[hardknott 0/7] Patch review July 15th

[hardknott 0/7] Patch review July 15th

[Armin Kuster]

Please have comments back by Friday

The following changes since commit c51e79dd854460c6f6949a187970d05362152e84:

  python3-django: upgrade 2.2.23 -> 2.2.24 (2021-06-27 07:50:20 -0700)

are available in the Git repository at:

  git://git.openembedded.org/meta-openembedded-contrib stable/hardknott-nut
  http://cgit.openembedded.org/meta-openembedded-contrib/log/?h=stable/hardknott-nut

Adrian Zaharia (1):
  ntp: fix ntpdate to wait for subprocesses

Akifumi Chikazawa (1):
  openvpn: add CVE-2020-7224 and CVE-2020-27569 to allowlist

Changqing Li (1):
  nginx: fix CVE-2021-23017

Li Wang (1):
  apache2: fix CVE-2020-13950 CVE-2020-35452 CVE-2021-26690
    CVE-2021-26691 CVE-2021-30641

Masaki Ambai (1):
  nss: add CVE-2006-5201 to allowlist

Sam Van Den Berge (1):
  libiio: fix installing libiio when python3 bindings are enabled

massimo toscanelli (1):
  sysbench: fix memory test

 .../recipes-support/ntp/ntp/ntpdate           |  5 ++
 .../recipes-support/openvpn/openvpn_2.5.2.bb  |  3 +
 ...modifier-to-tmp-variable-in-memory-t.patch | 40 +++++++++++
 .../sysbench/sysbench_0.4.12.bb               |  4 +-
 ...rify-whether-libiio-is-installed-whe.patch | 37 +++++++++++
 meta-oe/recipes-support/libiio/libiio_git.bb  |  4 +-
 meta-oe/recipes-support/nss/nss_3.64.bb       |  3 +
 .../apache2/apache2/CVE-2020-13950.patch      | 45 +++++++++++++
 .../apache2/apache2/CVE-2020-35452.patch      | 49 ++++++++++++++
 .../apache2/apache2/CVE-2021-26690.patch      | 39 +++++++++++
 .../apache2/apache2/CVE-2021-26691.patch      | 35 ++++++++++
 .../apache2/apache2/CVE-2021-30641.patch      | 66 +++++++++++++++++++
 .../recipes-httpd/apache2/apache2_2.4.46.bb   |  5 ++
 .../nginx/files/CVE-2021-23017.patch          | 46 +++++++++++++
 meta-webserver/recipes-httpd/nginx/nginx.inc  |  1 +
 15 files changed, 380 insertions(+), 2 deletions(-)
 create mode 100644 meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch
 create mode 100644 meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch
 create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch
 create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch
 create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch
 create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch
 create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch
 create mode 100644 meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch

-- 
2.25.1

[hardknott 1/7] nginx: fix CVE-2021-23017

[Armin Kuster]

From: Changqing Li <changqing.li@windriver.com>

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../nginx/files/CVE-2021-23017.patch          | 46 +++++++++++++++++++
 meta-webserver/recipes-httpd/nginx/nginx.inc  |  1 +
 2 files changed, 47 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch

diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch
new file mode 100644
index 0000000000..a708033775
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-23017.patch
@@ -0,0 +1,46 @@
+From 7199ebc203f74fd9e44595474de6bdc41740c5cf Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Tue, 25 May 2021 15:17:36 +0300
+Subject: [PATCH] Resolver: fixed off-by-one write in ngx_resolver_copy().
+
+Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.
+
+Upstream-Status: Backport
+CVE: CVE-2021-23017
+
+Reference to upstream patch:
+https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/core/ngx_resolver.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index 79390701..63b26193 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -4008,15 +4008,15 @@ done:
+             n = *src++;
+ 
+         } else {
++            if (dst != name->data) {
++                *dst++ = '.';
++            }
++
+             ngx_strlow(dst, src, n);
+             dst += n;
+             src += n;
+ 
+             n = *src++;
+-
+-            if (n != 0) {
+-                *dst++ = '.';
+-            }
+         }
+ 
+         if (n == 0) {
+-- 
+2.17.1
+
diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc
index de080a2b01..a4583ed8f8 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx.inc
+++ b/meta-webserver/recipes-httpd/nginx/nginx.inc
@@ -22,6 +22,7 @@ SRC_URI = " \
     file://nginx-volatile.conf \
     file://nginx.service \
     file://nginx-fix-pidfile.patch \
+    file://CVE-2021-23017.patch \
 "
 
 inherit siteinfo update-rc.d useradd systemd
-- 
2.25.1

[hardknott 2/7] apache2: fix CVE-2020-13950 CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641

[Armin Kuster]

From: Li Wang <li.wang@windriver.com>

CVE-2020-13950:
Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be
made to crash (NULL pointer dereference) with specially crafted
requests using both Content-Length and Transfer-Encoding headers,
leading to a Denial of Service

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-13950

Upstream patches:
https://bugzilla.redhat.com/show_bug.cgi?id=1966738
https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b

CVE-2020-35452:
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially
crafted Digest nonce can cause a stack overflow in
mod_auth_digest. There is no report of this overflow
being exploitable, nor the Apache HTTP Server team could
create one, though some particular compiler and/or
compilation option might make it possible, with limited
consequences anyway due to the size (a single byte) and
the value (zero byte) of the overflow

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-35452

Upstream patches:
https://security-tracker.debian.org/tracker/CVE-2020-35452
https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b

CVE-2021-26690:
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially
crafted Cookie header handled by mod_session can cause
a NULL pointer dereference and crash, leading to a
possible Denial Of Service

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26690

Upstream patches:
https://security-tracker.debian.org/tracker/CVE-2021-26690
https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8

CVE-2021-26691:
In Apache HTTP Server versions 2.4.0 to 2.4.46 a
specially crafted SessionHeader sent by an origin server
could cause a heap overflow

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26691

Upstream patches:
https://bugzilla.redhat.com/show_bug.cgi?id=1966732
https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b

CVE-2021-30641:
Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected
matching behavior with 'MergeSlashes OFF'

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-30641

Upstream patches:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641
https://github.com/apache/httpd/commit/6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../apache2/apache2/CVE-2020-13950.patch      | 45 +++++++++++++
 .../apache2/apache2/CVE-2020-35452.patch      | 49 ++++++++++++++
 .../apache2/apache2/CVE-2021-26690.patch      | 39 +++++++++++
 .../apache2/apache2/CVE-2021-26691.patch      | 35 ++++++++++
 .../apache2/apache2/CVE-2021-30641.patch      | 66 +++++++++++++++++++
 .../recipes-httpd/apache2/apache2_2.4.46.bb   |  5 ++
 6 files changed, 239 insertions(+)
 create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch
 create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch
 create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch
 create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch
 create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch

diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch
new file mode 100644
index 0000000000..4eb6b85b1a
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch
@@ -0,0 +1,45 @@
+From 8c162db8b65b2193e622b780e8c6516d4265f68b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 11 May 2015 15:48:58 +0000
+Subject: [PATCH] mod_proxy_http: follow up to r1656259. The proxy connection
+ may be NULL during prefetch, don't try to dereference it! Still
+ origin->keepalive will be set according to p_conn->close by the caller
+ (proxy_http_handler).
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1678771 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport
+CVE: CVE-2020-35504
+
+Reference to upstream patch:
+https://bugzilla.redhat.com/show_bug.cgi?id=1966738
+https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ modules/proxy/mod_proxy_http.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index ec1e042..5f507d5 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -570,7 +570,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
+     apr_off_t bytes;
+     int force10, rv;
+     apr_read_type_e block;
+-    conn_rec *origin = p_conn->connection;
+ 
+     if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
+         if (req->expecting_100) {
+@@ -630,7 +629,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
+                       "chunked body with Content-Length (C-L ignored)",
+                       c->client_ip, c->remote_host ? c->remote_host: "");
+         req->old_cl_val = NULL;
+-        origin->keepalive = AP_CONN_CLOSE;
+         p_conn->close = 1;
+     }
+ 
+-- 
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch
new file mode 100644
index 0000000000..001ca9252d
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch
@@ -0,0 +1,49 @@
+From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 18 Jan 2021 17:39:12 +0000
+Subject: [PATCH] Merge r1885659 from trunk:
+
+mod_auth_digest: Fast validation of the nonce's base64 to fail early if
+                 the format can't match anyway.
+
+Submitted by: ylavic
+Reviewed by: ylavic, covener, jailletc36
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport
+CVE: CVE-2020-35452
+
+Reference to upstream patch:
+https://security-tracker.debian.org/tracker/CVE-2020-35452
+https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ modules/aaa/mod_auth_digest.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
+index b760941..0825b1b 100644
+--- a/modules/aaa/mod_auth_digest.c
++++ b/modules/aaa/mod_auth_digest.c
+@@ -1422,9 +1422,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
+     time_rec nonce_time;
+     char tmp, hash[NONCE_HASH_LEN+1];
+ 
+-    if (strlen(resp->nonce) != NONCE_LEN) {
++    /* Since the time part of the nonce is a base64 encoding of an
++     * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
++     */
++    if (strlen(resp->nonce) != NONCE_LEN
++            || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
+         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
+-                      "invalid nonce %s received - length is not %d",
++                      "invalid nonce '%s' received - length is not %d "
++                      "or time encoding is incorrect",
+                       resp->nonce, NONCE_LEN);
+         note_digest_auth_failure(r, conf, resp, 1);
+         return HTTP_UNAUTHORIZED;
+-- 
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch
new file mode 100644
index 0000000000..d3aea9e122
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch
@@ -0,0 +1,39 @@
+From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 1 Mar 2021 20:07:08 +0000
+Subject: [PATCH] mod_session: save one apr_strtok() in
+ session_identity_decode().
+
+When the encoding is invalid (missing '='), no need to parse further.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport
+CVE: CVE-2021-26690
+
+Reference to upstream patch:
+https://security-tracker.debian.org/tracker/CVE-2021-26690
+https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ modules/session/mod_session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index ebd05b0..af70f6b 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -404,8 +404,8 @@ static apr_status_t session_identity_decode(request_rec * r, session_rec * z)
+         char *plast = NULL;
+         const char *psep = "=";
+         char *key = apr_strtok(pair, psep, &plast);
+-        char *val = apr_strtok(NULL, psep, &plast);
+         if (key && *key) {
++            char *val = apr_strtok(NULL, sep, &plast);
+             if (!val || !*val) {
+                 apr_table_unset(z->entries, key);
+             }
+-- 
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch
new file mode 100644
index 0000000000..f9cf868d01
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch
@@ -0,0 +1,35 @@
+From 7e09dd714fc62c08c5b0319ed7b9702594faf49b Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 1 Mar 2021 20:13:54 +0000
+Subject: [PATCH] mod_session: account for the '&' in identity_concat().
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport
+CVE: CVE-2021-26691
+
+Reference to upstream patch:
+https://bugzilla.redhat.com/show_bug.cgi?id=1966732
+https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ modules/session/mod_session.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index 7ee477c..ebd05b0 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
+ static int identity_count(void *v, const char *key, const char *val)
+ {
+     int *count = v;
+-    *count += strlen(key) * 3 + strlen(val) * 3 + 1;
++    *count += strlen(key) * 3 + strlen(val) * 3 + 2;
+     return 1;
+ }
+ 
+-- 
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch
new file mode 100644
index 0000000000..7f74c85e33
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch
@@ -0,0 +1,66 @@
+From 6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 21 Apr 2021 01:02:11 +0000
+Subject: [PATCH] legacy default slash-matching behavior w/ 'MergeSlashes OFF'
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889036 13f79535-47bb-0310-9956-ffa450edef68
+
+Upstream-Status: Backport
+CVE: CVE-2021-30641
+
+Reference to upstream patch:
+https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641
+https://github.com/apache/httpd/commit/6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ server/request.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/server/request.c b/server/request.c
+index d5c558a..18625af 100644
+--- a/server/request.c
++++ b/server/request.c
+@@ -1419,7 +1419,20 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+ 
+     cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
+     cached = (cache->cached != NULL);
+-    entry_uri = r->uri;
++
++   /*
++    * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri
++    * have not been merged. But for Location walks we always go with merged
++    * slashes no matter what merge_slashes is set to.
++    */
++    if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
++        entry_uri = r->uri;
++    }
++    else {
++        char *uri = apr_pstrdup(r->pool, r->uri);
++        ap_no2slash(uri);
++        entry_uri = uri;
++    }
+ 
+     /* If we have an cache->cached location that matches r->uri,
+      * and the vhost's list of locations hasn't changed, we can skip
+@@ -1486,7 +1499,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+                     pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
+                 }
+ 
+-                if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
++                if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
+                     continue;
+                 }
+ 
+@@ -1496,7 +1509,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
+                         apr_table_setn(r->subprocess_env,
+                                        ((const char **)entry_core->refs->elts)[i],
+                                        apr_pstrndup(r->pool,
+-                                       entry_uri + pmatch[i].rm_so,
++                                       r->uri + pmatch[i].rm_so,
+                                        pmatch[i].rm_eo - pmatch[i].rm_so));
+                     }
+                 }
+-- 
+2.7.4
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
index 197cb83e64..4fc1f16317 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
@@ -15,6 +15,11 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
            file://0007-apache2-allow-to-disable-selinux-support.patch \
            file://apache-configure_perlbin.patch \
            file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \
+           file://CVE-2020-13950.patch \
+           file://CVE-2020-35452.patch \
+           file://CVE-2021-26690.patch \
+           file://CVE-2021-26691.patch \
+           file://CVE-2021-30641.patch \
           "
 
 SRC_URI_append_class-target = " \
-- 
2.25.1

[hardknott 3/7] openvpn: add CVE-2020-7224 and CVE-2020-27569 to allowlist

[Armin Kuster]

From: Akifumi Chikazawa <chikazawa.akifu@fujitsu.com>

CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client,
not for openvpn.

Signed-off-by: Akifumi Chikazawa <chikazawa.akifu@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d49e96aac4616c439a2d778b95a793037dac884e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb b/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb
index f82107dbee..646f0387ad 100644
--- a/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.5.2.bb
@@ -17,6 +17,9 @@ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
 SRC_URI[md5sum] = "7643f135b49aee49df7d83c1f434dc4e"
 SRC_URI[sha256sum] = "b9d295988b34e39964ac475b619c3585d667b36c350cf1adec19e5e3c843ba11"
 
+# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
+CVE_CHECK_WHITELIST += "CVE-2020-7224 CVE-2020-27569"
+
 SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service"
 SYSTEMD_AUTO_ENABLE = "disable"
 
-- 
2.25.1

[hardknott 4/7] nss: add CVE-2006-5201 to allowlist

[Armin Kuster]

From: Masaki Ambai <ambai.masaki@fujitsu.com>

CVE-2006-5201 affects only using an RSA key with exponent 3 on Sun Solaris.

Signed-off-by: Masaki Ambai <ambai.masaki@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 44113dcb5feea5522696d43d00909db41e5e6dbc)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-oe/recipes-support/nss/nss_3.64.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-support/nss/nss_3.64.bb b/meta-oe/recipes-support/nss/nss_3.64.bb
index 9c4c03df99..97193aff5c 100644
--- a/meta-oe/recipes-support/nss/nss_3.64.bb
+++ b/meta-oe/recipes-support/nss/nss_3.64.bb
@@ -282,3 +282,6 @@ FILES_${PN}-dev = "\
 RDEPENDS_${PN}-smime = "perl"
 
 BBCLASSEXTEND = "native nativesdk"
+
+# CVE-2006-5201 affects only Sun Solaris
+CVE_CHECK_WHITELIST += "CVE-2006-5201"
-- 
2.25.1

[hardknott 5/7] ntp: fix ntpdate to wait for subprocesses

[Armin Kuster]

From: Adrian Zaharia <Adrian.Zaharia@windriver.com>

When using systemd, ntpdate-sync script will start in background
triggering the start of ntpd without actually exiting.
This results in an bind error in ntpd startup.

Add wait at the end of ntpdate script to ensure that when the ntpdate.service
is marked as finished the oneshot script ntpdate-sync finished and unbind the
ntp port

Fixes #386

Signed-off-by: Adrian Zaharia <Adrian.Zaharia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 73d5cd5e8d9d8a922b6a8a9d90adf0470a99314e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta-networking/recipes-support/ntp/ntp/ntpdate | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta-networking/recipes-support/ntp/ntp/ntpdate b/meta-networking/recipes-support/ntp/ntp/ntpdate
index 17b64d1335..be3bacfcd1 100755
--- a/meta-networking/recipes-support/ntp/ntp/ntpdate
+++ b/meta-networking/recipes-support/ntp/ntp/ntpdate
@@ -52,3 +52,8 @@ if [ -x /usr/bin/lockfile-create ] ; then
 fi
 
 ) &
+
+# wait for all subprocesses to finish
+# this is required when using systemd service as ntpd will start before ntpdate finishes
+# and results in a bind error (port 123)
+wait
-- 
2.25.1

[hardknott 6/7] libiio: fix installing libiio when python3 bindings are enabled

[Armin Kuster]

From: Sam Van Den Berge <sam.van.den.berge@gmail.com>

This patch fixes the following error when libiio is installed when
python3 bindings are enabled:

ERROR: Execution of '.../libiio/0.21+gitAUTOINC+565bf68ecc-r0/temp/run.do_install.2349473' failed with exit code 1:
running build
running build_py
running install
Traceback (most recent call last):
  File ".../libiio/0.21+gitAUTOINC+565bf68ecc-r0/build/bindings/python/setup.py", line 77, in _check_libiio_installed
    raise OSError
OSError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File ".../libiio/0.21+gitAUTOINC+565bf68ecc-r0/build/bindings/python/setup.py", line 106, in <module>
    setup(**config)
  File ".../libiio/0.21+gitAUTOINC+565bf68ecc-r0/recipe-sysroot-native/usr/lib/python3.9/site-packages/setuptools/__init__.py", line 153, in setup
    return distutils.core.setup(**attrs)
  File ".../libiio/0.21+gitAUTOINC+565bf68ecc-r0/recipe-sysroot-native/usr/lib/python3.9/distutils/core.py", line 148, in setup
    dist.run_commands()
  File ".../libiio/0.21+gitAUTOINC+565bf68ecc-r0/recipe-sysroot-native/usr/lib/python3.9/distutils/dist.py", line 966, in run_commands
    self.run_command(cmd)
  File ".../libiio/0.21+gitAUTOINC+565bf68ecc-r0/recipe-sysroot-native/usr/lib/python3.9/distutils/dist.py", line 985, in run_command
    cmd_obj.run()
  File ".../libiio/0.21+gitAUTOINC+565bf68ecc-r0/build/bindings/python/setup.py", line 52, in run
    self._check_libiio_installed()
  File "/libiio/0.21+gitAUTOINC+565bf68ecc-r0/build/bindings/python/setup.py", line 83, in _check_libiio_installed
    raise Exception(msg)
Exception: The libiio library could not be found.
            libiio needs to be installed first before the python bindings.
            The latest release can be found on GitHub:
            https://github.com/analogdevicesinc/libiio/releases

Some time ago a fix for this issue was already discussed here [1].
However in the same discussion also a second issue was being handled.

A fix for the second issue was merged in 51f98865da0. The first issue
didn't pop up anymore and so a fix was never applied.

Recently however after switching from build machine, I started seeing
the first issue. I suspect due to build caching the first issue didn't
pop up anymore before up until now. With this patch, fixes are now
available for both issues handled in [1].

[1]: https://github.com/openembedded/meta-openembedded/issues/248

Signed-off-by: Sam Van Den Berge <sam.van.den.berge@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...rify-whether-libiio-is-installed-whe.patch | 37 +++++++++++++++++++
 meta-oe/recipes-support/libiio/libiio_git.bb  |  4 +-
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch

diff --git a/meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch b/meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch
new file mode 100644
index 0000000000..5566aa0ffd
--- /dev/null
+++ b/meta-oe/recipes-support/libiio/files/0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch
@@ -0,0 +1,37 @@
+From 3a26f0536706fa7c241c9de986799ae440c68c8a Mon Sep 17 00:00:00 2001
+From: Julien Malik <julien.malik@unseenlabs.fr>
+Date: Mon, 27 Jul 2020 14:34:44 +0200
+Subject: [PATCH] python: Do not verify whether libiio is installed when
+ cross-compiling
+
+This should fix #561
+
+Upstream-Status: Backport
+
+Signed-off-by: Julien Malik <julien.malik@paraiso.me>
+Signed-off-by: Sam Van Den Berge <sam.van.den.berge@gmail.com>
+---
+ bindings/python/setup.py.cmakein | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/bindings/python/setup.py.cmakein b/bindings/python/setup.py.cmakein
+index cd14e2e..96d58a8 100644
+--- a/bindings/python/setup.py.cmakein
++++ b/bindings/python/setup.py.cmakein
+@@ -54,6 +54,13 @@ class InstallWrapper(install):
+         install.run(self)
+ 
+     def _check_libiio_installed(self):
++        cross_compiling = ("${CMAKE_CROSSCOMPILING}" == "TRUE")
++        if cross_compiling:
++            # When cross-compiling, we generally cannot dlopen
++            # the libiio shared lib from the build platform.
++            # Simply skip this check in that case.
++            return
++
+         from platform import system as _system
+         from ctypes import CDLL as _cdll
+         from ctypes.util import find_library
+-- 
+2.25.1
+
diff --git a/meta-oe/recipes-support/libiio/libiio_git.bb b/meta-oe/recipes-support/libiio/libiio_git.bb
index 00c016db44..d7e4cc60a9 100644
--- a/meta-oe/recipes-support/libiio/libiio_git.bb
+++ b/meta-oe/recipes-support/libiio/libiio_git.bb
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING.txt;md5=7c13b3376cea0ce68d2d2da0a1b3a72c"
 SRCREV = "565bf68eccfdbbf22cf5cb6d792e23de564665c7"
 PV = "0.21+git${SRCPV}"
 
-SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https"
+SRC_URI = "git://github.com/analogdevicesinc/libiio.git;protocol=https \
+           file://0001-python-Do-not-verify-whether-libiio-is-installed-whe.patch \
+"
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
 
 S = "${WORKDIR}/git"
-- 
2.25.1

[hardknott 7/7] sysbench: fix memory test

[Armin Kuster]

From: massimo toscanelli <massimo.toscanelli@leica-geosystems.com>

In sysbench version 0.4, the tmp variable used by the memory test to
execute requests is optimized by the compiler. Caching mechanism reduces
the direct accesses to the memory increasing the transfer speed. This
leads to false timing estimations that considerably affect read and
also random write operations.

In sysbench version 1, this issue is fixed adding the volatile modifier
to the tmp variable. This prevents compiler optimizations forcing a direct
access to the memory.

The final result is a realistic transfer speed measurement.

Signed-off-by: massimo toscanelli <massimo.toscanelli@leica-geosystems.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 59cce5ad1603c2975684ae15b639e0e3cd688c40)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...modifier-to-tmp-variable-in-memory-t.patch | 40 +++++++++++++++++++
 .../sysbench/sysbench_0.4.12.bb               |  4 +-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch

diff --git a/meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch b/meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch
new file mode 100644
index 0000000000..d628e81b56
--- /dev/null
+++ b/meta-oe/recipes-benchmark/sysbench/sysbench/0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch
@@ -0,0 +1,40 @@
+From c1ebf893e32a0a77e820484d48a903523fef7c1b Mon Sep 17 00:00:00 2001
+From: Vasily Tarasov <tarasov@vasily.name>
+Date: Fri, 10 Jun 2016 14:33:48 -0400
+Subject: [PATCH] Adding volatile modifier to tmp variable in memory test
+
+Issue explanation:
+
+./sysbench/sysbench --test=memory --num-threads=16 \
+		    --memory-block-size=268435456 \
+		    --memory-total-size=137438953472 \
+		    --memory-oper=read \
+		    --memory-access-mode=seq \
+		    --memory-scope=local run
+
+Without this commit the time to run the above command is 0.0004 seconds.
+With this commit the time is greater than 3 seconds.  Essentially,
+without the volatile modifier, the compiler optimizes read access so
+that no real access happens.
+
+Upstream-Status: Backport [part of v1.0.0 https://github.com/akopytov/sysbench/commit/8753cb93be4c0b81a20b704ced91e7a422da52b1]
+
+(cherry picked from commit 8753cb93be4c0b81a20b704ced91e7a422da52b1)
+Signed-off-by: massimo toscanelli <massimo.toscanelli@leica-geosystems.com>
+---
+ sysbench/tests/memory/sb_memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sysbench/tests/memory/sb_memory.c b/sysbench/tests/memory/sb_memory.c
+index 2e8998f..7d22bb9 100644
+--- a/sysbench/tests/memory/sb_memory.c
++++ b/sysbench/tests/memory/sb_memory.c
+@@ -244,7 +244,7 @@ sb_request_t memory_get_request(int tid)
+ int memory_execute_request(sb_request_t *sb_req, int thread_id)
+ {
+   sb_mem_request_t    *mem_req = &sb_req->u.mem_request;
+-  int                 tmp = 0;
++  volatile int        tmp = 0;
+   int                 idx; 
+   int                 *buf, *end;
+   log_msg_t           msg;
diff --git a/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb b/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb
index 708c71f4ff..d1725dddd6 100644
--- a/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb
+++ b/meta-oe/recipes-benchmark/sysbench/sysbench_0.4.12.bb
@@ -8,7 +8,9 @@ inherit autotools
 
 # The project has moved from Sourceforge to Launchpad, to Github. Use the source tarball from
 # Launchpad until the next release is available from Github.
-SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+files/${BPN}_${PV}.orig.tar.gz"
+SRC_URI = "https://launchpad.net/ubuntu/+archive/primary/+files/${BPN}_${PV}.orig.tar.gz \
+           file://0001-Adding-volatile-modifier-to-tmp-variable-in-memory-t.patch \
+           "
 
 SRC_URI[md5sum] = "3a6d54fdd3fe002328e4458206392b9d"
 SRC_URI[sha256sum] = "83fa7464193e012c91254e595a89894d8e35b4a38324b52a5974777e3823ea9e"
-- 
2.25.1