3 files changed, 105 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/libconfuse/files/0001-only-apply-search-path-logic-to-relative-pathnames.patch b/meta-oe/recipes-support/libconfuse/files/0001-only-apply-search-path-logic-to-relative-pathnames.patch
new file mode 100644
index 0000000000..aa9fab86e6
--- /dev/null
+++ b/meta-oe/recipes-support/libconfuse/files/0001-only-apply-search-path-logic-to-relative-pathnames.patch
@@ -0,0 +1,48 @@
+From b684f4cc25821b6e86a58576f864e4b12dfdfecc Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+Date: Sat, 5 Jun 2021 22:57:51 +0200
+Subject: [PATCH] only apply search path logic to relative pathnames
+Adding any directory to the search path via cfg_add_searchpath breaks
+lookup of absolute paths. So change the logic in cfg_searchpath() to
+ignore the search path when the given filename is absolute, and merely
+check that for existence.
+This is technically an ABI change, but the current behaviour is quite
+unusual and unexpected.
+Upstream-Status: Backport [https://github.com/libconfuse/libconfuse/pull/155]
+Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
+---
+ src/confuse.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+diff --git a/src/confuse.c b/src/confuse.c
+index 2ea0254..19b56e3 100644
+--- a/src/confuse.c
+++ b/src/confuse.c
+@@ -1746,12 +1746,20 @@ DLLIMPORT char *cfg_searchpath(cfg_searchpath_t *p, const char *file)
+                return NULL;
+        }
+ 
+       if (file[0] == '/') {
+               fullpath = strdup(file);
+               if (!fullpath)
+                       return NULL;
+               goto check;
+       }
+
+        if ((fullpath = cfg_searchpath(p->next, file)) != NULL)
+                return fullpath;
+ 
+        if ((fullpath = cfg_make_fullpath(p->dir, file)) == NULL)
+                return NULL;
+ 
+check:
+ #ifdef HAVE_SYS_STAT_H
+        err = stat((const char *)fullpath, &st);
+        if ((!err) && S_ISREG(st.st_mode))
+-- 
+2.31.1
diff --git a/meta-oe/recipes-support/libconfuse/files/CVE-2022-40320.patch b/meta-oe/recipes-support/libconfuse/files/CVE-2022-40320.patch
new file mode 100755
index 0000000000..52296b9c0f
--- /dev/null
+++ b/meta-oe/recipes-support/libconfuse/files/CVE-2022-40320.patch
@@ -0,0 +1,42 @@
+From d73777c2c3566fb2647727bb56d9a2295b81669b Mon Sep 17 00:00:00 2001
+From: Joachim Wiberg <troglobit@gmail.com>
+Date: Fri, 2 Sep 2022 16:12:46 +0200
+Subject: [PATCH] Fix #163: unterminated username used with getpwnam()
+Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
+CVE: CVE-2022-40320
+Upstream-Status: Backport [https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/confuse.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+diff --git a/src/confuse.c b/src/confuse.c
+index 6d1fdbd..05566b5 100644
+--- a/src/confuse.c
+++ b/src/confuse.c
+@@ -1872,17 +1872,20 @@ DLLIMPORT char *cfg_tilde_expand(const char *filename)
+                        file = filename + 1;
+                } else {
+                        /* ~user or ~user/path */
+-                       char *user;
+                       char *user; /* ~user or ~user/path */
+                       size_t len;
+ 
+                        file = strchr(filename, '/');
+                        if (file == 0)
+                                file = filename + strlen(filename);
+ 
+-                       user = malloc(file - filename);
+                       len = file - filename - 1;
+                       user = malloc(len + 1);
+                        if (!user)
+                                return NULL;
+ 
+-                       strncpy(user, filename + 1, file - filename - 1);
+                       strncpy(user, &filename[1], len);
+                       user[len] = 0;
+                        passwd = getpwnam(user);
+                        free(user);
+                }
diff --git a/meta-oe/recipes-support/libconfuse/libconfuse_3.3.bb b/meta-oe/recipes-support/libconfuse/libconfuse_3.3.bb
new file mode 100644
index 0000000000..20966a535c
--- /dev/null
+++ b/meta-oe/recipes-support/libconfuse/libconfuse_3.3.bb
@@ -0,0 +1,15 @@
+SUMMARY = "libConfuse is a configuration file parser library"
+LICENSE = "ISC"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=42fa47330d4051cd219f7d99d023de3a"
+SRC_URI = "https://github.com/libconfuse/libconfuse/releases/download/v${PV}/confuse-${PV}.tar.gz"
+SRC_URI[sha256sum] = "3a59ded20bc652eaa8e6261ab46f7e483bc13dad79263c15af42ecbb329707b8"
+SRC_URI += "file://0001-only-apply-search-path-logic-to-relative-pathnames.patch"
+SRC_URI += "file://CVE-2022-40320.patch"
+inherit autotools-brokensep pkgconfig gettext
+S = "${UNPACKDIR}/confuse-${PV}"
+BBCLASSEXTEND = "native nativesdk"

diff --git a/meta-oe/recipes-support/libconfuse/files/0001-only-apply-search-path-logic-to-relative-pathnames.patch b/meta-oe/recipes-support/libconfuse/files/0001-only-apply-search-path-logic-to-relative-pathnames.patch new file mode 100644 index 0000000000..aa9fab86e6 --- /dev/null +++ b/meta-oe/recipes-support/libconfuse/files/0001-only-apply-search-path-logic-to-relative-pathnames.patch
@@ -0,0 +1,48 @@
	1	From b684f4cc25821b6e86a58576f864e4b12dfdfecc Mon Sep 17 00:00:00 2001
	2	From: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
	3	Date: Sat, 5 Jun 2021 22:57:51 +0200
	4	Subject: [PATCH] only apply search path logic to relative pathnames
	5
	6	Adding any directory to the search path via cfg_add_searchpath breaks
	7	lookup of absolute paths. So change the logic in cfg_searchpath() to
	8	ignore the search path when the given filename is absolute, and merely
	9	check that for existence.
	10
	11	This is technically an ABI change, but the current behaviour is quite
	12	unusual and unexpected.
	13
	14	Upstream-Status: Backport [https://github.com/libconfuse/libconfuse/pull/155]
	15
	16	Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
	17	---
	18	src/confuse.c \| 8 ++++++++
	19	1 file changed, 8 insertions(+)
	20
	21	diff --git a/src/confuse.c b/src/confuse.c
	22	index 2ea0254..19b56e3 100644
	23	--- a/src/confuse.c
	24	+++ b/src/confuse.c
	25	@@ -1746,12 +1746,20 @@ DLLIMPORT char cfg_searchpath(cfg_searchpath_t p, const char *file)
	26	return NULL;
	27	}
	28
	29	+ if (file[0] == '/') {
	30	+ fullpath = strdup(file);
	31	+ if (!fullpath)
	32	+ return NULL;
	33	+ goto check;
	34	+ }
	35	+
	36	if ((fullpath = cfg_searchpath(p->next, file)) != NULL)
	37	return fullpath;
	38
	39	if ((fullpath = cfg_make_fullpath(p->dir, file)) == NULL)
	40	return NULL;
	41
	42	+check:
	43	#ifdef HAVE_SYS_STAT_H
	44	err = stat((const char *)fullpath, &st);
	45	if ((!err) && S_ISREG(st.st_mode))
	46	--
	47	2.31.1
	48


diff --git a/meta-oe/recipes-support/libconfuse/files/CVE-2022-40320.patch b/meta-oe/recipes-support/libconfuse/files/CVE-2022-40320.patch new file mode 100755 index 0000000000..52296b9c0f --- /dev/null +++ b/meta-oe/recipes-support/libconfuse/files/CVE-2022-40320.patch
@@ -0,0 +1,42 @@
	1	From d73777c2c3566fb2647727bb56d9a2295b81669b Mon Sep 17 00:00:00 2001
	2	From: Joachim Wiberg <troglobit@gmail.com>
	3	Date: Fri, 2 Sep 2022 16:12:46 +0200
	4	Subject: [PATCH] Fix #163: unterminated username used with getpwnam()
	5
	6	Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
	7
	8	CVE: CVE-2022-40320
	9	Upstream-Status: Backport [https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b]
	10	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	11	---
	12	src/confuse.c \| 9 ++++++---
	13	1 file changed, 6 insertions(+), 3 deletions(-)
	14
	15	diff --git a/src/confuse.c b/src/confuse.c
	16	index 6d1fdbd..05566b5 100644
	17	--- a/src/confuse.c
	18	+++ b/src/confuse.c
	19	@@ -1872,17 +1872,20 @@ DLLIMPORT char cfg_tilde_expand(const char filename)
	20	file = filename + 1;
	21	} else {
	22	/* ~user or ~user/path */
	23	- char *user;
	24	+ char user; / ~user or ~user/path */
	25	+ size_t len;
	26
	27	file = strchr(filename, '/');
	28	if (file == 0)
	29	file = filename + strlen(filename);
	30
	31	- user = malloc(file - filename);
	32	+ len = file - filename - 1;
	33	+ user = malloc(len + 1);
	34	if (!user)
	35	return NULL;
	36
	37	- strncpy(user, filename + 1, file - filename - 1);
	38	+ strncpy(user, &filename[1], len);
	39	+ user[len] = 0;
	40	passwd = getpwnam(user);
	41	free(user);
	42	}


diff --git a/meta-oe/recipes-support/libconfuse/libconfuse_3.3.bb b/meta-oe/recipes-support/libconfuse/libconfuse_3.3.bb new file mode 100644 index 0000000000..20966a535c --- /dev/null +++ b/meta-oe/recipes-support/libconfuse/libconfuse_3.3.bb
@@ -0,0 +1,15 @@
	1	SUMMARY = "libConfuse is a configuration file parser library"
	2	LICENSE = "ISC"
	3	LIC_FILES_CHKSUM = "file://LICENSE;md5=42fa47330d4051cd219f7d99d023de3a"
	4
	5	SRC_URI = "https://github.com/libconfuse/libconfuse/releases/download/v${PV}/confuse-${PV}.tar.gz"
	6	SRC_URI[sha256sum] = "3a59ded20bc652eaa8e6261ab46f7e483bc13dad79263c15af42ecbb329707b8"
	7
	8	SRC_URI += "file://0001-only-apply-search-path-logic-to-relative-pathnames.patch"
	9	SRC_URI += "file://CVE-2022-40320.patch"
	10
	11	inherit autotools-brokensep pkgconfig gettext
	12
	13	S = "${UNPACKDIR}/confuse-${PV}"
	14
	15	BBCLASSEXTEND = "native nativesdk"