* [thud 00/12] Thud pull request
@ 2019-10-10 15:49 Armin Kuster
  2019-10-10 15:49 ` [thud 01/12] oeqa/selftest/context: ensure log directory exists Armin Kuster
                   ` (11 more replies)
  0 siblings, 12 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

Please merge these to thud mainline

Clean AB full build

The following changes since commit f5be8c8309a932cde507ba24d042880a922df0b6:

  linux-yocto/4.14: update to v4.14.143 (2019-09-24 08:28:04 -0700)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/thud-next
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/thud-next

Adrian Bunk (1):
  json-c: Don't --enable-rdrand

Andrii Bordunov via Openembedded-core (1):
  wget: Security fixes CVE-2018-20483

Armin Kuster (1):
  qemu: fix build issue on new hosts with glibc 2.30

Chen Qi (1):
  oeqa/selftest/context: ensure log directory exists

Dan Tran (3):
  qemu: Fix 4 CVEs
  unzip: fix CVE-2019-13232
  perl: Fix CVE-2018-18311 to 18314

Khem Raj (1):
  gnupg: Do not apply -Woverride-init guard for gcc >= 9

Michael Halstead (1):
  uninative: Update to 2.7 release

Sean Nyekjaer (1):
  libgpg-error: Fix build with gawk 5.x

Shubham Agrawal (2):
  elfutils: CVE fix for elfutils
  sqlite3: Security fix for CVE-2019-8457

 meta/conf/distro/include/yocto-uninative.inc       |  10 +-
 meta/lib/oeqa/selftest/context.py                  |   1 +
 meta/recipes-devtools/elfutils/elfutils_0.175.bb   |   2 +
 .../elfutils/files/CVE-2019-7664.patch             |  65 ++++
 .../elfutils/files/CVE-2019-7665.patch             | 154 +++++++++
 meta/recipes-devtools/json-c/json-c_0.13.1.bb      |   2 -
 .../perl/perl/CVE-2018-18311.patch                 | 183 +++++++++++
 .../perl/perl/CVE-2018-18312.patch                 | Bin 0 -> 2125 bytes
 .../perl/perl/CVE-2018-18313.patch                 |  60 ++++
 .../perl/perl/CVE-2018-18314.patch                 | 271 ++++++++++++++++
 meta/recipes-devtools/perl/perl_5.24.4.bb          |   4 +
 ...nux-user-assume-__NR_gettid-always-exists.patch |  49 +++
 ...rename-gettid-to-sys_gettid-to-avoid-clas.patch |  95 ++++++
 .../qemu/qemu/CVE-2018-10839.patch                 |   2 +-
 .../qemu/qemu/CVE-2018-17958.patch                 |  52 ---
 .../qemu/qemu/CVE-2018-18954.patch                 |  50 +++
 .../recipes-devtools/qemu/qemu/CVE-2019-3812.patch |  39 +++
 .../recipes-devtools/qemu/qemu/CVE-2019-6778.patch |  41 +++
 .../recipes-devtools/qemu/qemu/CVE-2019-8934.patch | 215 +++++++++++++
 meta/recipes-devtools/qemu/qemu_3.0.0.bb           |   8 +-
 .../unzip/unzip/CVE-2019-13232_p1.patch            |  33 ++
 .../unzip/unzip/CVE-2019-13232_p2.patch            | 356 +++++++++++++++++++++
 .../unzip/unzip/CVE-2019-13232_p3.patch            | 121 +++++++
 meta/recipes-extended/unzip/unzip_6.0.bb           |   3 +
 .../wget/wget/CVE-2018-20483_p1.patch              |  73 +++++
 .../wget/wget/CVE-2018-20483_p2.patch              | 127 ++++++++
 meta/recipes-extended/wget/wget_1.19.5.bb          |   2 +
 ...1-Woverride-init-is-not-needed-with-gcc-9.patch |  31 ++
 ...c-use-a-custom-value-for-the-location-of-.patch |   6 +-
 meta/recipes-support/gnupg/gnupg/relocate.patch    |   2 +-
 meta/recipes-support/gnupg/gnupg_2.2.12.bb         |   3 +-
 .../libgpg-error-1.35-gawk5-support.patch          | 161 ++++++++++
 .../libgpg-error/libgpg-error_1.32.bb              |   1 +
 .../sqlite/files/CVE-2019-8457.patch               | 126 ++++++++
 meta/recipes-support/sqlite/sqlite3_3.23.1.bb      |   1 +
 35 files changed, 2283 insertions(+), 66 deletions(-)
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18311.patch
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18312.patch
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18313.patch
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18314.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch
 create mode 100644 meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
 create mode 100644 meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
 create mode 100644 meta/recipes-support/gnupg/gnupg/0001-Woverride-init-is-not-needed-with-gcc-9.patch
 create mode 100644 meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2019-8457.patch

-- 
2.7.4




* [thud 01/12] oeqa/selftest/context: ensure log directory exists
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  2019-10-10 15:49 ` [thud 02/12] qemu: Fix 4 CVEs Armin Kuster
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

From: Chen Qi <Qi.Chen@windriver.com>

Ensure log directory exists to avoid the following error.

  FileNotFoundError: [Errno 2] No such file or directory: '/.../build-selftest/tmp/log/oe-selftest-results-20181207043431.log'

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/lib/oeqa/selftest/context.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/lib/oeqa/selftest/context.py b/meta/lib/oeqa/selftest/context.py
index c521290..c56e53d 100644
--- a/meta/lib/oeqa/selftest/context.py
+++ b/meta/lib/oeqa/selftest/context.py
@@ -108,6 +108,7 @@ class OESelftestTestContextExecutor(OETestContextExecutor):
         logdir = os.environ.get("BUILDDIR")
         if 'LOG_DIR' in bbvars:
             logdir = bbvars['LOG_DIR']
+        bb.utils.mkdirhier(logdir)
         args.output_log = logdir + '/%s-results-%s.log' % (self.name, args.test_start_time)
 
         super(OESelftestTestContextExecutor, self)._process_args(logger, args)
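
Review bot: `logdir` can still be None when the added `bb.utils.mkdirhier(logdir)` runs, because `os.environ.get("BUILDDIR")` returns None if the variable is unset and `LOG_DIR` is only used when it is present in `bbvars`. In that case the FileNotFoundError from the commit message is traded for a less obvious failure inside the directory helper. Consider checking for an empty `logdir` and stopping with an explicit message before creating the directory and building `args.output_log`.
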
-- 
2.7.4




* [thud 02/12] qemu: Fix 4 CVEs
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
  2019-10-10 15:49 ` [thud 01/12] oeqa/selftest/context: ensure log directory exists Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  2019-10-10 15:49 ` [thud 03/12] elfutils: CVE fix for elfutils Armin Kuster
                   ` (9 subsequent siblings)
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

From: Dan Tran <dantran@microsoft.com>

Fixes CVE-2018-18954, CVE-2019-3812, CVE-2019-6778, and CVE-2019-8934.
Also deleted duplicated patch and cleanup.

Signed-off-by: Dan Tran <dantran@microsoft.com>
[fixup for thud-next]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../qemu/qemu/CVE-2018-10839.patch                 |   2 +-
 .../qemu/qemu/CVE-2018-17958.patch                 |  52 -----
 .../qemu/qemu/CVE-2018-18954.patch                 |  50 +++++
 .../recipes-devtools/qemu/qemu/CVE-2019-3812.patch |  39 ++++
 .../recipes-devtools/qemu/qemu/CVE-2019-6778.patch |  41 ++++
 .../recipes-devtools/qemu/qemu/CVE-2019-8934.patch | 215 +++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_3.0.0.bb           |   6 +-
 7 files changed, 351 insertions(+), 54 deletions(-)
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
index 7e1e442..81607c9 100644
--- a/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
@@ -19,7 +19,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
 Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff
 ;h=fdc89e90fac40c5ca2686733df17b6423fb8d8fb#patch1]
 
-CVE: CVE-2018-10839
+CVE: CVE-2018-10839 CVE-2018-17958
 
 Signed-off-by: Changqing Li <changqing.li@windriver.com>
 ---
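
Review bot: the `CVE:` tag now claims CVE-2018-17958 for this patch, but neither the commit message ("deleted duplicated patch") nor the header lines shown here say why the CVE-2018-10839 backport covers it. The removed CVE-2018-17958.patch changed `int size = size_;` to `size_t` in `ne2000_receive()`; one sentence stating that this patch carries the equivalent change would let a later CVE audit confirm the issue is still addressed. The `Upstream-Status:` URL in the context lines is also split across two lines and could be joined while the header is being edited.
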
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
deleted file mode 100644
index af40ff2..0000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 06e88ca78d056ea4de885e3a1496805179dc47bc Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Mon, 15 Oct 2018 16:33:04 +0800
-Subject: [PATCH] ne2000: fix possible out of bound access in ne2000_receive
-
-In ne2000_receive(), we try to assign size_ to size which converts
-from size_t to integer. This will cause troubles when size_ is greater
-INT_MAX, this will lead a negative value in size and it can then pass
-the check of size < MIN_BUF_SIZE which may lead out of bound access of
-for both buf and buf1.
-
-Fixing by converting the type of size to size_t.
-
-CC: address@hidden
-Reported-by: Daniel Shapira <address@hidden>
-Reviewed-by: Michael S. Tsirkin <address@hidden>
-Signed-off-by: Jason Wang <address@hidden>
-
-Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03273.html]
-
-CVE: CVE-2018-17958
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- hw/net/ne2000.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index 07d79e3..869518e 100644
---- a/hw/net/ne2000.c
-+++ b/hw/net/ne2000.c
-@@ -174,7 +174,7 @@ static int ne2000_buffer_full(NE2000State *s)
- ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
- {
-     NE2000State *s = qemu_get_nic_opaque(nc);
--    int size = size_;
-+    size_t size = size_;
-     uint8_t *p;
-     unsigned int total_len, next, avail, len, index, mcast_idx;
-     uint8_t buf1[60];
-@@ -182,7 +182,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
-         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
- 
- #if defined(DEBUG_NE2000)
--    printf("NE2000: received len=%d\n", size);
-+    printf("NE2000: received len=%zu\n", size);
- #endif
- 
-     if (s->cmd & E8390_STOP || ne2000_buffer_full(s))
--- 
-2.7.4
-
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
new file mode 100644
index 0000000..9fe1364
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
@@ -0,0 +1,50 @@
+From 3c9fd43da473a324f6cc7a0d3db58f651a2d262c Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 26 Oct 2018 18:03:58 +0530
+Subject: [PATCH] ppc/pnv: check size before data buffer access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+While performing PowerNV memory r/w operations, the access length
+'sz' could exceed the data[4] buffer size. Add check to avoid OOB
+access.
+
+Reported-by: Moguofang <moguofang@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+
+CVE: CVE-2018-18954
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=d07945e78eb6b593cd17a4640c1fc9eb35e3245d]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ hw/ppc/pnv_lpc.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
+index d7721320a2..172a915cfc 100644
+--- a/hw/ppc/pnv_lpc.c
++++ b/hw/ppc/pnv_lpc.c
+@@ -155,9 +155,15 @@ static void pnv_lpc_do_eccb(PnvLpcController *lpc, uint64_t cmd)
+     /* XXX Check for magic bits at the top, addr size etc... */
+     unsigned int sz = (cmd & ECCB_CTL_SZ_MASK) >> ECCB_CTL_SZ_LSH;
+     uint32_t opb_addr = cmd & ECCB_CTL_ADDR_MASK;
+-    uint8_t data[4];
++    uint8_t data[8];
+     bool success;
+ 
++    if (sz > sizeof(data)) {
++        qemu_log_mask(LOG_GUEST_ERROR,
++            "ECCB: invalid operation at @0x%08x size %d\n", opb_addr, sz);
++        return;
++    }
++
+     if (cmd & ECCB_CTL_READ) {
+         success = opb_read(lpc, opb_addr, data, sz);
+         if (success) {
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
+
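
Review bot: the embedded fix widens `data` from `uint8_t data[4]` to `data[8]` in addition to adding the `sz > sizeof(data)` check, while the description only mentions `sz` exceeding the `data[4]` buffer. A line in the backport notes saying which access sizes are now accepted would make it clear that the larger buffer is intended and not an accidental behaviour change. `sz` is declared `unsigned int` but printed with `%d` in the `qemu_log_mask()` call; `%u` would match the type, unless the file is meant to stay identical to the referenced upstream commit.
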
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
new file mode 100644
index 0000000..0e11ad2
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
@@ -0,0 +1,39 @@
+From b664d9d003d1a98642dcfb8e6fceef6dbf3d52d8 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 8 Jan 2019 11:23:01 +0100
+Subject: [PATCH] i2c-ddc: fix oob read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Suggested-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190108102301.1957-1-kraxel@redhat.com
+
+CVE: CVE-2019-3812
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=b05b267840515730dbf6753495d5b7bd8b04ad1c]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ hw/i2c/i2c-ddc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
+index bec0c91e2d..89e659288e 100644
+--- a/hw/i2c/i2c-ddc.c
++++ b/hw/i2c/i2c-ddc.c
+@@ -247,7 +247,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
+     I2CDDCState *s = I2CDDC(i2c);
+ 
+     int value;
+-    value = s->edid_blob[s->reg];
++    value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
+     s->reg++;
+     return value;
+ }
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
+
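
Review bot: `s->reg % sizeof(s->edid_blob)` in `i2c_ddc_rx()` is only a correct bound if `edid_blob` is a byte array member of `I2CDDCState`, and the hunk does not show its declaration. With a pointer or wider element type, `sizeof` would yield the wrong modulus, so please confirm the declaration in the 3.0.0 tree this recipe builds. The embedded commit has no description beyond its subject; a sentence on how `s->reg` can advance past the blob (`s->reg++` remains unbounded) would help reviewers of the backport.
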
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
new file mode 100644
index 0000000..5b14596
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
@@ -0,0 +1,41 @@
+From b6c0fa3b435375918714e107b22de2ef13a41c26 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Sun, 13 Jan 2019 23:29:48 +0530
+Subject: [PATCH] slirp: check data length while emulating ident function
+
+While emulating identification protocol, tcp_emu() does not check
+available space in the 'sc_rcv->sb_data' buffer. It could lead to
+heap buffer overflow issue. Add check to avoid it.
+
+Reported-by: Kira <864786842@qq.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+CVE: CVE-2019-6778
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=a7104eda7dab99d0cdbd3595c211864cba415905]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ slirp/tcp_subr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 8d0f94b75f..7277aadfdf 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -640,6 +640,11 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			socklen_t addrlen = sizeof(struct sockaddr_in);
+ 			struct sbuf *so_rcv = &so->so_rcv;
+ 
++			if (m->m_len > so_rcv->sb_datalen
++					- (so_rcv->sb_wptr - so_rcv->sb_data)) {
++			    return 1;
++			}
++
+ 			memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
+ 			so_rcv->sb_wptr += m->m_len;
+ 			so_rcv->sb_rptr += m->m_len;
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
+
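
Review bot: the new length check in `tcp_emu()` compares `m->m_len` with `so_rcv->sb_datalen - (so_rcv->sb_wptr - so_rcv->sb_data)`, mixing a pointer difference with two fields whose types are not visible in the hunk. It is worth confirming against the 3.0.0 headers that no signed/unsigned conversion lets a negative or very large value pass the test before the `memcpy`. The description refers to the buffer as `sc_rcv->sb_data` while the code uses `so_rcv`, which is confusing when matching the text to the fix.
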
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
new file mode 100644
index 0000000..db3201c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
@@ -0,0 +1,215 @@
+From 13e153f01b4f2a3e199202b34a247d83c176f21a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 18 Feb 2019 23:43:49 +0530
+Subject: [PATCH] ppc: add host-serial and host-model machine attributes
+ (CVE-2019-8934)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On ppc hosts, hypervisor shares following system attributes
+
+  - /proc/device-tree/system-id
+  - /proc/device-tree/model
+
+with a guest. This could lead to information leakage and misuse.[*]
+Add machine attributes to control such system information exposure
+to a guest.
+
+[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
+
+Reported-by: Daniel P. Berrangé <berrange@redhat.com>
+Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20190218181349.23885-1-ppandit@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+
+CVE: CVE-2019-8934
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/27461d69a0f108dea756419251acc3ea65198f1b]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ hw/ppc/spapr.c         | 128 ++++++++++++++++++++++++++++++++++++++---
+ include/hw/ppc/spapr.h |   2 +
+ 2 files changed, 123 insertions(+), 7 deletions(-)
+
+diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
+index 421b2dd09b..069d678ee0 100644
+--- a/hw/ppc/spapr.c
++++ b/hw/ppc/spapr.c
+@@ -1266,13 +1266,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
+      * Add info to guest to indentify which host is it being run on
+      * and what is the uuid of the guest
+      */
+-    if (kvmppc_get_host_model(&buf)) {
+-        _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
+-        g_free(buf);
++    if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
++        if (g_str_equal(spapr->host_model, "passthrough")) {
++            /* -M host-model=passthrough */
++            if (kvmppc_get_host_model(&buf)) {
++                _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
++                g_free(buf);
++            }
++        } else {
++            /* -M host-model=<user-string> */
++            _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
++        }
+     }
+-    if (kvmppc_get_host_serial(&buf)) {
+-        _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
+-        g_free(buf);
++
++    if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
++        if (g_str_equal(spapr->host_serial, "passthrough")) {
++            /* -M host-serial=passthrough */
++            if (kvmppc_get_host_serial(&buf)) {
++                _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
++                g_free(buf);
++            }
++        } else {
++            /* -M host-serial=<user-string> */
++            _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
++        }
+     }
+ 
+     buf = qemu_uuid_unparse_strdup(&qemu_uuid);
+@@ -3027,6 +3044,73 @@ static void spapr_set_vsmt(Object *obj, Visitor *v, const char *name,
+     visit_type_uint32(v, name, (uint32_t *)opaque, errp);
+ }
+ 
++static char *spapr_get_ic_mode(Object *obj, Error **errp)
++{
++    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++    if (spapr->irq == &spapr_irq_xics_legacy) {
++        return g_strdup("legacy");
++    } else if (spapr->irq == &spapr_irq_xics) {
++        return g_strdup("xics");
++    } else if (spapr->irq == &spapr_irq_xive) {
++        return g_strdup("xive");
++    } else if (spapr->irq == &spapr_irq_dual) {
++        return g_strdup("dual");
++    }
++    g_assert_not_reached();
++}
++
++static void spapr_set_ic_mode(Object *obj, const char *value, Error **errp)
++{
++    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++    if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
++        error_setg(errp, "This machine only uses the legacy XICS backend, don't pass ic-mode");
++        return;
++    }
++
++    /* The legacy IRQ backend can not be set */
++    if (strcmp(value, "xics") == 0) {
++        spapr->irq = &spapr_irq_xics;
++    } else if (strcmp(value, "xive") == 0) {
++        spapr->irq = &spapr_irq_xive;
++    } else if (strcmp(value, "dual") == 0) {
++        spapr->irq = &spapr_irq_dual;
++    } else {
++        error_setg(errp, "Bad value for \"ic-mode\" property");
++    }
++}
++
++static char *spapr_get_host_model(Object *obj, Error **errp)
++{
++    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++    return g_strdup(spapr->host_model);
++}
++
++static void spapr_set_host_model(Object *obj, const char *value, Error **errp)
++{
++    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++    g_free(spapr->host_model);
++    spapr->host_model = g_strdup(value);
++}
++
++static char *spapr_get_host_serial(Object *obj, Error **errp)
++{
++    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++    return g_strdup(spapr->host_serial);
++}
++
++static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
++{
++    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++    g_free(spapr->host_serial);
++    spapr->host_serial = g_strdup(value);
++}
++
+ static void spapr_instance_init(Object *obj)
+ {
+     sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+@@ -3063,6 +3147,25 @@ static void spapr_instance_init(Object *obj)
+                                     " the host's SMT mode", &error_abort);
+     object_property_add_bool(obj, "vfio-no-msix-emulation",
+                              spapr_get_msix_emulation, NULL, NULL);
++
++    /* The machine class defines the default interrupt controller mode */
++    spapr->irq = smc->irq;
++    object_property_add_str(obj, "ic-mode", spapr_get_ic_mode,
++                            spapr_set_ic_mode, NULL);
++    object_property_set_description(obj, "ic-mode",
++                 "Specifies the interrupt controller mode (xics, xive, dual)",
++                 NULL);
++
++    object_property_add_str(obj, "host-model",
++        spapr_get_host_model, spapr_set_host_model,
++        &error_abort);
++    object_property_set_description(obj, "host-model",
++        "Set host's model-id to use - none|passthrough|string", &error_abort);
++    object_property_add_str(obj, "host-serial",
++        spapr_get_host_serial, spapr_set_host_serial,
++        &error_abort);
++    object_property_set_description(obj, "host-serial",
++        "Set host's system-id to use - none|passthrough|string", &error_abort);
+ }
+ 
+ static void spapr_machine_finalizefn(Object *obj)
+@@ -4067,7 +4170,18 @@ static void spapr_machine_3_0_instance_options(MachineState *machine)
+ 
+ static void spapr_machine_3_0_class_options(MachineClass *mc)
+ {
+-    /* Defaults for the latest behaviour inherited from the base class */
++    sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
++    static GlobalProperty compat[] = {
++        { TYPE_SPAPR_MACHINE, "host-model", "passthrough" },
++        { TYPE_SPAPR_MACHINE, "host-serial", "passthrough" },
++    };
++
++    spapr_machine_4_0_class_options(mc);
++    compat_props_add(mc->compat_props, hw_compat_3_1, hw_compat_3_1_len);
++    compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat));
++
++    mc->default_cpu_type = POWERPC_CPU_TYPE_NAME("power8_v2.0");
++    smc->update_dt_enabled = false;
+ }
+ 
+ DEFINE_SPAPR_MACHINE(3_0, "3.0", true);
+diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
+index 7e5de1a6fd..4c69a55374 100644
+--- a/include/hw/ppc/spapr.h
++++ b/include/hw/ppc/spapr.h
+@@ -165,6 +165,8 @@ struct sPAPRMachineState {
+ 
+     /*< public >*/
+     char *kvm_type;
++    char *host_model;
++    char *host_serial;
+ 
+     const char *icp_type;
+ 
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
+
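
Review bot: the `hw/ppc/spapr.c` part of this backport adds much more than the host-model and host-serial attributes named in the subject. `spapr_get_ic_mode()` / `spapr_set_ic_mode()`, the `ic-mode` property, `spapr->irq = smc->irq;` and the rewritten `spapr_machine_3_0_class_options()` (calling `spapr_machine_4_0_class_options()` and adding `hw_compat_3_1`) are unrelated to CVE-2019-8934 and refer to symbols such as `spapr_irq_xive`, `spapr_irq_dual` and a 4.0 machine class that a recipe named qemu_3.0.0 may not provide; `smc` is also used in `spapr_instance_init()` with no declaration visible in the hunk. Suggest trimming the patch to the `spapr_build_fdt()` change, the two getter/setter pairs, the two `object_property_add_str()` calls and the `spapr.h` fields, then build-testing a ppc64 target. Separately, the `compat[]` entries set both properties to "passthrough" for the 3.0 machine type, so guests on that machine still receive the host values unless `none` or a string is passed; the commit message should say so.
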
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index f02e312..6c3049b 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -21,8 +21,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://0009-apic-fixup-fallthrough-to-PIC.patch \
            file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
            file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
+           file://CVE-2018-10839.patch\
            file://CVE-2018-15746.patch \
-           file://CVE-2018-17958.patch \
            file://CVE-2018-17962.patch \
            file://CVE-2018-17963.patch \
            file://CVE-2018-16867.patch \
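
Review bot: the added `file://CVE-2018-10839.patch\` has no space before the continuation backslash, unlike every other entry in this `SRC_URI`; add it so the entry does not rely on the next line's leading whitespace to stay a separate item. Since CVE-2018-10839.patch is modified by this series and not created by it, also check that it is not already listed elsewhere in `SRC_URI`, which would apply it twice.
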
@@ -36,6 +36,10 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2018-20815_p2.patch \
            file://CVE-2019-9824.patch \
            file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
+           file://CVE-2018-18954.patch \
+           file://CVE-2019-3812.patch \
+           file://CVE-2019-6778.patch \
+           file://CVE-2019-8934.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
-- 
2.7.4




* [thud 03/12] elfutils: CVE fix for elfutils
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
  2019-10-10 15:49 ` [thud 01/12] oeqa/selftest/context: ensure log directory exists Armin Kuster
  2019-10-10 15:49 ` [thud 02/12] qemu: Fix 4 CVEs Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  2019-10-10 15:49 ` [thud 04/12] unzip: fix CVE-2019-13232 Armin Kuster
                   ` (8 subsequent siblings)
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

From: Shubham Agrawal <shuagr@microsoft.com>

CVE: CVE-2019-7664.patch
CVE: CVE-2019-7665.patch

Sign off: Shubham Agrawal <shuagr@microsoft.com>

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/elfutils/elfutils_0.175.bb   |   2 +
 .../elfutils/files/CVE-2019-7664.patch             |  65 +++++++++
 .../elfutils/files/CVE-2019-7665.patch             | 154 +++++++++++++++++++++
 3 files changed, 221 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.175.bb b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
index e94a48e..862a9b6 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.175.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.175.bb
@@ -31,6 +31,8 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
            file://CVE-2019-7150.patch \
            file://CVE-2019-7146_p1.patch \
            file://CVE-2019-7146_p2.patch \
+           file://CVE-2019-7664.patch \
+           file://CVE-2019-7665.patch \
            "
 SRC_URI_append_libc-musl = " file://0008-build-Provide-alternatives-for-glibc-assumptions-hel.patch"
 
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
new file mode 100644
index 0000000..e55dc5a
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7664.patch
@@ -0,0 +1,65 @@
+From 3ed05376e7b2c96c1d6eb24d2842cc25b79a4f07 Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 12:25:57 +0100
+Subject: [PATCH] CVE: CVE-2019-7664
+
+Upstream-Status: Backport
+libelf: Correct overflow check in note_xlate.
+
+We want to make sure the note_len doesn't overflow and becomes shorter
+than the note header. But the namesz and descsz checks got the note header
+size wrong). Replace the wrong constant (8) with a sizeof cvt_Nhdr (12).
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24084
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
+---
+ libelf/ChangeLog    | 13 +++++++++++++
+ libelf/note_xlate.h |  4 ++--
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/libelf/ChangeLog b/libelf/ChangeLog
+index 68c4fbd..892e6e7 100644
+--- a/libelf/ChangeLog
++++ b/libelf/ChangeLog
+@@ -1,3 +1,16 @@
++<<<<<<< HEAD
++=======
++2019-01-16  Mark Wielaard  <mark@klomp.org>
++
++	* note_xlate.h (elf_cvt_note): Check n_namesz and n_descsz don't
++	overflow note_len into note header.
++
++2018-11-17  Mark Wielaard  <mark@klomp.org>
++
++	* elf32_updatefile.c (updatemmap): Make sure to call convert
++	function on a properly aligned destination.
++
++>>>>>>> e65d91d... libelf: Correct overflow check in note_xlate.
+ 2018-11-16  Mark Wielaard  <mark@klomp.org>
+ 
+ 	* libebl.h (__elf32_msize): Mark with const attribute.
+diff --git a/libelf/note_xlate.h b/libelf/note_xlate.h
+index 9bdc3e2..bc9950f 100644
+--- a/libelf/note_xlate.h
++++ b/libelf/note_xlate.h
+@@ -46,13 +46,13 @@ elf_cvt_note (void *dest, const void *src, size_t len, int encode,
+       /* desc needs to be aligned.  */
+       note_len += n->n_namesz;
+       note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
+-      if (note_len > len || note_len < 8)
++      if (note_len > len || note_len < sizeof *n)
+ 	break;
+ 
+       /* data as a whole needs to be aligned.  */
+       note_len += n->n_descsz;
+       note_len = nhdr8 ? NOTE_ALIGN8 (note_len) : NOTE_ALIGN4 (note_len);
+-      if (note_len > len || note_len < 8)
++      if (note_len > len || note_len < sizeof *n)
+ 	break;
+ 
+       /* Copy or skip the note data.  */
+-- 
+2.7.4
+
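
Review bot: the `libelf/ChangeLog` hunk inside this patch file adds unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> e65d91d...`) as file content, along with a 2018-11-17 entry that belongs to a different change. Redo the cherry-pick with the conflict resolved, or drop the ChangeLog hunk and keep only the `note_xlate.h` change. The patch header also needs cleanup: `CVE: CVE-2019-7664` replaces the upstream subject instead of appearing as a tag line, `Upstream-Status: Backport` gives no commit reference, and the `Signed-off-by: Ubuntu` line carries a build-host address in place of the submitter's identity.
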
diff --git a/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
new file mode 100644
index 0000000..a1bb309
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/CVE-2019-7665.patch
@@ -0,0 +1,154 @@
+From 4323d46c4a369b614aa1f574805860b3434552df Mon Sep 17 00:00:00 2001
+From: Mark Wielaard <mark@klomp.org>
+Date: Wed, 16 Jan 2019 15:41:31 +0100
+Subject: [PATCH] CVE: CVE-2019-7665
+
+Upstream-Status: Backport
+
+Sign off: Shubham Agrawal <shuagr@microsoft.com>
+
+libebl: Check NT_PLATFORM core notes contain a zero terminated string.
+
+Most strings in core notes are fixed size. But NT_PLATFORM contains just
+a variable length string. Check that it is actually zero terminated
+before passing to readelf to print.
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=24089
+
+Signed-off-by: Mark Wielaard <mark@klomp.org>
+Signed-off-by: Ubuntu <lisa@shuagr-yocto-build.mdn4q2lr1oauhmizmzsslly3ad.xx.internal.cloudapp.net>
+---
+ libdwfl/linux-core-attach.c |  9 +++++----
+ libebl/eblcorenote.c        | 39 +++++++++++++++++++--------------------
+ libebl/libebl.h             |  3 ++-
+ src/readelf.c               |  2 +-
+ 4 files changed, 27 insertions(+), 26 deletions(-)
+
+diff --git a/libdwfl/linux-core-attach.c b/libdwfl/linux-core-attach.c
+index 6c99b9e..c0f1b0d 100644
+--- a/libdwfl/linux-core-attach.c
++++ b/libdwfl/linux-core-attach.c
+@@ -137,7 +137,7 @@ core_next_thread (Dwfl *dwfl __attribute__ ((unused)), void *dwfl_arg,
+       const Ebl_Register_Location *reglocs;
+       size_t nitems;
+       const Ebl_Core_Item *items;
+-      if (! ebl_core_note (core_arg->ebl, &nhdr, name,
++      if (! ebl_core_note (core_arg->ebl, &nhdr, name, desc,
+ 			   &regs_offset, &nregloc, &reglocs, &nitems, &items))
+ 	{
+ 	  /* This note may be just not recognized, skip it.  */
+@@ -191,8 +191,9 @@ core_set_initial_registers (Dwfl_Thread *thread, void *thread_arg_voidp)
+   const Ebl_Register_Location *reglocs;
+   size_t nitems;
+   const Ebl_Core_Item *items;
+-  int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, &regs_offset,
+-				     &nregloc, &reglocs, &nitems, &items);
++  int core_note_err = ebl_core_note (core_arg->ebl, &nhdr, name, desc,
++				     &regs_offset, &nregloc, &reglocs,
++				     &nitems, &items);
+   /* __libdwfl_attach_state_for_core already verified the note is there.  */
+   assert (core_note_err != 0);
+   assert (nhdr.n_type == NT_PRSTATUS);
+@@ -383,7 +384,7 @@ dwfl_core_file_attach (Dwfl *dwfl, Elf *core)
+       const Ebl_Register_Location *reglocs;
+       size_t nitems;
+       const Ebl_Core_Item *items;
+-      if (! ebl_core_note (ebl, &nhdr, name,
++      if (! ebl_core_note (ebl, &nhdr, name, desc,
+ 			   &regs_offset, &nregloc, &reglocs, &nitems, &items))
+ 	{
+ 	  /* This note may be just not recognized, skip it.  */
+diff --git a/libebl/eblcorenote.c b/libebl/eblcorenote.c
+index 783f981..7fab397 100644
+--- a/libebl/eblcorenote.c
++++ b/libebl/eblcorenote.c
+@@ -36,11 +36,13 @@
+ #include <inttypes.h>
+ #include <stdio.h>
+ #include <stddef.h>
++#include <string.h>
+ #include <libeblP.h>
+ 
+ 
+ int
+ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
++	       const char *desc,
+ 	       GElf_Word *regs_offset, size_t *nregloc,
+ 	       const Ebl_Register_Location **reglocs, size_t *nitems,
+ 	       const Ebl_Core_Item **items)
+@@ -51,28 +53,25 @@ ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
+     {
+       /* The machine specific function did not know this type.  */
+ 
+-      *regs_offset = 0;
+-      *nregloc = 0;
+-      *reglocs = NULL;
+-      switch (nhdr->n_type)
++      /* NT_PLATFORM is kind of special since it needs a zero terminated
++         string (other notes often have a fixed size string).  */
++      static const Ebl_Core_Item platform[] =
+ 	{
+-#define ITEMS(type, table)				\
+-	  case type:					\
+-	    *items = table;				\
+-	    *nitems = sizeof table / sizeof table[0];	\
+-	    result = 1;					\
+-	    break
++	  {
++	    .name = "Platform",
++	    .type = ELF_T_BYTE, .count = 0, .format = 's'
++	  }
++	};
+ 
+-	  static const Ebl_Core_Item platform[] =
+-	    {
+-	      {
+-		.name = "Platform",
+-		.type = ELF_T_BYTE, .count = 0, .format = 's'
+-	      }
+-	    };
+-	  ITEMS (NT_PLATFORM, platform);
+-
+-#undef	ITEMS
++      if (nhdr->n_type == NT_PLATFORM
++	  && memchr (desc, '\0', nhdr->n_descsz) != NULL)
++        {
++	  *regs_offset = 0;
++	  *nregloc = 0;
++	  *reglocs = NULL;
++	  *items = platform;
++	  *nitems = 1;
++	  result = 1;
+ 	}
+     }
+ 
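Review bot: in the fallback branch, *regs_offset, *nregloc and *reglocs used
to be cleared before the switch for every note type the backend did not
know; they are now written only inside the "n_type == NT_PLATFORM && memchr
(...) != NULL" block, so on a 0 return they keep whatever the caller had in
them. The callers changed in this patch all test the return value before
using the outputs, so nothing visible here breaks, but this is a silent
contract change for a function declared extern in libebl.h. Either keep the
three assignments ahead of the if, or state in the header comment that the
outputs are undefined when 0 is returned. The memchr also relies on every
caller passing a desc that really has nhdr->n_descsz readable bytes, which
deserves a line in the same comment.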
+diff --git a/libebl/libebl.h b/libebl/libebl.h
+index ca9b9fe..24922eb 100644
+--- a/libebl/libebl.h
++++ b/libebl/libebl.h
+@@ -319,7 +319,8 @@ typedef struct
+ 
+ /* Describe the format of a core file note with the given header and NAME.
+    NAME is not guaranteed terminated, it's NHDR->n_namesz raw bytes.  */
+-extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr, const char *name,
++extern int ebl_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
++			  const char *name, const char *desc,
+ 			  GElf_Word *regs_offset, size_t *nregloc,
+ 			  const Ebl_Register_Location **reglocs,
+ 			  size_t *nitems, const Ebl_Core_Item **items)
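Review bot: the prototype gains a desc parameter but the comment above it
still documents only NAME. Add a sentence for DESC in the same style, saying
that it points at NHDR->n_descsz raw bytes and is likewise not guaranteed
to be terminated, since that is exactly the property the new memchr check in
eblcorenote.c depends on.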
+diff --git a/src/readelf.c b/src/readelf.c
+index 3a73710..71651e0 100644
+--- a/src/readelf.c
++++ b/src/readelf.c
+@@ -12153,7 +12153,7 @@ handle_core_note (Ebl *ebl, const GElf_Nhdr *nhdr,
+   size_t nitems;
+   const Ebl_Core_Item *items;
+ 
+-  if (! ebl_core_note (ebl, nhdr, name,
++  if (! ebl_core_note (ebl, nhdr, name, desc,
+ 		       &regs_offset, &nregloc, &reglocs, &nitems, &items))
+     return;
+ 
+-- 
+2.7.4
+
-- 
2.7.4




* [thud 04/12] unzip: fix CVE-2019-13232
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
                   ` (2 preceding siblings ...)
  2019-10-10 15:49 ` [thud 03/12] elfutils: CVE fix for elfutils Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  2019-10-10 15:49 ` [thud 05/12] json-c: Don't --enable-rdrand Armin Kuster
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

From: Dan Tran <dantran@microsoft.com>

Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../unzip/unzip/CVE-2019-13232_p1.patch            |  33 ++
 .../unzip/unzip/CVE-2019-13232_p2.patch            | 356 +++++++++++++++++++++
 .../unzip/unzip/CVE-2019-13232_p3.patch            | 121 +++++++
 meta/recipes-extended/unzip/unzip_6.0.bb           |   3 +
 4 files changed, 513 insertions(+)
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch

diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch
new file mode 100644
index 0000000..d485a1b
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p1.patch
@@ -0,0 +1,33 @@
+From 080d52c3c9416c731f637f9c6e003961ef43f079 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Mon, 27 May 2019 08:20:32 -0700
+Subject: [PATCH 1/3] Fix bug in undefer_input() that misplaced the input
+ state.
+
+CVE: CVE-2019-13232
+Upstream-Status: Backport
+[https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ fileio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fileio.c b/fileio.c
+index 7605a29..14460f3 100644
+--- a/fileio.c
++++ b/fileio.c
+@@ -532,8 +532,10 @@ void undefer_input(__G)
+          * This condition was checked when G.incnt_leftover was set > 0 in
+          * defer_leftover_input(), and it is NOT allowed to touch G.csize
+          * before calling undefer_input() when (G.incnt_leftover > 0)
+-         * (single exception: see read_byte()'s  "G.csize <= 0" handling) !!
++         * (single exception: see readbyte()'s  "G.csize <= 0" handling) !!
+          */
++        if (G.csize < 0L)
++            G.csize = 0L;
+         G.incnt = G.incnt_leftover + (int)G.csize;
+         G.inptr = G.inptr_leftover - (int)G.csize;
+         G.incnt_leftover = 0;
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
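Review bot: the new clamp "if (G.csize < 0L) G.csize = 0L;" sits directly
under a comment that says the condition was already checked in
defer_leftover_input() and that G.csize must not be touched before
undefer_input(), with readbyte() as the single exception. The comment now
contradicts the code unless the reader knows that this exception is what
makes csize negative here. Add a sentence to the comment saying which path
leaves G.csize below zero and why clamping to 0, rather than reporting an
error, is the right recovery, since the two lines that follow still use
(int)G.csize to reposition G.incnt and G.inptr.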
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch
new file mode 100644
index 0000000..41037a8
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p2.patch
@@ -0,0 +1,356 @@
+From 1aae47fa8935654a84403768f32c03ecbb1be470 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Tue, 11 Jun 2019 22:01:18 -0700
+Subject: [PATCH 2/3] Detect and reject a zip bomb using overlapped entries.
+
+This detects an invalid zip file that has at least one entry that
+overlaps with another entry or with the central directory to the
+end of the file. A Fifield zip bomb uses overlapped local entries
+to vastly increase the potential inflation ratio. Such an invalid
+zip file is rejected.
+
+See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
+analysis, construction, and examples of such zip bombs.
+
+The detection maintains a list of covered spans of the zip files
+so far, where the central directory to the end of the file and any
+bytes preceding the first entry at zip file offset zero are
+considered covered initially. Then as each entry is decompressed
+or tested, it is considered covered. When a new entry is about to
+be processed, its initial offset is checked to see if it is
+contained by a covered span. If so, the zip file is rejected as
+invalid.
+
+This commit depends on a preceding commit: "Fix bug in
+undefer_input() that misplaced the input state."
+
+CVE: CVE-2019-13232
+Upstream-Status: Backport
+[https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ extract.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ globals.c |   1 +
+ globals.h |   3 +
+ process.c |  10 +++
+ unzip.h   |   1 +
+ 5 files changed, 204 insertions(+), 1 deletion(-)
+
+diff --git a/extract.c b/extract.c
+index 24db2a8..2bb72ba 100644
+--- a/extract.c
++++ b/extract.c
+@@ -321,6 +321,125 @@ static ZCONST char Far UnsupportedExtraField[] =
+   "\nerror:  unsupported extra-field compression type (%u)--skipping\n";
+ static ZCONST char Far BadExtraFieldCRC[] =
+   "error [%s]:  bad extra-field CRC %08lx (should be %08lx)\n";
++static ZCONST char Far NotEnoughMemCover[] =
++  "error: not enough memory for bomb detection\n";
++static ZCONST char Far OverlappedComponents[] =
++  "error: invalid zip file with overlapped components (possible zip bomb)\n";
++
++
++
++
++
++/* A growable list of spans. */
++typedef zoff_t bound_t;
++typedef struct {
++    bound_t beg;        /* start of the span */
++    bound_t end;        /* one past the end of the span */
++} span_t;
++typedef struct {
++    span_t *span;       /* allocated, distinct, and sorted list of spans */
++    size_t num;         /* number of spans in the list */
++    size_t max;         /* allocated number of spans (num <= max) */
++} cover_t;
++
++/*
++ * Return the index of the first span in cover whose beg is greater than val.
++ * If there is no such span, then cover->num is returned.
++ */
++static size_t cover_find(cover, val)
++    cover_t *cover;
++    bound_t val;
++{
++    size_t lo = 0, hi = cover->num;
++    while (lo < hi) {
++        size_t mid = (lo + hi) >> 1;
++        if (val < cover->span[mid].beg)
++            hi = mid;
++        else
++            lo = mid + 1;
++    }
++    return hi;
++}
++
++/* Return true if val lies within any one of the spans in cover. */
++static int cover_within(cover, val)
++    cover_t *cover;
++    bound_t val;
++{
++    size_t pos = cover_find(cover, val);
++    return pos > 0 && val < cover->span[pos - 1].end;
++}
++
++/*
++ * Add a new span to the list, but only if the new span does not overlap any
++ * spans already in the list. The new span covers the values beg..end-1. beg
++ * must be less than end.
++ *
++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
++ * the list as needed. On success, 0 is returned. If the new span overlaps any
++ * existing spans, then 1 is returned and the new span is not added to the
++ * list. If the new span is invalid because beg is greater than or equal to
++ * end, then -1 is returned. If the list needs to be grown but the memory
++ * allocation fails, then -2 is returned.
++ */
++static int cover_add(cover, beg, end)
++    cover_t *cover;
++    bound_t beg;
++    bound_t end;
++{
++    size_t pos;
++    int prec, foll;
++
++    if (beg >= end)
++    /* The new span is invalid. */
++        return -1;
++
++    /* Find where the new span should go, and make sure that it does not
++       overlap with any existing spans. */
++    pos = cover_find(cover, beg);
++    if ((pos > 0 && beg < cover->span[pos - 1].end) ||
++        (pos < cover->num && end > cover->span[pos].beg))
++        return 1;
++
++    /* Check for adjacencies. */
++    prec = pos > 0 && beg == cover->span[pos - 1].end;
++    foll = pos < cover->num && end == cover->span[pos].beg;
++    if (prec && foll) {
++        /* The new span connects the preceding and following spans. Merge the
++           following span into the preceding span, and delete the following
++           span. */
++        cover->span[pos - 1].end = cover->span[pos].end;
++        cover->num--;
++        memmove(cover->span + pos, cover->span + pos + 1,
++                (cover->num - pos) * sizeof(span_t));
++    }
++    else if (prec)
++        /* The new span is adjacent only to the preceding span. Extend the end
++           of the preceding span. */
++        cover->span[pos - 1].end = end;
++    else if (foll)
++        /* The new span is adjacent only to the following span. Extend the
++           beginning of the following span. */
++        cover->span[pos].beg = beg;
++    else {
++        /* The new span has gaps between both the preceding and the following
++           spans. Assure that there is room and insert the span.  */
++        if (cover->num == cover->max) {
++            size_t max = cover->max == 0 ? 16 : cover->max << 1;
++            span_t *span = realloc(cover->span, max * sizeof(span_t));
++            if (span == NULL)
++                return -2;
++            cover->span = span;
++            cover->max = max;
++        }
++        memmove(cover->span + pos + 1, cover->span + pos,
++                (cover->num - pos) * sizeof(span_t));
++        cover->num++;
++        cover->span[pos].beg = beg;
++        cover->span[pos].end = end;
++    }
++    return 0;
++}
+ 
+ 
+ 
+@@ -376,6 +495,29 @@ int extract_or_test_files(__G)    /* return PK-type error code */
+     }
+ #endif /* !SFX || SFX_EXDIR */
+ 
++    /* One more: initialize cover structure for bomb detection. Start with a
++       span that covers the central directory though the end of the file. */
++    if (G.cover == NULL) {
++        G.cover = malloc(sizeof(cover_t));
++        if (G.cover == NULL) {
++            Info(slide, 0x401, ((char *)slide,
++              LoadFarString(NotEnoughMemCover)));
++            return PK_MEM;
++        }
++        ((cover_t *)G.cover)->span = NULL;
++        ((cover_t *)G.cover)->max = 0;
++    }
++    ((cover_t *)G.cover)->num = 0;
++    if ((G.extra_bytes != 0 &&
++         cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++        cover_add((cover_t *)G.cover,
++                  G.extra_bytes + G.ecrec.offset_start_central_directory,
++                  G.ziplen) != 0) {
++        Info(slide, 0x401, ((char *)slide,
++          LoadFarString(NotEnoughMemCover)));
++        return PK_MEM;
++    }
++
+ /*---------------------------------------------------------------------------
+     The basic idea of this function is as follows.  Since the central di-
+     rectory lies at the end of the zipfile and the member files lie at the
+@@ -593,7 +735,8 @@ int extract_or_test_files(__G)    /* return PK-type error code */
+             if (error > error_in_archive)
+                 error_in_archive = error;
+             /* ...and keep going (unless disk full or user break) */
+-            if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
++            if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
++                error == PK_BOMB) {
+                 /* clear reached_end to signal premature stop ... */
+                 reached_end = FALSE;
+                 /* ... and cancel scanning the central directory */
+@@ -1062,6 +1205,11 @@ static int extract_or_test_entrylist(__G__ numchunk,
+ 
+         /* seek_zipf(__G__ pInfo->offset);  */
+         request = G.pInfo->offset + G.extra_bytes;
++        if (cover_within((cover_t *)G.cover, request)) {
++            Info(slide, 0x401, ((char *)slide,
++              LoadFarString(OverlappedComponents)));
++            return PK_BOMB;
++        }
+         inbuf_offset = request % INBUFSIZ;
+         bufstart = request - inbuf_offset;
+ 
+@@ -1593,6 +1741,18 @@ reprompt:
+             return IZ_CTRLC;        /* cancel operation by user request */
+         }
+ #endif
++        error = cover_add((cover_t *)G.cover, request,
++                          G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
++        if (error < 0) {
++            Info(slide, 0x401, ((char *)slide,
++              LoadFarString(NotEnoughMemCover)));
++            return PK_MEM;
++        }
++        if (error != 0) {
++            Info(slide, 0x401, ((char *)slide,
++              LoadFarString(OverlappedComponents)));
++            return PK_BOMB;
++        }
+ #ifdef MACOS  /* MacOS is no preemptive OS, thus call event-handling by hand */
+         UserStop();
+ #endif
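Review bot: "if (error < 0)" reports NotEnoughMemCover and returns PK_MEM
for both negative results of cover_add(), but per the function's own comment
only -2 is an allocation failure; -1 means beg >= end, that is, the computed
end offset G.cur_zipfile_bufstart + (G.inptr - G.inbuf) did not advance past
request. That is a malformed or mis-tracked entry, not a memory problem, and
the user gets a misleading message and exit code. Test for -2 explicitly and
give -1 its own handling (PK_ERR or PK_BOMB with a suitable message).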
+@@ -1994,6 +2154,34 @@ static int extract_or_test_member(__G)    /* return PK-type error code */
+     }
+ 
+     undefer_input(__G);
++
++    if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
++        /* skip over data descriptor (harder than it sounds, due to signature
++         * ambiguity)
++         */
++#       define SIG 0x08074b50
++#       define LOW 0xffffffff
++        uch buf[12];
++        unsigned shy = 12 - readbuf((char *)buf, 12);
++        ulg crc = shy ? 0 : makelong(buf);
++        ulg clen = shy ? 0 : makelong(buf + 4);
++        ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
++        if (crc == SIG &&                       /* if not SIG, no signature */
++            (G.lrec.crc32 != SIG ||             /* if not SIG, have signature */
++             (clen == SIG &&                    /* if not SIG, no signature */
++              ((G.lrec.csize & LOW) != SIG ||   /* if not SIG, have signature */
++               (ulen == SIG &&                  /* if not SIG, no signature */
++                (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
++                                                /* if not SIG, have signature */
++                )))))
++                   /* skip four more bytes to account for signature */
++                   shy += 4 - readbuf((char *)buf, 4);
++        if (G.zip64)
++            shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
++        if (shy)
++            error = PK_ERR;
++    }
++
+     return error;
+ 
+ } /* end function extract_or_test_member() */
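Review bot: "if (shy) error = PK_ERR;" at the end of the data descriptor
block overwrites whatever error already holds just before "return error;".
Elsewhere in this file the convention is to keep the larger code ("if (error
> error_in_archive) error_in_archive = error;"), so if an earlier step in
this function set a code above PK_ERR it would be downgraded here. Suggest
"if (shy && error < PK_ERR) error = PK_ERR;". Two smaller points in the same
block: SIG and LOW are #defined inside the function body and never
#undef'ed, so two very short macro names leak into the rest of extract.c,
and the nested signature test would be easier to review as a small static
helper with the four cases spelled out in its comment.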
+diff --git a/globals.c b/globals.c
+index fa8cca5..1e0f608 100644
+--- a/globals.c
++++ b/globals.c
+@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor()
+ # if (!defined(NO_TIMESTAMPS))
+     uO.D_flag=1;    /* default to '-D', no restoration of dir timestamps */
+ # endif
++    G.cover = NULL;     /* not allocated yet */
+ #endif
+ 
+     uO.lflag=(-1);
+diff --git a/globals.h b/globals.h
+index 11b7215..2bdcdeb 100644
+--- a/globals.h
++++ b/globals.h
+@@ -260,12 +260,15 @@ typedef struct Globals {
+     ecdir_rec       ecrec;         /* used in unzip.c, extract.c */
+     z_stat   statbuf;              /* used by main, mapname, check_for_newer */
+ 
++    int zip64;                     /* true if Zip64 info in extra field */
++
+     int      mem_mode;
+     uch      *outbufptr;           /* extract.c static */
+     ulg      outsize;              /* extract.c static */
+     int      reported_backslash;   /* extract.c static */
+     int      disk_full;
+     int      newfile;
++    void     **cover;              /* used in extract.c for bomb detection */
+ 
+     int      didCRlast;            /* fileio static */
+     ulg      numlines;             /* fileio static: number of lines printed */
+diff --git a/process.c b/process.c
+index a3c1a4d..208619c 100644
+--- a/process.c
++++ b/process.c
+@@ -637,6 +637,13 @@ void free_G_buffers(__G)     /* releases all memory allocated in global vars */
+     }
+ #endif
+ 
++    /* Free the cover span list and the cover structure. */
++    if (G.cover != NULL) {
++        free(*(G.cover));
++        free(G.cover);
++        G.cover = NULL;
++    }
++
+ } /* end function free_G_buffers() */
+ 
+ 
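Review bot: "free(*(G.cover));" releases the span array only because span
happens to be the first member of cover_t in extract.c and G.cover is
declared "void **cover" in globals.h; nothing in either file ties those two
facts together. If a member is ever added ahead of span, this frees the
wrong pointer without any compiler diagnostic. Suggest declaring G.cover as
a plain "void *" and freeing it through a small function in extract.c, where
cover_t is visible, or at minimum adding a comment on cover_t that span must
remain the first member because free_G_buffers() depends on it.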
+@@ -1905,6 +1912,7 @@ int getZip64Data(__G__ ef_buf, ef_len)
+ 
+ #define Z64FLGS 0xffff
+ #define Z64FLGL 0xffffffff
++    G.zip64 = FALSE;
+ 
+     if (ef_len == 0 || ef_buf == NULL)
+         return PK_COOL;
+@@ -1964,6 +1972,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
+             G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
+             offset += 4;
+           }
++
++          G.zip64 = TRUE;
+ #if 0
+           break;                /* Expect only one EF_PKSZ64 block. */
+ #endif /* 0 */
+diff --git a/unzip.h b/unzip.h
+index 5b2a326..ed24a5b 100644
+--- a/unzip.h
++++ b/unzip.h
+@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec {
+ #define PK_NOZIP           9   /* zipfile not found */
+ #define PK_PARAM          10   /* bad or illegal parameters specified */
+ #define PK_FIND           11   /* no files found */
++#define PK_BOMB           12   /* likely zip bomb */
+ #define PK_DISK           50   /* disk full */
+ #define PK_EOF            51   /* unexpected EOF */
+ 
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch
new file mode 100644
index 0000000..fd26fdd
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/CVE-2019-13232_p3.patch
@@ -0,0 +1,121 @@
+From be88aa4811af47ca06d8b7dcda294f899eba70ea Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Thu, 25 Jul 2019 20:43:17 -0700
+Subject: [PATCH 3/3] Do not raise a zip bomb alert for a misplaced central
+ directory.
+
+There is a zip-like file in the Firefox distribution, omni.ja,
+which is a zip container with the central directory placed at the
+start of the file instead of after the local entries as required
+by the zip standard. This commit marks the actual location of the
+central directory, as well as the end of central directory records,
+as disallowed locations. This now permits such containers to not
+raise a zip bomb alert, where in fact there are no overlaps.
+
+CVE: CVE-2019-13232
+Upstream-Status: Backport
+[https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ extract.c | 25 +++++++++++++++++++------
+ process.c |  6 ++++++
+ unzpriv.h | 10 ++++++++++
+ 3 files changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/extract.c b/extract.c
+index 2bb72ba..a9dcca8 100644
+--- a/extract.c
++++ b/extract.c
+@@ -495,8 +495,11 @@ int extract_or_test_files(__G)    /* return PK-type error code */
+     }
+ #endif /* !SFX || SFX_EXDIR */
+ 
+-    /* One more: initialize cover structure for bomb detection. Start with a
+-       span that covers the central directory though the end of the file. */
++    /* One more: initialize cover structure for bomb detection. Start with
++       spans that cover any extra bytes at the start, the central directory,
++       the end of central directory record (including the Zip64 end of central
++       directory locator, if present), and the Zip64 end of central directory
++       record, if present. */
+     if (G.cover == NULL) {
+         G.cover = malloc(sizeof(cover_t));
+         if (G.cover == NULL) {
+@@ -508,15 +511,25 @@ int extract_or_test_files(__G)    /* return PK-type error code */
+         ((cover_t *)G.cover)->max = 0;
+     }
+     ((cover_t *)G.cover)->num = 0;
+-    if ((G.extra_bytes != 0 &&
+-         cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+-        cover_add((cover_t *)G.cover,
++    if (cover_add((cover_t *)G.cover,
+                   G.extra_bytes + G.ecrec.offset_start_central_directory,
+-                  G.ziplen) != 0) {
++                  G.extra_bytes + G.ecrec.offset_start_central_directory +
++                  G.ecrec.size_central_directory) != 0) {
+         Info(slide, 0x401, ((char *)slide,
+           LoadFarString(NotEnoughMemCover)));
+         return PK_MEM;
+     }
++    if ((G.extra_bytes != 0 &&
++         cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
++        (G.ecrec.have_ecr64 &&
++         cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
++                   G.ecrec.ec64_end) != 0) ||
++        cover_add((cover_t *)G.cover, G.ecrec.ec_start,
++                  G.ecrec.ec_end) != 0) {
++        Info(slide, 0x401, ((char *)slide,
++          LoadFarString(OverlappedComponents)));
++        return PK_BOMB;
++    }
+ 
+ /*---------------------------------------------------------------------------
+     The basic idea of this function is as follows.  Since the central di-
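Review bot: the first cover_add() call, for the central directory span,
still maps any non-zero result to NotEnoughMemCover and PK_MEM. Now that the
end is start + G.ecrec.size_central_directory, a size of 0 gives beg == end,
which cover_add() rejects with -1, so if this code is reached with an empty
central directory the archive is reported as out of memory. The second block
has the opposite problem: a -2 allocation failure from any of its three
cover_add() calls is reported as OverlappedComponents and PK_BOMB. Suggest
storing the return value in both places and separating -2 (PK_MEM) from the
overlap and invalid-span results.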
+diff --git a/process.c b/process.c
+index 208619c..5f8f6c6 100644
+--- a/process.c
++++ b/process.c
+@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen)         /* return PK-class error */
+ 
+     /* Now, we are (almost) sure that we have a Zip64 archive. */
+     G.ecrec.have_ecr64 = 1;
++    G.ecrec.ec_start -= ECLOC64_SIZE+4;
++    G.ecrec.ec64_start = ecrec64_start_offset;
++    G.ecrec.ec64_end = ecrec64_start_offset +
++                       12 + makeint64(&byterec[ECREC64_LENGTH]);
+ 
+     /* Update the "end-of-central-dir offset" for later checks. */
+     G.real_ecrec_offset = ecrec64_start_offset;
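Review bot: G.ecrec.ec64_end is computed as "ecrec64_start_offset + 12 +
makeint64(&byterec[ECREC64_LENGTH])", a 64-bit length read straight from the
archive, with no check that the sum stays inside the file or does not wrap.
The later cover_add() call rejects a wrapped value because beg >= end, and
an oversized value will collide with another span, so this fails closed, but
the user then sees the zip bomb message for what is really a corrupt Zip64
record. Suggest validating the length here, where a PK-class error can be
returned with an accurate message, and adding a short comment that 12 is the
signature plus the length field itself, which the stored length excludes.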
+@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen)          /* return PK-class error */
+       makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
+     G.ecrec.zipfile_comment_length =
+       makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
++    G.ecrec.ec_start = G.real_ecrec_offset;
++    G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
+ 
+     /* Now, we have to read the archive comment, BEFORE the file pointer
+        is moved away backwards to seek for a Zip64 ECLOC64 structure.
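Review bot: "G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length" uses a
bare 22 for the fixed length of the end of central directory record. The
neighbouring code uses named constants (ECLOC64_SIZE, ECREC64_LENGTH,
ZIPFILE_COMMENT_LENGTH), so a named constant here would match. It is also
worth a comment that find_ecrec64() later adjusts this same ec_start with
"-= ECLOC64_SIZE+4", since the result is only right if that function runs
after this assignment.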
+diff --git a/unzpriv.h b/unzpriv.h
+index c8d3eab..5e177c7 100644
+--- a/unzpriv.h
++++ b/unzpriv.h
+@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf {
+        int have_ecr64;                  /* valid Zip64 ecdir-record exists */
+        int is_zip64_archive;            /* Zip64 ecdir-record is mandatory */
+        ush zipfile_comment_length;
++       zusz_t ec_start, ec_end;         /* offsets of start and end of the
++                                           end of central directory record,
++                                           including if present the Zip64
++                                           end of central directory locator,
++                                           which immediately precedes the
++                                           end of central directory record */
++       zusz_t ec64_start, ec64_end;     /* if have_ecr64 is true, then these
++                                           are the offsets of the start and
++                                           end of the Zip64 end of central
++                                           directory record */
+    } ecdir_rec;
+ 
+ 
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index daba722..464d73d 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -22,6 +22,9 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
 	file://symlink.patch \
 	file://0001-unzip-fix-CVE-2018-1000035.patch \
 	file://CVE-2018-18384.patch \
+	file://CVE-2019-13232_p1.patch \
+	file://CVE-2019-13232_p2.patch \
+        file://CVE-2019-13232_p3.patch \
 "
 UPSTREAM_VERSION_UNKNOWN = "1"
 
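Review bot: the third added SRC_URI line, "file://CVE-2019-13232_p3.patch",
is indented with spaces while the two lines above it and the existing
entries use a tab. Use a tab there too so the list stays consistent. The
order p1, p2, p3 is correct and should be kept, since the p2 commit message
says it depends on the undefer_input() fix in p1.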
-- 
2.7.4




* [thud 05/12] json-c: Don't --enable-rdrand
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
                   ` (3 preceding siblings ...)
  2019-10-10 15:49 ` [thud 04/12] unzip: fix CVE-2019-13232 Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  2019-10-10 15:49 ` [thud 06/12] perl: Fix CVE-2018-18311 to 18314 Armin Kuster
                   ` (6 subsequent siblings)
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

From: Adrian Bunk <bunk@stusta.de>

In recent years AMD CPUs have had various problems with RDRAND
giving either non-random data or no result at all, which is
problematic if either build or target machine has a CPU with
this problem.

The fallback is /dev/urandom, and I'd trust the kernel here.

--enable-rdrand was added in an upgrade to a new upstream
version without mentioning any reason.

[YOCTO #13534]

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/recipes-devtools/json-c/json-c_0.13.1.bb | 2 --
 1 file changed, 2 deletions(-)

diff --git a/meta/recipes-devtools/json-c/json-c_0.13.1.bb b/meta/recipes-devtools/json-c/json-c_0.13.1.bb
index 5b10e68..e6a3899 100644
--- a/meta/recipes-devtools/json-c/json-c_0.13.1.bb
+++ b/meta/recipes-devtools/json-c/json-c_0.13.1.bb
@@ -20,8 +20,6 @@ RPROVIDES_${PN} = "libjson"
 
 inherit autotools
 
-EXTRA_OECONF = "--enable-rdrand"
-
 do_configure_prepend() {
     # Clean up autoconf cruft that should not be in the tarball
     rm -f ${S}/config.status
-- 
2.7.4




* [thud 06/12] perl: Fix CVE-2018-18311 to 18314
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
                   ` (4 preceding siblings ...)
  2019-10-10 15:49 ` [thud 05/12] json-c: Don't --enable-rdrand Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  2019-10-10 15:49 ` [thud 07/12] sqlite3: Security fix for CVE-2019-8457 Armin Kuster
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

From: Dan Tran <dantran@microsoft.com>

Signed-off-by: Dan Tran <dantran@microsoft.com>
[Perl before 5.26.3 and 5.28.x before 5.28.1]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../perl/perl/CVE-2018-18311.patch                 | 183 ++++++++++++++
 .../perl/perl/CVE-2018-18312.patch                 | Bin 0 -> 2125 bytes
 .../perl/perl/CVE-2018-18313.patch                 |  60 +++++
 .../perl/perl/CVE-2018-18314.patch                 | 271 +++++++++++++++++++++
 meta/recipes-devtools/perl/perl_5.24.4.bb          |   4 +
 5 files changed, 518 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18311.patch
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18312.patch
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18313.patch
 create mode 100644 meta/recipes-devtools/perl/perl/CVE-2018-18314.patch

diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch b/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch
new file mode 100644
index 0000000..ba8cf15
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-18311.patch
@@ -0,0 +1,183 @@
+From 4706b65d7c835c0bb219db160fbcdbcd98efab2d Mon Sep 17 00:00:00 2001
+From: David Mitchell <davem@iabyn.com>
+Date: Fri, 29 Jun 2018 13:37:03 +0100
+Subject: [PATCH] Perl_my_setenv(); handle integer wrap
+
+RT #133204
+
+Wean this function off int/I32 and onto UV/Size_t.
+Also, replace all malloc-ish calls with a wrapper that does
+overflow checks,
+
+In particular, it was doing (nlen + vlen + 2) which could wrap when
+the combined length of the environment variable name and value
+exceeded around 0x7fffffff.
+
+The wrapper check function is probably overkill, but belt and braces...
+
+NB this function has several variant parts, #ifdef'ed by platform
+type; I have blindly changed the parts that aren't compiled under linux.
+
+(cherry picked from commit 34716e2a6ee2af96078d62b065b7785c001194be)
+
+CVE: CVE-2018-18311
+Upstream-Status: Backport
+[https://perl5.git.perl.org/perl.git/commit/5737d31aac51360cc1eb412ef059e36147c9d6d6]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ util.c | 76 ++++++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 53 insertions(+), 23 deletions(-)
+
+diff --git a/util.c b/util.c
+index 7c3d271f51..27f4eddf3b 100644
+--- a/util.c
++++ b/util.c
+@@ -2160,8 +2160,40 @@ Perl_new_warnings_bitfield(pTHX_ STRLEN *buffer, const char *const bits,
+    *(s+(nlen+1+vlen)) = '\0'
+ 
+ #ifdef USE_ENVIRON_ARRAY
+-       /* VMS' my_setenv() is in vms.c */
++
++/* small wrapper for use by Perl_my_setenv that mallocs, or reallocs if
++ * 'current' is non-null, with up to three sizes that are added together.
++ * It handles integer overflow.
++ */
++static char *
++S_env_alloc(void *current, Size_t l1, Size_t l2, Size_t l3, Size_t size)
++{
++    void *p;
++    Size_t sl, l = l1 + l2;
++
++    if (l < l2)
++        goto panic;
++    l += l3;
++    if (l < l3)
++        goto panic;
++    sl = l * size;
++    if (sl < l)
++        goto panic;
++
++    p = current
++            ? safesysrealloc(current, sl)
++            : safesysmalloc(sl);
++    if (p)
++        return (char*)p;
++
++  panic:
++    croak_memory_wrap();
++}
++
++
++/* VMS' my_setenv() is in vms.c */
+ #if !defined(WIN32) && !defined(NETWARE)
++
+ void
+ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ {
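Review bot: the multiplication check in S_env_alloc, `sl = l * size; if (sl < l) goto panic;`, does not catch every wrap, because a wrapped product can still be larger than l. With a 64-bit Size_t, l = 0x3000000000000000 and size = 8 give sl = 0x8000000000000000, which passes the test. The two addition checks above it are sound; for the product, a division-based test such as `if (size && l > (Size_t)-1 / size) goto panic;` before multiplying would close the gap. The callers visible in this patch only pass 1 or sizeof(char*), so the exposure is small, but the helper's comment promises that it "handles integer overflow".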
+@@ -2177,28 +2209,27 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ #ifndef PERL_USE_SAFE_PUTENV
+     if (!PL_use_safe_putenv) {
+         /* most putenv()s leak, so we manipulate environ directly */
+-        I32 i;
+-        const I32 len = strlen(nam);
+-        int nlen, vlen;
++        UV i;
++        Size_t vlen, nlen = strlen(nam);
+ 
+         /* where does it go? */
+         for (i = 0; environ[i]; i++) {
+-            if (strnEQ(environ[i],nam,len) && environ[i][len] == '=')
++            if (strnEQ(environ[i], nam, nlen) && environ[i][nlen] == '=')
+                 break;
+         }
+ 
+         if (environ == PL_origenviron) {   /* need we copy environment? */
+-            I32 j;
+-            I32 max;
++            UV j, max;
+             char **tmpenv;
+ 
+             max = i;
+             while (environ[max])
+                 max++;
+-            tmpenv = (char**)safesysmalloc((max+2) * sizeof(char*));
++            /* XXX shouldn't that be max+1 rather than max+2 ??? - DAPM */
++            tmpenv = (char**)S_env_alloc(NULL, max, 2, 0, sizeof(char*));
+             for (j=0; j<max; j++) {         /* copy environment */
+-                const int len = strlen(environ[j]);
+-                tmpenv[j] = (char*)safesysmalloc((len+1)*sizeof(char));
++                const Size_t len = strlen(environ[j]);
++                tmpenv[j] = S_env_alloc(NULL, len, 1, 0, 1);
+                 Copy(environ[j], tmpenv[j], len+1, char);
+             }
+             tmpenv[max] = NULL;
+@@ -2217,15 +2248,15 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ #endif
+         }
+         if (!environ[i]) {                 /* does not exist yet */
+-            environ = (char**)safesysrealloc(environ, (i+2) * sizeof(char*));
++            environ = (char**)S_env_alloc(environ, i, 2, 0, sizeof(char*));
+             environ[i+1] = NULL;    /* make sure it's null terminated */
+         }
+         else
+             safesysfree(environ[i]);
+-        nlen = strlen(nam);
++
+         vlen = strlen(val);
+ 
+-        environ[i] = (char*)safesysmalloc((nlen+vlen+2) * sizeof(char));
++        environ[i] = S_env_alloc(NULL, nlen, vlen, 2, 1);
+         /* all that work just for this */
+         my_setenv_format(environ[i], nam, nlen, val, vlen);
+     } else {
+@@ -2250,22 +2281,21 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+             if (environ) /* old glibc can crash with null environ */
+                 (void)unsetenv(nam);
+         } else {
+-	    const int nlen = strlen(nam);
+-	    const int vlen = strlen(val);
+-	    char * const new_env =
+-                (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
++	    const Size_t nlen = strlen(nam);
++	    const Size_t vlen = strlen(val);
++	    char * const new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+             my_setenv_format(new_env, nam, nlen, val, vlen);
+             (void)putenv(new_env);
+         }
+ #       else /* ! HAS_UNSETENV */
+         char *new_env;
+-	const int nlen = strlen(nam);
+-	int vlen;
++	const Size_t nlen = strlen(nam);
++	Size_t vlen;
+         if (!val) {
+ 	   val = "";
+         }
+         vlen = strlen(val);
+-        new_env = (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
++        new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+         /* all that work just for this */
+         my_setenv_format(new_env, nam, nlen, val, vlen);
+         (void)putenv(new_env);
+@@ -2288,14 +2318,14 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ {
+     dVAR;
+     char *envstr;
+-    const int nlen = strlen(nam);
+-    int vlen;
++    const Size_t nlen = strlen(nam);
++    Size_t vlen;
+ 
+     if (!val) {
+        val = "";
+     }
+     vlen = strlen(val);
+-    Newx(envstr, nlen+vlen+2, char);
++    envstr = S_env_alloc(NULL, nlen, vlen, 2, 1);
+     my_setenv_format(envstr, nam, nlen, val, vlen);
+     (void)PerlEnv_putenv(envstr);
+     Safefree(envstr);
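Review bot: in this last variant envstr now comes from S_env_alloc(), which allocates with safesysmalloc(), but it is still released with `Safefree(envstr)` as when it came from Newx(). The environ branch earlier in the patch pairs the same allocator with safesysfree(). Since the commit message says the non-Linux parts were changed blindly, please confirm that Safefree() and safesysmalloc() pair up in every build configuration, or switch this free to safesysfree() for consistency.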
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-18312.patch b/meta/recipes-devtools/perl/perl/CVE-2018-18312.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1c3426542d7907ed0e5ab34621589bc3bbc5612d
GIT binary patch
literal 2125
zcmd5-S##Sq5Y97y#YS$2;z%Sxh~i}{w(BI5PNvh2?X;b-WDP`sN5Vq|As<uczjr|?
zzMAx*PoYR)vD*C>djW4{TZ12mg8G4o<CuHC$k>WUl%#&RBHo1i0SWmko%lZd(l&4=
z*5HLeNYcMR3Gs}#2$R5jCM)=(tg4dL9f}@&Dz1;xHEWz!=C6#`Oo>EejDh++4kca$
zo|jDh#P`4^0U^fOX7y2|DuIjNj?Yitf#*&Z(38ko3$(E3O(s4?Zq`beIy8Wqm5nlt
zli%MYfP<}ZZ7-U5)cCOOloYJC&lFReE`gs|`f1%tWn2_Wt-Hi^HR#mIOXX-v@3m)X
zj+?f1jnkB8JdS*t(TLzX35cI&Q!gZ5z<o}pUPLKwK3EvWS(!J2+ijNFtJ?%#vj)y3
z4hNhy3W=k-Ol8}(nQ{>Pm0{bq0aE0+SUV|fpF6;C7@%A!@XeRC=yFHF9ZX@Q9|I_4
zWhFXD3)bX<kMW<f>4a2e+jPT`HAVz3Dxudy+cFGZW*OKvIt5H)?(D4|XrpYnxB<a4
zCgL>9xZ@DQX~1I|6Y$VI-`CrHtZ(3E;4#M05!jv|g>)RkXiEfuOeuJ~Og9quD-&bq
z=F{o)&CSVj&15G=qy4Xouui);{BZK_`1JUE_@H6IYzC%fTBvB)PjR=a2ib3;_aa%v
z@(yOuu`99c7vI=R-l`Tb`n(d$7Aps-uSkA=8u;fKUAfOVyCjf^$0VJmK5?928cpJm
zr8In+gy)*uR6OVEgv66^03#eDor?MvekjVkSk~o@;7eZWnwY`RJT{?HU=q`ULp?zP
z$U~>JM%q?wvn;ScFg9z64VS^-M?(J`jG>i$I7kLM_*zu4)qe@jRWE6bwCrk=Z`&DR
z2gAdQ;o)V1(|kU^A!K1$^Z7zkcl6@&5~+xM58uK%b>{ORB!hhedvR}1fAC)1+E=XF
z2w1aHcF<;!wp_SEN<64`D^LYf&=u{b;#fUb0y3sp1-($`^k6z=G>CQ1Xy}dOUDA%Y
zV5)!_wub5IP+9iNh2@$sdj;mtjc#b{cLCyNEk)O1<HL2Sin4*ZiQ=%Z<|h2T_ZjM~
zHj-O_vF?z)`_q*Ml=zD;R$dOR|8E49(TdjZZ9KK&KUg`K?c6vMe{DpQ3K$+bjss1r
zKnYow4c;C6e)9)2M7_uSceg+CCBj2`VT@qlK9rg}&><WAx^3D%NN5Q#YN_C5lSALm
z3X}E_tuJNyqOVEq)Qj)5Cf&gpixSJSKMOIh=Y{A5Few19k&fkfYxG5^IoC`!=y3<v
yg=qS4<8@i4Y9B8TU2Ge?5+s-#1dsv`e=w*+sY9HrtaCj4O+zPNvCIq7$oL1o#ZxZ;

literal 0
HcmV?d00001
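Review bot: CVE-2018-18312.patch is added as a `GIT binary patch` (literal 2125), so the fix for that CVE cannot be read or reviewed in this mail, unlike the other three perl patches in the series. If git classified the file as binary only because it contains a few non-text bytes, please say so in the commit message and name the upstream commit it backports, so reviewers can compare the file against its source.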

diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-18313.patch b/meta/recipes-devtools/perl/perl/CVE-2018-18313.patch
new file mode 100644
index 0000000..540aa07
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-18313.patch
@@ -0,0 +1,60 @@
+From 3458f6115ca8e8d11779948c12b7e1cc5803358c Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Sat, 25 Mar 2017 15:00:22 -0600
+Subject: [PATCH 2/3] regcomp.c: Convert some strchr to memchr
+
+This allows things to work properly in the face of embedded NULs.
+See the branch merge message for more information.
+
+(cherry picked from commit 43b2f4ef399e2fd7240b4eeb0658686ad95f8e62)
+
+CVE: CVE-2018-18313
+Upstream-Status: Backport
+[https://perl5.git.perl.org/perl.git/commit/c1c28ce6ba90ee05aa96b11ad551a6063680f3b9]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ regcomp.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index 00d26d9290..2688979882 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -11783,8 +11783,9 @@ S_grok_bslash_N(pTHX_ RExC_state_t *pRExC_state,
+ 
+     RExC_parse++;	/* Skip past the '{' */
+ 
+-    if (! (endbrace = strchr(RExC_parse, '}'))  /* no trailing brace */
+-	|| ! (endbrace == RExC_parse		/* nothing between the {} */
++    endbrace = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
++    if ((! endbrace) /* no trailing brace */
++	    || ! (endbrace == RExC_parse		/* nothing between the {} */
+               || (endbrace - RExC_parse >= 2	/* U+ (bad hex is checked... */
+                   && strnEQ(RExC_parse, "U+", 2)))) /* ... below for a better
+                                                        error msg) */
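Review bot: in S_grok_bslash_N the length passed to memchr(), `RExC_end - RExC_parse`, is computed immediately after `RExC_parse++` with no check that the pointer is still within the buffer, while the S_regatom hunk of this same patch wraps the identical call in `if (RExC_parse < RExC_end)`. If the caller guarantees the '{' was inside the buffer, a short comment or assertion stating that invariant would do; otherwise apply the same guard here, because a pointer past RExC_end turns the difference into a very large size argument.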
+@@ -12483,9 +12484,11 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
+             else {
+                 STRLEN length;
+                 char name = *RExC_parse;
+-                char * endbrace;
++                char * endbrace = NULL;
+                 RExC_parse += 2;
+-                endbrace = strchr(RExC_parse, '}');
++                if (RExC_parse < RExC_end) {
++                    endbrace = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
++                }
+ 
+                 if (! endbrace) {
+                     vFAIL2("Missing right brace on \\%c{}", name);
+@@ -15939,7 +15942,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
+ 		    vFAIL2("Empty \\%c", (U8)value);
+ 		if (*RExC_parse == '{') {
+ 		    const U8 c = (U8)value;
+-		    e = strchr(RExC_parse, '}');
++		    e = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
+                     if (!e) {
+                         RExC_parse++;
+                         vFAIL2("Missing right brace on \\%c{}", c);
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-devtools/perl/perl/CVE-2018-18314.patch b/meta/recipes-devtools/perl/perl/CVE-2018-18314.patch
new file mode 100644
index 0000000..e84e7bc
--- /dev/null
+++ b/meta/recipes-devtools/perl/perl/CVE-2018-18314.patch
@@ -0,0 +1,271 @@
+From 6a2d07f43ae7cfcb2eb30cf39751f2f7fed7ecc1 Mon Sep 17 00:00:00 2001
+From: Yves Orton <demerphq@gmail.com>
+Date: Mon, 26 Jun 2017 13:19:55 +0200
+Subject: [PATCH 3/3] fix #131649 - extended charclass can trigger assert
+
+The extended charclass parser makes some assumptions during the
+first pass which are only true on well structured input, and it
+does not properly catch various errors. later on the code assumes
+that things the first pass will let through are valid, when in
+fact they should trigger errors.
+
+(cherry picked from commit 19a498a461d7c81ae3507c450953d1148efecf4f)
+
+CVE: CVE-2018-18314
+Upstream-Status: Backport
+[https://perl5.git.perl.org/perl.git/commit/dabe076af345ab4512ea80245b4e4cd7ec0996cd]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ pod/perldiag.pod        | 27 ++++++++++++++++++++++++++-
+ pod/perlrecharclass.pod |  4 ++--
+ regcomp.c               | 23 +++++++++++++----------
+ t/lib/warnings/regcomp  |  6 +++---
+ t/re/reg_mesg.t         | 29 ++++++++++++++++-------------
+ t/re/regex_sets.t       |  6 +++---
+ 6 files changed, 63 insertions(+), 32 deletions(-)
+
+diff --git a/pod/perldiag.pod b/pod/perldiag.pod
+index 737d3633f6..644b814008 100644
+--- a/pod/perldiag.pod
++++ b/pod/perldiag.pod
+@@ -5777,7 +5777,7 @@ yourself.
+ a perl4 interpreter, especially if the next 2 tokens are "use strict"
+ or "my $var" or "our $var".
+ 
+-=item Syntax error in (?[...]) in regex m/%s/
++=item Syntax error in (?[...]) in regex; marked by <-- HERE in m/%s/
+ 
+ (F) Perl could not figure out what you meant inside this construct; this
+ notifies you that it is giving up trying.
+@@ -6153,6 +6153,31 @@ for example,
+ (F) The unexec() routine failed for some reason.  See your local FSF
+ representative, who probably put it there in the first place.
+ 
++=item Unexpected ']' with no following ')' in (?[... in regex; marked by <-- HERE in m/%s/
++
++(F) While parsing an extended character class a ']' character was encountered
++at a point in the definition where the only legal use of ']' is to close the
++character class definition as part of a '])', you may have forgotten the close
++paren, or otherwise confused the parser.
++
++=item Expecting close paren for nested extended charclass in regex; marked by <-- HERE in m/%s/
++
++(F) While parsing a nested extended character class like:
++
++    (?[ ... (?flags:(?[ ... ])) ... ])
++                             ^
++
++we expected to see a close paren ')' (marked by ^) but did not.
++
++=item Expecting close paren for wrapper for nested extended charclass in regex; marked by <-- HERE in m/%s/
++
++(F) While parsing a nested extended character class like:
++
++    (?[ ... (?flags:(?[ ... ])) ... ])
++                              ^
++
++we expected to see a close paren ')' (marked by ^) but did not.
++
+ =item Unexpected binary operator '%c' with no preceding operand in regex;
+ marked by S<<-- HERE> in m/%s/
+ 
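Review bot: the two new "Expecting close paren ..." entries are inserted between the unexec() entry and "Unexpected binary operator", that is, in the U section of perldiag, where only the new "Unexpected ']' ..." entry belongs alphabetically. Both also carry the same diagram and the same closing sentence, differing only in the caret position, which is easy to misread. Suggest moving the "Expecting ..." items to the E section and stating in words which of the two parentheses each message refers to.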
+diff --git a/pod/perlrecharclass.pod b/pod/perlrecharclass.pod
+index 89f4a7ef3f..a557cc0384 100644
+--- a/pod/perlrecharclass.pod
++++ b/pod/perlrecharclass.pod
+@@ -1101,8 +1101,8 @@ hence both of the following work:
+ Any contained POSIX character classes, including things like C<\w> and C<\D>
+ respect the C<E<sol>a> (and C<E<sol>aa>) modifiers.
+ 
+-C<< (?[ ]) >> is a regex-compile-time construct.  Any attempt to use
+-something which isn't knowable at the time the containing regular
++Note that C<< (?[ ]) >> is a regex-compile-time construct.  Any attempt
++to use something which isn't knowable at the time the containing regular
+ expression is compiled is a fatal error.  In practice, this means
+ just three limitations:
+ 
+diff --git a/regcomp.c b/regcomp.c
+index 2688979882..cb8409ed27 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -14609,8 +14609,9 @@ S_handle_regex_sets(pTHX_ RExC_state_t *pRExC_state, SV** return_invlist,
+                                     TRUE /* Force /x */ );
+ 
+             switch (*RExC_parse) {
+-                case '?':
+-                    if (RExC_parse[1] == '[') depth++, RExC_parse++;
++                case '(':
++                    if (RExC_parse[1] == '?' && RExC_parse[2] == '[')
++                        depth++, RExC_parse+=2;
+                     /* FALLTHROUGH */
+                 default:
+                     break;
+@@ -14667,9 +14668,9 @@ S_handle_regex_sets(pTHX_ RExC_state_t *pRExC_state, SV** return_invlist,
+                 }
+ 
+                 case ']':
+-                    if (depth--) break;
+-                    RExC_parse++;
+-                    if (*RExC_parse == ')') {
++                    if (RExC_parse[1] == ')') {
++                        RExC_parse++;
++                        if (depth--) break;
+                         node = reganode(pRExC_state, ANYOF, 0);
+                         RExC_size += ANYOF_SKIP;
+                         nextchar(pRExC_state);
+@@ -14681,20 +14682,20 @@ S_handle_regex_sets(pTHX_ RExC_state_t *pRExC_state, SV** return_invlist,
+ 
+                         return node;
+                     }
+-                    goto no_close;
++                    RExC_parse++;
++                    vFAIL("Unexpected ']' with no following ')' in (?[...");
+             }
+ 
+             RExC_parse += UTF ? UTF8SKIP(RExC_parse) : 1;
+         }
+ 
+-      no_close:
+         /* We output the messages even if warnings are off, because we'll fail
+          * the very next thing, and these give a likely diagnosis for that */
+         if (posix_warnings && av_tindex_nomg(posix_warnings) >= 0) {
+             output_or_return_posix_warnings(pRExC_state, posix_warnings, NULL);
+         }
+ 
+-        FAIL("Syntax error in (?[...])");
++        vFAIL("Syntax error in (?[...])");
+     }
+ 
+     /* Pass 2 only after this. */
+@@ -14868,12 +14869,14 @@ redo_curchar:
+                      * inversion list, and RExC_parse points to the trailing
+                      * ']'; the next character should be the ')' */
+                     RExC_parse++;
+-                    assert(UCHARAT(RExC_parse) == ')');
++                    if (UCHARAT(RExC_parse) != ')')
++                        vFAIL("Expecting close paren for nested extended charclass");
+ 
+                     /* Then the ')' matching the original '(' handled by this
+                      * case: statement */
+                     RExC_parse++;
+-                    assert(UCHARAT(RExC_parse) == ')');
++                    if (UCHARAT(RExC_parse) != ')')
++                        vFAIL("Expecting close paren for wrapper for nested extended charclass");
+ 
+                     RExC_flags = save_flags;
+                     goto handle_operand;
+diff --git a/t/lib/warnings/regcomp b/t/lib/warnings/regcomp
+index 08cb27b00f..367276d0fc 100644
+--- a/t/lib/warnings/regcomp
++++ b/t/lib/warnings/regcomp
+@@ -59,21 +59,21 @@ Unmatched [ in regex; marked by <-- HERE in m/abc[ <-- HERE fi[.00./ at - line
+ qr/(?[[[:word]]])/;
+ EXPECT
+ Assuming NOT a POSIX class since there is no terminating ':' in regex; marked by <-- HERE in m/(?[[[:word <-- HERE ]]])/ at - line 2.
+-syntax error in (?[...]) in regex m/(?[[[:word]]])/ at - line 2.
++Unexpected ']' with no following ')' in (?[... in regex; marked by <-- HERE in m/(?[[[:word]] <-- HERE ])/ at - line 2.
+ ########
+ # NAME qr/(?[ [[:digit: ])/
+ # OPTION fatal
+ qr/(?[[[:digit: ])/;
+ EXPECT
+ Assuming NOT a POSIX class since no blanks are allowed in one in regex; marked by <-- HERE in m/(?[[[:digit: ] <-- HERE )/ at - line 2.
+-syntax error in (?[...]) in regex m/(?[[[:digit: ])/ at - line 2.
++syntax error in (?[...]) in regex; marked by <-- HERE in m/(?[[[:digit: ]) <-- HERE / at - line 2.
+ ########
+ # NAME qr/(?[ [:digit: ])/
+ # OPTION fatal
+ qr/(?[[:digit: ])/
+ EXPECT
+ Assuming NOT a POSIX class since no blanks are allowed in one in regex; marked by <-- HERE in m/(?[[:digit: ] <-- HERE )/ at - line 2.
+-syntax error in (?[...]) in regex m/(?[[:digit: ])/ at - line 2.
++syntax error in (?[...]) in regex; marked by <-- HERE in m/(?[[:digit: ]) <-- HERE / at - line 2.
+ ########
+ # NAME [perl #126141]
+ # OPTION fatal
+diff --git a/t/re/reg_mesg.t b/t/re/reg_mesg.t
+index 658397ac27..08a3688e1d 100644
+--- a/t/re/reg_mesg.t
++++ b/t/re/reg_mesg.t
+@@ -202,8 +202,9 @@ my @death =
+  '/\b{gc}/' => "'gc' is an unknown bound type {#} m/\\b{gc{#}}/",
+  '/\B{gc}/' => "'gc' is an unknown bound type {#} m/\\B{gc{#}}/",
+ 
+- '/(?[[[::]]])/' => "Syntax error in (?[...]) in regex m/(?[[[::]]])/",
+- '/(?[[[:w:]]])/' => "Syntax error in (?[...]) in regex m/(?[[[:w:]]])/",
++
++ '/(?[[[::]]])/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[[[::]]{#}])/",
++ '/(?[[[:w:]]])/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[[[:w:]]{#}])/",
+  '/(?[[:w:]])/' => "",
+  '/[][[:alpha:]]' => "",    # [perl #127581]
+  '/([.].*)[.]/'   => "",    # [perl #127582]
+@@ -227,11 +228,12 @@ my @death =
+  '/(?[ \p{foo} ])/' => 'Can\'t find Unicode property definition "foo" {#} m/(?[ \p{foo}{#} ])/',
+  '/(?[ \p{ foo = bar } ])/' => 'Can\'t find Unicode property definition "foo = bar" {#} m/(?[ \p{ foo = bar }{#} ])/',
+  '/(?[ \8 ])/' => 'Unrecognized escape \8 in character class {#} m/(?[ \8{#} ])/',
+- '/(?[ \t ]/' => 'Syntax error in (?[...]) in regex m/(?[ \t ]/',
+- '/(?[ [ \t ]/' => 'Syntax error in (?[...]) in regex m/(?[ [ \t ]/',
+- '/(?[ \t ] ]/' => 'Syntax error in (?[...]) in regex m/(?[ \t ] ]/',
+- '/(?[ [ ] ]/' => 'Syntax error in (?[...]) in regex m/(?[ [ ] ]/',
+- '/(?[ \t + \e # This was supposed to be a comment ])/' => 'Syntax error in (?[...]) in regex m/(?[ \t + \e # This was supposed to be a comment ])/',
++ '/(?[ \t ]/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[ \\t ]{#}/",
++ '/(?[ [ \t ]/' => "Syntax error in (?[...]) {#} m/(?[ [ \\t ]{#}/",
++ '/(?[ \t ] ]/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[ \\t ]{#} ]/",
++ '/(?[ [ ] ]/' => "Syntax error in (?[...]) {#} m/(?[ [ ] ]{#}/",
++ '/(?[ \t + \e # This was supposed to be a comment ])/' =>
++    "Syntax error in (?[...]) {#} m/(?[ \\t + \\e # This was supposed to be a comment ]){#}/",
+  '/(?[ ])/' => 'Incomplete expression within \'(?[ ])\' {#} m/(?[ {#}])/',
+  'm/(?[[a-\d]])/' => 'False [] range "a-\d" {#} m/(?[[a-\d{#}]])/',
+  'm/(?[[\w-x]])/' => 'False [] range "\w-" {#} m/(?[[\w-{#}x]])/',
+@@ -410,10 +412,10 @@ my @death_utf8 = mark_as_utf8(
+ 
+  '/ネ\p{}ネ/' => 'Empty \p{} {#} m/ネ\p{{#}}ネ/',
+ 
+- '/ネ(?[[[:ネ]]])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[:ネ]]])ネ/",
+- '/ネ(?[[[:ネ: ])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[:ネ: ])ネ/",
+- '/ネ(?[[[::]]])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[::]]])ネ/",
+- '/ネ(?[[[:ネ:]]])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[:ネ:]]])ネ/",
++ '/ネ(?[[[:ネ]]])ネ/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[[[:ネ]]{#}])ネ/",
++ '/ネ(?[[[:ネ: ])ネ/' => "Syntax error in (?[...]) {#} m/ネ(?[[[:ネ: ])ネ{#}/",
++ '/ネ(?[[[::]]])ネ/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[[[::]]{#}])ネ/",
++ '/ネ(?[[[:ネ:]]])ネ/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[[[:ネ:]]{#}])ネ/",
+  '/ネ(?[[:ネ:]])ネ/' => "",
+  '/ネ(?[ネ])ネ/' =>  'Unexpected character {#} m/ネ(?[ネ{#}])ネ/',
+  '/ネ(?[ + [ネ] ])/' => 'Unexpected binary operator \'+\' with no preceding operand {#} m/ネ(?[ +{#} [ネ] ])/',
+@@ -426,8 +428,9 @@ my @death_utf8 = mark_as_utf8(
+  '/(?[ \x{ネ} ])ネ/' => 'Non-hex character {#} m/(?[ \x{ネ{#}} ])ネ/',
+  '/(?[ \p{ネ} ])/' => 'Can\'t find Unicode property definition "ネ" {#} m/(?[ \p{ネ}{#} ])/',
+  '/(?[ \p{ ネ = bar } ])/' => 'Can\'t find Unicode property definition "ネ = bar" {#} m/(?[ \p{ ネ = bar }{#} ])/',
+- '/ネ(?[ \t ]/' => 'Syntax error in (?[...]) in regex m/ネ(?[ \t ]/',
+- '/(?[ \t + \e # ネ This was supposed to be a comment ])/' => 'Syntax error in (?[...]) in regex m/(?[ \t + \e # ネ This was supposed to be a comment ])/',
++ '/ネ(?[ \t ]/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[ \\t ]{#}/",
++ '/(?[ \t + \e # ネ This was supposed to be a comment ])/' =>
++    "Syntax error in (?[...]) {#} m/(?[ \\t + \\e # ネ This was supposed to be a comment ]){#}/",
+  'm/(*ネ)ネ/' => q<Unknown verb pattern 'ネ' {#} m/(*ネ){#}ネ/>,
+  '/\cネ/' => "Character following \"\\c\" must be printable ASCII",
+  '/\b{ネ}/' => "'ネ' is an unknown bound type {#} m/\\b{ネ{#}}/",
+diff --git a/t/re/regex_sets.t b/t/re/regex_sets.t
+index 92875677be..60a126ba3c 100644
+--- a/t/re/regex_sets.t
++++ b/t/re/regex_sets.t
+@@ -157,13 +157,13 @@ for my $char ("٠", "٥", "٩") {
+ 	eval { $_ = '/(?[(\c]) /'; qr/$_/ };
+ 	like($@, qr/^Syntax error/, '/(?[(\c]) / should not panic');
+ 	eval { $_ = '(?[\c#]' . "\n])"; qr/$_/ };
+-	like($@, qr/^Syntax error/, '/(?[(\c]) / should not panic');
++	like($@, qr/^Unexpected/, '/(?[(\c]) / should not panic');
+ 	eval { $_ = '(?[(\c])'; qr/$_/ };
+ 	like($@, qr/^Syntax error/, '/(?[(\c])/ should be a syntax error');
+ 	eval { $_ = '(?[(\c]) ]\b'; qr/$_/ };
+-	like($@, qr/^Syntax error/, '/(?[(\c]) ]\b/ should be a syntax error');
++	like($@, qr/^Unexpected/, '/(?[(\c]) ]\b/ should be a syntax error');
+ 	eval { $_ = '(?[\c[]](])'; qr/$_/ };
+-	like($@, qr/^Syntax error/, '/(?[\c[]](])/ should be a syntax error');
++	like($@, qr/^Unexpected/, '/(?[\c[]](])/ should be a syntax error');
+ 	like("\c#", qr/(?[\c#])/, '\c# should match itself');
+ 	like("\c[", qr/(?[\c[])/, '\c[ should match itself');
+ 	like("\c\ ", qr/(?[\c\])/, '\c\ should match itself');
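Review bot: the three assertions changed to `qr/^Unexpected/` keep their old descriptions, so two of them now read "should be a syntax error" while requiring a message that does not start with "Syntax error", and the one for the pattern `'(?[\c#]' . "\n])"` still carries the description of the preceding test ('/(?[(\c]) / should not panic'). Updating the descriptions to name the pattern under test and the expected "Unexpected ']'" diagnostic would make a failure in this block readable.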
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
+
diff --git a/meta/recipes-devtools/perl/perl_5.24.4.bb b/meta/recipes-devtools/perl/perl_5.24.4.bb
index a644970..2f27749 100644
--- a/meta/recipes-devtools/perl/perl_5.24.4.bb
+++ b/meta/recipes-devtools/perl/perl_5.24.4.bb
@@ -65,6 +65,10 @@ SRC_URI += " \
         file://perl-5.26.1-guard_old_libcrypt_fix.patch \
         file://CVE-2018-12015.patch \
         file://0001-ExtUtils-MM_Unix.pm-fix-race-issues.patch \
+	file://CVE-2018-18311.patch \
+	file://CVE-2018-18312.patch \
+	file://CVE-2018-18313.patch \
+	file://CVE-2018-18314.patch \
 "
 
 # Fix test case issues
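Review bot: the four added `file://CVE-2018-1831x.patch` entries are indented with a tab, while the surrounding SRC_URI entries in the context lines use eight spaces. Please match the existing indentation so the list stays aligned.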
-- 
2.7.4




* [thud 07/12] sqlite3: Security fix for CVE-2019-8457
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
                   ` (5 preceding siblings ...)
  2019-10-10 15:49 ` [thud 06/12] perl: Fix CVE-2018-18311 to 18314 Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  2019-10-10 15:49 ` [thud 08/12] wget: Security fixes CVE-2018-20483 Armin Kuster
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

From: Shubham Agrawal <shuagr@microsoft.com>

Signed-off-by: Shubham Agrawal <shuagr@microsoft.com>
[Cleaned up patch]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../sqlite/files/CVE-2019-8457.patch               | 126 +++++++++++++++++++++
 meta/recipes-support/sqlite/sqlite3_3.23.1.bb      |   1 +
 2 files changed, 127 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2019-8457.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2019-8457.patch b/meta/recipes-support/sqlite/files/CVE-2019-8457.patch
new file mode 100644
index 0000000..5883774
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2019-8457.patch
@@ -0,0 +1,126 @@
+From fbf2392644f0ae4282fa4583c9bb67260995d983 Mon Sep 17 00:00:00 2001
+From: Shubham Agrawal <shuagr@microsoft.com>
+Date: Mon, 23 Sep 2019 20:58:47 +0000
+Subject: [PATCH] sqlite: fix for CVE-2019-8457
+
+Upstream-Status: Backport
+CVE: CVE-2019-8457
+Signed-off-by: Shubham Agrawal <shuagr@microsoft.com>
+---
+ sqlite3.c | 50 +++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 31 insertions(+), 19 deletions(-)
+
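Review bot: the header of CVE-2019-8457.patch says only `Upstream-Status: Backport`, with no upstream commit or URL, whereas the perl and wget patches in this series give the commit they were taken from in brackets. Please add the upstream SQLite check-in reference so the backport can be compared against its source.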
+diff --git a/sqlite3.c b/sqlite3.c
+index 00513d4..5c8c7f4 100644
+--- a/sqlite3.c
++++ b/sqlite3.c
+@@ -172325,6 +172325,33 @@
+ }
+ 
+ 
++/* Allocate and initialize a new dynamic string object */
++StrAccum *sqlite3_str_new(sqlite3 *db){
++  StrAccum *p = sqlite3DbMallocRaw(db, sizeof(*p));
++  if( p ){
++    sqlite3StrAccumInit(p, db, 0, 0, SQLITE_MAX_LENGTH);
++  }
++  return p;
++}
++
++/* Finalize a string created using sqlite3_str_new().
++*/
++
++char *sqlite3_str_finish(StrAccum *p){
++  char *z;
++  if( p ){
++    z = sqlite3StrAccumFinish(p);
++    sqlite3DbFree(p->db, p);
++  }else{
++    z = 0;
++  }
++  return z;
++}
++/* Return any error code associated with p */
++int sqlite3_str_errcode(StrAccum *p){
++  return p ? p->accError : SQLITE_NOMEM;
++}
++
+ /*
+ ** Implementation of a scalar function that decodes r-tree nodes to
+ ** human readable strings. This can be used for debugging and analysis.
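Review bot: sqlite3_str_new(), sqlite3_str_finish() and sqlite3_str_errcode() are defined here without `static`, so the amalgamation gains three new global symbols with the public `sqlite3_` prefix, while their only user in this patch, rtreenode(), is itself static. Unless the intent is to export them, mark them `static` or give them an internal name so the library's exported symbol set does not change as a side effect of a CVE fix.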
+@@ -172342,49 +172369,53 @@
+ ** <num-dimension>*2 coordinates.
+ */
+ static void rtreenode(sqlite3_context *ctx, int nArg, sqlite3_value **apArg){
+-  char *zText = 0;
++
+   RtreeNode node;
+   Rtree tree;
+   int ii;
++  int nData;
++  int errCode;
++  StrAccum *pOut;
+ 
+   UNUSED_PARAMETER(nArg);
+   memset(&node, 0, sizeof(RtreeNode));
+   memset(&tree, 0, sizeof(Rtree));
+   tree.nDim = (u8)sqlite3_value_int(apArg[0]);
++  if( tree.nDim<1 || tree.nDim>5 ) return;
+   tree.nDim2 = tree.nDim*2;
+   tree.nBytesPerCell = 8 + 8 * tree.nDim;
+   node.zData = (u8 *)sqlite3_value_blob(apArg[1]);
++  nData = sqlite3_value_bytes(apArg[1]);
++  if( nData<4 ) return;
++  if( nData<NCELL(&node)*tree.nBytesPerCell ) return;
+ 
++  pOut = sqlite3_str_new(0);
+   for(ii=0; ii<NCELL(&node); ii++){
+-    char zCell[512];
+-    int nCell = 0;
++
++
+     RtreeCell cell;
+     int jj;
+ 
+     nodeGetCell(&tree, &node, ii, &cell);
+-    sqlite3_snprintf(512-nCell,&zCell[nCell],"%lld", cell.iRowid);
+-    nCell = (int)strlen(zCell);
++    if( ii>0 ) sqlite3StrAccumAppend(pOut, " ", 1);
++    sqlite3XPrintf(pOut, "{%lld", cell.iRowid);
++
+     for(jj=0; jj<tree.nDim2; jj++){
+ #ifndef SQLITE_RTREE_INT_ONLY
+-      sqlite3_snprintf(512-nCell,&zCell[nCell], " %g",
+-                       (double)cell.aCoord[jj].f);
++
++      sqlite3XPrintf(pOut, " %g", (double)cell.aCoord[jj].f);
+ #else
+-      sqlite3_snprintf(512-nCell,&zCell[nCell], " %d",
+-                       cell.aCoord[jj].i);
++
++      sqlite3XPrintf(pOut, " %d", cell.aCoord[jj].i);
+ #endif
+-      nCell = (int)strlen(zCell);
+-    }
+ 
+-    if( zText ){
+-      char *zTextNew = sqlite3_mprintf("%s {%s}", zText, zCell);
+-      sqlite3_free(zText);
+-      zText = zTextNew;
+-    }else{
+-      zText = sqlite3_mprintf("{%s}", zCell);
+     }
++    sqlite3StrAccumAppend(pOut, "}", 1);
+   }
+-  
+-  sqlite3_result_text(ctx, zText, -1, sqlite3_free);
++
++  errCode = sqlite3_str_errcode(pOut);
++  sqlite3_result_text(ctx, sqlite3_str_finish(pOut), -1, sqlite3_free);
++  sqlite3_result_error_code(ctx, errCode);
+ }
+ 
+ /* This routine implements an SQL function that returns the "depth" parameter
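Review bot: `pOut = sqlite3_str_new(0);` is used without a NULL check. The helper added in the previous hunk returns NULL when sqlite3DbMallocRaw() fails, and although sqlite3_str_errcode() and sqlite3_str_finish() both handle a NULL argument, the sqlite3StrAccumAppend() and sqlite3XPrintf() calls inside the loop receive pOut unconditionally. Suggest returning an out-of-memory error right after the allocation when pOut is NULL. Separately, the early `return` statements for a bad nDim or a short blob leave the function with no result set; if that is intended, a one-line comment would help.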
+-- 
+2.7.4
+
diff --git a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
index d214ea1..7df61cd 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.23.1.bb
@@ -7,6 +7,7 @@ SRC_URI = "\
   http://www.sqlite.org/2018/sqlite-autoconf-${SQLITE_PV}.tar.gz \
   file://CVE-2018-20505.patch \
   file://CVE-2018-20506.patch \
+  file://CVE-2019-8457.patch \
   "
 SRC_URI[md5sum] = "99a51b40a66872872a91c92f6d0134fa"
 SRC_URI[sha256sum] = "92842b283e5e744eff5da29ed3c69391de7368fccc4d0ee6bf62490ce555ef25"
-- 
2.7.4




* [thud 08/12] wget: Security fixes CVE-2018-20483
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
                   ` (6 preceding siblings ...)
  2019-10-10 15:49 ` [thud 07/12] sqlite3: Security fix for CVE-2019-8457 Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  2019-10-10 15:49 ` [thud 09/12] qemu: fix build issue on new hosts with glibc 2.30 Armin Kuster
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

From: Andrii Bordunov via Openembedded-core <openembedded-core@lists.openembedded.org>

Source: http://git.savannah.gnu.org/cgit/wget.git/
Type: Security Fix
Disposition: Backport from http://git.savannah.gnu.org/cgit/wget.git/
Description:

Fixes CVE-2018-20483

Signed-off-by: Aviraj CJ <acj@cisco.com>
[Affects Wget before 1.20.1]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../wget/wget/CVE-2018-20483_p1.patch              |  73 ++++++++++++
 .../wget/wget/CVE-2018-20483_p2.patch              | 127 +++++++++++++++++++++
 meta/recipes-extended/wget/wget_1.19.5.bb          |   2 +
 3 files changed, 202 insertions(+)
 create mode 100644 meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
 create mode 100644 meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch

diff --git a/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
new file mode 100644
index 0000000..cbc4a12
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p1.patch
@@ -0,0 +1,73 @@
+From 6c5471e4834aebd7359d88b760b087136473bac8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 13:51:48 +0100
+Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default
+
+* src/init.c (defaults): Set enable_xattr to false by default
+* src/main.c (print_help): Reverse option logic of --xattr
+* doc/wget.texi: Add description for --xattr
+
+Users may not be aware that the origin URL and Referer are saved
+including credentials, and possibly access tokens within
+the urls.
+
+CVE: CVE-2018-20483 patch 1
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ doc/wget.texi | 8 ++++++++
+ src/init.c    | 4 ----
+ src/main.c    | 2 +-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/doc/wget.texi b/doc/wget.texi
+index eaf6b380..3f9d7c1c 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -540,6 +540,14 @@ right NUMBER.
+ Set preferred location for Metalink resources. This has effect if multiple
+ resources with same priority are available.
+ 
++@cindex xattr
++@item --xattr
++Enable use of file system's extended attributes to save the
++original URL and the Referer HTTP header value if used.
++
++Be aware that the URL might contain private information like
++access tokens or credentials.
++
+ 
+ @cindex force html
+ @item -F
+diff --git a/src/init.c b/src/init.c
+index eb81ab47..800970c5 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -509,11 +509,7 @@ defaults (void)
+   opt.hsts = true;
+ #endif
+ 
+-#ifdef ENABLE_XATTR
+-  opt.enable_xattr = true;
+-#else
+   opt.enable_xattr = false;
+-#endif
+ }
+ 
+ /* Return the user's home directory (strdup-ed), or NULL if none is
+diff --git a/src/main.c b/src/main.c
+index 81db9319..6ac1621b 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -754,7 +754,7 @@ Download:\n"),
+ #endif
+ #ifdef ENABLE_XATTR
+     N_("\
+-       --no-xattr                  turn off storage of metadata in extended file attributes\n"),
++       --xattr                     turn on storage of metadata in extended file attributes\n"),
+ #endif
+     "\n",
+ 
+-- 
+2.19.1
+
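Review bot: The src/init.c hunk makes `opt.enable_xattr = false` unconditional, which changes the default for every thud user on an ENABLE_XATTR build, and the src/main.c hunk swaps the `--no-xattr` help line for `--xattr`, yet the outer commit message leaves "Description:" empty. Please state there that xattr metadata now has to be requested explicitly. The new default only removes the implicit case: with `--xattr` given, the origin URL and Referer are still written, which is what the added doc/wget.texi text warns about. Minor: the doc/wget.texi hunk adds a blank line directly above an existing blank context line, leaving two empty lines ahead of `@cindex force html`.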
diff --git a/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
new file mode 100644
index 0000000..72ce8a0
--- /dev/null
+++ b/meta/recipes-extended/wget/wget/CVE-2018-20483_p2.patch
@@ -0,0 +1,127 @@
+From 5a4ee4f3c07cc5dc7ef5f7244fcf51fd2fa3bc67 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Wed, 26 Dec 2018 14:38:18 +0100
+Subject: [PATCH 2/2] Don't save user/pw with --xattr
+
+Also the Referer info is reduced to scheme+host+port.
+
+* src/ftp.c (getftp): Change params of set_file_metadata()
+* src/http.c (gethttp): Change params of set_file_metadata()
+* src/xattr.c (set_file_metadata): Remove user/password from origin URL,
+  reduce Referer value to scheme/host/port.
+* src/xattr.h: Change prototype of set_file_metadata()
+
+CVE: CVE-2018-20483 patch 2
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa]
+Signed-off-by: Aviraj CJ <acj@cisco.com>
+---
+ src/ftp.c   |  2 +-
+ src/http.c  |  4 ++--
+ src/xattr.c | 24 ++++++++++++++++++++----
+ src/xattr.h |  3 ++-
+ 4 files changed, 25 insertions(+), 8 deletions(-)
+
+diff --git a/src/ftp.c b/src/ftp.c
+index 69148936..db8a6267 100644
+--- a/src/ftp.c
++++ b/src/ftp.c
+@@ -1580,7 +1580,7 @@ Error in server response, closing control connection.\n"));
+ 
+ #ifdef ENABLE_XATTR
+   if (opt.enable_xattr)
+-    set_file_metadata (u->url, NULL, fp);
++    set_file_metadata (u, NULL, fp);
+ #endif
+ 
+   fd_close (local_sock);
+diff --git a/src/http.c b/src/http.c
+index 77bdbbed..472c328f 100644
+--- a/src/http.c
++++ b/src/http.c
+@@ -4120,9 +4120,9 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+   if (opt.enable_xattr)
+     {
+       if (original_url != u)
+-        set_file_metadata (u->url, original_url->url, fp);
++        set_file_metadata (u, original_url, fp);
+       else
+-        set_file_metadata (u->url, NULL, fp);
++        set_file_metadata (u, NULL, fp);
+     }
+ #endif
+ 
+diff --git a/src/xattr.c b/src/xattr.c
+index 66524226..0f20fadf 100644
+--- a/src/xattr.c
++++ b/src/xattr.c
+@@ -21,6 +21,7 @@
+ #include <string.h>
+ 
+ #include "log.h"
++#include "utils.h"
+ #include "xattr.h"
+ 
+ #ifdef USE_XATTR
+@@ -57,7 +58,7 @@ write_xattr_metadata (const char *name, const char *value, FILE *fp)
+ #endif /* USE_XATTR */
+ 
+ int
+-set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
++set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp)
+ {
+   /* Save metadata about where the file came from (requested, final URLs) to
+    * user POSIX Extended Attributes of retrieved file.
+@@ -67,13 +68,28 @@ set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp)
+    * [http://0pointer.de/lennart/projects/mod_mime_xattr/].
+    */
+   int retval = -1;
++  char *value;
+ 
+   if (!origin_url || !fp)
+     return retval;
+ 
+-  retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (origin_url), fp);
+-  if ((!retval) && referrer_url)
+-    retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (referrer_url), fp);
++  value = url_string (origin_url, URL_AUTH_HIDE);
++  retval = write_xattr_metadata ("user.xdg.origin.url", escnonprint_uri (value), fp);
++  xfree (value);
++
++  if (!retval && referrer_url)
++    {
++	  struct url u;
++
++	  memset(&u, 0, sizeof(u));
++      u.scheme = referrer_url->scheme;
++      u.host = referrer_url->host;
++      u.port = referrer_url->port;
++
++      value = url_string (&u, 0);
++      retval = write_xattr_metadata ("user.xdg.referrer.url", escnonprint_uri (value), fp);
++      xfree (value);
++    }
+ 
+   return retval;
+ }
+diff --git a/src/xattr.h b/src/xattr.h
+index 10f3ed11..40c7a8d3 100644
+--- a/src/xattr.h
++++ b/src/xattr.h
+@@ -16,12 +16,13 @@
+    along with this program; if not, see <http://www.gnu.org/licenses/>.  */
+ 
+ #include <stdio.h>
++#include <url.h>
+ 
+ #ifndef _XATTR_H
+ #define _XATTR_H
+ 
+ /* Store metadata name/value attributes against fp. */
+-int set_file_metadata (const char *origin_url, const char *referrer_url, FILE *fp);
++int set_file_metadata (const struct url *origin_url, const struct url *referrer_url, FILE *fp);
+ 
+ #if defined(__linux)
+ /* libc on Linux has fsetxattr (5 arguments). */
+-- 
+2.19.1
+
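Review bot: In the src/xattr.c hunk, set_file_metadata() still stores everything in the origin URL except user and password: `url_string (origin_url, URL_AUTH_HIDE)` keeps the path and query, so a token carried in the query string still lands in user.xdg.origin.url when --xattr is on. That agrees with the embedded message ("Remove user/password from origin URL"), but the backport's description should say that the fix is credential stripping plus the opt-in default from patch 1, not removal of all sensitive data. Style points, which can stay if the aim is a verbatim backport: the `struct url u;` and `memset(&u, 0, sizeof(u));` lines are tab-indented and omit the space before the parenthesis that the surrounding lines use, `url_string (&u, 0)` passes a bare 0 where the origin call uses a named mode, and in src/xattr.h `#include <url.h>` uses angle brackets for a project header and sits above the `_XATTR_H` guard.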
diff --git a/meta/recipes-extended/wget/wget_1.19.5.bb b/meta/recipes-extended/wget/wget_1.19.5.bb
index 920b74d..a53844b 100644
--- a/meta/recipes-extended/wget/wget_1.19.5.bb
+++ b/meta/recipes-extended/wget/wget_1.19.5.bb
@@ -2,6 +2,8 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
            file://0001-Unset-need_charset_alias-when-building-for-musl.patch \
            file://0002-improve-reproducibility.patch \
            file://CVE-2019-5953.patch \
+           file://CVE-2018-20483_p1.patch \
+           file://CVE-2018-20483_p2.patch \
           "
 
 SRC_URI[md5sum] = "2db6f03d655041f82eb64b8c8a1fa7da"
-- 
2.7.4




* [thud 09/12] qemu: fix build issue on new hosts with glibc 2.30
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
                   ` (7 preceding siblings ...)
  2019-10-10 15:49 ` [thud 08/12] wget: Security fixes CVE-2018-20483 Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  2019-10-10 15:49 ` [thud 10/12] libgpg-error: Fix build with gawk 5.x Armin Kuster
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

This fixes the following error:

TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:254:16: error: static declaration of ‘gettid’ follows non-static declaration
 254 | _syscall0(int, gettid)
 |                ^~~~~~
 TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:185:13: note: in definition of macro ‘_syscall0’
 185 | static type name (void)   \
 |             ^~~~
 In file included from /usr/include/unistd.h:1170,
 from TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/include/qemu/osdep.h:90,
 from TOPDIR/tmp/work/x86_64-linux/qemu-native/3.1.0-r0/qemu-3.1.0/linux-user/syscall.c:20:
 /usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
 34 | extern __pid_t gettid (void) __THROW;
 |                ^~~~~~

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...nux-user-assume-__NR_gettid-always-exists.patch | 49 +++++++++++
 ...rename-gettid-to-sys_gettid-to-avoid-clas.patch | 95 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_3.0.0.bb           |  2 +
 3 files changed, 146 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch

diff --git a/meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch b/meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch
new file mode 100644
index 0000000..767b200
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch
@@ -0,0 +1,49 @@
+From 184943d827ce09375284e6fbb9fd5eeb9e369529 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 20 Mar 2019 16:18:41 +0000
+Subject: [PATCH] linux-user: assume __NR_gettid always exists
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The gettid syscall was introduced in Linux 2.4.11. This is old enough
+that we can assume it always exists and thus not bother with the
+conditional backcompat logic.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Laurent Vivier <laurent@vivier.eu>
+Message-Id: <20190320161842.13908-2-berrange@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+
+Upstream-Status: Backport
+dependancy patch for fix
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+
+
+ linux-user/syscall.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+Index: qemu-3.0.0/linux-user/syscall.c
+===================================================================
+--- qemu-3.0.0.orig/linux-user/syscall.c
++++ qemu-3.0.0/linux-user/syscall.c
+@@ -251,15 +251,7 @@ static type name (type1 arg1,type2 arg2,
+ #define TARGET_NR__llseek TARGET_NR_llseek
+ #endif
+ 
+-#ifdef __NR_gettid
+ _syscall0(int, gettid)
+-#else
+-/* This is a replacement for the host gettid() and must return a host
+-   errno. */
+-static int gettid(void) {
+-    return -ENOSYS;
+-}
+-#endif
+ 
+ /* For the 64-bit guest on 32-bit host case we must emulate
+  * getdents using getdents64, because otherwise the host
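Review bot: The patch header gives `Upstream-Status: Backport` with no upstream commit id or URL, unlike the wget patches in this series, which carry the link in brackets; add the reference so the backport can be compared with upstream. "dependancy patch for fix" should read "dependency" and name the patch it is a prerequisite for (the sys_gettid rename). On the code: the hunk drops the `#else` fallback that returned -ENOSYS, so the build now depends on the host headers defining `__NR_gettid`, which the message justifies by the syscall dating from Linux 2.4.11.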
diff --git a/meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch b/meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch
new file mode 100644
index 0000000..ab3b71d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch
@@ -0,0 +1,95 @@
+From 71ba74f67eaca21b0cc9d96f534ad3b9a7161400 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Wed, 20 Mar 2019 16:18:42 +0000
+Subject: [PATCH] linux-user: rename gettid() to sys_gettid() to avoid clash
+ with glibc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The glibc-2.29.9000-6.fc31.x86_64 package finally includes the gettid()
+function as part of unistd.h when __USE_GNU is defined. This clashes
+with linux-user code which unconditionally defines this function name
+itself.
+
+/home/berrange/src/virt/qemu/linux-user/syscall.c:253:16: error: static declaration of ‘gettid’ follows non-static declaration
+  253 | _syscall0(int, gettid)
+      |                ^~~~~~
+/home/berrange/src/virt/qemu/linux-user/syscall.c:184:13: note: in definition of macro ‘_syscall0’
+  184 | static type name (void)   \
+      |             ^~~~
+In file included from /usr/include/unistd.h:1170,
+                 from /home/berrange/src/virt/qemu/include/qemu/osdep.h:107,
+                 from /home/berrange/src/virt/qemu/linux-user/syscall.c:20:
+/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
+   34 | extern __pid_t gettid (void) __THROW;
+      |                ^~~~~~
+  CC      aarch64-linux-user/linux-user/signal.o
+make[1]: *** [/home/berrange/src/virt/qemu/rules.mak:69: linux-user/syscall.o] Error 1
+make[1]: *** Waiting for unfinished jobs....
+make: *** [Makefile:449: subdir-aarch64-linux-user] Error 2
+
+While we could make our definition conditional and rely on glibc's impl,
+this patch simply renames our definition to sys_gettid() which is a
+common pattern in this file.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Laurent Vivier <laurent@vivier.eu>
+Message-Id: <20190320161842.13908-3-berrange@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+
+Upstream-status: Backport
+
+Fixes issue found on tumbleweed-ty-1
+Yocto bug: https://bugzilla.yoctoproject.org/show_bug.cgi?id=13577
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ linux-user/syscall.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+Index: qemu-3.0.0/linux-user/syscall.c
+===================================================================
+--- qemu-3.0.0.orig/linux-user/syscall.c
++++ qemu-3.0.0/linux-user/syscall.c
+@@ -251,7 +251,8 @@ static type name (type1 arg1,type2 arg2,
+ #define TARGET_NR__llseek TARGET_NR_llseek
+ #endif
+ 
+-_syscall0(int, gettid)
++#define __NR_sys_gettid __NR_gettid
++_syscall0(int, sys_gettid)
+ 
+ /* For the 64-bit guest on 32-bit host case we must emulate
+  * getdents using getdents64, because otherwise the host
+@@ -6483,7 +6484,7 @@ static void *clone_func(void *arg)
+     cpu = ENV_GET_CPU(env);
+     thread_cpu = cpu;
+     ts = (TaskState *)cpu->opaque;
+-    info->tid = gettid();
++    info->tid = sys_gettid();
+     task_settid(ts);
+     if (info->child_tidptr)
+         put_user_u32(info->tid, info->child_tidptr);
+@@ -6628,9 +6629,9 @@ static int do_fork(CPUArchState *env, un
+                mapping.  We can't repeat the spinlock hack used above because
+                the child process gets its own copy of the lock.  */
+             if (flags & CLONE_CHILD_SETTID)
+-                put_user_u32(gettid(), child_tidptr);
++                put_user_u32(sys_gettid(), child_tidptr);
+             if (flags & CLONE_PARENT_SETTID)
+-                put_user_u32(gettid(), parent_tidptr);
++                put_user_u32(sys_gettid(), parent_tidptr);
+             ts = (TaskState *)cpu->opaque;
+             if (flags & CLONE_SETTLS)
+                 cpu_set_tls (env, newtls);
+@@ -11876,7 +11877,7 @@ abi_long do_syscall(void *cpu_env, int n
+         break;
+ #endif
+     case TARGET_NR_gettid:
+-        ret = get_errno(gettid());
++        ret = get_errno(sys_gettid());
+         break;
+ #ifdef TARGET_NR_readahead
+     case TARGET_NR_readahead:
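Review bot: The tag in the patch header is spelled `Upstream-status: Backport`; the other patches in this series use `Upstream-Status`, and like the companion patch it carries no upstream commit reference. Please fix the case and add the commit id. No gettid() caller is left behind in the hunks shown: the `_syscall0(int, sys_gettid)` definition gets its `#define __NR_sys_gettid __NR_gettid` alias and the four call sites (clone_func, two in do_fork, TARGET_NR_gettid in do_syscall) all move to sys_gettid(), which agrees with the 6 insertions and 5 deletions in the diffstat.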
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index 6c3049b..e483aca 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -40,6 +40,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
            file://CVE-2019-3812.patch \
            file://CVE-2019-6778.patch \
            file://CVE-2019-8934.patch \
+           file://0001-linux-user-assume-__NR_gettid-always-exists.patch \
+           file://0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch \
            "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
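Review bot: Both new SRC_URI entries start with `0001-`, so only their position in this list fixes the order, and the rename patch's context (`_syscall0(int, gettid)` with the `#ifdef __NR_gettid` block already gone) applies only after the assume-__NR_gettid patch. The order here is right; numbering them 0001/0002 would make the dependency explicit. Also, the error quoted in the commit message comes from a `qemu-native/3.1.0-r0/qemu-3.1.0` work directory, while this hunk patches qemu_3.0.0.bb and both patches are indexed against qemu-3.0.0; please confirm the failure and the fix were reproduced with the 3.0.0 recipe on thud.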
-- 
2.7.4




* [thud 10/12] libgpg-error: Fix build with gawk 5.x
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
                   ` (8 preceding siblings ...)
  2019-10-10 15:49 ` [thud 09/12] qemu: fix build issue on new hosts with glibc 2.30 Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  2019-10-10 15:49 ` [thud 11/12] gnupg: Do not apply -Woverride-init guard for gcc >= 9 Armin Kuster
  2019-10-10 15:49 ` [thud 12/12] uninative: Update to 2.7 release Armin Kuster
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

From: Sean Nyekjaer <sean@geanix.com>

Based on poky master, but for version 1.35

Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
[backported to thud
 yocto# 13580]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../libgpg-error-1.35-gawk5-support.patch          | 161 +++++++++++++++++++++
 .../libgpg-error/libgpg-error_1.32.bb              |   1 +
 2 files changed, 162 insertions(+)
 create mode 100644 meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch

diff --git a/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch b/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch
new file mode 100644
index 0000000..dc3d558
--- /dev/null
+++ b/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch
@@ -0,0 +1,161 @@
+Upstream-Status: Backport [https://dev.gnupg.org/T4459]
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+
+From 37069826e497d6af01e3e48fe5d2220ae7f85449 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Mon, 15 Apr 2019 15:10:44 +0900
+Subject: [PATCH] awk: Prepare for Gawk 5.0.
+
+* src/Makefile.am: Use pkg_namespace (instead of namespace).
+* src/mkerrnos.awk: Likewise.
+* lang/cl/mkerrcodes.awk: Don't escape # in regexp.
+* src/mkerrcodes.awk, src/mkerrcodes1.awk, src/mkerrcodes2.awk: Ditto.
+
+--
+
+In Gawk 5.0, regexp routines are replaced by Gnulib implementation,
+which only allows escaping specific characters.
+
+GnuPG-bug-id: 4459
+Reported-by: Marius Schamschula
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ lang/cl/mkerrcodes.awk |  2 +-
+ src/Makefile.am        |  2 +-
+ src/mkerrcodes.awk     |  2 +-
+ src/mkerrcodes1.awk    |  2 +-
+ src/mkerrcodes2.awk    |  2 +-
+ src/mkerrnos.awk       |  2 +-
+ src/mkstrtable.awk     | 10 +++++-----
+ 7 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/lang/cl/mkerrcodes.awk b/lang/cl/mkerrcodes.awk
+index ae29043..9a1fc18 100644
+--- a/lang/cl/mkerrcodes.awk
++++ b/lang/cl/mkerrcodes.awk
+@@ -122,7 +122,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 42998e4..0ceac9f 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -281,7 +281,7 @@ code-from-errno.h: mkerrcodes Makefile
+ 
+ errnos-sym.h: Makefile mkstrtable.awk errnos.in
+ 	$(AWK) -f $(srcdir)/mkstrtable.awk -v textidx=2 -v nogettext=1 \
+-		-v prefix=GPG_ERR_ -v namespace=errnos_ \
++		-v prefix=GPG_ERR_ -v pkg_namespace=errnos_ \
+ 		$(srcdir)/errnos.in >$@
+ 
+ 
+diff --git a/src/mkerrcodes.awk b/src/mkerrcodes.awk
+index 46d436c..e9c857c 100644
+--- a/src/mkerrcodes.awk
++++ b/src/mkerrcodes.awk
+@@ -85,7 +85,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkerrcodes1.awk b/src/mkerrcodes1.awk
+index a771a73..4578e29 100644
+--- a/src/mkerrcodes1.awk
++++ b/src/mkerrcodes1.awk
+@@ -81,7 +81,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkerrcodes2.awk b/src/mkerrcodes2.awk
+index ea58503..188f7a4 100644
+--- a/src/mkerrcodes2.awk
++++ b/src/mkerrcodes2.awk
+@@ -91,7 +91,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkerrnos.awk b/src/mkerrnos.awk
+index f79df66..15b1aad 100644
+--- a/src/mkerrnos.awk
++++ b/src/mkerrnos.awk
+@@ -83,7 +83,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkstrtable.awk b/src/mkstrtable.awk
+index c9de9c1..285e45f 100644
+--- a/src/mkstrtable.awk
++++ b/src/mkstrtable.awk
+@@ -77,7 +77,7 @@
+ #
+ # The variable prefix can be used to prepend a string to each message.
+ #
+-# The variable namespace can be used to prepend a string to each
++# The variable pkg_namespace can be used to prepend a string to each
+ # variable and macro name.
+ 
+ BEGIN {
+@@ -102,7 +102,7 @@ header {
+       print "/* The purpose of this complex string table is to produce";
+       print "   optimal code with a minimum of relocations.  */";
+       print "";
+-      print "static const char " namespace "msgstr[] = ";
++      print "static const char " pkg_namespace "msgstr[] = ";
+       header = 0;
+     }
+   else
+@@ -110,7 +110,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+@@ -150,7 +150,7 @@ END {
+   else
+     print "  gettext_noop (\"" last_msgstr "\");";
+   print "";
+-  print "static const int " namespace "msgidx[] =";
++  print "static const int " pkg_namespace "msgidx[] =";
+   print "  {";
+   for (i = 0; i < coded_msgs; i++)
+     print "    " pos[i] ",";
+@@ -158,7 +158,7 @@ END {
+   print "  };";
+   print "";
+   print "static GPG_ERR_INLINE int";
+-  print namespace "msgidxof (int code)";
++  print pkg_namespace "msgidxof (int code)";
+   print "{";
+   print "  return (0 ? 0";
+ 
+-- 
+2.23.0
+
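Review bot: The file is named libgpg-error-1.35-gawk5-support.patch and the commit message says it is "for version 1.35", but the series adds it to libgpg-error_1.32.bb; please state that it was checked against the 1.32 sources, or rename it. The coupling to watch is between src/Makefile.am and src/mkstrtable.awk: the Makefile now passes `-v pkg_namespace=errnos_` and the script reads `pkg_namespace`, so both sides have to apply together, because an unset awk variable expands to the empty string and the generated identifiers would lose their `errnos_` prefix without an error. The embedded changelog attributes the pkg_namespace change to src/mkerrnos.awk, while the hunks show it in src/mkstrtable.awk and only the regexp change in src/mkerrnos.awk.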
diff --git a/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb b/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb
index e552001..52ae11a 100644
--- a/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb
+++ b/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgpg-error/libgpg-error-${PV}.tar.bz2 \
            file://pkgconfig.patch \
            file://0001-syscfg-Support-ARC-CPUs-and-simplify-aliasing-table.patch \
            file://0002-syscfg-Add-support-for-arc-unknown-linux-gnu.patch \
+           file://libgpg-error-1.35-gawk5-support.patch \
 	  "
 SRC_URI[md5sum] = "ef3d928a5a453fa701ecc3bb22be1c64"
 SRC_URI[sha256sum] = "c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca"
-- 
2.7.4




* [thud 11/12] gnupg: Do not apply -Woverride-init guard for gcc >= 9
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
                   ` (9 preceding siblings ...)
  2019-10-10 15:49 ` [thud 10/12] libgpg-error: Fix build with gawk 5.x Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  2019-10-10 15:49 ` [thud 12/12] uninative: Update to 2.7 release Armin Kuster
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

From: Khem Raj <raj.khem@gmail.com>

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 ...1-Woverride-init-is-not-needed-with-gcc-9.patch | 31 ++++++++++++++++++++++
 ...c-use-a-custom-value-for-the-location-of-.patch |  6 ++---
 meta/recipes-support/gnupg/gnupg/relocate.patch    |  2 +-
 meta/recipes-support/gnupg/gnupg_2.2.12.bb         |  3 ++-
 4 files changed, 37 insertions(+), 5 deletions(-)
 create mode 100644 meta/recipes-support/gnupg/gnupg/0001-Woverride-init-is-not-needed-with-gcc-9.patch

diff --git a/meta/recipes-support/gnupg/gnupg/0001-Woverride-init-is-not-needed-with-gcc-9.patch b/meta/recipes-support/gnupg/gnupg/0001-Woverride-init-is-not-needed-with-gcc-9.patch
new file mode 100644
index 0000000..4a280f9
--- /dev/null
+++ b/meta/recipes-support/gnupg/gnupg/0001-Woverride-init-is-not-needed-with-gcc-9.patch
@@ -0,0 +1,31 @@
+From 0df5800cc2e720aad883a517f7d24a9722fe5845 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Thu, 20 Dec 2018 17:37:48 -0800
+Subject: [PATCH] Woverride-init is not needed with gcc 9
+
+Fixes
+| ../../gnupg-2.2.12/dirmngr/dns.h:525:16: error: lvalue required as
+unary '&' operand                                                 |
+525 |  dns_rr_i_init(&dns_quietinit((struct dns_rr_i){ 0, __VA_ARGS__
+}), (P))
+
+Upstream-Status: Pending
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ dirmngr/dns.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dirmngr/dns.h b/dirmngr/dns.h
+index 30d0b45..98fe412 100644
+--- a/dirmngr/dns.h
++++ b/dirmngr/dns.h
+@@ -154,7 +154,7 @@ DNS_PUBLIC int *dns_debug_p(void);
+ 
+ #define dns_quietinit(...) \
+ 	DNS_PRAGMA_PUSH DNS_PRAGMA_QUIET __VA_ARGS__ DNS_PRAGMA_POP
+-#elif (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) || __GNUC__ > 4
++#elif (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) || (__GNUC__ > 4 && __GNUC__ < 9)
+ #define DNS_PRAGMA_PUSH _Pragma("GCC diagnostic push")
+ #define DNS_PRAGMA_QUIET _Pragma("GCC diagnostic ignored \"-Woverride-init\"")
+ #define DNS_PRAGMA_POP _Pragma("GCC diagnostic pop")
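Review bot: The new condition `(__GNUC__ > 4 && __GNUC__ < 9)` in dirmngr/dns.h takes gcc 9 and later out of this branch, and the branch they fall through to is outside the hunk context, so the lines shown do not tell which definitions of dns_quietinit() and the DNS_PRAGMA_* macros those compilers now get. Please say in the patch description what gcc >= 9 uses instead and why the `_Pragma` wrapper leads to the quoted "lvalue required as unary '&' operand" error. The header carries `Upstream-Status: Pending` without a pointer to an upstream submission, and the outer commit message has no body.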
diff --git a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
index 3f1c3ab..c43ecdf 100644
--- a/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
+++ b/meta/recipes-support/gnupg/gnupg/0001-configure.ac-use-a-custom-value-for-the-location-of-.patch
@@ -1,4 +1,4 @@
-From 8eb4d25c25a1c1323797d94e0727a3e42b7f3287 Mon Sep 17 00:00:00 2001
+From c69c3a49f3295179c247db5ceb3ef8952928a724 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Mon, 22 Jan 2018 18:00:21 +0200
 Subject: [PATCH] configure.ac: use a custom value for the location of
@@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index 4d66af9..b9ef235 100644
+index 919ab31..cd58fdb 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1848,7 +1848,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
+@@ -1855,7 +1855,7 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf",
  
  AC_DEFINE_UNQUOTED(GPGTAR_NAME, "gpgtar", [The name of the gpgtar tool])
  
diff --git a/meta/recipes-support/gnupg/gnupg/relocate.patch b/meta/recipes-support/gnupg/gnupg/relocate.patch
index c494ef8..1a5ea4a 100644
--- a/meta/recipes-support/gnupg/gnupg/relocate.patch
+++ b/meta/recipes-support/gnupg/gnupg/relocate.patch
@@ -1,4 +1,4 @@
-From f9fc214b0bf2f67b515ca8a5333f39c497d1b518 Mon Sep 17 00:00:00 2001
+From 6d31b04d7a75f1d73c3518bf043b5b0a2dc40cb1 Mon Sep 17 00:00:00 2001
 From: Ross Burton <ross.burton@intel.com>
 Date: Wed, 19 Sep 2018 14:44:40 +0100
 Subject: [PATCH] Allow the environment to override where gnupg looks for its
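Review bot: This hunk changes only the `From <hash>` line of relocate.patch, and the two hunks before it change only the From hash, the `index` line and the `@@ -1848,7` to `@@ -1855,7` offset of the configure.ac patch. None of that alters what either patch does or relates to the gcc 9 fix; on a stable branch either drop the refresh or mention it in the commit message so the churn is explained.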
diff --git a/meta/recipes-support/gnupg/gnupg_2.2.12.bb b/meta/recipes-support/gnupg/gnupg_2.2.12.bb
index 1f381c2..a02c66a 100644
--- a/meta/recipes-support/gnupg/gnupg_2.2.12.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.2.12.bb
@@ -14,7 +14,8 @@ SRC_URI = "${GNUPG_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
            file://0002-use-pkgconfig-instead-of-npth-config.patch \
            file://0003-dirmngr-uses-libgpg-error.patch \
            file://0004-autogen.sh-fix-find-version-for-beta-checking.patch \
-          "
+           file://0001-Woverride-init-is-not-needed-with-gcc-9.patch \
+           "
 SRC_URI_append_class-native = " file://0001-configure.ac-use-a-custom-value-for-the-location-of-.patch \
                                 file://relocate.patch"
 
-- 
2.7.4




* [thud 12/12] uninative: Update to 2.7 release
  2019-10-10 15:49 [thud 00/12] Thud pull request Armin Kuster
                   ` (10 preceding siblings ...)
  2019-10-10 15:49 ` [thud 11/12] gnupg: Do not apply -Woverride-init guard for gcc >= 9 Armin Kuster
@ 2019-10-10 15:49 ` Armin Kuster
  11 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-10 15:49 UTC (permalink / raw)
  To: openembedded-core

From: Michael Halstead <mhalstead@linuxfoundation.org>

The 2.7 release updates glibc to version 2.30. Recently added to openSUSE
Tumbleweed and needed for Fedora Core 31.

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/conf/distro/include/yocto-uninative.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index df24346..ad75d3e 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,9 +6,9 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.29"
+UNINATIVE_MAXGLIBCVERSION = "2.30"
 
-UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.6/"
-UNINATIVE_CHECKSUM[aarch64] ?= "a37118fc8b423f48146120707b81dd15017512c3e8ef9e6ca2cb3a033f4f4046"
-UNINATIVE_CHECKSUM[i686] ?= "3234fc3ded810225071f23a0e9a99f4f8c2480059945a848eff076ce78122ade"
-UNINATIVE_CHECKSUM[x86_64] ?= "133387753a9acf3e1b788103c59fac91e968e2ee331d7a4b9498e926ada7be57"
+UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.7/"
+UNINATIVE_CHECKSUM[aarch64] ?= "e76a45886ee8a0b3904b761c17ac8ff91edf9811ee455f1832d10763ba794dfc"
+UNINATIVE_CHECKSUM[i686] ?= "810d027dfb1c7675226afbcec07808770516c969ee7378f6d8240281083f8924"
+UNINATIVE_CHECKSUM[x86_64] ?= "9498d8bba047499999a7310ac2576d0796461184965351a56f6d32c888a1f216"
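Review bot: UNINATIVE_URL stays on plain `http://`, so the three `UNINATIVE_CHECKSUM` values are the only integrity control on the uninative tarballs fetched on the build host. Please confirm that the aarch64, i686 and x86_64 checksums were taken from the 2.7 release artefacts through a channel other than the download they pin, and say so in the commit message. The `UNINATIVE_MAXGLIBCVERSION` bump to "2.30" matches the message and pairs with patch 09 of this series, which fixes the qemu build on glibc 2.30 hosts.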
-- 
2.7.4




* [thud 10/12] libgpg-error: Fix build with gawk 5.x
  2019-10-08 15:26 [thud 00/12] patch review Armin Kuster
@ 2019-10-08 15:26 ` Armin Kuster
  0 siblings, 0 replies; 14+ messages in thread
From: Armin Kuster @ 2019-10-08 15:26 UTC (permalink / raw)
  To: openembedded-core

From: Sean Nyekjaer <sean@geanix.com>

Based on poky master, but for version 1.35

Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
[backported to thud
 yocto# 13580]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../libgpg-error-1.35-gawk5-support.patch          | 161 +++++++++++++++++++++
 .../libgpg-error/libgpg-error_1.32.bb              |   1 +
 2 files changed, 162 insertions(+)
 create mode 100644 meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch

diff --git a/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch b/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch
new file mode 100644
index 0000000..dc3d558
--- /dev/null
+++ b/meta/recipes-support/libgpg-error/libgpg-error/libgpg-error-1.35-gawk5-support.patch
@@ -0,0 +1,161 @@
+Upstream-Status: Backport [https://dev.gnupg.org/T4459]
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+
+From 37069826e497d6af01e3e48fe5d2220ae7f85449 Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Mon, 15 Apr 2019 15:10:44 +0900
+Subject: [PATCH] awk: Prepare for Gawk 5.0.
+
+* src/Makefile.am: Use pkg_namespace (instead of namespace).
+* src/mkerrnos.awk: Likewise.
+* lang/cl/mkerrcodes.awk: Don't escape # in regexp.
+* src/mkerrcodes.awk, src/mkerrcodes1.awk, src/mkerrcodes2.awk: Ditto.
+
+--
+
+In Gawk 5.0, regexp routines are replaced by Gnulib implementation,
+which only allows escaping specific characters.
+
+GnuPG-bug-id: 4459
+Reported-by: Marius Schamschula
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ lang/cl/mkerrcodes.awk |  2 +-
+ src/Makefile.am        |  2 +-
+ src/mkerrcodes.awk     |  2 +-
+ src/mkerrcodes1.awk    |  2 +-
+ src/mkerrcodes2.awk    |  2 +-
+ src/mkerrnos.awk       |  2 +-
+ src/mkstrtable.awk     | 10 +++++-----
+ 7 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/lang/cl/mkerrcodes.awk b/lang/cl/mkerrcodes.awk
+index ae29043..9a1fc18 100644
+--- a/lang/cl/mkerrcodes.awk
++++ b/lang/cl/mkerrcodes.awk
+@@ -122,7 +122,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 42998e4..0ceac9f 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -281,7 +281,7 @@ code-from-errno.h: mkerrcodes Makefile
+ 
+ errnos-sym.h: Makefile mkstrtable.awk errnos.in
+ 	$(AWK) -f $(srcdir)/mkstrtable.awk -v textidx=2 -v nogettext=1 \
+-		-v prefix=GPG_ERR_ -v namespace=errnos_ \
++		-v prefix=GPG_ERR_ -v pkg_namespace=errnos_ \
+ 		$(srcdir)/errnos.in >$@
+ 
+ 
+diff --git a/src/mkerrcodes.awk b/src/mkerrcodes.awk
+index 46d436c..e9c857c 100644
+--- a/src/mkerrcodes.awk
++++ b/src/mkerrcodes.awk
+@@ -85,7 +85,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkerrcodes1.awk b/src/mkerrcodes1.awk
+index a771a73..4578e29 100644
+--- a/src/mkerrcodes1.awk
++++ b/src/mkerrcodes1.awk
+@@ -81,7 +81,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkerrcodes2.awk b/src/mkerrcodes2.awk
+index ea58503..188f7a4 100644
+--- a/src/mkerrcodes2.awk
++++ b/src/mkerrcodes2.awk
+@@ -91,7 +91,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkerrnos.awk b/src/mkerrnos.awk
+index f79df66..15b1aad 100644
+--- a/src/mkerrnos.awk
++++ b/src/mkerrnos.awk
+@@ -83,7 +83,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+diff --git a/src/mkstrtable.awk b/src/mkstrtable.awk
+index c9de9c1..285e45f 100644
+--- a/src/mkstrtable.awk
++++ b/src/mkstrtable.awk
+@@ -77,7 +77,7 @@
+ #
+ # The variable prefix can be used to prepend a string to each message.
+ #
+-# The variable namespace can be used to prepend a string to each
++# The variable pkg_namespace can be used to prepend a string to each
+ # variable and macro name.
+ 
+ BEGIN {
+@@ -102,7 +102,7 @@ header {
+       print "/* The purpose of this complex string table is to produce";
+       print "   optimal code with a minimum of relocations.  */";
+       print "";
+-      print "static const char " namespace "msgstr[] = ";
++      print "static const char " pkg_namespace "msgstr[] = ";
+       header = 0;
+     }
+   else
+@@ -110,7 +110,7 @@ header {
+ }
+ 
+ !header {
+-  sub (/\#.+/, "");
++  sub (/#.+/, "");
+   sub (/[ 	]+$/, ""); # Strip trailing space and tab characters.
+ 
+   if (/^$/)
+@@ -150,7 +150,7 @@ END {
+   else
+     print "  gettext_noop (\"" last_msgstr "\");";
+   print "";
+-  print "static const int " namespace "msgidx[] =";
++  print "static const int " pkg_namespace "msgidx[] =";
+   print "  {";
+   for (i = 0; i < coded_msgs; i++)
+     print "    " pos[i] ",";
+@@ -158,7 +158,7 @@ END {
+   print "  };";
+   print "";
+   print "static GPG_ERR_INLINE int";
+-  print namespace "msgidxof (int code)";
++  print pkg_namespace "msgidxof (int code)";
+   print "{";
+   print "  return (0 ? 0";
+ 
+-- 
+2.23.0
+
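Review bot: the src/Makefile.am hunk of the embedded patch is the only place a caller is switched from "-v namespace=errnos_" to "-v pkg_namespace=errnos_", and the embedded diffstat carries no matching change to a generated Makefile.in. After this patch mkstrtable.awk reads only pkg_namespace, and an unset awk variable expands to the empty string, so a build that still runs the old rule would emit msgstr[], msgidx[] and msgidxof without the errnos_ prefix rather than failing at the awk step. Please confirm that the recipe regenerates the Makefiles from Makefile.am before compiling, and that no other rule passes "-v namespace=" to mkstrtable.awk. A smaller point: the upstream changelog does not list src/mkstrtable.awk, although it has the largest change, so a line in the patch header noting that would help whoever next rebases this file.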
diff --git a/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb b/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb
index e552001..52ae11a 100644
--- a/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb
+++ b/meta/recipes-support/libgpg-error/libgpg-error_1.32.bb
@@ -16,6 +16,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgpg-error/libgpg-error-${PV}.tar.bz2 \
            file://pkgconfig.patch \
            file://0001-syscfg-Support-ARC-CPUs-and-simplify-aliasing-table.patch \
            file://0002-syscfg-Add-support-for-arc-unknown-linux-gnu.patch \
+           file://libgpg-error-1.35-gawk5-support.patch \
 	  "
 SRC_URI[md5sum] = "ef3d928a5a453fa701ecc3bb22be1c64"
 SRC_URI[sha256sum] = "c345c5e73cc2332f8d50db84a2280abfb1d8f6d4f1858b9daa30404db44540ca"
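Review bot: the added SRC_URI entry names the patch libgpg-error-1.35-gawk5-support.patch, but the recipe it goes into is libgpg-error_1.32.bb, and the commit message says only "Based on poky master, but for version 1.35". Suggest either stating in the commit message that the 1.35 patch applies unchanged to the 1.32 sources, or renaming the file to drop the version, so the mismatch does not read as a pick from the wrong branch.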
-- 
2.7.4


