++++++
.../jpeg/libjpeg-turbo_2.0.4.bb | 1 +
...022-2056-CVE-2022-2057-CVE-2022-2058.patch | 183 ++++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 1 +
.../gnupg/gnupg/CVE-2022-34903.patch | 44 +++++
meta/recipes-support/gnupg/gnupg_2.2.27.bb | 1 +
15 files changed, 890 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3695.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3696.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3697.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch
create mode 100644 meta/recipes-extended/libtirpc/libtirpc/CVE-2021-46828.patch
create mode 100644 meta/recipes-graphics/jpeg/files/CVE-2021-46822.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-2056-CVE-2022-2057-CVE-2022-2058.patch
create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2022-34903.patch
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2022-03-30 2:27 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-03-30 2:27 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for dunfell and have comments back by end
of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3445
The following changes since commit da5cba5ec56cc437ede46d8aa71219a2a34cbe9e:
oeqa/selftest/tinfoil: Fix intermittent event loss issue in test (2022-03-26 16:25:24 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Steve Sakoman (7):
util-linux: fix CVE-2022-0563
xserver-xorg: update to 1.20.9
xserver-xorg: update to 1.20.10
xserver-xorg: update to 1.20.11
xserver-xorg: update to 1.20.12
xserver-xorg: update to 1.20.13
xserver-xorg: update to 1.20.14
.../util-linux/util-linux/CVE-2022-0563.patch | 161 ++++++++++++++++
.../util-linux/util-linux_2.35.1.bb | 1 +
.../xorg-xserver/xserver-xorg.inc | 2 +-
.../xserver-xorg/CVE-2020-14345.patch | 182 ------------------
.../xserver-xorg/CVE-2020-14346.patch | 36 ----
.../xserver-xorg/CVE-2020-14347.patch | 38 ----
.../xserver-xorg/CVE-2020-14360.patch | 132 -------------
.../xserver-xorg/CVE-2020-14361.patch | 36 ----
.../xserver-xorg/CVE-2020-14362.patch | 70 -------
.../xserver-xorg/CVE-2020-25712.patch | 102 ----------
...xorg_1.20.8.bb => xserver-xorg_1.20.14.bb} | 11 +-
11 files changed, 165 insertions(+), 606 deletions(-)
create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2022-0563.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14345.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14346.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14347.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14360.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14361.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-14362.patch
delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2020-25712.patch
rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_1.20.8.bb => xserver-xorg_1.20.14.bb} (73%)
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [OE-core][dunfell 0/7] Patch review
2021-07-15 14:07 Steve Sakoman
@ 2021-07-15 14:16 ` Andrej Valek
0 siblings, 0 replies; 22+ messages in thread
From: Andrej Valek @ 2021-07-15 14:16 UTC (permalink / raw)
To: steve; +Cc: openembedded-core
Hello Steve,
Busybox patch looks fine.
Cheers,
Andrej
> Please review this next set of patches for dunfell and have comments back by end of day Monday.
>
> Passed a-full on autobuilder:
>
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fautobuilder.yoctoproject.org%2Ftyphoon%2F%23%2Fbuilders%2F83%2Fbuilds%2F2350&data=04%7C01%7Candrej.valek%40siemens.com%> 7C0b3180079754416d5b4808d9479a07ea%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637619549152185601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lHIY6jrIIjgQrMFGZI5aGHjaqK4A5Y17uptGKbI%2ByXQ%3D&reserved=0
>
> The following changes since commit cfd74f2bae51413d9c327e0f08ecf751325c2d74:
>
> report-error: Drop pointless inherit (2021-07-11 06:19:43 -1000)
>
> are available in the Git repository at:
>
> git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcgit.openembedded.org%2Fopenembedded-core-contrib%2Flog%2F%3Fh%3Dstable%2Fdunfell-nut&data=04%7C01%7Candrej.valek%40siemens.com%7C0b3180079754416d5b4808d9479a07ea%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637619549152185601%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=RqxpOBjsL%2B6GJnZwWtQ7KHLi%2FAcp1A0KZza9ow9p%2FPc%3D&reserved=0
> Andrej Valek (1):
> busybox: add tmpdir option into mktemp applet
>
> Richard Purdie (3):
> pseudo: Add uninative configuration sanity check
> pseudo: Update to latest version including statx fix
> sstate: Drop pseudo exclusion
>
> Steve Sakoman (3):
> bluez: fix CVE-2021-3588
> gstreamer-plugins-base: ignore CVE-2021-3522 since it is fixed
> gstreamer-plugins-good: ignore CVE-2021-3497/8 since they are fixed
>
> meta/classes/sstate.bbclass | 2 -
> meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
> .../bluez5/bluez5/CVE-2021-3588.patch | 34 ++++++++
> .../0001-mktemp-add-tmpdir-option.patch | 81 +++++++++++++++++++
> meta/recipes-core/busybox/busybox_1.31.1.bb | 1 +
> meta/recipes-devtools/pseudo/pseudo.inc | 13 +++
> meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
> .../gstreamer1.0-plugins-base_1.16.3.bb | 4 +
> .../gstreamer1.0-plugins-good_1.16.3.bb | 5 ++
> 9 files changed, 140 insertions(+), 3 deletions(-) create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-> 2021-3588.patch
> create mode 100644 meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch
>
> --
> 2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2021-07-15 14:07 Steve Sakoman
2021-07-15 14:16 ` Andrej Valek
0 siblings, 1 reply; 22+ messages in thread
From: Steve Sakoman @ 2021-07-15 14:07 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2350
The following changes since commit cfd74f2bae51413d9c327e0f08ecf751325c2d74:
report-error: Drop pointless inherit (2021-07-11 06:19:43 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Andrej Valek (1):
busybox: add tmpdir option into mktemp applet
Richard Purdie (3):
pseudo: Add uninative configuration sanity check
pseudo: Update to latest version including statx fix
sstate: Drop pseudo exclusion
Steve Sakoman (3):
bluez: fix CVE-2021-3588
gstreamer-plugins-base: ignore CVE-2021-3522 since it is fixed
gstreamer-plugins-good: ignore CVE-2021-3497/8 since they are fixed
meta/classes/sstate.bbclass | 2 -
meta/recipes-connectivity/bluez5/bluez5.inc | 1 +
.../bluez5/bluez5/CVE-2021-3588.patch | 34 ++++++++
.../0001-mktemp-add-tmpdir-option.patch | 81 +++++++++++++++++++
meta/recipes-core/busybox/busybox_1.31.1.bb | 1 +
meta/recipes-devtools/pseudo/pseudo.inc | 13 +++
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
.../gstreamer1.0-plugins-base_1.16.3.bb | 4 +
.../gstreamer1.0-plugins-good_1.16.3.bb | 5 ++
9 files changed, 140 insertions(+), 3 deletions(-)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2021-3588.patch
create mode 100644 meta/recipes-core/busybox/busybox/0001-mktemp-add-tmpdir-option.patch
--
2.25.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2020-09-18 16:15 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2020-09-18 16:15 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back
by end of day Monday.
The following changes since commit b98e50f08b2bcf61fbc75ea1b0ad83a17c0a736a:
cve-check: avoid FileNotFoundError if no do_cve_check task has run (2020-09-14 04:26:37 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Christophe GUIBOUT (1):
initramfs-framework: support kernel cmdline with double quotes
Geoff Parker (1):
systemd-serialgetty: Replace sed quoting using ' with " to allow var
expansion
Khem Raj (1):
populate_sdk_ext: Do not assume local.conf will always exist
Michael Gloff (1):
sysvinit: Remove ${B} assignment
Pierre-Jean Texier (1):
libubootenv: upgrade 0.3 -> 0.3.1
Rahul Kumar (1):
systemd-serialgetty: Fix sed expression quoting
Steve Sakoman (1):
Revert "kernel.bbclass: run do_symlink_kernsrc before do_patch"
meta/classes/kernel.bbclass | 2 +-
meta/classes/populate_sdk_ext.bbclass | 5 +++--
.../{libubootenv_0.3.bb => libubootenv_0.3.1.bb} | 2 +-
.../initrdscripts/initramfs-framework/init | 13 +++++++++++++
meta/recipes-core/systemd/systemd-serialgetty.bb | 4 ++--
meta/recipes-core/sysvinit/sysvinit_2.96.bb | 1 -
6 files changed, 20 insertions(+), 7 deletions(-)
rename meta/recipes-bsp/u-boot/{libubootenv_0.3.bb => libubootenv_0.3.1.bb} (94%)
--
2.17.1
^ permalink raw reply [flat|nested] 22+ messages in thread
* [OE-core][dunfell 0/7] Patch review
@ 2020-08-17 15:11 Steve Sakoman
0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2020-08-17 15:11 UTC (permalink / raw)
To: openembedded-core
Please review this next set of patches for dunfell and have comments back
by end of day Wednesday.
Passed a-full on autobuilder (other than 500 server error posting report for qemumips-alt):
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/1265
The following changes since commit b95d6aeafb70765e22d2e1254e749a48f508d489:
uninative: Handle PREMIRRORS generically (2020-08-09 09:26:54 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Bruce Ashfield (3):
linux-yocto-rt/5.4: update to rt32
linux-yocto/5.4: update to v5.4.56
linux-yocto/5.4: update to v5.4.57
Khem Raj (4):
glibc: Bring in CVE fixes and other bugfixes from 2.31 release branch
gcc-9.3.inc: Mark CVE-2019-15847 as fixed
go: update 1.14.4 -> 1.14.6
go: Upgrade to 1.14.7
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../glibc/0016-Add-unused-attribute.patch | 31 ---
.../glibc/glibc/CVE-2020-6096.patch | 112 ----------
.../glibc/glibc/CVE-2020-6096_2.patch | 194 ------------------
meta/recipes-core/glibc/glibc_2.31.bb | 5 +-
meta/recipes-devtools/gcc/gcc-9.3.inc | 2 +
meta/recipes-devtools/go/go-1.14.inc | 5 +-
.../linux/linux-yocto-rt_5.4.bb | 6 +-
.../linux/linux-yocto-tiny_5.4.bb | 8 +-
meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +-
10 files changed, 24 insertions(+), 363 deletions(-)
delete mode 100644 meta/recipes-core/glibc/glibc/0016-Add-unused-attribute.patch
delete mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096.patch
delete mode 100644 meta/recipes-core/glibc/glibc/CVE-2020-6096_2.patch
--
2.17.1
^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2024-04-03 3:12 UTC | newest]
Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-03 3:11 [OE-core][dunfell 0/7] Patch review Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 1/7] libtiff: backport Debian patch for CVE-2023-6277 & CVE-2023-52356 Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 2/7] go: Fix for CVE-2023-45289 CVE-2023-45290 & CVE-2024-24785 Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 3/7] tar: Fix for CVE-2023-39804 Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 4/7] curl: backport Debian patch for CVE-2024-2398 Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 5/7] openssl: Fix CVE-2024-0727 Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 6/7] tar: bump PR to deal with sstate corruption on autobuilder Steve Sakoman
2024-04-03 3:11 ` [OE-core][dunfell 7/7] perf: " Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2024-02-13 21:43 [OE-core][dunfell 0/7] Patch review Steve Sakoman
2023-09-26 14:12 Steve Sakoman
2023-05-11 21:28 Steve Sakoman
2023-04-22 15:57 Steve Sakoman
2023-04-04 2:39 Steve Sakoman
2022-12-01 15:25 Steve Sakoman
2022-10-24 14:24 Steve Sakoman
2022-09-08 2:28 Steve Sakoman
2022-07-29 15:24 Steve Sakoman
2022-03-30 2:27 Steve Sakoman
2021-07-15 14:07 Steve Sakoman
2021-07-15 14:16 ` Andrej Valek
2020-09-18 16:15 Steve Sakoman
2020-08-17 15:11 Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.